{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,4]],"date-time":"2026-04-04T18:03:59Z","timestamp":1775325839615,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":75,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,11,13]],"date-time":"2022-11-13T00:00:00Z","timestamp":1668297600000},"content-version":"vor","delay-in-days":366,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100009318","name":"Helmholtz Association","doi-asserted-by":"publisher","award":["ZT-I-OO1 4"],"award-info":[{"award-number":["ZT-I-OO1 4"]}],"id":[{"id":"10.13039\/501100009318","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["1931443"],"award-info":[{"award-number":["1931443"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100006377","name":"Purdue University","doi-asserted-by":"publisher","award":["Bilsland Dissertation Fellowship"],"award-info":[{"award-number":["Bilsland Dissertation Fellowship"]}],"id":[{"id":"10.13039\/100006377","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000008","name":"David and Lucile Packard Foundation","doi-asserted-by":"publisher","award":["Packard Fellowship"],"award-info":[{"award-number":["Packard 
Fellowship"]}],"id":[{"id":"10.13039\/100000008","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,11,12]]},"DOI":"10.1145\/3460120.3484756","type":"proceedings-article","created":{"date-parts":[[2021,11,13]],"date-time":"2021-11-13T12:05:34Z","timestamp":1636805134000},"page":"896-911","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":145,"title":["When Machine Unlearning Jeopardizes Privacy"],"prefix":"10.1145","author":[{"given":"Min","family":"Chen","sequence":"first","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"}]},{"given":"Zhikun","family":"Zhang","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"}]},{"given":"Tianhao","family":"Wang","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University &amp; University of Virginia, Pittsburgh, PA, USA"}]},{"given":"Michael","family":"Backes","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"}]},{"given":"Mathias","family":"Humbert","sequence":"additional","affiliation":[{"name":"University of Lausanne, Lausanne, Switzerland"}]},{"given":"Yang","family":"Zhang","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"}]}],"member":"320","published-online":{"date-parts":[[2021,11,13]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"https:\/\/gdpr-info.eu\/."},{"key":"e_1_3_2_2_2_1","unstructured":"https:\/\/oag.ca.gov\/privacy\/ccpa."},{"key":"e_1_3_2_2_3_1","unstructured":"https:\/\/laws-lois.justice.gc.ca\/ENG\/ACTS\/P-8.6\/index.html."},{"key":"e_1_3_2_2_4_1","first-page":"308","volume-title":"Li Zhang. Deep Learning with Differential Privacy. 
In ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Abadi Martin","year":"2016","unstructured":"Martin Abadi, Andy Chu, Ian Goodfellow, Brendan McMahan, Ilya Mironov, Kunal Talwar, and Li Zhang. Deep Learning with Differential Privacy. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 308--318. ACM, 2016."},{"key":"e_1_3_2_2_5_1","first-page":"1943","volume-title":"ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Backes Michael","year":"2017","unstructured":"Michael Backes, Mathias Humbert, Jun Pang, and Yang Zhang. walk2friends: Inferring Social Links from Mobility Profiles. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 1943--1957. ACM, 2017."},{"key":"e_1_3_2_2_6_1","volume-title":"Machine Unlearning: Linear Filtration for Logit-based Classifier. CoRR abs\/2002.02730","author":"Baumhauer Thomas","year":"2020","unstructured":"Thomas Baumhauer, Pascal Sch\u00f6ttle, and Matthias Zeppelzauer. Machine Unlearning: Linear Filtration for Logit-based Classifier. CoRR abs\/2002.02730, 2020."},{"key":"e_1_3_2_2_7_1","first-page":"363","volume-title":"ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Santiago Zanella B\u00e9","year":"2020","unstructured":"Santiago Zanella B\u00e9guelin, Lukas Wutschitz, Shruti Tople, Victor R\u00fchle, Andrew Paverd, Olga Ohrimenko, Boris K\u00f6pf, and Marc Brockschmidt. Analyzing Information Leakage of Updates to Natural Language Models. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 363--375. ACM, 2020."},{"key":"e_1_3_2_2_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354208"},{"key":"e_1_3_2_2_9_1","volume-title":"Ullman. CoinPress: Practical Private Mean and Covariance Estimation. In Annual Conference on Neural Information Processing Systems (NeurIPS). 
NeurIPS","author":"Biswas Sourav","year":"2020","unstructured":"Sourav Biswas, Yihe Dong, Gautam Kamath, and Jonathan R. Ullman. CoinPress: Practical Private Mean and Covariance Estimation. In Annual Conference on Neural Information Processing Systems (NeurIPS). NeurIPS, 2020."},{"key":"e_1_3_2_2_10_1","volume-title":"Nicolas Papernot. Machine Unlearning. In IEEE Symposium on Security and Privacy (S&P). IEEE","author":"Bourtoule Lucas","year":"2021","unstructured":"Lucas Bourtoule, Varun Chandrasekaran, Christopher Choquette-Choo, Hengrui Jia, Adelin Travers, Baiwu Zhang, David Lie, and Nicolas Papernot. Machine Unlearning. In IEEE Symposium on Security and Privacy (S&P). IEEE, 2021."},{"key":"e_1_3_2_2_11_1","first-page":"463","volume-title":"Cao and Junfeng Yang. Towards Making Systems Forget with Machine Unlearning. In IEEE Symposium on Security and Privacy (S&P)","author":"Yinzhi","year":"2015","unstructured":"Yinzhi Cao and Junfeng Yang. Towards Making Systems Forget with Machine Unlearning. In IEEE Symposium on Security and Privacy (S&P), pages 463--480. IEEE, 2015."},{"key":"e_1_3_2_2_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196517"},{"key":"e_1_3_2_2_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417238"},{"key":"e_1_3_2_2_14_1","first-page":"215","volume-title":"Honglak Lee. An Analysis of Single-Layer Networks in Unsupervised Feature Learning. In International Conference on Artificial Intelligence and Statistics (AISTATS)","author":"Coates Adam","year":"2011","unstructured":"Adam Coates, Andrew Y. Ng, and Honglak Lee. An Analysis of Single-Layer Networks in Unsupervised Feature Learning. In International Conference on Artificial Intelligence and Statistics (AISTATS), pages 215--223. JMLR, 2011."},{"key":"e_1_3_2_2_15_1","first-page":"1283","volume-title":"Dawn Song. Lifelong Anomaly Detection Through Unlearning. 
In ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Du Min","year":"2019","unstructured":"Min Du, Zhi Chen, Chang Liu, Rajvardhan Oak, and Dawn Song. Lifelong Anomaly Detection Through Unlearning. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 1283--1297. ACM, 2019."},{"key":"e_1_3_2_2_16_1","volume-title":"The Algorithmic Foundations of Differential Privacy","author":"Dwork Cynthia","year":"2014","unstructured":"Cynthia Dwork and Aaron Roth. The Algorithmic Foundations of Differential Privacy. Now Publishers Inc., 2014."},{"key":"e_1_3_2_2_17_1","volume-title":"Privacy Attacks on Network Embeddings. CoRR abs\/1912.10979","author":"Ellers Michael","year":"2019","unstructured":"Michael Ellers, Michael Cochez, Tobias Schumacher, Markus Strohmaier, and Florian Lemmerich. Privacy Attacks on Network Embeddings. CoRR abs\/1912.10979, 2019."},{"key":"e_1_3_2_2_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"e_1_3_2_2_19_1","first-page":"17","volume-title":"Thomas Ristenpart. Privacy in Pharmacogenetics: An End-to-End Case Study of Personalized Warfarin Dosing. In USENIX Security Symposium (USENIX Security)","author":"Fredrikson Matt","year":"2014","unstructured":"Matt Fredrikson, Eric Lantz, Somesh Jha, Simon Lin, David Page, and Thomas Ristenpart. Privacy in Pharmacogenetics: An End-to-End Case Study of Personalized Warfarin Dosing. In USENIX Security Symposium (USENIX Security), pages 17--32. USENIX, 2014."},{"key":"e_1_3_2_2_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243834"},{"key":"e_1_3_2_2_21_1","first-page":"3513","volume-title":"James Zou. Making AI Forget You: Data Deletion in Machine Learning. In Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"Ginart Antonio A.","year":"2019","unstructured":"Antonio A. Ginart, Melody Y. Guan, Gregory Valiant, and James Zou. Making AI Forget You: Data Deletion in Machine Learning. 
In Annual Conference on Neural Information Processing Systems (NeurIPS), pages 3513--3526. NeurIPS, 2019."},{"key":"e_1_3_2_2_22_1","first-page":"9301","volume-title":"Stefano Soatto. Eternal Sunshine of the Spotless Net: Selective Forgetting in Deep Networks. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"Golatkar Aditya","year":"2020","unstructured":"Aditya Golatkar, Alessandro Achille, and Stefano Soatto. Eternal Sunshine of the Spotless Net: Selective Forgetting in Deep Networks. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 9301--9309. IEEE, 2020."},{"key":"e_1_3_2_2_23_1","volume-title":"Badnets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain. CoRR abs\/1708.06733","author":"Gu Tianyu","year":"2017","unstructured":"Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. Badnets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain. CoRR abs\/1708.06733, 2017."},{"key":"e_1_3_2_2_24_1","first-page":"3832","volume-title":"International Conference on Machine Learning (ICML)","author":"Guo Chuan","year":"2020","unstructured":"Chuan Guo, Tom Goldstein, Awni Y. Hannun, and Laurens van der Maaten. Certified Data Removal from Machine Learning Models. In International Conference on Machine Learning (ICML), pages 3832--3842. PMLR, 2020."},{"key":"e_1_3_2_2_25_1","volume-title":"Weinberger. On Calibration of Modern Neural Networks. In International Conference on Machine Learning (ICML). PMLR","author":"Guo Chuan","year":"2017","unstructured":"Chuan Guo, Geoff Pleiss, Yu Sun, and Kilian Q. Weinberger. On Calibration of Modern Neural Networks. In International Conference on Machine Learning (ICML). PMLR, 2017."},{"key":"e_1_3_2_2_26_1","first-page":"364","volume-title":"ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Guo Wenbo","year":"2018","unstructured":"Wenbo Guo, Dongliang Mu, Jun Xu, Purui Su, Gang Wang, and Xinyu Xing. 
LEMNA: Explaining Deep Learning based Security Applications. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 364--379. ACM, 2018."},{"key":"e_1_3_2_2_27_1","volume-title":"Michael Backes. MBeacon: Privacy-Preserving Beacons for DNA Methylation Data. In Network and Distributed System Security Symposium (NDSS). Internet Society","author":"Hagestedt Inken","year":"2019","unstructured":"Inken Hagestedt, Yang Zhang, Mathias Humbert, Pascal Berrang, Haixu Tang, XiaoFeng Wang, and Michael Backes. MBeacon: Privacy-Preserving Beacons for DNA Methylation Data. In Network and Distributed System Security Symposium (NDSS). Internet Society, 2019."},{"key":"e_1_3_2_2_28_1","volume-title":"Emiliano De Cristofaro. LOGAN: Evaluating Privacy Leakage of Generative Models Using Generative Adversarial Networks. Symposium on Privacy Enhancing Technologies Symposium","author":"Hayes Jamie","year":"2019","unstructured":"Jamie Hayes, Luca Melis, George Danezis, and Emiliano De Cristofaro. LOGAN: Evaluating Privacy Leakage of Generative Models Using Generative Adversarial Networks. Symposium on Privacy Enhancing Technologies Symposium, 2019."},{"key":"e_1_3_2_2_29_1","first-page":"770","volume-title":"Jian Sun. Deep Residual Learning for Image Recognition. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"He Kaiming","year":"2016","unstructured":"Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. Deep Residual Learning for Image Recognition. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 770--778. IEEE, 2016."},{"key":"e_1_3_2_2_30_1","first-page":"519","volume-title":"Mario Fritz. Segmentations-Leak: Membership Inference Attacks and Defenses in Semantic Image Segmentation. In European Conference on Computer Vision (ECCV)","author":"He Yang","year":"2020","unstructured":"Yang He, Shadi Rahimian, Bernt Schiele, and Mario Fritz. 
Segmentations-Leak: Membership Inference Attacks and Defenses in Semantic Image Segmentation. In European Conference on Computer Vision (ECCV), pages 519--535. Springer, 2020."},{"key":"e_1_3_2_2_31_1","first-page":"2261","volume-title":"Weinberger. Densely Connected Convolutional Networks. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"Huang Gao","year":"2017","unstructured":"Gao Huang, Zhuang Liu, Laurens van der Maaten, and Kilian Q. Weinberger. Densely Connected Convolutional Networks. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 2261--2269. IEEE, 2017."},{"key":"e_1_3_2_2_32_1","first-page":"2008","volume-title":"International Conference on Artificial Intelligence and Statistics (AISTATS)","author":"Izzo Zachary","year":"2021","unstructured":"Zachary Izzo, Mary Anne Smart, Kamalika Chaudhuri, and James Zou. Approximate Data Deletion from Machine Learning Models: Algorithms and Evaluations. In International Conference on Artificial Intelligence and Statistics (AISTATS), pages 2008--2016. PMLR, 2021."},{"key":"e_1_3_2_2_33_1","first-page":"1345","volume-title":"Nicolas Papernot. High Accuracy and High Fidelity Extraction of Neural Networks. In USENIX Security Symposium (USENIX Security)","author":"Jagielski Matthew","year":"2020","unstructured":"Matthew Jagielski, Nicholas Carlini, David Berthelot, Alex Kurakin, and Nicolas Papernot. High Accuracy and High Fidelity Extraction of Neural Networks. In USENIX Security Symposium (USENIX Security), pages 1345--1362. USENIX, 2020."},{"key":"e_1_3_2_2_34_1","first-page":"1895","volume-title":"Jayaraman and David Evans. Evaluating Differentially Private Machine Learning in Practice. In USENIX Security Symposium (USENIX Security)","author":"Bargav","year":"2019","unstructured":"Bargav Jayaraman and David Evans. Evaluating Differentially Private Machine Learning in Practice. In USENIX Security Symposium (USENIX Security), pages 1895--1912. 
USENIX, 2019."},{"key":"e_1_3_2_2_35_1","first-page":"349","volume-title":"Ting Wang. Model-Reuse Attacks on Deep Learning Systems. In ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Ji Yujie","year":"2018","unstructured":"Yujie Ji, Xinyang Zhang, Shouling Ji, Xiapu Luo, and Ting Wang. Model-Reuse Attacks on Deep Learning Systems. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 349--363. ACM, 2018."},{"key":"e_1_3_2_2_36_1","first-page":"259","volume-title":"ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Jia Jinyuan","year":"2019","unstructured":"Jinyuan Jia, Ahmed Salem, Michael Backes, Yang Zhang, and Neil Zhenqiang Gong. MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 259--274. ACM, 2019."},{"key":"e_1_3_2_2_37_1","first-page":"1605","volume-title":"Leino and Matt Fredrikson. Stolen Memories: Leveraging Model Memorization for Calibrated White-Box Membership Inference. In USENIX Security Symposium (USENIX Security)","author":"Klas","year":"2020","unstructured":"Klas Leino and Matt Fredrikson. Stolen Memories: Leveraging Model Memorization for Calibrated White-Box Membership Inference. In USENIX Security Symposium (USENIX Security), pages 1605--1622. USENIX, 2020."},{"key":"e_1_3_2_2_38_1","first-page":"5","volume-title":"ACM Conference on Data and Application Security and Privacy (CODASPY)","author":"Li Jiacheng","year":"2021","unstructured":"Jiacheng Li, Ninghui Li, and Bruno Ribeiro. Membership Inference Attacks and Defenses in Supervised Learning via Generalization Gap. In ACM Conference on Data and Application Security and Privacy (CODASPY), pages 5--16. 
ACM, 2021."},{"key":"e_1_3_2_2_39_1","volume-title":"Differential Privacy: From Theory to Practice","author":"Li Ninghui","year":"2016","unstructured":"Ninghui Li, Min Lyu, Dong Su, and Weining Yang. Differential Privacy: From Theory to Practice. Morgan & Claypool Publishers, 2016."},{"key":"e_1_3_2_2_40_1","volume-title":"Li and Yang Zhang. Membership Leakage in Label-Only Exposures. In ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM","author":"Zheng","year":"2021","unstructured":"Zheng Li and Yang Zhang. Membership Leakage in Label-Only Exposures. In ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 2021."},{"key":"e_1_3_2_2_41_1","first-page":"673","volume-title":"Ting Wang. DEEPSEC: A Uniform Platform for Security Analysis of Deep Learning Model. In IEEE Symposium on Security and Privacy (S&P)","author":"Ling Xiang","year":"2019","unstructured":"Xiang Ling, Shouling Ji, Jiaxu Zou, Jiannan Wang, Chunming Wu, Bo Li, and Ting Wang. DEEPSEC: A Uniform Platform for Security Analysis of Deep Learning Model. In IEEE Symposium on Security and Privacy (S&P), pages 673--690. IEEE, 2019."},{"key":"e_1_3_2_2_42_1","volume-title":"Learn to Forget: Memorization Elimination for Neural Networks. CoRR abs\/2003.10933","author":"Liu Yang","year":"2020","unstructured":"Yang Liu, Zhuo Ma, Ximeng Liu, Jian Liu, Zhongyuan Jiang, JianFeng Ma, Philip Yu, and Kui Ren. Learn to Forget: Memorization Elimination for Neural Networks. CoRR abs\/2003.10933, 2020."},{"key":"e_1_3_2_2_43_1","volume-title":"Xiangyu Zhang. Trojaning Attack on Neural Networks. In Network and Distributed System Security Symposium (NDSS). Internet Society","author":"Liu Yingqi","year":"2019","unstructured":"Yingqi Liu, Shiqing Ma, Yousra Aafer, Wen-Chuan Lee, Juan Zhai, Weihang Wang, and Xiangyu Zhang. Trojaning Attack on Neural Networks. In Network and Distributed System Security Symposium (NDSS). 
Internet Society, 2019."},{"key":"e_1_3_2_2_44_1","volume-title":"Mario Fritz, and Yang Zhang. ML-Doctor: Holistic Risk Assessment of Inference Attacks Against Machine Learning Models. CoRR abs\/2102.02551","author":"Liu Yugeng","year":"2021","unstructured":"Yugeng Liu, Rui Wen, Xinlei He, Ahmed Salem, Zhikun Zhang, Michael Backes, Emiliano De Cristofaro, Mario Fritz, and Yang Zhang. ML-Doctor: Holistic Risk Assessment of Inference Attacks Against Machine Learning Models. CoRR abs\/2102.02551, 2021."},{"key":"e_1_3_2_2_45_1","volume-title":"Understanding Membership Inferences on Well-Generalized Learning Models. CoRR abs\/1802.04889","author":"Long Yunhui","year":"2018","unstructured":"Yunhui Long, Vincent Bindschaedler, Lei Wang, Diyue Bu, Xiaofeng Wang, Haixu Tang, Carl A. Gunter, and Kai Chen. Understanding Membership Inferences on Well-Generalized Learning Models. CoRR abs\/1802.04889, 2018."},{"key":"e_1_3_2_2_46_1","first-page":"497","volume-title":"Vitaly Shmatikov. Exploiting Unintended Feature Leakage in Collaborative Learning. In IEEE Symposium on Security and Privacy (S&P)","author":"Melis Luca","year":"2019","unstructured":"Luca Melis, Congzheng Song, Emiliano De Cristofaro, and Vitaly Shmatikov. Exploiting Unintended Feature Leakage in Collaborative Learning. In IEEE Symposium on Security and Privacy (S&P), pages 497--512. IEEE, 2019."},{"key":"e_1_3_2_2_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243855"},{"key":"e_1_3_2_2_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00065"},{"key":"e_1_3_2_2_49_1","volume-title":"Nicholas Carlini. Adversary Instantiation: Lower Bounds for Differentially Private Machine Learning. In IEEE Symposium on Security and Privacy (S&P). IEEE","author":"Nasr Milad","year":"2021","unstructured":"Milad Nasr, Shuang Song, Abhradeep Thakurta, Nicolas Papernot, and Nicholas Carlini. Adversary Instantiation: Lower Bounds for Differentially Private Machine Learning. 
In IEEE Symposium on Security and Privacy (S&P). IEEE, 2021."},{"key":"e_1_3_2_2_50_1","first-page":"931","volume-title":"Saeed Sharifi-Malvajerdi. Descent-to-Delete: Gradient-Based Methods for Machine Unlearning. In International Conference on Algorithmic Learning Theory (ICALT)","author":"Neel Seth","year":"2021","unstructured":"Seth Neel, Aaron Roth, and Saeed Sharifi-Malvajerdi. Descent-to-Delete: Gradient-Based Methods for Machine Unlearning. In International Conference on Algorithmic Learning Theory (ICALT), pages 931--962. PMLR, 2021."},{"key":"e_1_3_2_2_51_1","volume-title":"Mario Fritz. Towards Reverse-Engineering Black-Box Neural Networks. In International Conference on Learning Representations (ICLR)","author":"Oh Seong Joon","year":"2018","unstructured":"Seong Joon Oh, Max Augustin, Bernt Schiele, and Mario Fritz. Towards Reverse-Engineering Black-Box Neural Networks. In International Conference on Learning Representations (ICLR), 2018."},{"key":"e_1_3_2_2_52_1","first-page":"399","volume-title":"Michael Wellman. SoK: Towards the Science of Security and Privacy in Machine Learning. In IEEE European Symposium on Security and Privacy (Euro S&P)","author":"Papernot Nicolas","year":"2018","unstructured":"Nicolas Papernot, Patrick McDaniel, Arunesh Sinha, and Michael Wellman. SoK: Towards the Science of Security and Privacy in Machine Learning. In IEEE European Symposium on Security and Privacy (Euro S&P), pages 399--414. IEEE, 2018."},{"key":"e_1_3_2_2_53_1","first-page":"506","volume-title":"Ananthram Swami. Practical Black-Box Attacks Against Machine Learning. In ACM Asia Conference on Computer and Communications Security (ASIACCS)","author":"Papernot Nicolas","year":"2017","unstructured":"Nicolas Papernot, Patrick D. McDaniel, Ian Goodfellow, Somesh Jha, Z. Berkay Celik, and Ananthram Swami. Practical Black-Box Attacks Against Machine Learning. In ACM Asia Conference on Computer and Communications Security (ASIACCS), pages 506--519. 
ACM, 2017."},{"key":"e_1_3_2_2_54_1","first-page":"372","volume-title":"Ananthram Swami. The Limitations of Deep Learning in Adversarial Settings. In IEEE European Symposium on Security and Privacy (Euro S&P)","author":"Papernot Nicolas","year":"2016","unstructured":"Nicolas Papernot, Patrick D. McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay Celik, and Ananthram Swami. The Limitations of Deep Learning in Adversarial Settings. In IEEE European Symposium on Security and Privacy (Euro S&P), pages 372--387. IEEE, 2016."},{"key":"e_1_3_2_2_55_1","volume-title":"Erlingsson. Scalable Private Learning with PATE. In International Conference on Learning Representations (ICLR)","author":"Papernot Nicolas","year":"2018","unstructured":"Nicolas Papernot, Shuang Song, Ilya Mironov, Ananth Raghunathan, Kunal Talwar, and \u00dalfar Erlingsson. Scalable Private Learning with PATE. In International Conference on Learning Representations (ICLR), 2018."},{"key":"e_1_3_2_2_56_1","volume-title":"Membership Inference on Aggregate Location Data. In Network and Distributed System Security Symposium (NDSS). Internet Society","author":"Pyrgelis Apostolos","year":"2018","unstructured":"Apostolos Pyrgelis, Carmela Troncoso, and Emiliano De Cristofaro. Knock Knock, Who's There? Membership Inference on Aggregate Location Data. In Network and Distributed System Security Symposium (NDSS). Internet Society, 2018."},{"key":"e_1_3_2_2_57_1","first-page":"479","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Quiring Erwin","year":"2019","unstructured":"Erwin Quiring, Alwin Maier, and Konrad Rieck. Misleading Authorship Attribution of Source Code using Adversarial Learning. In USENIX Security Symposium (USENIX Security), pages 479--496. USENIX, 2019."},{"key":"e_1_3_2_2_58_1","volume-title":"Mario Fritz. Differential Privacy Defenses and Sampling Attacks for Membership Inference. In PriML Workshop (PriML). 
NeurIPS","author":"Rahimian Shadi","year":"2020","unstructured":"Shadi Rahimian, Tribhuvanesh Orekondy, and Mario Fritz. Differential Privacy Defenses and Sampling Attacks for Membership Inference. In PriML Workshop (PriML). NeurIPS, 2020."},{"key":"e_1_3_2_2_59_1","first-page":"1291","volume-title":"Yang Zhang. Updates-Leak: Data Set Inference and Reconstruction Attacks in Online Learning. In USENIX Security Symposium (USENIX Security)","author":"Salem Ahmed","year":"2020","unstructured":"Ahmed Salem, Apratim Bhattacharya, Michael Backes, Mario Fritz, and Yang Zhang. Updates-Leak: Data Set Inference and Reconstruction Attacks in Online Learning. In USENIX Security Symposium (USENIX Security), pages 1291--1308. USENIX, 2020."},{"key":"e_1_3_2_2_60_1","volume-title":"Michael Backes. ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models. In Network and Distributed System Security Symposium (NDSS). Internet Society","author":"Salem Ahmed","year":"2019","unstructured":"Ahmed Salem, Yang Zhang, Mathias Humbert, Pascal Berrang, Mario Fritz, and Michael Backes. ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models. In Network and Distributed System Security Symposium (NDSS). Internet Society, 2019."},{"key":"e_1_3_2_2_61_1","first-page":"6103","volume-title":"Targeted Clean-Label Poisoning Attacks on Neural Networks. In Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"Shafahi Ali","year":"2018","unstructured":"Ali Shafahi, W Ronny Huang, Mahyar Najibi, Octavian Suciu, Christoph Studer, Tudor Dumitras, and Tom Goldstein. Poison Frogs! Targeted Clean-Label Poisoning Attacks on Neural Networks. In Annual Conference on Neural Information Processing Systems (NeurIPS), pages 6103--6113. NeurIPS, 2018."},{"key":"e_1_3_2_2_62_1","first-page":"364","volume-title":"Suman Jana. Neutaint: Efficient Dynamic Taint Analysis with Neural Networks. 
In IEEE Symposium on Security and Privacy (S&P)","author":"She Dongdong","year":"2020","unstructured":"Dongdong She, Yizheng Chen, Abhishek Shah, Baishakhi Ray, and Suman Jana. Neutaint: Efficient Dynamic Taint Analysis with Neural Networks. In IEEE Symposium on Security and Privacy (S&P), pages 364--380. IEEE, 2020."},{"key":"e_1_3_2_2_63_1","volume-title":"The AAAI Workshop on Privacy-Preserving Artificial Intelligence (PPAI). AAAI","author":"Shokri Reza","year":"2020","unstructured":"Reza Shokri, Martin Strobel, and Yair Zick. Exploiting Transparency Measures for Membership Inference: a Cautionary Tale. In The AAAI Workshop on Privacy-Preserving Artificial Intelligence (PPAI). AAAI, 2020."},{"key":"e_1_3_2_2_64_1","first-page":"3","volume-title":"Vitaly Shmatikov. Membership Inference Attacks Against Machine Learning Models. In IEEE Symposium on Security and Privacy (S&P)","author":"Shokri Reza","year":"2017","unstructured":"Reza Shokri, Marco Stronati, Congzheng Song, and Vitaly Shmatikov. Membership Inference Attacks Against Machine Learning Models. In IEEE Symposium on Security and Privacy (S&P), pages 3--18. IEEE, 2017."},{"key":"e_1_3_2_2_65_1","volume-title":"Towards Probabilistic Verification of Machine Unlearning. CoRR abs\/2003.04247","author":"Sommer David Marco","year":"2020","unstructured":"David Marco Sommer, Liwei Song, Sameer Wagh, and Prateek Mittal. Towards Probabilistic Verification of Machine Unlearning. CoRR abs\/2003.04247, 2020."},{"key":"e_1_3_2_2_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134077"},{"key":"e_1_3_2_2_67_1","first-page":"196","volume-title":"Song and Vitaly Shmatikov. Auditing Data Provenance in Text-Generation Models. In ACM Conference on Knowledge Discovery and Data Mining (KDD)","author":"Congzheng","year":"2019","unstructured":"Congzheng Song and Vitaly Shmatikov. Auditing Data Provenance in Text-Generation Models. In ACM Conference on Knowledge Discovery and Data Mining (KDD), pages 196--206. 
ACM, 2019."},{"key":"e_1_3_2_2_68_1","volume-title":"Song and Vitaly Shmatikov. Overlearning Reveals Sensitive Attributes. In International Conference on Learning Representations (ICLR)","author":"Congzheng","year":"2020","unstructured":"Congzheng Song and Vitaly Shmatikov. Overlearning Reveals Sensitive Attributes. In International Conference on Learning Representations (ICLR), 2020."},{"key":"e_1_3_2_2_69_1","volume-title":"Patrick McDaniel. Ensemble Adversarial Training: Attacks and Defenses. In International Conference on Learning Representations (ICLR)","author":"Tram\u00e8r Florian","year":"2017","unstructured":"Florian Tram\u00e8r, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, and Patrick McDaniel. Ensemble Adversarial Training: Attacks and Defenses. In International Conference on Learning Representations (ICLR), 2017."},{"key":"e_1_3_2_2_70_1","first-page":"601","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Tram\u00e8r Florian","year":"2016","unstructured":"Florian Tram\u00e8r, Fan Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. Stealing Machine Learning Models via Prediction APIs. In USENIX Security Symposium (USENIX Security), pages 601--618. USENIX, 2016."},{"key":"e_1_3_2_2_71_1","volume":"201","author":"Villaronga Eduard Fosch","unstructured":"Eduard Fosch Villaronga, Peter Kieseberg, and Tiffany Li. Humans Forget, Machines Remember: Artificial Intelligence and the Right to Be Forgotten. Computer Law & Security Review, 2018.","journal-title":"Security Review"},{"key":"e_1_3_2_2_72_1","first-page":"36","volume-title":"Wang and Neil Zhenqiang Gong. Stealing Hyperparameters in Machine Learning. In IEEE Symposium on Security and Privacy (S&P)","author":"Binghui","year":"2018","unstructured":"Binghui Wang and Neil Zhenqiang Gong. Stealing Hyperparameters in Machine Learning. In IEEE Symposium on Security and Privacy (S&P), pages 36--52. 
IEEE, 2018."},{"key":"e_1_3_2_2_73_1","first-page":"707","volume-title":"Zhao. Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks. In IEEE Symposium on Security and Privacy (S&P)","author":"Wang Bolun","year":"2019","unstructured":"Bolun Wang, Yuanshun Yao, Shawn Shan, Huiying Li, Bimal Viswanath, Haitao Zheng, and Ben Y. Zhao. Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks. In IEEE Symposium on Security and Privacy (S&P), pages 707--723. IEEE, 2019."},{"key":"e_1_3_2_2_74_1","doi-asserted-by":"publisher","DOI":"10.1515\/popets-2016-0046"},{"key":"e_1_3_2_2_75_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2018.00027"}],"event":{"name":"CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security","location":"Virtual Event Republic of Korea","acronym":"CCS '21","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications 
Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484756","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3484756","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3484756","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T20:50:17Z","timestamp":1763499017000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484756"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,12]]},"references-count":75,"alternative-id":["10.1145\/3460120.3484756","10.1145\/3460120"],"URL":"https:\/\/doi.org\/10.1145\/3460120.3484756","relation":{},"subject":[],"published":{"date-parts":[[2021,11,12]]},"assertion":[{"value":"2021-11-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}