{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T20:55:43Z","timestamp":1763499343846,"version":"3.45.0"},"publisher-location":"New York, NY, USA","reference-count":65,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,11,12]],"date-time":"2021-11-12T00:00:00Z","timestamp":1636675200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61771211"],"award-info":[{"award-number":["61771211"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100012226","name":"Fundamental Research Funds for the Central Universities","doi-asserted-by":"publisher","award":["2017KFYXJJ064"],"award-info":[{"award-number":["2017KFYXJJ064"]}],"id":[{"id":"10.13039\/501100012226","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Wuhan Applied Foundational Frontier Project","award":["2020010601012188"],"award-info":[{"award-number":["2020010601012188"]}]},{"name":"Guangdong Provincial Key R\\&D Plan Project","award":["2019B010139001"],"award-info":[{"award-number":["2019B010139001"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,11,12]]},"DOI":"10.1145\/3460120.3485378","type":"proceedings-article","created":{"date-parts":[[2021,11,13]],"date-time":"2021-11-13T12:05:33Z","timestamp":1636805133000},"page":"3159-3176","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Feature-Indistinguishable Attack to Circumvent Trapdoor-Enabled Defense"],"prefix":"10.1145","author":[{"given":"Chaoxiang","family":"He","sequence":"first","affiliation":[{"name":"Huazhong University of 
Science and Technology, Wuhan, Hubei, China"}]},{"given":"Bin Benjamin","family":"Zhu","sequence":"additional","affiliation":[{"name":"Microsoft Research Asia, Beijing, China"}]},{"given":"Xiaojing","family":"Ma","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, Hubei, China"}]},{"given":"Hai","family":"Jin","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, Hubei, China"}]},{"given":"Shengshan","family":"Hu","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, Hubei, China"}]}],"member":"320","published-online":{"date-parts":[[2021,11,13]]},"reference":[{"key":"e_1_3_2_2_1_1","volume-title":"Proceedings of the 35th International Conference on Machine Learning, ICML 2018, Stockholmsm\u00e4ssan","author":"Athalye Anish","year":"2018","unstructured":"Anish Athalye, Nicholas Carlini, and David A. Wagner. 2018. Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples. In Proceedings of the 35th International Conference on Machine Learning, ICML 2018, Stockholmsm\u00e4ssan, Stockholm, Sweden, July 10--15, 2018 (Proceedings of Machine Learning Research), Jennifer G. Dy and Andreas Krause (Eds.), Vol. 80. PMLR, 274--283. http:\/\/proceedings.mlr.press\/v80\/athalye18a.html"},{"key":"e_1_3_2_2_2_1","doi-asserted-by":"publisher","DOI":"10.5555\/3157382.3157391"},{"key":"e_1_3_2_2_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/MMSP.2018.8547128"},{"key":"e_1_3_2_2_4_1","volume-title":"International Conference on Learning Representations ICLR.","author":"Brendel Wieland","year":"2018","unstructured":"Wieland Brendel, Jonas Rauber, and Matthias Bethge. 2018. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. 
In International Conference on Learning Representations ICLR."},{"key":"e_1_3_2_2_5_1","volume-title":"International Conference on Learning Representations.","author":"Buckman Jacob","year":"2018","unstructured":"Jacob Buckman, Aurko Roy, Colin Raffel, and Ian Goodfellow. 2018. Thermometer encoding: One hot way to resist adversarial examples. In International Conference on Learning Representations."},{"key":"e_1_3_2_2_6_1","volume-title":"A partial break of the honeypots defense to catch adversarial attacks. arXiv preprint arXiv:2009.10975","author":"Carlini Nicholas","year":"2020","unstructured":"Nicholas Carlini. 2020. A partial break of the honeypots defense to catch adversarial attacks. arXiv preprint arXiv:2009.10975 (2020)."},{"key":"e_1_3_2_2_7_1","volume-title":"Defensive distillation is not robust to adversarial examples. arXiv preprint arXiv:1607.04311","author":"Carlini Nicholas","year":"2016","unstructured":"Nicholas Carlini and David Wagner. 2016. Defensive distillation is not robust to adversarial examples. arXiv preprint arXiv:1607.04311 (2016)."},{"key":"e_1_3_2_2_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140444"},{"key":"e_1_3_2_2_9_1","volume-title":"arXiv preprint arXiv:1711.08478","author":"Carlini Nicholas","year":"2017","unstructured":"Nicholas Carlini and David Wagner. 2017. Magnet and \"efficient defenses against adversarial attacks\" are not robust to adversarial examples. arXiv preprint arXiv:1711.08478 (2017)."},{"key":"e_1_3_2_2_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_2_2_11_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v32i1.11302"},{"key":"e_1_3_2_2_12_1","volume-title":"Joint European Conference on Machine Learning and Knowledge Discovery in Databases. Springer, 52--68","author":"Chen Shang-Tse","year":"2018","unstructured":"Shang-Tse Chen, Cory Cornelius, Jason Martin, and Duen Horng Polo Chau. 2018. 
Shapeshifter: Robust physical adversarial attack on faster r-cnn object detector. In Joint European Conference on Machine Learning and Knowledge Discovery in Databases. Springer, 52--68."},{"key":"e_1_3_2_2_13_1","volume-title":"International Conference on Machine Learning. PMLR, 1310--1320","author":"Cohen Jeremy","year":"2019","unstructured":"Jeremy Cohen, Elan Rosenfeld, and Zico Kolter. 2019. Certified adversarial robustness via randomized smoothing. In International Conference on Machine Learning. PMLR, 1310--1320."},{"key":"e_1_3_2_2_14_1","volume-title":"International Conference on Machine Learning. PMLR, 2196--2205","author":"Croce Francesco","year":"2020","unstructured":"Francesco Croce and Matthias Hein. 2020. Minimally distorted adversarial examples with a fast adaptive boundary attack. In International Conference on Machine Learning. PMLR, 2196--2205."},{"key":"e_1_3_2_2_15_1","unstructured":"Guneet S Dhillon Kamyar Azizzadenesheli Zachary C Lipton Jeremy Bernstein Jean Kossaifi Aran Khanna and Anima Anandkumar. 2018. Stochastic activation pruning for robust adversarial defense. (2018)."},{"key":"e_1_3_2_2_16_1","doi-asserted-by":"crossref","unstructured":"Yinpeng Dong Fangzhou Liao Tianyu Pang Hang Su Jun Zhu Xiaolin Hu and Jianguo Li. 2018. Boosting adversarial attacks with momentum. In CVPR.","DOI":"10.1109\/CVPR.2018.00957"},{"key":"e_1_3_2_2_17_1","doi-asserted-by":"crossref","unstructured":"Yinpeng Dong Tianyu Pang Hang Su and Jun Zhu. 2019. Evading Defenses to Transferable Adversarial Examples by Translation-Invariant Attacks. In CVPR.","DOI":"10.1109\/CVPR.2019.00444"},{"key":"e_1_3_2_2_18_1","unstructured":"Martin Ester Hans-Peter Kriegel J\u00f6rg Sander Xiaowei Xu et al. 1996. A density-based algorithm for discovering clusters in large spatial databases with noise. In kdd Vol. 96. 226--231."},{"key":"e_1_3_2_2_19_1","volume-title":"Detecting adversarial samples from artifacts. 
arXiv preprint arXiv:1703.00410","author":"Feinman Reuben","year":"2017","unstructured":"Reuben Feinman, Ryan R Curtin, Saurabh Shintre, and Andrew B Gardner. 2017. Detecting adversarial samples from artifacts. arXiv preprint arXiv:1703.00410 (2017)."},{"key":"e_1_3_2_2_20_1","volume-title":"3rd International Conference on Learning Representations, ICLR","author":"Goodfellow Ian J.","year":"2015","unstructured":"Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and Harnessing Adversarial Examples. In 3rd International Conference on Learning Representations, ICLR 2015, San Diego, CA, USA, May 7--9, 2015, Conference Track Proceedings, Yoshua Bengio and Yann LeCun (Eds.). http:\/\/arxiv.org\/abs\/1412.6572"},{"key":"e_1_3_2_2_21_1","volume-title":"On the (statistical) detection of adversarial examples. arXiv preprint arXiv:1702.06280","author":"Grosse Kathrin","year":"2017","unstructured":"Kathrin Grosse, Praveen Manoharan, Nicolas Papernot, Michael Backes, and Patrick McDaniel. 2017. On the (statistical) detection of adversarial examples. arXiv preprint arXiv:1702.06280 (2017)."},{"key":"e_1_3_2_2_22_1","volume-title":"International Conference on Learning Representations, (ICLR) Workshop.","author":"Gu Shixiang","year":"2015","unstructured":"Shixiang Gu and Luca Rigazio. 2015. Towards deep neural network architectures robust to adversarial examples. In International Conference on Learning Representations, (ICLR) Workshop."},{"key":"e_1_3_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2909068"},{"key":"e_1_3_2_2_24_1","unstructured":"Chuan Guo Mayank Rana Moustapha Cisse and Laurens Van Der Maaten. 2018. Countering adversarial images using input transformations. 
(2018)."},{"key":"e_1_3_2_2_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_2_26_1","volume-title":"11th USENIX workshop on offensive technologies (WOOT 17)","author":"He Warren","year":"2017","unstructured":"Warren He, James Wei, Xinyun Chen, Nicholas Carlini, and Dawn Song. 2017. Adversarial example defense: Ensembles of weak defenses are not strong. In 11th USENIX workshop on offensive technologies (WOOT 17)."},{"key":"e_1_3_2_2_27_1","volume-title":"Distilling the knowledge in a neural network. arXiv preprint arXiv:1503.02531","author":"Hinton Geoffrey","year":"2015","unstructured":"Geoffrey Hinton, Oriol Vinyals, and Jeff Dean. 2015. Distilling the knowledge in a neural network. arXiv preprint arXiv:1503.02531 (2015)."},{"key":"e_1_3_2_2_28_1","volume-title":"International Conference on Learning Representations (ICLR)","author":"Huang Ruitong","year":"2016","unstructured":"Ruitong Huang, Bing Xu, Dale Schuurmans, and Csaba Szepesv\u00e1ri. 2016. Learning with a strong adversary. In International Conference on Learning Representations (ICLR), 2016."},{"key":"e_1_3_2_2_29_1","volume-title":"International Conference on Learning Representations, ICLR","author":"Inkawhich Nathan","year":"2020","unstructured":"Nathan Inkawhich, Kevin J Liang, Lawrence Carin, and Yiran Chen. 2020. Transferable perturbations of deep feature distributions. In International Conference on Learning Representations, ICLR 2020."},{"key":"e_1_3_2_2_30_1","volume-title":"Perturbing across the feature hierarchy to improve standard and strict blackbox attack transferability. arXiv preprint arXiv:2004.14861","author":"Inkawhich Nathan","year":"2020","unstructured":"Nathan Inkawhich, Kevin J Liang, Binghui Wang, Matthew Inkawhich, Lawrence Carin, and Yiran Chen. 2020. Perturbing across the feature hierarchy to improve standard and strict blackbox attack transferability. 
arXiv preprint arXiv:2004.14861 (2020)."},{"key":"e_1_3_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00723"},{"key":"e_1_3_2_2_32_1","unstructured":"Alex Krizhevsky Geoffrey Hinton et al. 2009. Learning multiple layers of features from tiny images. (2009)."},{"key":"e_1_3_2_2_33_1","volume-title":"5th International Conference on Learning Representations ICLR 2017, Workshop track.","author":"Kurakin Alexey","year":"2017","unstructured":"Alexey Kurakin, Ian Goodfellow, and Samy Bengio. 2017. Adversarial examples in the physical world. In 5th International Conference on Learning Representations ICLR 2017, Workshop track."},{"key":"e_1_3_2_2_34_1","volume-title":"5th International Conference on Learning Representations ICLR","author":"Kurakin Alexey","year":"2017","unstructured":"Alexey Kurakin, Ian Goodfellow, and Samy Bengio. 2017. Adversarial machine learning at scale. In 5th International Conference on Learning Representations ICLR 2017."},{"key":"e_1_3_2_2_35_1","unstructured":"Yann LeCun Lawrence D Jackel L\u00e9on Bottou Corinna Cortes John S Denker Harris Drucker Isabelle Guyon Urs A Muller Eduard Sackinger Patrice Simard et al. 1995. Learning algorithms for classification: A comparison on handwritten digit recognition. Neural networks: the statistical mechanics perspective (1995) 261--276."},{"key":"e_1_3_2_2_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00044"},{"key":"e_1_3_2_2_37_1","volume-title":"NeurIPS","author":"Li Bai","year":"2019","unstructured":"Bai Li, Changyou Chen, Wenlin Wang, and Lawrence Carin. 2019. Certified adversarial robustness with additive noise. In NeurIPS 2019."},{"key":"e_1_3_2_2_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.56"},{"key":"e_1_3_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23415"},{"key":"e_1_3_2_2_40_1","unstructured":"Xingjun Ma Bo Li Yisen Wang Sarah M Erfani Sudanthi Wijewickrema Grant Schoenebeck Dawn Song Michael E Houle and James Bailey. 
2018. Characterizing adversarial subspaces using local intrinsic dimensionality. (2018)."},{"key":"e_1_3_2_2_41_1","volume-title":"6th International Conference on Learning Representations, ICLR","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards Deep Learning Models Resistant to Adversarial Attacks. In 6th International Conference on Learning Representations, ICLR 2018, Vancouver, BC, Canada, April 30 - May 3, 2018, Conference Track Proceedings. OpenReview.net. https:\/\/openreview.net\/forum?id=rJzIBfZAb"},{"key":"e_1_3_2_2_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134057"},{"key":"e_1_3_2_2_43_1","unstructured":"Jeet Mohapatra Ching-Yun Ko Sijia Liu Pin-Yu Chen Luca Daniel et al. 2020. Rethinking randomized smoothing for adversarial robustness. arXiv preprint arXiv:2003.01249 (2020)."},{"key":"e_1_3_2_2_44_1","volume-title":"CVPR Workshops.","author":"Narodytska Nina","year":"2017","unstructured":"Nina Narodytska and Shiva Prasad Kasiviswanathan. 2017. Simple black-box adversarial perturbations for deep networks. In CVPR Workshops."},{"key":"e_1_3_2_2_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_3_2_2_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.36"},{"key":"e_1_3_2_2_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.41"},{"key":"e_1_3_2_2_48_1","volume-title":"Defense-gan: Protecting classifiers against adversarial attacks using generative models.","author":"Samangouei Pouya","year":"2018","unstructured":"Pouya Samangouei, Maya Kabkab, and Rama Chellappa. 2018. Defense-gan: Protecting classifiers against adversarial attacks using generative models. (2018)."},{"key":"e_1_3_2_2_49_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2018.04.027"},{"key":"e_1_3_2_2_50_1","volume-title":"Gotta Catch'Em All: Using Honeypots to Catch Adversarial Attacks on Neural Networks. 
https:\/\/github.com\/Shawn-Shan\/trapdoor, note = Accessed on May 1st","author":"Shan Shawn","year":"2021","unstructured":"Shawn Shan. 2021. Gotta Catch'Em All: Using Honeypots to Catch Adversarial Attacks on Neural Networks. https:\/\/github.com\/Shawn-Shan\/trapdoor, note = Accessed on May 1st, 2021. (2021)."},{"key":"e_1_3_2_2_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417231"},{"key":"e_1_3_2_2_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978392"},{"key":"e_1_3_2_2_53_1","volume-title":"Pixeldefend: Leveraging generative models to understand and defend against adversarial examples.","author":"Song Yang","year":"2018","unstructured":"Yang Song, Taesup Kim, Sebastian Nowozin, Stefano Ermon, and Nate Kushman. 2018. Pixeldefend: Leveraging generative models to understand and defend against adversarial examples. (2018)."},{"key":"e_1_3_2_2_54_1","volume-title":"Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition. Neural networks 32","author":"Stallkamp Johannes","year":"2012","unstructured":"Johannes Stallkamp, Marc Schlipsing, Jan Salmen, and Christian Igel. 2012. Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition. Neural networks 32 (2012), 323--332."},{"key":"e_1_3_2_2_55_1","doi-asserted-by":"publisher","DOI":"10.1109\/TEVC.2019.2890858"},{"key":"e_1_3_2_2_56_1","volume-title":"2nd International Conference on Learning Representations (ICLR)","author":"Szegedy Christian","year":"2014","unstructured":"Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks. 2nd International Conference on Learning Representations (ICLR) 2014."},{"key":"e_1_3_2_2_57_1","volume-title":"Ensemble adversarial training: Attacks and defenses. 
arXiv preprint arXiv:1705.07204","author":"Tram\u00e8r Florian","year":"2017","unstructured":"Florian Tram\u00e8r, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, and Patrick McDaniel. 2017. Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204 (2017)."},{"key":"e_1_3_2_2_58_1","volume-title":"Proceedings of the 35th International Conference on Machine Learning, ICML 2018, Stockholmsm\u00e4ssan","author":"Uesato Jonathan","year":"2018","unstructured":"Jonathan Uesato, Brendan O'Donoghue, Pushmeet Kohli, and A\u00e4ron van den Oord. 2018. Adversarial Risk and the Dangers of Evaluating Against Weak Attacks. In Proceedings of the 35th International Conference on Machine Learning, ICML 2018, Stockholmsm\u00e4ssan, Stockholm, Sweden, July 10--15, 2018 (Proceedings of Machine Learning Research), Jennifer G. Dy and Andreas Krause (Eds.), Vol. 80. PMLR, 5032--5041. http:\/\/proceedings.mlr.press\/v80\/uesato18a.html"},{"key":"e_1_3_2_2_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"e_1_3_2_2_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2011.5995566"},{"key":"e_1_3_2_2_61_1","unstructured":"Cihang Xie Jianyu Wang Zhishuai Zhang Zhou Ren and Alan Yuille. 2018. Mitigating adversarial effects through randomization. (2018)."},{"key":"e_1_3_2_2_62_1","unstructured":"Cihang Xie Zhishuai Zhang Yuyin Zhou Song Bai Jianyu Wang Zhou Ren and Alan L Yuille. 2019. Improving transferability of adversarial examples with input diversity. In CVPR."},{"key":"e_1_3_2_2_63_1","volume-title":"Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks. In 25th Annual Network and Distributed System Security Symposium, NDSS 2018","author":"Xu Weilin","year":"2018","unstructured":"Weilin Xu, David Evans, and Yanjun Qi. 2018. Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks. 
In 25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 18--21, 2018. The Internet Society. http:\/\/wp.internetsociety.org\/ndss\/wpcontent\/uploads\/sites\/25\/2018\/02\/ndss2018_03A-4_Xu_paper.pdf"},{"key":"e_1_3_2_2_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140449"},{"key":"e_1_3_2_2_65_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.485"}],"event":{"name":"CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Virtual Event Republic of Korea","acronym":"CCS '21"},"container-title":["Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3485378","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3485378","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T20:49:55Z","timestamp":1763498995000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3485378"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,12]]},"references-count":65,"alternative-id":["10.1145\/3460120.3485378","10.1145\/3460120"],"URL":"https:\/\/doi.org\/10.1145\/3460120.3485378","relation":{},"subject":[],"published":{"date-parts":[[2021,11,12]]},"assertion":[{"value":"2021-11-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}