{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,22]],"date-time":"2026-04-22T19:44:43Z","timestamp":1776887083436,"version":"3.51.2"},"publisher-location":"New York, NY, USA","reference-count":61,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,11,12]],"date-time":"2021-11-12T00:00:00Z","timestamp":1636675200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100009318","name":"Helmholtz Association","doi-asserted-by":"publisher","award":["ZT-I-OO1 4"],"award-info":[{"award-number":["ZT-I-OO1 4"]}],"id":[{"id":"10.13039\/501100009318","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,11,12]]},"DOI":"10.1145\/3460120.3484575","type":"proceedings-article","created":{"date-parts":[[2021,11,13]],"date-time":"2021-11-13T12:05:27Z","timestamp":1636805127000},"page":"880-895","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":152,"title":["Membership Leakage in Label-Only Exposures"],"prefix":"10.1145","author":[{"given":"Zheng","family":"Li","sequence":"first","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"}]},{"given":"Yang","family":"Zhang","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"}]}],"member":"320","published-online":{"date-parts":[[2021,11,13]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"https:\/\/www.cs.toronto.edu\/~kriz\/cifar.html."},{"key":"e_1_3_2_2_2_1","unstructured":"http:\/\/benchmark.ini.rub.de\/?section=gtsrb."},{"key":"e_1_3_2_2_3_1","unstructured":"http:\/\/vis-www.cs.umass.edu\/lfw\/."},{"key":"e_1_3_2_2_4_1","first-page":"308","volume-title":"Li 
Zhang. Deep Learning with Differential Privacy. In ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Abadi Martin","year":"2016","unstructured":"Martin Abadi, Andy Chu, Ian Goodfellow, Brendan McMahan, Ilya Mironov, Kunal Talwar, and Li Zhang. Deep Learning with Differential Privacy. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 308--318. ACM, 2016."},{"key":"e_1_3_2_2_5_1","first-page":"1615","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Adi Yossi","year":"2018","unstructured":"Yossi Adi, Carsten Baum, Moustapha Cisse, Benny Pinkas, and Joseph Keshet. Turning Your Weakness Into a Strength: Watermarking Deep Neural Networks by Backdooring. In USENIX Security Symposium (USENIX Security), pages 1615--1631. USENIX, 2018."},{"key":"e_1_3_2_2_6_1","first-page":"319","volume-title":"Praveen Manoharan. Membership Privacy in MicroRNA-based Studies. In ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Backes Michael","year":"2016","unstructured":"Michael Backes, Pascal Berrang, Mathias Humbert, and Praveen Manoharan. Membership Privacy in MicroRNA-based Studies. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 319--330. ACM, 2016."},{"key":"e_1_3_2_2_7_1","first-page":"1943","volume-title":"ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Backes Michael","year":"2017","unstructured":"Michael Backes, Mathias Humbert, Jun Pang, and Yang Zhang. walk2friends: Inferring Social Links from Mobility Profiles. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 1943--1957. ACM, 2017."},{"key":"e_1_3_2_2_8_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40994-3_25"},{"key":"e_1_3_2_2_9_1","first-page":"3962","volume-title":"Bressler. Automatic Screening of Age-related Macular Degeneration and Retinal Abnormalities. 
In Annual International Conference of the IEEE Engineering in Medicine and Biology Society (EMBC)","author":"Burlina Philippe","year":"2011","unstructured":"Philippe Burlina, David E. Freund, B. Dupas, and Neil M. Bressler. Automatic Screening of Age-related Macular Degeneration and Retinal Abnormalities. In Annual International Conference of the IEEE Engineering in Medicine and Biology Society (EMBC), pages 3962--3966. IEEE, 2011."},{"key":"e_1_3_2_2_10_1","first-page":"39","volume-title":"Carlini and David Wagner. Towards Evaluating the Robustness of Neural Networks. In IEEE Symposium on Security and Privacy (S&P)","author":"Nicholas","year":"2017","unstructured":"Nicholas Carlini and David Wagner. Towards Evaluating the Robustness of Neural Networks. In IEEE Symposium on Security and Privacy (S&P), pages 39--57. IEEE, 2017."},{"key":"e_1_3_2_2_11_1","volume-title":"Journal of Machine Learning Research","author":"Chaudhuri Kamalika","year":"2011","unstructured":"Kamalika Chaudhuri, Claire Monteleoni, and Anand D Sarwate. Differentially Private Empirical Risk Minimization. Journal of Machine Learning Research, 2011."},{"key":"e_1_3_2_2_12_1","first-page":"1277","volume-title":"Wainwright. HopSkipJumpAttack: A Query-Efficient Decision-Based Attack. In IEEE Symposium on Security and Privacy (S&P)","author":"Chen Jianbo","year":"2020","unstructured":"Jianbo Chen, Michael I. Jordan, and Martin J. Wainwright. HopSkipJumpAttack: A Query-Efficient Decision-Based Attack. In IEEE Symposium on Security and Privacy (S&P), pages 1277--1294. IEEE, 2020."},{"key":"e_1_3_2_2_13_1","volume-title":"Label-Only Membership Inference Attacks. CoRR abs\/2007.14321","author":"Choquette Choo Christopher A.","year":"2020","unstructured":"Christopher A. Choquette Choo, Florian Tram\u00e8r, Nicholas Carlini, and Nicolas Papernot. Label-Only Membership Inference Attacks. 
CoRR abs\/2007.14321, 2020."},{"key":"e_1_3_2_2_14_1","first-page":"1310","volume-title":"International Conference on Machine Learning (ICML)","author":"Cohen Jeremy M.","year":"2019","unstructured":"Jeremy M. Cohen, Elan Rosenfeld, and J. Zico Kolter. Certified Adversarial Robustness via Randomized Smoothing. In International Conference on Machine Learning (ICML), pages 1310--1320. PMLR, 2019."},{"key":"e_1_3_2_2_15_1","first-page":"321","volume-title":"Explaining Transferability of Evasion and Poisoning Attacks. In USENIX Security Symposium (USENIX Security)","author":"Demontis Ambra","year":"2019","unstructured":"Ambra Demontis, Marco Melis, Maura Pintor, Matthew Jagielski, Battista Biggio, Alina Oprea, Cristina Nita-Rotaru, and Fabio Roli. Why Do Adversarial Attacks Transfer? Explaining Transferability of Evasion and Poisoning Attacks. In USENIX Security Symposium (USENIX Security), pages 321--338. USENIX, 2019."},{"key":"e_1_3_2_2_16_1","volume-title":"Journal of Machine Learning Research","author":"der Maaten Laurens Van","year":"2008","unstructured":"Laurens Van der Maaten and Geoffrey Hinton. Visualizing Data Using t-SNE. Journal of Machine Learning Research, 2008."},{"key":"e_1_3_2_2_17_1","doi-asserted-by":"publisher","DOI":"10.1007\/11681878_14"},{"key":"e_1_3_2_2_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"e_1_3_2_2_19_1","first-page":"17","volume-title":"Thomas Ristenpart. Privacy in Pharmacogenetics: An End-to-End Case Study of Personalized Warfarin Dosing. In USENIX Security Symposium (USENIX Security)","author":"Fredrikson Matt","year":"2014","unstructured":"Matt Fredrikson, Eric Lantz, Somesh Jha, Simon Lin, David Page, and Thomas Ristenpart. Privacy in Pharmacogenetics: An End-to-End Case Study of Personalized Warfarin Dosing. In USENIX Security Symposium (USENIX Security), pages 17--32. 
USENIX, 2014."},{"key":"e_1_3_2_2_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243834"},{"key":"e_1_3_2_2_21_1","volume-title":"Badnets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain. CoRR abs\/1708.06733","author":"Gu Tianyu","year":"2017","unstructured":"Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. Badnets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain. CoRR abs\/1708.06733, 2017."},{"key":"e_1_3_2_2_22_1","volume-title":"Michael Backes. MBeacon: Privacy-Preserving Beacons for DNA Methylation Data. In Network and Distributed System Security Symposium (NDSS). Internet Society","author":"Hagestedt Inken","year":"2019","unstructured":"Inken Hagestedt, Yang Zhang, Mathias Humbert, Pascal Berrang, Haixu Tang, XiaoFeng Wang, and Michael Backes. MBeacon: Privacy-Preserving Beacons for DNA Methylation Data. In Network and Distributed System Security Symposium (NDSS). Internet Society, 2019."},{"key":"e_1_3_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2019-0067"},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.1371\/journal.pgen.1000167"},{"key":"e_1_3_2_2_25_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24293"},{"key":"e_1_3_2_2_26_1","first-page":"299","volume-title":"Lun Wang. Towards Practical Differentially Private Convex Optimization. In IEEE Symposium on Security and Privacy (S&P)","author":"Iyengar Roger","year":"2019","unstructured":"Roger Iyengar, Joseph P. Near, Dawn Xiaodong Song, Om Dipakbhai Thakkar, Abhradeep Thakurta, and Lun Wang. Towards Practical Differentially Private Convex Optimization. In IEEE Symposium on Security and Privacy (S&P), pages 299--316. IEEE, 2019."},{"key":"e_1_3_2_2_27_1","first-page":"259","volume-title":"ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Jia Jinyuan","year":"2019","unstructured":"Jinyuan Jia, Ahmed Salem, Michael Backes, Yang Zhang, and Neil Zhenqiang Gong. 
MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 259--274. ACM, 2019."},{"key":"e_1_3_2_2_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.527"},{"key":"e_1_3_2_2_29_1","volume":"201","author":"Kourou Konstantina","unstructured":"Konstantina Kourou, Themis P. Exarchos, Konstantinos P. Exarchos, Michalis V. Karamouzis, and Dimitrios I. Fotiadis. Machine Learning Applications in Cancer Prognosis and Prediction. Computational and Structural Biotechnology Journal, 2015.","journal-title":"Structural Biotechnology Journal"},{"key":"e_1_3_2_2_30_1","first-page":"1218","volume-title":"Bo Li. QEBA: Query-Efficient Boundary-Based Blackbox Attack. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"Li Huichen","year":"2020","unstructured":"Huichen Li, Xiaojun Xu, Xiaolu Zhang, Shuang Yang, and Bo Li. QEBA: Query-Efficient Boundary-Based Blackbox Attack. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 1218--1227. IEEE, 2020."},{"key":"e_1_3_2_2_31_1","first-page":"5","volume-title":"ACM Conference on Data and Application Security and Privacy (CODASPY)","author":"Li Jiacheng","year":"2021","unstructured":"Jiacheng Li, Ninghui Li, and Bruno Ribeiro. Membership Inference Attacks and Defenses in Supervised Learning via Generalization Gap. In ACM Conference on Data and Application Security and Privacy (CODASPY), pages 5--16. ACM, 2021."},{"key":"e_1_3_2_2_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359801"},{"key":"e_1_3_2_2_33_1","volume-title":"Delving into Transferable Adversarial Examples and Black-box Attacks. CoRR abs\/1611.02770","author":"Liu Yanpei","year":"2016","unstructured":"Yanpei Liu, Xinyun Chen, Chang Liu, and Dawn Song. Delving into Transferable Adversarial Examples and Black-box Attacks. 
CoRR abs\/1611.02770, 2016."},{"key":"e_1_3_2_2_34_1","volume-title":"Xiangyu Zhang. Trojaning Attack on Neural Networks. In Network and Distributed System Security Symposium (NDSS). Internet Society","author":"Liu Yingqi","year":"2019","unstructured":"Yingqi Liu, Shiqing Ma, Yousra Aafer, Wen-Chuan Lee, Juan Zhai, Weihang Wang, and Xiangyu Zhang. Trojaning Attack on Neural Networks. In Network and Distributed System Security Symposium (NDSS). Internet Society, 2019."},{"key":"e_1_3_2_2_35_1","volume-title":"Towards Measuring Membership Privacy. CoRR abs\/1712.09136","author":"Long Yunhui","year":"2017","unstructured":"Yunhui Long, Vincent Bindschaedler, and Carl A. Gunter. Towards Measuring Membership Privacy. CoRR abs\/1712.09136, 2017."},{"key":"e_1_3_2_2_36_1","volume-title":"Understanding Membership Inferences on Well-Generalized Learning Models. CoRR abs\/1802.04889","author":"Long Yunhui","year":"2018","unstructured":"Yunhui Long, Vincent Bindschaedler, Lei Wang, Diyue Bu, Xiaofeng Wang, Haixu Tang, Carl A. Gunter, and Kai Chen. Understanding Membership Inferences on Well-Generalized Learning Models. CoRR abs\/1802.04889, 2018."},{"key":"e_1_3_2_2_37_1","first-page":"12885","volume-title":"Fatih Porikli. Cross-Domain Transferability of Adversarial Perturbations. In Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"Naseer Muzammal","year":"2019","unstructured":"Muzammal Naseer, Salman H. Khan, Muhammad Haris Khan, Fahad Shahbaz Khan, and Fatih Porikli. Cross-Domain Transferability of Adversarial Perturbations. In Annual Conference on Neural Information Processing Systems (NeurIPS), pages 12885--12895. NeurIPS, 2019."},{"key":"e_1_3_2_2_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243855"},{"key":"e_1_3_2_2_39_1","volume-title":"Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples. 
CoRR abs\/1605.07277","author":"Papernot Nicolas","year":"2016","unstructured":"Nicolas Papernot, Patrick McDaniel, and Ian Goodfellow. Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples. CoRR abs\/1605.07277, 2016."},{"key":"e_1_3_2_2_40_1","first-page":"399","volume-title":"Michael Wellman. SoK: Towards the Science of Security and Privacy in Machine Learning. In IEEE European Symposium on Security and Privacy (Euro S&P)","author":"Papernot Nicolas","year":"2018","unstructured":"Nicolas Papernot, Patrick McDaniel, Arunesh Sinha, and Michael Wellman. SoK: Towards the Science of Security and Privacy in Machine Learning. In IEEE European Symposium on Security and Privacy (Euro S&P), pages 399--414. IEEE, 2018."},{"key":"e_1_3_2_2_41_1","first-page":"506","volume-title":"Ananthram Swami. Practical Black-Box Attacks Against Machine Learning. In ACM Asia Conference on Computer and Communications Security (ASIACCS)","author":"Papernot Nicolas","year":"2017","unstructured":"Nicolas Papernot, Patrick D. McDaniel, Ian Goodfellow, Somesh Jha, Z. Berkay Celik, and Ananthram Swami. Practical Black-Box Attacks Against Machine Learning. In ACM Asia Conference on Computer and Communications Security (ASIACCS), pages 506--519. ACM, 2017."},{"key":"e_1_3_2_2_42_1","first-page":"372","volume-title":"Ananthram Swami. The Limitations of Deep Learning in Adversarial Settings. In IEEE European Symposium on Security and Privacy (Euro S&P)","author":"Papernot Nicolas","year":"2016","unstructured":"Nicolas Papernot, Patrick D. McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay Celik, and Ananthram Swami. The Limitations of Deep Learning in Adversarial Settings. In IEEE European Symposium on Security and Privacy (Euro S&P), pages 372--387. IEEE, 2016."},{"key":"e_1_3_2_2_43_1","volume-title":"Membership Inference on Aggregate Location Data. In Network and Distributed System Security Symposium (NDSS). 
Internet Society","author":"Pyrgelis Apostolos","year":"2018","unstructured":"Apostolos Pyrgelis, Carmela Troncoso, and Emiliano De Cristofaro. Knock Knock, Who's There? Membership Inference on Aggregate Location Data. In Network and Distributed System Security Symposium (NDSS). Internet Society, 2018."},{"key":"e_1_3_2_2_44_1","volume-title":"DeepSigns: A Generic Watermarking Framework for IP Protection of Deep Learning Models. CoRR abs\/1804.00750","author":"Rouhani Bita Darvish","year":"2018","unstructured":"Bita Darvish Rouhani, Huili Chen, and Farinaz Koushanfar. DeepSigns: A Generic Watermarking Framework for IP Protection of Deep Learning Models. CoRR abs\/1804.00750, 2018."},{"key":"e_1_3_2_2_45_1","first-page":"5558","volume-title":"International Conference on Machine Learning (ICML)","author":"Sablayrolles Alexandre","year":"2019","unstructured":"Alexandre Sablayrolles, Matthijs Douze, Cordelia Schmid, Yann Ollivier, and Herv\u00e9 J\u00e9gou. White-box vs Black-box: Bayes Optimal Strategies for Membership Inference. In International Conference on Machine Learning (ICML), pages 5558--5567. PMLR, 2019."},{"key":"e_1_3_2_2_46_1","volume-title":"Michael Backes. ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models. In Network and Distributed System Security Symposium (NDSS). Internet Society","author":"Salem Ahmed","year":"2019","unstructured":"Ahmed Salem, Yang Zhang, Mathias Humbert, Pascal Berrang, Mario Fritz, and Michael Backes. ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models. In Network and Distributed System Security Symposium (NDSS). Internet Society, 2019."},{"key":"e_1_3_2_2_47_1","first-page":"6103","volume-title":"Targeted Clean-Label Poisoning Attacks on Neural Networks. 
In Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"Shafahi Ali","year":"2018","unstructured":"Ali Shafahi, W Ronny Huang, Mahyar Najibi, Octavian Suciu, Christoph Studer, Tudor Dumitras, and Tom Goldstein. Poison Frogs! Targeted Clean-Label Poisoning Attacks on Neural Networks. In Annual Conference on Neural Information Processing Systems (NeurIPS), pages 6103--6113. NeurIPS, 2018."},{"key":"e_1_3_2_2_48_1","first-page":"3","volume-title":"Vitaly Shmatikov. Membership Inference Attacks Against Machine Learning Models. In IEEE Symposium on Security and Privacy (S&P)","author":"Shokri Reza","year":"2017","unstructured":"Reza Shokri, Marco Stronati, Congzheng Song, and Vitaly Shmatikov. Membership Inference Attacks Against Machine Learning Models. In IEEE Symposium on Security and Privacy (S&P), pages 3--18. IEEE, 2017."},{"key":"e_1_3_2_2_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354211"},{"key":"e_1_3_2_2_50_1","volume-title":"Journal of Machine Learning Research","author":"Srivastava Nitish","year":"2014","unstructured":"Nitish Srivastava, Geoffrey Hinton, Alex Krizhevsky, Ilya Sutskever, and Ruslan Salakhutdinov. Dropout: A Simple Way to Prevent Neural Networks from Overfitting. Journal of Machine Learning Research, 2014."},{"key":"e_1_3_2_2_51_1","volume":"201","author":"Stanfill Mary H.","unstructured":"Mary H. Stanfill, Margaret Williams, Susan H. Fenton, Robert A. Jenders, and William R. Hersh. A Systematic Literature Review of Automated Clinical Coding and Classification Systems. J. Am. Medical Informatics Assoc., 2010.","journal-title":"Classification Systems. J. Am. Medical Informatics Assoc."},{"key":"e_1_3_2_2_52_1","volume-title":"Patrick McDaniel. Ensemble Adversarial Training: Attacks and Defenses. 
In International Conference on Learning Representations (ICLR)","author":"Tram\u00e8r Florian","year":"2017","unstructured":"Florian Tram\u00e8r, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, and Patrick McDaniel. Ensemble Adversarial Training: Attacks and Defenses. In International Conference on Learning Representations (ICLR), 2017."},{"key":"e_1_3_2_2_53_1","first-page":"601","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Tram\u00e8r Florian","year":"2016","unstructured":"Florian Tram\u00e8r, Fan Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. Stealing Machine Learning Models via Prediction APIs. In USENIX Security Symposium (USENIX Security), pages 601--618. USENIX, 2016."},{"key":"e_1_3_2_2_54_1","volume-title":"Lei Yu, and Wenqi Wei. Towards Demystifying Membership Inference Attacks. CoRR abs\/1807.09173","author":"Truex Stacey","year":"2018","unstructured":"Stacey Truex, Ling Liu, Mehmet Emre Gursoy, Lei Yu, and Wenqi Wei. Towards Demystifying Membership Inference Attacks. CoRR abs\/1807.09173, 2018."},{"key":"e_1_3_2_2_55_1","first-page":"707","volume-title":"Zhao. Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks. In IEEE Symposium on Security and Privacy (S&P)","author":"Wang Bolun","year":"2019","unstructured":"Bolun Wang, Yuanshun Yao, Shawn Shan, Huiying Li, Bimal Viswanath, Haitao Zheng, and Ben Y. Zhao. Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks. In IEEE Symposium on Security and Privacy (S&P), pages 707--723. IEEE, 2019."},{"key":"e_1_3_2_2_56_1","volume-title":"Defending Model Inversion and Membership Inference Attacks via Prediction Purification. CoRR abs\/2005.03915","author":"Yang Ziqi","year":"2020","unstructured":"Ziqi Yang, Bin Shao, Bohan Xuan, Ee-Chien Chang, and Fan Zhang. Defending Model Inversion and Membership Inference Attacks via Prediction Purification. 
CoRR abs\/2005.03915, 2020."},{"key":"e_1_3_2_2_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2018.00027"},{"key":"e_1_3_2_2_58_1","volume-title":"International Conference on Learning Representations (ICLR)","author":"Zhai Runtian","year":"2020","unstructured":"Runtian Zhai, Chen Dan, Di He, Huan Zhang, Boqing Gong, Pradeep Ravikumar, Cho-Jui Hsieh, and Liwei Wang. MACER: Attack-free and Scalable Robust Training via Maximizing Certified Radius. In International Conference on Learning Representations (ICLR), 2020."},{"key":"e_1_3_2_2_59_1","first-page":"159","volume-title":"Ian Molloy. Protecting Intellectual Property of Deep Neural Networks with Watermarking. In ACM Asia Conference on Computer and Communications Security (ASIACCS)","author":"Zhang Jialong","year":"2018","unstructured":"Jialong Zhang, Zhongshu Gu, Jiyong Jang, Hui Wu, Marc Ph. Stoecklin, Heqing Huang, and Ian Molloy. Protecting Intellectual Property of Deep Neural Networks with Watermarking. In ACM Asia Conference on Computer and Communications Security (ASIACCS), pages 159--172. ACM, 2018."},{"key":"e_1_3_2_2_60_1","first-page":"250","volume-title":"Dawn Song. The Secret Revealer: Generative Model-Inversion Attacks Against Deep Neural Networks. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"Zhang Yuheng","year":"2020","unstructured":"Yuheng Zhang, Ruoxi Jia, Hengzhi Pei, Wenxiao Wang, Bo Li, and Dawn Song. The Secret Revealer: Generative Model-Inversion Attacks Against Deep Neural Networks. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 250--258. IEEE, 2020."},{"key":"e_1_3_2_2_61_1","volume-title":"Cross-Age LFW: A Database for Studying Cross-Age Face Recognition in Unconstrained Environments. CoRR abs\/1708.08197","author":"Zheng Tianyue","year":"2017","unstructured":"Tianyue Zheng, Weihong Deng, and Jiani Hu. Cross-Age LFW: A Database for Studying Cross-Age Face Recognition in Unconstrained Environments. 
CoRR abs\/1708.08197, 2017."}],"event":{"name":"CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security","location":"Virtual Event Republic of Korea","acronym":"CCS '21","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484575","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3484575","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T20:43:48Z","timestamp":1763498628000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484575"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,12]]},"references-count":61,"alternative-id":["10.1145\/3460120.3484575","10.1145\/3460120"],"URL":"https:\/\/doi.org\/10.1145\/3460120.3484575","relation":{},"subject":[],"published":{"date-parts":[[2021,11,12]]},"assertion":[{"value":"2021-11-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}