{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,9]],"date-time":"2026-04-09T14:41:09Z","timestamp":1775745669656,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":73,"publisher":"ACM","license":[{"start":{"date-parts":[[2017,10,30]],"date-time":"2017-10-30T00:00:00Z","timestamp":1509321600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2017,10,30]]},"DOI":"10.1145\/3133956.3134077","type":"proceedings-article","created":{"date-parts":[[2017,10,27]],"date-time":"2017-10-27T12:48:18Z","timestamp":1509108498000},"page":"587-601","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":368,"title":["Machine Learning Models that Remember Too Much"],"prefix":"10.1145","author":[{"given":"Congzheng","family":"Song","sequence":"first","affiliation":[{"name":"Cornell University, Ithaca, NY, USA"}]},{"given":"Thomas","family":"Ristenpart","sequence":"additional","affiliation":[{"name":"Cornell Tech, New York, NY, USA"}]},{"given":"Vitaly","family":"Shmatikov","sequence":"additional","affiliation":[{"name":"Cornell Tech, New York, NY, USA"}]}],"member":"320","published-online":{"date-parts":[[2017,10,30]]},"reference":[{"key":"e_1_3_2_2_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"e_1_3_2_2_2_1","volume-title":"https:\/\/algorithmia.com","year":"2017","unstructured":"Algorithmia. https:\/\/algorithmia.com, 2017."},{"key":"e_1_3_2_2_3_1","volume-title":"https:\/\/aws.amazon.com\/machine-learning","author":"Learning Amazon Machine","year":"2017","unstructured":"Amazon Machine Learning. https:\/\/aws.amazon.com\/machine-learning, 2017."},{"key":"e_1_3_2_2_4_1","doi-asserted-by":"publisher","DOI":"10.1504\/IJSN.2015.071829"},{"key":"e_1_3_2_2_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978355"},{"key":"e_1_3_2_2_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/2245276.2232005"},{"key":"e_1_3_2_2_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2799647"},{"key":"e_1_3_2_2_8_1","doi-asserted-by":"publisher","DOI":"10.5555\/234285.234289"},{"key":"e_1_3_2_2_9_1","volume-title":"ICML","author":"Biggio B.","year":"2012","unstructured":"B. Biggio, B. Nelson, and P. Laskov. Poisoning attacks against support vector machines. In ICML, 2012."},{"key":"e_1_3_2_2_10_1","volume-title":"https:\/\/bigml.com","author":"ML.","year":"2017","unstructured":"BigML. https:\/\/bigml.com, 2017."},{"key":"e_1_3_2_2_11_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-012-0177-2"},{"key":"e_1_3_2_2_12_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23241"},{"key":"e_1_3_2_2_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/1150402.1150464"},{"key":"e_1_3_2_2_14_1","volume-title":"CCS","author":"Bugiel S.","year":"2011","unstructured":"S. Bugiel, S. N\u00fcrnberger, T. P\u00f6ppelmann, A.-R. Sadeghi, and T. Schneider. AmazonIA: When elasticity snaps back. In CCS, 2011."},{"key":"e_1_3_2_2_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2939672.2939839"},{"key":"e_1_3_2_2_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/772862.772867"},{"key":"e_1_3_2_2_17_1","doi-asserted-by":"publisher","DOI":"10.1007\/BF00994018"},{"key":"e_1_3_2_2_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/1014052.1014066"},{"key":"e_1_3_2_2_19_1","volume-title":"https:\/\/www.deepdetect.com","year":"2015","unstructured":"DeepDetect. https:\/\/www.deepdetect.com, 2015--2017."},{"key":"e_1_3_2_2_20_1","doi-asserted-by":"publisher","unstructured":"S. Dieleman J. Schl\u00fcter C. Raffel E. Olson S. K. S\u00f8nderby D. Nouri et al. Lasagne: First release. http:\/\/dx.doi.org\/10.5281\/zenodo.27878 2015.","DOI":"10.5281\/zenodo.27878"},{"key":"e_1_3_2_2_21_1","volume-title":"USENIX Security","author":"Dinh T. T. A.","year":"2015","unstructured":"T. T. A. Dinh, P. Saxena, E.-C. Chang, B. C. Ooi, and C. Zhang. M2R: Enabling stronger privacy in MapReduce computation. In USENIX Security, 2015."},{"key":"e_1_3_2_2_22_1","doi-asserted-by":"publisher","DOI":"10.1137\/1.9781611972740.21"},{"key":"e_1_3_2_2_23_1","volume-title":"Adaptive subgradient methods for online learning and stochastic optimization. JMLR, 12(Jul):2121--2159","author":"Duchi J.","year":"2011","unstructured":"J. Duchi, E. Hazan, and Y. Singer. Adaptive subgradient methods for online learning and stochastic optimization. JMLR, 12(Jul):2121--2159, 2011."},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/FOCS.2015.46"},{"key":"e_1_3_2_2_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"e_1_3_2_2_26_1","volume-title":"USENIX Security","author":"Fredrikson M.","year":"2014","unstructured":"M. Fredrikson, E. Lantz, S. Jha, S. Lin, D. Page, and T. Ristenpart. Privacy in pharmacogenetics: An end-to-end case study of personalized Warfarin dosing. In USENIX Security, 2014."},{"key":"e_1_3_2_2_27_1","unstructured":"Google Cloud Prediction API 2017."},{"key":"e_1_3_2_2_28_1","volume-title":"MIT Spam Conference","author":"Graham-Cumming J.","year":"2004","unstructured":"J. Graham-Cumming. How to beat an adaptive spam filter. In MIT Spam Conference, 2004."},{"key":"e_1_3_2_2_29_1","volume-title":"ICLR","author":"Han S.","year":"2016","unstructured":"S. Han, H. Mao, and W. J. Dally. Deep compression: Compressing deep neural networks with pruning, trained quantization and huffman coding. In ICLR, 2016."},{"key":"e_1_3_2_2_30_1","volume-title":"https:\/\/www.havenondemand.com","author":"OnDemand Haven","year":"2017","unstructured":"Haven OnDemand. https:\/\/www.havenondemand.com, 2017."},{"key":"e_1_3_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_2_32_1","doi-asserted-by":"publisher","DOI":"10.1371\/journal.pgen.1000167"},{"key":"e_1_3_2_2_34_1","volume-title":"https:\/\/indico.io","year":"2016","unstructured":"indico. https:\/\/indico.io, 2016."},{"key":"e_1_3_2_2_35_1","doi-asserted-by":"publisher","DOI":"10.1007\/BFb0026683"},{"key":"e_1_3_2_2_36_1","volume-title":"https:\/\/keras.io","year":"2015","unstructured":"Keras. https:\/\/keras.io, 2015."},{"key":"e_1_3_2_2_37_1","volume-title":"https:\/\/www.theregister.co.uk\/2011\/08\/31\/linux_kernel_security_breach\/","author":"Linux","year":"2011","unstructured":"Kernel.org Linux repository rooted in hack attack. https:\/\/www.theregister.co.uk\/2011\/08\/31\/linux_kernel_security_breach\/, 2011."},{"key":"e_1_3_2_2_38_1","volume-title":"AISTATS","author":"Kloft M.","year":"2010","unstructured":"M. Kloft and P. Laskov. Online anomaly detection under adversarial impact. In AISTATS, 2010."},{"key":"e_1_3_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.17487\/rfc2104"},{"key":"e_1_3_2_2_40_1","volume-title":"Learning multiple layers of features from tiny images. Technical report","author":"Krizhevsky A.","year":"2009","unstructured":"A. Krizhevsky and G. Hinton. Learning multiple layers of features from tiny images. Technical report, University of Toronto, 2009."},{"key":"e_1_3_2_2_41_1","volume-title":"NIPS","author":"Krizhevsky A.","year":"2012","unstructured":"A. Krizhevsky, I. Sutskever, and G. E. Hinton. ImageNet classification with deep convolutional neural networks. In NIPS, 2012."},{"key":"e_1_3_2_2_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2009.5459250"},{"key":"e_1_3_2_2_43_1","doi-asserted-by":"publisher","DOI":"10.3115\/v1\/E14-3011"},{"key":"e_1_3_2_2_44_1","doi-asserted-by":"publisher","DOI":"10.5555\/3091622.3091662"},{"key":"e_1_3_2_2_46_1","doi-asserted-by":"publisher","DOI":"10.1038\/nature14539"},{"key":"e_1_3_2_2_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/5.726791"},{"key":"e_1_3_2_2_48_1","volume-title":"ICLR","author":"Lin Z.","year":"2016","unstructured":"Z. Lin, M. Courbariaux, R. Memisevic, and Y. Bengio. Neural networks with few multiplications. In ICLR, 2016."},{"key":"e_1_3_2_2_49_1","doi-asserted-by":"publisher","DOI":"10.1007\/s00145-001-0019-2"},{"key":"e_1_3_2_2_50_1","volume-title":"CEAS","author":"Lowd D.","year":"2005","unstructured":"D. Lowd. Good word attacks on statistical spam filters. In CEAS, 2005."},{"key":"e_1_3_2_2_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/1081870.1081950"},{"key":"e_1_3_2_2_52_1","volume-title":"Proc. 49th Annual Meeting of the ACL: Human Language Technologies","author":"Maas A. L.","year":"2011","unstructured":"A. L. Maas, R. E. Daly, P. T. Pham, D. Huang, A. Y. Ng, and C. Potts. Learning word vectors for sentiment analysis. In Proc. 49th Annual Meeting of the ACL: Human Language Technologies, 2011."},{"key":"e_1_3_2_2_53_1","volume-title":"v. d. Maaten and G. Hinton. Visualizing data using t-SNE. JMLR, 9(Nov):2579--2605","author":"L.","year":"2008","unstructured":"L. v. d. Maaten and G. Hinton. Visualizing data using t-SNE. JMLR, 9(Nov):2579--2605, 2008."},{"key":"e_1_3_2_2_54_1","volume-title":"https:\/\/azure.microsoft.com\/en-us\/services\/machine-learning","author":"Machine Learning Microsoft Azure","year":"2017","unstructured":"Microsoft Azure Machine Learning. https:\/\/azure.microsoft.com\/en-us\/services\/machine-learning, 2017."},{"key":"e_1_3_2_2_55_1","volume-title":"https:\/\/mljar.com","author":"MLJAR.","year":"2016","unstructured":"MLJAR. https:\/\/mljar.com, 2016--2017."},{"key":"e_1_3_2_2_56_1","volume-title":"http:\/\/mxnet.io","author":"MXNET.","year":"2015","unstructured":"MXNET. http:\/\/mxnet.io, 2015--2017."},{"key":"e_1_3_2_2_57_1","doi-asserted-by":"publisher","DOI":"10.1007\/11856214_5"},{"key":"e_1_3_2_2_58_1","volume-title":"http:\/\/www.nexosis.com","year":"2017","unstructured":"Nexosis. http:\/\/www.nexosis.com, 2017."},{"key":"e_1_3_2_2_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICIP.2014.7025068"},{"key":"e_1_3_2_2_60_1","volume-title":"Numerical Optimization","author":"Nocedal J.","year":"2006","unstructured":"J. Nocedal and S. J. Wright. Numerical Optimization. Springer, New York, 2nd edition, 2006.","edition":"2"},{"key":"e_1_3_2_2_61_1","volume-title":"USENIX Security","author":"Ohrimenko O.","year":"2016","unstructured":"O. Ohrimenko, F. Schuster, C. Fournet, A. Mehta, S. Nowozin, K. Vaswani, and M. Costa. Oblivious multi-party machine learning on trusted processors. In USENIX Security, 2016."},{"key":"e_1_3_2_2_62_1","doi-asserted-by":"publisher","DOI":"10.3115\/1219840.1219855"},{"key":"e_1_3_2_2_63_1","volume-title":"Towards the science of security and privacy in machine learning. https:\/\/arxiv.org\/abs\/1611.03814","author":"Papernot N.","year":"2016","unstructured":"N. Papernot, P. McDaniel, A. Sinha, and M. Wellman. Towards the science of security and privacy in machine learning. https:\/\/arxiv.org\/abs\/1611.03814, 2016."},{"key":"e_1_3_2_2_64_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46493-0_32"},{"key":"e_1_3_2_2_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/1644893.1644895"},{"key":"e_1_3_2_2_66_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.10"},{"key":"e_1_3_2_2_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813687"},{"key":"e_1_3_2_2_68_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"e_1_3_2_2_69_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDAR.2003.1227801"},{"key":"e_1_3_2_2_70_1","volume-title":"Theano: A Python framework for fast computation of mathematical expressions. https:\/\/arxiv.org\/abs\/1605.02688","author":"Team Theano Development","year":"2016","unstructured":"Theano Development Team. Theano: A Python framework for fast computation of mathematical expressions. https:\/\/arxiv.org\/abs\/1605.02688, 2016."},{"key":"e_1_3_2_2_71_1","volume-title":"USENIX Security","author":"Torres-Arias S.","year":"2016","unstructured":"S. Torres-Arias, A. K. Ammula, R. Curtmola, and J. Cappos. On omitting commits and committing omissions: Preventing git metadata tampering that (re)-introduces software vulnerabilities. In USENIX Security, 2016."},{"key":"e_1_3_2_2_72_1","volume-title":"The Nature of Statistical Learning Theory","author":"Vapnik V.","year":"2013","unstructured":"V. Vapnik. The Nature of Statistical Learning Theory. Springer Science & Business Media, 2013."},{"key":"e_1_3_2_2_73_1","doi-asserted-by":"publisher","DOI":"10.1145\/1655008.1655021"},{"key":"e_1_3_2_2_74_1","doi-asserted-by":"publisher","DOI":"10.1145\/2987550.2987558"},{"key":"e_1_3_2_2_75_1","volume-title":"ICLR","author":"Zhang C.","year":"2017","unstructured":"C. Zhang, S. Bengio, M. Hardt, B. Recht, and O. Vinyals. Understanding deep learning requires rethinking generalization. In ICLR, 2017."}],"event":{"name":"CCS '17: 2017 ACM SIGSAC Conference on Computer and Communications Security","location":"Dallas Texas USA","acronym":"CCS '17","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3133956.3134077","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3133956.3134077","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T02:11:03Z","timestamp":1750212663000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3133956.3134077"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,10,30]]},"references-count":73,"alternative-id":["10.1145\/3133956.3134077","10.1145\/3133956"],"URL":"https:\/\/doi.org\/10.1145\/3133956.3134077","relation":{},"subject":[],"published":{"date-parts":[[2017,10,30]]},"assertion":[{"value":"2017-10-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}