{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,14]],"date-time":"2026-05-14T20:08:09Z","timestamp":1778789289986,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":53,"publisher":"ACM","license":[{"start":{"date-parts":[[2020,11,9]],"date-time":"2020-11-09T00:00:00Z","timestamp":1604880000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Bosch Forschungsstiftung im Stifterverband","award":["PhD Scholarship of the main author"],"award-info":[{"award-number":["PhD Scholarship of the main author"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2020,11,13]]},"DOI":"10.1145\/3411508.3421381","type":"proceedings-article","created":{"date-parts":[[2020,11,2]],"date-time":"2020-11-02T21:16:40Z","timestamp":1604351800000},"page":"13-24","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":9,"title":["Towards Certifiable Adversarial Sample Detection"],"prefix":"10.1145","author":[{"given":"Ilia","family":"Shumailov","sequence":"first","affiliation":[{"name":"University of Cambridge, Cambridge, United Kingdom"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yiren","family":"Zhao","sequence":"additional","affiliation":[{"name":"University of Cambridge, Cambridge, United Kingdom"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Robert","family":"Mullins","sequence":"additional","affiliation":[{"name":"University of Cambridge, Cambridge, United Kingdom"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ross","family":"Anderson","sequence":"additional","affiliation":[{"name":"University of Cambridge, Cambridge, United Kingdom"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2020,11,9]]},"reference":[
{"key":"e_1_3_2_1_1_1","volume-title":"Segnet: A deep convolutional encoder-decoder architecture for image segmentation. arXiv preprint arXiv:1511.00561","author":"Badrinarayanan Vijay","year":"2015","unstructured":"Vijay Badrinarayanan, Alex Kendall, and Roberto Cipolla. 2015. Segnet: A deep convolutional encoder-decoder architecture for image segmentation. arXiv preprint arXiv:1511.00561 (2015)."},
{"key":"e_1_3_2_1_2_1","volume-title":"International Conference on Learning Representations Workshop (ICLR)","author":"Bhagoji Arjun Nitin","year":"2018","unstructured":"Arjun Nitin Bhagoji, Warren He, Bo Li, and Dawn Song. 2018. Black-box attacks on deep neural networks via gradient estimation. International Conference on Learning Representations Workshop (ICLR) (2018)."},
{"key":"e_1_3_2_1_3_1","volume-title":"Decision-Based Adversarial Attacks: Reliable Attacks Against Black-Box Machine Learning Models. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=SyZI0GWCZ","author":"Brendel Wieland","year":"2018","unstructured":"Wieland Brendel, Jonas Rauber, and Matthias Bethge. 2018. Decision-Based Adversarial Attacks: Reliable Attacks Against Black-Box Machine Learning Models. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=SyZI0GWCZ"},
{"key":"e_1_3_2_1_4_1","volume-title":"Hidden Voice Commands. In 25th USENIX Security Symposium (USENIX Security 16)","author":"Carlini Nicholas","year":"2016","unstructured":"Nicholas Carlini, Pratyush Mishra, Tavish Vaidya, Yuankai Zhang, Micah Sherr, Clay Shields, David Wagner, and Wenchao Zhou. 2016. Hidden Voice Commands. In 25th USENIX Security Symposium (USENIX Security 16). USENIX Association."},
{"key":"e_1_3_2_1_5_1","volume-title":"arXiv preprint arXiv:1711.08478","author":"Carlini Nicholas","year":"2017","unstructured":"Nicholas Carlini and David Wagner. 2017a. Magnet and \"efficient defenses against adversarial attacks\" are not robust to adversarial examples. arXiv preprint arXiv:1711.08478 (2017)."},
{"key":"e_1_3_2_1_6_1","volume-title":"Towards Evaluating the Robustness of Neural Networks. In 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 39--57","author":"Carlini Nicholas","year":"2017","unstructured":"Nicholas Carlini and David Wagner. 2017b. Towards Evaluating the Robustness of Neural Networks. In 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 39--57."},
{"key":"e_1_3_2_1_7_1","volume-title":"Wagner","author":"Chen Steven","year":"2019","unstructured":"Steven Chen, Nicholas Carlini, and David A. Wagner. 2019. Stateful Detection of Black-Box Adversarial Attacks. CoRR, Vol. abs\/1907.05587 (2019). arxiv: 1907.05587 http:\/\/arxiv.org\/abs\/1907.05587"},
{"key":"e_1_3_2_1_8_1","volume-title":"Proceedings of the 36th International Conference on Machine Learning.","author":"Cohen Jeremy","year":"2019","unstructured":"Jeremy Cohen, Elan Rosenfeld, and Zico Kolter. 2019. Certified Adversarial Robustness via Randomized Smoothing. In Proceedings of the 36th International Conference on Machine Learning."},
{"key":"e_1_3_2_1_9_1","volume-title":"Training verified learners with learned verifiers. arXiv preprint arXiv:1805.10265","author":"Dvijotham Krishnamurthy","year":"2018","unstructured":"Krishnamurthy Dvijotham, Sven Gowal, Robert Stanforth, Relja Arandjelovic, Brendan O'Donoghue, Jonathan Uesato, and Pushmeet Kohli. 2018. Training verified learners with learned verifiers. arXiv preprint arXiv:1805.10265 (2018)."},
{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},
{"key":"e_1_3_2_1_11_1","volume-title":"Road-sign detection and tracking","author":"Fang Chiung-Yao","year":"2003","unstructured":"Chiung-Yao Fang, Sei-Wang Chen, and Chiou-Shann Fuh. 2003. Road-sign detection and tracking. IEEE transactions on vehicular technology, Vol. 52, 5 (2003), 1329--1341."},
{"key":"e_1_3_2_1_12_1","volume-title":"Deep Ensembles: A Loss Landscape Perspective. arXiv preprint arXiv:1912.02757","author":"Fort Stanislav","year":"2019","unstructured":"Stanislav Fort, Huiyi Hu, and Balaji Lakshminarayanan. 2019. Deep Ensembles: A Loss Landscape Perspective. arXiv preprint arXiv:1912.02757 (2019)."},
{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00058"},
{"key":"e_1_3_2_1_14_1","volume-title":"Adversarial spheres. arXiv preprint arXiv:1801.02774","author":"Gilmer Justin","year":"2018","unstructured":"Justin Gilmer, Luke Metz, Fartash Faghri, Samuel S Schoenholz, Maithra Raghu, Martin Wattenberg, and Ian Goodfellow. 2018. Adversarial spheres. arXiv preprint arXiv:1801.02774 (2018)."},
{"key":"e_1_3_2_1_15_1","volume-title":"International Conference on Learning Representations (ICLR)","author":"Goodfellow Ian J","year":"2015","unstructured":"Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. International Conference on Learning Representations (ICLR) (2015)."},
{"key":"e_1_3_2_1_16_1","volume-title":"On the effectiveness of interval bound propagation for training verifiably robust models. arXiv preprint arXiv:1810.12715","author":"Gowal Sven","year":"2018","unstructured":"Sven Gowal, Krishnamurthy Dvijotham, Robert Stanforth, Rudy Bunel, Chongli Qin, Jonathan Uesato, Timothy Mann, and Pushmeet Kohli. 2018. On the effectiveness of interval bound propagation for training verifiably robust models. arXiv preprint arXiv:1810.12715 (2018)."},
{"key":"e_1_3_2_1_17_1","volume-title":"McDaniel","author":"Grosse Kathrin","year":"2017","unstructured":"Kathrin Grosse, Praveen Manoharan, Nicolas Papernot, Michael Backes, and Patrick D. McDaniel. 2017. On the (Statistical) Detection of Adversarial Examples. CoRR, Vol. abs\/1702.06280 (2017). arxiv: 1702.06280"},
{"key":"e_1_3_2_1_18_1","volume-title":"Florian Tram\u00e8r, and Nicolas Papernot","author":"Jacobsen J\u00f6rn-Henrik","year":"2019","unstructured":"J\u00f6rn-Henrik Jacobsen, Jens Behrmann, Nicholas Carlini, Florian Tram\u00e8r, and Nicolas Papernot. 2019. Exploiting Excessive Invariance caused by Norm-Bounded Adversarial Robustness. CoRR, Vol. abs\/1903.10484 (2019). arxiv: 1903.10484 http:\/\/arxiv.org\/abs\/1903.10484"},
{"key":"e_1_3_2_1_19_1","volume-title":"High Accuracy and High Fidelity Extraction of Neural Networks. In 29th USENIX Security Symposium (USENIX Security 20)","author":"Jagielski Matthew","year":"2020","unstructured":"Matthew Jagielski, Nicholas Carlini, David Berthelot, Alex Kurakin, and Nicolas Papernot. 2020. High Accuracy and High Fidelity Extraction of Neural Networks. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, Boston, MA. https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/jagielski"},
{"key":"e_1_3_2_1_20_1","volume-title":"3D convolutional neural networks for human action recognition","author":"Ji Shuiwang","year":"2013","unstructured":"Shuiwang Ji, Wei Xu, Ming Yang, and Kai Yu. 2013. 3D convolutional neural networks for human action recognition. IEEE transactions on pattern analysis and machine intelligence, Vol. 35, 1 (2013), 221--231."},
{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-63387-9_5"},
{"key":"e_1_3_2_1_22_1","volume-title":"La cryptographie militaire. Journal des sciences militaires","author":"Kerckhoffs Auguste","unstructured":"Auguste Kerckhoffs. 1883. La cryptographie militaire. Journal des sciences militaires, vol. IX, 161--191."},
{"key":"e_1_3_2_1_23_1","unstructured":"Alex Krizhevsky, Vinod Nair, and Geoffrey Hinton. 2014. The CIFAR-10 dataset. (2014)."},
{"key":"e_1_3_2_1_24_1","unstructured":"Alex Krizhevsky, Ilya Sutskever, and Geoffrey E Hinton. 2012. ImageNet classification with deep convolutional neural networks. In Advances in neural information processing systems. 1097--1105."},
{"key":"e_1_3_2_1_25_1","volume-title":"Remi Le Priol, and Aaron Courville","author":"Krueger David","year":"2020","unstructured":"David Krueger, Ethan Caballero, Joern-Henrik Jacobsen, Amy Zhang, Jonathan Binas, Remi Le Priol, and Aaron Courville. 2020. Out-of-Distribution Generalization via Risk Extrapolation (REx). arXiv preprint arXiv:2003.00688 (2020)."},
{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3369412.3395076"},
{"key":"e_1_3_2_1_27_1","unstructured":"Alexey Kurakin, Ian Goodfellow, and Samy Bengio. 2017. Adversarial machine learning at scale. (2017)."},
{"key":"e_1_3_2_1_28_1","volume-title":"mbox","author":"LeCun Yann","year":"2015","unstructured":"Yann LeCun et al. 2015. LeNet-5, convolutional neural networks. (2015), 20."},
{"key":"e_1_3_2_1_29_1","volume-title":"MNIST handwritten digit database","author":"LeCun Yann","year":"2010","unstructured":"Yann LeCun, Corinna Cortes, and CJ Burges. 2010. MNIST handwritten digit database. Vol. 2 (2010)."},
{"key":"e_1_3_2_1_30_1","volume-title":"Certified Robustness to Adversarial Examples with Differential Privacy","author":"L\u00e9cuyer Mathias","year":"2019","unstructured":"Mathias L\u00e9cuyer, Vaggelis Atlidakis, Roxana Geambasu, Daniel Hsu, and Suman Jana. 2018. Certified Robustness to Adversarial Examples with Differential Privacy. In IEEE S&P 2019."},
{"key":"e_1_3_2_1_31_1","unstructured":"Jiajun Lu, Theerasit Issaranon, and David A Forsyth. [n.d.]. SafetyNet: Detecting and Rejecting Adversarial Examples Robustly."},
{"key":"e_1_3_2_1_32_1","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards deep learning models resistant to adversarial attacks. (2018)."},
{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134057"},
{"key":"e_1_3_2_1_34_1","volume-title":"Proceedings of 5th International Conference on Learning Representations (ICLR).","author":"Metzen Jan Hendrik","year":"2017","unstructured":"Jan Hendrik Metzen, Tim Genewein, Volker Fischer, and Bastian Bischoff. 2017. On Detecting Adversarial Perturbations. In Proceedings of 5th International Conference on Learning Representations (ICLR)."},
{"key":"e_1_3_2_1_35_1","volume-title":"International Conference on Machine Learning.","author":"Mirman Matthew","year":"2018","unstructured":"Matthew Mirman, Timon Gehr, and Martin Vechev. 2018. Differentiable abstract interpretation for provably robust neural networks. In International Conference on Machine Learning."},
{"key":"e_1_3_2_1_36_1","doi-asserted-by":"crossref","unstructured":"Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, and Pascal Frossard. 2016. DeepFool: a simple and accurate method to fool deep neural networks. (2016).","DOI":"10.1109\/CVPR.2016.282"},
{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00348"},
{"key":"e_1_3_2_1_38_1","volume-title":"Proceedings of the 36th International Conference on Machine Learning (Proceedings of Machine Learning Research","volume":"4979","author":"Pang Tianyu","year":"2019","unstructured":"Tianyu Pang, Kun Xu, Chao Du, Ning Chen, and Jun Zhu. 2019. Improving Adversarial Robustness via Promoting Ensemble Diversity. In Proceedings of the 36th International Conference on Machine Learning (Proceedings of Machine Learning Research, Vol. 97), Kamalika Chaudhuri and Ruslan Salakhutdinov (Eds.). 4970--4979."},
{"key":"e_1_3_2_1_39_1","volume-title":"Foolbox: A python toolbox to benchmark the robustness of machine learning models. arXiv preprint arXiv:1707.04131","author":"Rauber Jonas","year":"2017","unstructured":"Jonas Rauber, Wieland Brendel, and Matthias Bethge. 2017. Foolbox: A python toolbox to benchmark the robustness of machine learning models. arXiv preprint arXiv:1707.04131 (2017)."},
{"key":"e_1_3_2_1_40_1","unstructured":"Shaoqing Ren, Kaiming He, Ross Girshick, and Jian Sun. 2015. Faster R-CNN: Towards real-time object detection with region proposal networks. In Advances in neural information processing systems. 91--99."},
{"key":"e_1_3_2_1_41_1","volume-title":"International Conference on Learning Representations Workshop (ICLR)","author":"Schott Lukas","year":"2019","unstructured":"Lukas Schott, Jonas Rauber, Matthias Bethge, and Wieland Brendel. 2019. Towards the first adversarially robust neural network model on MNIST. International Conference on Learning Representations Workshop (ICLR) (2019)."},
{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7298682"},
{"key":"e_1_3_2_1_43_1","volume-title":"Zhao","author":"Shan Shawn","year":"2019","unstructured":"Shawn Shan, Emily Willson, Bolun Wang, Bo Li, Haitao Zheng, and Ben Y. Zhao. 2019. Gotta Catch 'Em All: Using Concealed Trapdoors to Detect Adversarial Attacks on Neural Networks. CoRR, Vol. abs\/1904.08554 (2019). arxiv: 1904.08554 http:\/\/arxiv.org\/abs\/1904.08554"},
{"key":"e_1_3_2_1_44_1","volume-title":"Sitatapatra: Blocking the Transfer of Adversarial Samples.","author":"Shumailov Ilia","year":"2019","unstructured":"Ilia Shumailov, Xitong Gao, Yiren Zhao, Robert Mullins, Ross Anderson, and Cheng-Zhong Xu. 2019. Sitatapatra: Blocking the Transfer of Adversarial Samples. (2019)."},
{"key":"e_1_3_2_1_45_1","volume-title":"Sponge Examples: Energy-Latency Attacks on Neural Networks. arXiv preprint arXiv:2006.03463","author":"Shumailov Ilia","year":"2020","unstructured":"Ilia Shumailov, Yiren Zhao, Daniel Bates, Nicolas Papernot, Robert Mullins, and Ross Anderson. 2020. Sponge Examples: Energy-Latency Attacks on Neural Networks. arXiv preprint arXiv:2006.03463 (2020)."},
{"key":"e_1_3_2_1_46_1","volume-title":"The Taboo Trap: Behavioural Detection of Adversarial Samples. arXiv preprint arXiv:1811.07375","author":"Shumailov Ilia","year":"2018","unstructured":"Ilia Shumailov, Yiren Zhao, Robert Mullins, and Ross Anderson. 2018. The Taboo Trap: Behavioural Detection of Adversarial Samples. arXiv preprint arXiv:1811.07375 (2018)."},
{"key":"e_1_3_2_1_47_1","volume-title":"Intriguing properties of neural networks. CoRR","author":"Szegedy Christian","year":"2013","unstructured":"Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian J. Goodfellow, and Rob Fergus. 2013. Intriguing properties of neural networks. CoRR, Vol. abs\/1312.6199 (2013). arxiv: 1312.6199"},
{"key":"e_1_3_2_1_48_1","unstructured":"Shiqi Wang, Kexin Pei, Justin Whitehouse, Junfeng Yang, and Suman Jana. 2018. Efficient formal safety analysis of neural networks. In Advances in Neural Information Processing Systems. 6367--6377."},
{"key":"e_1_3_2_1_49_1","volume":"201","author":"Wong Eric","unstructured":"Eric Wong, Frank Schmidt, Jan Hendrik Metzen, and J Zico Kolter. 2018. Scaling provable adversarial defenses. In Advances in Neural Information Processing Systems. 8400--8409.","journal-title":"J Zico Kolter."},
{"key":"e_1_3_2_1_50_1","unstructured":"Han Xiao, Kashif Rasul, and Roland Vollgraf. 2017. Fashion-MNIST: a Novel Image Dataset for Benchmarking Machine Learning Algorithms. arXiv:1708.07747 [cs.LG]"},
{"key":"e_1_3_2_1_51_1","volume-title":"Detection and Recovery of Adversarial Attacks with Injected Attractors. arXiv preprint arXiv:2003.02732","author":"Zhang Jiyi","year":"2020","unstructured":"Jiyi Zhang, Ee-Chien Chang, and Hwee Kuan Lee. 2020. Detection and Recovery of Adversarial Attacks with Injected Attractors. arXiv preprint arXiv:2003.02732 (2020)."},
{"key":"e_1_3_2_1_52_1","volume-title":"Mayo: A Framework for Auto-generating Hardware Friendly Deep Neural Networks.","author":"Zhao Yiren","year":"2018","unstructured":"Yiren Zhao, Xitong Gao, Robert Mullins, and Chengzhong Xu. 2018a. Mayo: A Framework for Auto-generating Hardware Friendly Deep Neural Networks. (2018)."},
{"key":"e_1_3_2_1_53_1","volume-title":"To compress or not to compress: Understanding the Interactions between Adversarial Attacks and Neural Network Compression. arXiv preprint arXiv:1810.00208","author":"Zhao Yiren","year":"2018","unstructured":"Yiren Zhao, Ilia Shumailov, Robert Mullins, and Ross Anderson. 2018b. To compress or not to compress: Understanding the Interactions between Adversarial Attacks and Neural Network Compression. arXiv preprint arXiv:1810.00208 (2018)."}
],"event":{"name":"CCS '20: 2020 ACM SIGSAC Conference on Computer and Communications Security","location":"Virtual Event USA","acronym":"CCS '20","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3411508.3421381","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3411508.3421381","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:02:38Z","timestamp":1750197758000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3411508.3421381"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,11,9]]},"references-count":53,"alternative-id":["10.1145\/3411508.3421381","10.1145\/3411508"],"URL":"https:\/\/doi.org\/10.1145\/3411508.3421381","relation":{},"subject":[],"published":{"date-parts":[[2020,11,9]]},"assertion":[{"value":"2020-11-09","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}