{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,3]],"date-time":"2026-02-03T17:06:48Z","timestamp":1770138408783,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":51,"publisher":"ACM","license":[{"start":{"date-parts":[[2019,6,22]],"date-time":"2019-06-22T00:00:00Z","timestamp":1561161600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"ONR","award":["N00014-17-1-2500"],"award-info":[{"award-number":["N00014-17-1-2500"]}]},{"name":"AFOSR MURI","award":["FA9550-14-1-0351"],"award-info":[{"award-number":["FA9550-14-1-0351"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2019,6,22]]},"DOI":"10.1145\/3307650.3322251","type":"proceedings-article","created":{"date-parts":[[2019,6,14]],"date-time":"2019-06-14T12:42:33Z","timestamp":1560516153000},"page":"487-498","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":29,"title":["DeepAttest"],"prefix":"10.1145","author":[{"given":"Huili","family":"Chen","sequence":"first","affiliation":[{"name":"University of California, San Diego"}]},{"given":"Cheng","family":"Fu","sequence":"additional","affiliation":[{"name":"University of California, San Diego"}]},{"given":"Bita Darvish","family":"Rouhani","sequence":"additional","affiliation":[{"name":"University of California, San Diego and Microsoft"}]},{"given":"Jishen","family":"Zhao","sequence":"additional","affiliation":[{"name":"University of California, San Diego"}]},{"given":"Farinaz","family":"Koushanfar","sequence":"additional","affiliation":[{"name":"University of California, San Diego"}]}],"member":"320","published-online":{"date-parts":[[2019,6,22]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Turning Your Weakness Into a Strength: Watermarking Deep Neural Networks by Backdooring. arXiv preprint","author":"Adi Yossi","year":"2018","unstructured":"Yossi Adi, Carsten Baum, Moustapha Cisse, Benny Pinkas, and Joseph Keshet. 2018. Turning Your Weakness Into a Strength: Watermarking Deep Neural Networks by Backdooring. arXiv preprint (2018)."},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.5555\/3026877.3026930"},{"key":"e_1_3_2_1_3_1","first-page":"2399","article-title":"Manifold regularization: A geometric framework for learning from labeled and unlabeled examples","author":"Belkin Mikhail","year":"2006","unstructured":"Mikhail Belkin, Partha Niyogi, and Vikas Sindhwani. 2006. Manifold regularization: A geometric framework for learning from labeled and unlabeled examples. Journal of machine learning research 7, Nov (2006), 2399--2434.","journal-title":"Journal of machine learning research 7"},{"key":"e_1_3_2_1_4_1","volume-title":"IBM Research Division, RC25287 (WAT1205-070)","author":"Boivie Rick","year":"2012","unstructured":"Rick Boivie and Peter Williams. 2012. SecureBlue++: CPU support for secure execution. IBM, IBM Research Division, RC25287 (WAT1205-070) (2012), 1--9."},{"key":"e_1_3_2_1_5_1","volume-title":"2015 52nd ACM\/EDAC\/IEEE Design Automation Conference (DAC).","author":"Brasser F.","unstructured":"F. Brasser, B. El Mahjoub, A. Sadeghi, C. Wachsmann, and P. Koeberl. 2015. TyTAN: Tiny trust anchor for tiny devices. In 2015 52nd ACM\/EDAC\/IEEE Design Automation Conference (DAC)."},{"key":"e_1_3_2_1_6_1","volume-title":"Software grand exposure: SGX cache attacks are practical. arXiv","author":"Brasser Ferdinand","year":"2017","unstructured":"Ferdinand Brasser, Urs M\u00fcller, Alexandra Dmitrienko, Kari Kostiainen, Srdjan Capkun, and Ahmad-Reza Sadeghi. 2017. Software grand exposure: SGX cache attacks are practical. arXiv (2017)."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3323873.3325042"},{"key":"e_1_3_2_1_8_1","volume-title":"Eyeriss: A Spatial Architecture for Energy-Efficient Dataflow for Convolutional Neural Networks. In 2016 ACM\/IEEE 43rd Annual International Symposium on Computer Architecture (ISCA). 367--379","author":"Chen Y.","unstructured":"Y. Chen, J. Emer, and V. Sze. 2016. Eyeriss: A Spatial Architecture for Energy-Efficient Dataflow for Convolutional Neural Networks. In 2016 ACM\/IEEE 43rd Annual International Symposium on Computer Architecture (ISCA). 367--379."},{"key":"e_1_3_2_1_9_1","volume-title":"G\u00e9rard Ben Arous, and Yann LeCun","author":"Choromanska Anna","year":"2015","unstructured":"Anna Choromanska, Mikael Henaff, Michael Mathieu, G\u00e9rard Ben Arous, and Yann LeCun. 2015. The loss surfaces of multilayer networks. In Artificial Intelligence and Statistics."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/1390156.1390177"},{"key":"e_1_3_2_1_11_1","volume-title":"II: Intel SGX security analysis and MIT sanctum architecture. Foundations and Trends\u00ae in Electronic Design Automation 11, 3","author":"Costan Victor","year":"2017","unstructured":"Victor Costan, Ilia Lebedev, Srinivas Devadas, et al. 2017. Secure processors part II: Intel SGX security analysis and MIT sanctum architecture. Foundations and Trends\u00ae in Electronic Design Automation 11, 3 (2017), 249--361."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3297858.3304051"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"crossref","unstructured":"J. Deng W. Dong R. Socher L.-J. Li K. Li and L. Fei-Fei. 2009. ImageNet: A Large-Scale Hierarchical Image Database. In CVPR09.","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.anucene.2018.05.054"},{"key":"e_1_3_2_1_15_1","volume-title":"International Conference on Machine Learning. 201--210","author":"Gilad-Bachrach Ran","year":"2016","unstructured":"Ran Gilad-Bachrach, Nathan Dowlin, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing. 2016. Cryptonets: Applying neural networks to encrypted data with high throughput and accuracy. In International Conference on Machine Learning. 201--210."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/233551.233553"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3065913.3065915"},{"key":"e_1_3_2_1_18_1","volume-title":"Deep compression: Compressing deep neural networks with pruning, trained quantization and huffman coding. arXiv preprint arXiv:1510.00149","author":"Han Song","year":"2015","unstructured":"Song Han, Huizi Mao, and William J Dally. 2015. Deep compression: Compressing deep neural networks with pruning, trained quantization and huffman coding. arXiv preprint arXiv:1510.00149 (2015)."},{"key":"e_1_3_2_1_19_1","unstructured":"Danny Harnik. 2017. Impressions of Intel SGX performance. https:\/\/medium.com\/@danny_harnik\/impressions-of-intel-sgx-performance-22442093595a."},{"key":"e_1_3_2_1_20_1","volume-title":"Mobilenets: Efficient convolutional neural networks for mobile vision applications. arXiv preprint","author":"Howard Andrew G","year":"2017","unstructured":"Andrew G Howard, Menglong Zhu, Bo Chen, Dmitry Kalenichenko, Weijun Wang, Tobias Weyand, Marco Andreetto, and Hartwig Adam. 2017. Mobilenets: Efficient convolutional neural networks for mobile vision applications. arXiv preprint (2017)."},{"key":"e_1_3_2_1_21_1","volume-title":"FASE: FPGA Acceleration of Secure Function Evaluation. In Field-Programmable Custom Computing Machines.","author":"Hussain Siam U","year":"2019","unstructured":"Siam U Hussain and Farinaz Koushanfar. 2019. FASE: FPGA Acceleration of Secure Function Evaluation. In Field-Programmable Custom Computing Machines."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/DAC.2018.8465770"},{"key":"e_1_3_2_1_23_1","unstructured":"Intel. 2017. Intel Software Guard Extensions SDK. https:\/\/software.intel.com\/en-us\/sgx-sdk-dev-reference-sgx-get-trusted-time."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.5555\/3277203.3277326"},{"key":"e_1_3_2_1_25_1","unstructured":"Yash Katariya. 2016. MNIST CNN benchmark. https:\/\/github.com\/yashk2810\/MNIST-Keras\/tree\/master\/Notebook."},{"key":"e_1_3_2_1_26_1","volume-title":"Spectre attacks: Exploiting speculative execution. arXiv","author":"Kocher Paul","year":"2018","unstructured":"Paul Kocher, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. 2018. Spectre attacks: Exploiting speculative execution. arXiv (2018)."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/2592798.2592824"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/5.726791"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.5555\/3241189.3241233"},{"key":"e_1_3_2_1_31_1","unstructured":"ARM LIMITED. 2009. ARM Security Technology - Building a Secure System using TrustZone Technology."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2017.2647955"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.5555\/3241189.3241289"},{"key":"e_1_3_2_1_34_1","volume-title":"Adversarial frontier stitching for remote neural network watermarking. arXiv preprint","author":"Merrer Erwan Le","year":"2017","unstructured":"Erwan Le Merrer, Patrick Perez, and Gilles Tr\u00e9dan. 2017. Adversarial frontier stitching for remote neural network watermarking. arXiv preprint (2017)."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.5555\/211390"},{"key":"e_1_3_2_1_36_1","volume-title":"XONN: XNOR-based Oblivious Deep Neural Network Inference. USENIX Security","author":"Riazi M Sadegh","year":"2019","unstructured":"M Sadegh Riazi, Mohammad Samragh, Hao Chen, Kim Laine, Kristin Lauter, and Farinaz Koushanfar. 2019. XONN: XNOR-based Oblivious Deep Neural Network Inference. USENIX Security (2019)."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196522"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/3195970.3196023"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/3240765.3240791"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.5555\/559923"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA.2018.00069"},{"key":"e_1_3_2_1_42_1","volume-title":"Very deep convolutional networks for large-scale image recognition. arXiv","author":"Simonyan Karen","year":"2014","unstructured":"Karen Simonyan and Andrew Zisserman. 2014. Very deep convolutional networks for large-scale image recognition. arXiv (2014)."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.32"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.5555\/2627435.2670313"},{"key":"e_1_3_2_1_45_1","unstructured":"Synopsys. 2017. DesignWare pipelined AES-GCM\/CTR core. https:\/\/www.synopsys.com\/dw\/ipdir.php?ds=security-aes-gcm-ctr.."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.5555\/1267308.1267328"},{"key":"e_1_3_2_1_47_1","volume-title":"Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware. arXiv","author":"Tramer Florian","year":"2018","unstructured":"Florian Tramer and Dan Boneh. 2018. Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware. arXiv (2018)."},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/3078971.3078974"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.5555\/3291168.3291219"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3079856.3080208"},{"key":"e_1_3_2_1_51_1","volume-title":"Security, Steganography, and Watermarking of Multimedia Contents VI","author":"Wu Min","unstructured":"Min Wu, Wade Trappe, Z Jane Wang, and KJ Ray Liu. 2004. Collusion-resistant multimedia fingerprinting: a unified framework. In Security, Steganography, and Watermarking of Multimedia Contents VI, Vol. 5306. International Society for Optics and Photonics, 748--760."},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2948618.2954330"}],"event":{"name":"ISCA '19: The 46th Annual International Symposium on Computer Architecture","location":"Phoenix Arizona","acronym":"ISCA '19","sponsor":["SIGARCH ACM Special Interest Group on Computer Architecture","IEEE-CS\\DATC IEEE Computer Society"]},"container-title":["Proceedings of the 46th International Symposium on Computer Architecture"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3307650.3322251","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3307650.3322251","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3307650.3322251","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:54:06Z","timestamp":1750204446000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3307650.3322251"}},"subtitle":["an end-to-end attestation framework for deep neural networks"],"short-title":[],"issued":{"date-parts":[[2019,6,22]]},"references-count":51,"alternative-id":["10.1145\/3307650.3322251","10.1145\/3307650"],"URL":"https:\/\/doi.org\/10.1145\/3307650.3322251","relation":{},"subject":[],"published":{"date-parts":[[2019,6,22]]},"assertion":[{"value":"2019-06-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}