{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,12]],"date-time":"2026-05-12T16:37:45Z","timestamp":1778603865824,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":55,"publisher":"ACM","license":[{"start":{"date-parts":[[2020,10,30]],"date-time":"2020-10-30T00:00:00Z","timestamp":1604016000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Science Foundation","award":["1910546, 1953813, 1846151"],"award-info":[{"award-number":["1910546, 1953813, 1846151"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2020,10,30]]},"DOI":"10.1145\/3372297.3417253","type":"proceedings-article","created":{"date-parts":[[2020,11,2]],"date-time":"2020-11-02T18:27:04Z","timestamp":1604341624000},"page":"85-99","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":55,"title":["A Tale of Evil Twins: Adversarial Inputs versus Poisoned Models"],"prefix":"10.1145","author":[{"given":"Ren","family":"Pang","sequence":"first","affiliation":[{"name":"Pennsylvania State University, State College, PA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Hua","family":"Shen","sequence":"additional","affiliation":[{"name":"Pennsylvania State University, State College, PA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xinyang","family":"Zhang","sequence":"additional","affiliation":[{"name":"Pennsylvania State University, State College, PA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Shouling","family":"Ji","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, UNK, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yevgeniy","family":"Vorobeychik","sequence":"additional","affiliation":[{"name":"Washington University in St. Louis, St. Louis, MO, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xiapu","family":"Luo","sequence":"additional","affiliation":[{"name":"Hong Kong Polytechnic University, Hongkong, UNK, Hong Kong"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Alex","family":"Liu","sequence":"additional","affiliation":[{"name":"Ant Financia, Hangzhou, UNK, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ting","family":"Wang","sequence":"additional","affiliation":[{"name":"Pennsylvania State University, State College, PA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2020,11,2]]},"reference":[{"key":"e_1_3_2_2_1_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Alaifari Rima","year":"2019"},{"key":"e_1_3_2_2_2_1","volume-title":"Proceedings of IEEE Conference on Machine Learning (ICML).","author":"Athalye Anish","year":"2018"},{"key":"e_1_3_2_2_3_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2018.07.023"},{"key":"e_1_3_2_2_4_1","unstructured":"M. Bojarski D. Del Testa D. Dworakowski B. Firner B. Flepp P. Goyal L. D. Jackel M. Monfort U. Muller J. Zhang X. Zhang J. Zhao and K. Zieba. 2016. End to End Learning for Self-Driving Cars. ArXiv e-prints (2016).  M. Bojarski D. Del Testa D. Dworakowski B. Firner B. Flepp P. Goyal L. D. Jackel M. Monfort U. Muller J. Zhang X. Zhang J. Zhao and K. Zieba. 2016. End to End Learning for Self-Driving Cars. ArXiv e-prints (2016)."},{"key":"e_1_3_2_2_5_1","volume-title":"Convex Optimization","author":"Boyd Stephen"},{"key":"e_1_3_2_2_6_1","unstructured":"BVLC. 2017. Model Zoo. https:\/\/github.com\/BVLC\/caffe\/wiki\/Model-Zoo.  BVLC. 2017. Model Zoo. https:\/\/github.com\/BVLC\/caffe\/wiki\/Model-Zoo."},{"key":"e_1_3_2_2_7_1","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P).","author":"Carlini Nicholas"},{"key":"e_1_3_2_2_8_1","unstructured":"Bryant Chen Wilka Carvalho Nathalie Baracaldo Heiko Ludwig Benjamin Edwards Taesung Lee Ian Molloy and Biplav Srivastava. 2018. Detecting Backdoor Attacks on Deep Neural Networks by Activation Clustering. In ArXiv e-prints.  Bryant Chen Wilka Carvalho Nathalie Baracaldo Heiko Ludwig Benjamin Edwards Taesung Lee Ian Molloy and Biplav Srivastava. 2018. Detecting Backdoor Attacks on Deep Neural Networks by Activation Clustering. In ArXiv e-prints."},{"key":"e_1_3_2_2_9_1","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/647"},{"key":"e_1_3_2_2_10_1","unstructured":"Edward Chou Florian Tramer Giancarlo Pellegrino and Dan Boneh. 2018. SentiNet: Detecting Physical Attacks Against Deep Learning Systems. In ArXiv e-prints.  Edward Chou Florian Tramer Giancarlo Pellegrino and Dan Boneh. 2018. SentiNet: Detecting Physical Attacks Against Deep Learning Systems. In ArXiv e-prints."},{"key":"e_1_3_2_2_11_1","volume-title":"Proceedings of IEEE Conference on Machine Learning (ICML).","author":"Cohen Jeremy","year":"2019"},{"key":"e_1_3_2_2_12_1","doi-asserted-by":"publisher","DOI":"10.1007\/BF02551274"},{"key":"e_1_3_2_2_13_1","doi-asserted-by":"crossref","volume-title":"The Theory of Max-Min and Its Application to Weapons Allocation Problems","author":"Danskin J.M.","DOI":"10.1007\/978-3-642-46092-0"},{"key":"e_1_3_2_2_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"e_1_3_2_2_15_1","volume-title":"Februus: Input Purification Defense Against Trojan Attacks on Deep Neural Network Systems. In ArXiv e-prints.","author":"Doan Bao","year":"2020"},{"key":"e_1_3_2_2_16_1","volume-title":"Nature","volume":"542","author":"Esteva Andre","year":"2017"},{"key":"e_1_3_2_2_17_1","volume-title":"Classification Regions of Deep Neural Networks. ArXiv e-prints","author":"Fawzi Alhussein","year":"2017"},{"key":"e_1_3_2_2_18_1","volume-title":"STRIP: A Defence Against Trojan Attacks on Deep Neural Networks. In ArXiv e-prints.","author":"Gao Yansong","year":"2019"},{"key":"e_1_3_2_2_19_1","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P).","author":"Gehr T."},{"key":"e_1_3_2_2_20_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Goodfellow Ian","year":"2015"},{"key":"e_1_3_2_2_21_1","volume-title":"BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain. ArXiv e-prints","author":"Gu Tianyu","year":"2017"},{"key":"e_1_3_2_2_22_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Guo Chuan"},{"key":"e_1_3_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243757"},{"key":"e_1_3_2_2_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/CNS.2017.8228656"},{"key":"e_1_3_2_2_26_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Diederik"},{"key":"e_1_3_2_2_27_1","volume-title":"Learning Multiple Layers of Features from Tiny Images. Technical report","author":"Krizhevsky Alex"},{"key":"e_1_3_2_2_28_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Kurakin Alexey","year":"2017"},{"key":"e_1_3_2_2_29_1","volume-title":"Backdoor Embedding in Convolutional Neural Network Models via Invisible Perturbation. ArXiv e-prints","author":"Liao Cong","year":"2018"},{"key":"e_1_3_2_2_30_1","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P).","author":"Ling X."},{"key":"e_1_3_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363216"},{"key":"e_1_3_2_2_32_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23291"},{"key":"e_1_3_2_2_33_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23415"},{"key":"e_1_3_2_2_34_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Madry Aleksander","year":"2018"},{"key":"e_1_3_2_2_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134057"},{"key":"e_1_3_2_2_36_1","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR).","author":"Moosavi-Dezfooli S."},{"key":"e_1_3_2_2_37_1","volume-title":"Analysis of Universal Adversarial Perturbations. ArXiv e-prints","author":"Moosavi-Dezfooli Seyed-Mohsen","year":"2017"},{"key":"e_1_3_2_2_38_1","volume-title":"Robustness via Curvature Regularization, and Vice Versa. ArXiv e-prints","author":"Moosavi-Dezfooli Seyed-Mohsen","year":"2018"},{"key":"e_1_3_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.41"},{"key":"e_1_3_2_2_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.36"},{"key":"e_1_3_2_2_41_1","doi-asserted-by":"crossref","unstructured":"A.D. Polyanin and A.V. Manzhirov. 2006. Handbook of Mathematics for Engineers and Scientists. Taylor & Francis.  A.D. Polyanin and A.V. Manzhirov. 2006. Handbook of Mathematics for Engineers and Scientists. Taylor & Francis.","DOI":"10.1201\/9781420010510"},{"key":"e_1_3_2_2_42_1","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/D16-1264"},{"key":"e_1_3_2_2_43_1","volume-title":"Proceedings of Advances in Neural Information Processing Systems (NeurIPS).","author":"Shafahi Ali","year":"2019"},{"key":"e_1_3_2_2_44_1","volume-title":"Proceedings of Advances in Neural Information Processing Systems (NeurIPS).","author":"Shafahi Ali","year":"2018"},{"key":"e_1_3_2_2_45_1","doi-asserted-by":"publisher","DOI":"10.1038\/nature16961"},{"key":"e_1_3_2_2_46_1","volume-title":"Man vs. Computer: Benchmarking Machine Learning Algorithms for Traffic Sign Recognition. Neural Metworks","author":"Stallkamp Johannes","year":"2012"},{"key":"e_1_3_2_2_47_1","volume-title":"Proceedings of USENIX Security Symposium (SEC).","author":"Suciu Octavian","year":"2018"},{"key":"e_1_3_2_2_48_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Szegedy Christian","year":"2014"},{"key":"e_1_3_2_2_49_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Tram\u00e8r F."},{"key":"e_1_3_2_2_50_1","volume-title":"Proceedings of Advances in Neural Information Processing Systems (NeurIPS).","author":"Tran Brandon","year":"2018"},{"key":"e_1_3_2_2_51_1","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P).","author":"Wang B."},{"key":"e_1_3_2_2_52_1","volume-title":"Proceedings of USENIX Security Symposium (SEC).","author":"Wang Shiqi","year":"2018"},{"key":"e_1_3_2_2_53_1","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS).","author":"Xu W."},{"key":"e_1_3_2_2_54_1","volume-title":"Proceedings of ACM SAC Conference on Computer and Communications (CCS).","author":"Yao Yuanshun"},{"key":"e_1_3_2_2_55_1","volume-title":"Smola","author":"Zinkevich Martin","year":"2010"}],"event":{"name":"CCS '20: 2020 ACM SIGSAC Conference on Computer and Communications Security","location":"Virtual Event USA","acronym":"CCS '20","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3372297.3417253","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3372297.3417253","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3372297.3417253","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:01:30Z","timestamp":1750197690000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3372297.3417253"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,10,30]]},"references-count":55,"alternative-id":["10.1145\/3372297.3417253","10.1145\/3372297"],"URL":"https:\/\/doi.org\/10.1145\/3372297.3417253","relation":{},"subject":[],"published":{"date-parts":[[2020,10,30]]},"assertion":[{"value":"2020-11-02","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}