{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,30]],"date-time":"2026-01-30T04:34:03Z","timestamp":1769747643019,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":49,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,11,15]],"date-time":"2021-11-15T00:00:00Z","timestamp":1636934400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,11,15]]},"DOI":"10.1145\/3474369.3486863","type":"proceedings-article","created":{"date-parts":[[2021,10,28]],"date-time":"2021-10-28T11:13:28Z","timestamp":1635419608000},"page":"37-48","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":33,"title":["SEAT"],"prefix":"10.1145","author":[{"given":"Zhanyuan","family":"Zhang","sequence":"first","affiliation":[{"name":"University of California, Berkeley, Berkeley, CA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yizheng","family":"Chen","sequence":"additional","affiliation":[{"name":"University of California, Berkeley, Berkeley, CA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"David","family":"Wagner","sequence":"additional","affiliation":[{"name":"University of California, Berkeley, Berkeley, CA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2021,11,15]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"crossref","unstructured":"Buse Gul Atli Sebastian Szyller Mika Juuti Samuel Marchal and N. Asokan. 2020. Extraction of Complex DNN Models: Real Threat or Boogeyman? arxiv: 1910.05429 [cs.LG] Buse Gul Atli Sebastian Szyller Mika Juuti Samuel Marchal and N. Asokan. 2020. Extraction of Complex DNN Models: Real Threat or Boogeyman? arxiv: 1910.05429 [cs.LG]","DOI":"10.1007\/978-3-030-62144-5_4"},{"key":"e_1_3_2_1_2_1","volume-title":"CSI Neural Network: Using Side-channels to Recover Your Artificial Neural Network Information. arxiv","author":"Batina Lejla","year":"1810","unstructured":"Lejla Batina , Shivam Bhasin , Dirmanto Jap , and Stjepan Picek . 2018. CSI Neural Network: Using Side-channels to Recover Your Artificial Neural Network Information. arxiv : 1810 .09076 [cs.CR] Lejla Batina, Shivam Bhasin, Dirmanto Jap, and Stjepan Picek. 2018. CSI Neural Network: Using Side-channels to Recover Your Artificial Neural Network Information. arxiv: 1810.09076 [cs.CR]"},{"key":"e_1_3_2_1_3_1","unstructured":"Wieland Brendel Jonas Rauber and Matthias Bethge. 2018. Decision-Based Adversarial Attacks: Reliable Attacks Against Black-Box Machine Learning Models. arxiv: 1712.04248 [stat.ML] Wieland Brendel Jonas Rauber and Matthias Bethge. 2018. Decision-Based Adversarial Attacks: Reliable Attacks Against Black-Box Machine Learning Models. arxiv: 1712.04248 [stat.ML]"},{"key":"e_1_3_2_1_4_1","volume-title":"Cryptanalytic Extraction of Neural Network Models. arxiv","author":"Carlini Nicholas","year":"2003","unstructured":"Nicholas Carlini , Matthew Jagielski , and Ilya Mironov . 2020. Cryptanalytic Extraction of Neural Network Models. arxiv : 2003 .04884 [cs.LG] Nicholas Carlini, Matthew Jagielski, and Ilya Mironov. 2020. Cryptanalytic Extraction of Neural Network Models. arxiv: 2003.04884 [cs.LG]"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"crossref","unstructured":"Nicholas Carlini and David Wagner. 2017. Towards Evaluating the Robustness of Neural Networks. arxiv: 1608.04644 [cs.CR] Nicholas Carlini and David Wagner. 2017. Towards Evaluating the Robustness of Neural Networks. arxiv: 1608.04644 [cs.CR]","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_2_1_6_1","volume-title":"Wainwright","author":"Chen Jianbo","year":"2020","unstructured":"Jianbo Chen , Michael I. Jordan , and Martin J . Wainwright . 2020 . HopSkipJumpAttack: A Query-Efficient Decision-Based Attack . arxiv: 1904.02144 [cs.LG] Jianbo Chen, Michael I. Jordan, and Martin J. Wainwright. 2020. HopSkipJumpAttack: A Query-Efficient Decision-Based Attack. arxiv: 1904.02144 [cs.LG]"},{"key":"e_1_3_2_1_7_1","volume-title":"Stateful Detection of Black-Box Adversarial Attacks. arxiv","author":"Chen Steven","year":"1907","unstructured":"Steven Chen , Nicholas Carlini , and David Wagner . 2019. Stateful Detection of Black-Box Adversarial Attacks. arxiv : 1907 .05587 [cs.CR] Steven Chen, Nicholas Carlini, and David Wagner. 2019. Stateful Detection of Black-Box Adversarial Attacks. arxiv: 1907.05587 [cs.CR]"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2018.8489592"},{"key":"e_1_3_2_1_9_1","volume-title":"Storkey","author":"Darlow Luke N.","year":"2018","unstructured":"Luke N. Darlow , Elliot J. Crowley , Antreas Antoniou , and Amos J . Storkey . 2018 . CINIC-10 is not ImageNet or CIFAR- 10. arxiv: 1810.03505 [cs.CV] Luke N. Darlow, Elliot J. Crowley, Antreas Antoniou, and Amos J. Storkey. 2018. CINIC-10 is not ImageNet or CIFAR-10. arxiv: 1810.03505 [cs.CV]"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"crossref","unstructured":"John (JD) Douceur. 2002. The Sybil Attack. In Proceedings of 1st International Workshop on Peer-to-Peer Systems (IPTPS) proceedings of 1st international workshop on peer-to-peer systems (iptps) ed.). https:\/\/www.microsoft.com\/en-us\/research\/publication\/the-sybil-attack\/ John (JD) Douceur. 2002. The Sybil Attack. In Proceedings of 1st International Workshop on Peer-to-Peer Systems (IPTPS) proceedings of 1st international workshop on peer-to-peer systems (iptps) ed.). https:\/\/www.microsoft.com\/en-us\/research\/publication\/the-sybil-attack\/","DOI":"10.1007\/3-540-45748-8_24"},{"key":"e_1_3_2_1_12_1","unstructured":"John C Duchi Michael I Jordan Martin J Wainwright and Andre Wibisono. 2012. Finite Sample Convergence Rates of Zero-Order Stochastic Optimization Methods.. In NIPS. Citeseer 1448--1456. John C Duchi Michael I Jordan Martin J Wainwright and Andre Wibisono. 2012. Finite Sample Convergence Rates of Zero-Order Stochastic Optimization Methods.. In NIPS. Citeseer 1448--1456."},{"key":"e_1_3_2_1_13_1","unstructured":"Ian J. Goodfellow Jean Pouget-Abadie Mehdi Mirza Bing Xu David Warde-Farley Sherjil Ozair Aaron Courville and Yoshua Bengio. 2014. Generative Adversarial Networks. arxiv: 1406.2661 [stat.ML] Ian J. Goodfellow Jean Pouget-Abadie Mehdi Mirza Bing Xu David Warde-Farley Sherjil Ozair Aaron Courville and Yoshua Bengio. 2014. Generative Adversarial Networks. arxiv: 1406.2661 [stat.ML]"},{"key":"e_1_3_2_1_14_1","unstructured":"Greg Griffin Alex Holub and Pietro Perona. 2006. Caltech256 Image Dataset. (2006). http:\/\/www.vision.caltech.edu\/Image_Datasets\/Caltech256\/ Greg Griffin Alex Holub and Pietro Perona. 2006. Caltech256 Image Dataset. (2006). http:\/\/www.vision.caltech.edu\/Image_Datasets\/Caltech256\/"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"crossref","DOI":"10.1109\/CVPR.2006.100","volume-title":"2006 IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR'06)","volume":"2","author":"Hadsell R.","year":"2006","unstructured":"R. Hadsell , S. Chopra , and Y. LeCun . 2006. Dimensionality Reduction by Learning an Invariant Mapping . In 2006 IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR'06) , Vol. 2 . 1735--1742. https:\/\/doi.org\/10.1109\/CVPR. 2006 .100 10.1109\/CVPR.2006.100 R. Hadsell, S. Chopra, and Y. LeCun. 2006. Dimensionality Reduction by Learning an Invariant Mapping. In 2006 IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR'06), Vol. 2. 1735--1742. https:\/\/doi.org\/10.1109\/CVPR.2006.100"},{"key":"e_1_3_2_1_16_1","unstructured":"Kaiming He Xiangyu Zhang Shaoqing Ren and Jian Sun. 2015. Deep Residual Learning for Image Recognition. arxiv: 1512.03385 [cs.CV] Kaiming He Xiangyu Zhang Shaoqing Ren and Jian Sun. 2015. Deep Residual Learning for Image Recognition. arxiv: 1512.03385 [cs.CV]"},{"key":"e_1_3_2_1_17_1","volume-title":"Detection of Traffic Signs in Real-World Images: The German Traffic Sign Detection Benchmark. In International Joint Conference on Neural Networks.","author":"Houben Sebastian","year":"2013","unstructured":"Sebastian Houben , Johannes Stallkamp , Jan Salmen , Marc Schlipsing , and Christian Igel . 2013 . Detection of Traffic Signs in Real-World Images: The German Traffic Sign Detection Benchmark. In International Joint Conference on Neural Networks. Sebastian Houben, Johannes Stallkamp, Jan Salmen, Marc Schlipsing, and Christian Igel. 2013. Detection of Traffic Signs in Real-World Images: The German Traffic Sign Detection Benchmark. In International Joint Conference on Neural Networks."},{"key":"e_1_3_2_1_19_1","volume-title":"Proceedings of the 35th International Conference on Machine Learning (Proceedings of Machine Learning Research","volume":"2146","author":"Ilyas Andrew","year":"2018","unstructured":"Andrew Ilyas , Logan Engstrom , Anish Athalye , and Jessy Lin . 2018 . Black-box Adversarial Attacks with Limited Queries and Information . In Proceedings of the 35th International Conference on Machine Learning (Proceedings of Machine Learning Research , Vol. 80), Jennifer Dy and Andreas Krause (Eds.). PMLR, 2137-- 2146 . http:\/\/proceedings.mlr.press\/v80\/ilyas18a.html Andrew Ilyas, Logan Engstrom, Anish Athalye, and Jessy Lin. 2018. Black-box Adversarial Attacks with Limited Queries and Information. In Proceedings of the 35th International Conference on Machine Learning (Proceedings of Machine Learning Research, Vol. 80), Jennifer Dy and Andreas Krause (Eds.). PMLR, 2137--2146. http:\/\/proceedings.mlr.press\/v80\/ilyas18a.html"},{"key":"e_1_3_2_1_20_1","volume-title":"Batch Normalization: Accelerating Deep Network Training by Reducing Internal Covariate Shift. arxiv: 1502.03167 [cs.LG]","author":"Ioffe Sergey","year":"2015","unstructured":"Sergey Ioffe and Christian Szegedy . 2015 . Batch Normalization: Accelerating Deep Network Training by Reducing Internal Covariate Shift. arxiv: 1502.03167 [cs.LG] Sergey Ioffe and Christian Szegedy. 2015. Batch Normalization: Accelerating Deep Network Training by Reducing Internal Covariate Shift. arxiv: 1502.03167 [cs.LG]"},{"key":"e_1_3_2_1_21_1","volume-title":"High Accuracy and High Fidelity Extraction of Neural Networks. arxiv","author":"Jagielski Matthew","year":"1909","unstructured":"Matthew Jagielski , Nicholas Carlini , David Berthelot , Alex Kurakin , and Nicolas Papernot . 2020. High Accuracy and High Fidelity Extraction of Neural Networks. arxiv : 1909 .01838 [cs.LG] Matthew Jagielski, Nicholas Carlini, David Berthelot, Alex Kurakin, and Nicolas Papernot. 2020. High Accuracy and High Fidelity Extraction of Neural Networks. arxiv: 1909.01838 [cs.LG]"},{"key":"e_1_3_2_1_22_1","volume-title":"PRADA: Protecting against DNN Model Stealing Attacks. arxiv","author":"Juuti Mika","year":"2019","unstructured":"Mika Juuti , Sebastian Szyller , Samuel Marchal , and N. Asokan . 2019 . PRADA: Protecting against DNN Model Stealing Attacks. arxiv : 1805.02628 [cs.CR] Mika Juuti, Sebastian Szyller, Samuel Marchal, and N. Asokan. 2019. PRADA: Protecting against DNN Model Stealing Attacks. arxiv: 1805.02628 [cs.CR]"},{"key":"e_1_3_2_1_23_1","volume-title":"International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=LucJxySuJcE","author":"Kariyappa Sanjay","year":"2021","unstructured":"Sanjay Kariyappa , Atul Prakash , and Moinuddin K Qureshi . 2021 . Protecting DNN s from Theft using an Ensemble of Diverse Models . In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=LucJxySuJcE Sanjay Kariyappa, Atul Prakash, and Moinuddin K Qureshi. 2021. Protecting DNN s from Theft using an Ensemble of Diverse Models. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=LucJxySuJcE"},{"key":"e_1_3_2_1_24_1","volume-title":"Defending Against Model Stealing Attacks With Adaptive Misinformation. In 2020 IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE Computer Society","author":"Kariyappa S.","year":"2020","unstructured":"S. Kariyappa and M. K. Qureshi . 2020 . Defending Against Model Stealing Attacks With Adaptive Misinformation. In 2020 IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE Computer Society , Los Alamitos, CA, USA, 767--775. https:\/\/doi.org\/10.1109\/CVPR42600. 2020 .00085 10.1109\/CVPR42600.2020.00085 S. Kariyappa and M. K. Qureshi. 2020. Defending Against Model Stealing Attacks With Adaptive Misinformation. In 2020 IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE Computer Society, Los Alamitos, CA, USA, 767--775. https:\/\/doi.org\/10.1109\/CVPR42600.2020.00085"},{"key":"e_1_3_2_1_25_1","unstructured":"Alex Krizhevsky. 2012. Learning Multiple Layers of Features from Tiny Images. University of Toronto (05 2012). Alex Krizhevsky. 2012. Learning Multiple Layers of Features from Tiny Images. University of Toronto (05 2012)."},{"key":"e_1_3_2_1_26_1","unstructured":"Ya Le and X. Yang. 2015. Tiny ImageNet Visual Recognition Challenge. Ya Le and X. Yang. 2015. Tiny ImageNet Visual Recognition Challenge."},{"key":"e_1_3_2_1_27_1","volume-title":"Zhao","author":"Li Huiying","year":"2020","unstructured":"Huiying Li , Shawn Shan , Emily Wenger , Jiayun Zhang , Haitao Zheng , and Ben Y . Zhao . 2020 . Blacklight : Defending Black-Box Adversarial Attacks on Deep Neural Networks . arxiv: 2006.14042 [cs.CR] Huiying Li, Shawn Shan, Emily Wenger, Jiayun Zhang, Haitao Zheng, and Ben Y. Zhao. 2020. Blacklight: Defending Black-Box Adversarial Attacks on Deep Neural Networks. arxiv: 2006.14042 [cs.CR]"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/1081870.1081950"},{"key":"e_1_3_2_1_29_1","unstructured":"Aleksander Madry Aleksandar Makelov Ludwig Schmidt Dimitris Tsipras and Adrian Vladu. 2019. Towards Deep Learning Models Resistant to Adversarial Attacks. arxiv: 1706.06083 [stat.ML] Aleksander Madry Aleksandar Makelov Ludwig Schmidt Dimitris Tsipras and Adrian Vladu. 2019. Towards Deep Learning Models Resistant to Adversarial Attacks. arxiv: 1706.06083 [stat.ML]"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/1873951.1874254"},{"key":"e_1_3_2_1_31_1","volume-title":"Model Reconstruction from Model Explanations. arxiv","author":"Milli Smitha","year":"1807","unstructured":"Smitha Milli , Ludwig Schmidt , Anca D. Dragan , and Moritz Hardt . 2018. Model Reconstruction from Model Explanations. arxiv : 1807 .05185 [stat.ML] Smitha Milli, Ludwig Schmidt, Anca D. Dragan, and Moritz Hardt. 2018. Model Reconstruction from Model Explanations. arxiv: 1807.05185 [stat.ML]"},{"key":"e_1_3_2_1_32_1","volume-title":"Parsimonious Black-Box Adversarial Attacks via Efficient Combinatorial Optimization. arxiv","author":"Moon Seungyong","year":"1905","unstructured":"Seungyong Moon , Gaon An , and Hyun Oh Song . 2019. Parsimonious Black-Box Adversarial Attacks via Efficient Combinatorial Optimization. arxiv : 1905 .06635 [cs.LG] Seungyong Moon, Gaon An, and Hyun Oh Song. 2019. Parsimonious Black-Box Adversarial Attacks via Efficient Combinatorial Optimization. arxiv: 1905.06635 [cs.LG]"},{"key":"e_1_3_2_1_33_1","volume-title":"Reading Digits in Natural Images with Unsupervised Feature Learning. NIPS (01","author":"Netzer Yuval","year":"2011","unstructured":"Yuval Netzer , Tao Wang , Adam Coates , Alessandro Bissacco , Bo Wu , and Andrew Ng. 2011. Reading Digits in Natural Images with Unsupervised Feature Learning. NIPS (01 2011 ). Yuval Netzer, Tao Wang, Adam Coates, Alessandro Bissacco, Bo Wu, and Andrew Ng. 2011. Reading Digits in Natural Images with Unsupervised Feature Learning. NIPS (01 2011)."},{"key":"e_1_3_2_1_34_1","volume-title":"Knockoff Nets: Stealing Functionality of Black-Box Models. arxiv","author":"Orekondy Tribhuvanesh","year":"2018","unstructured":"Tribhuvanesh Orekondy , Bernt Schiele , and Mario Fritz . 2018 . Knockoff Nets: Stealing Functionality of Black-Box Models. arxiv : 1812.02766 [cs.CV] Tribhuvanesh Orekondy, Bernt Schiele, and Mario Fritz. 2018. Knockoff Nets: Stealing Functionality of Black-Box Models. arxiv: 1812.02766 [cs.CV]"},{"key":"e_1_3_2_1_35_1","volume-title":"Prediction Poisoning: Towards Defenses Against DNN Model Stealing Attacks. arxiv","author":"Orekondy Tribhuvanesh","year":"2020","unstructured":"Tribhuvanesh Orekondy , Bernt Schiele , and Mario Fritz . 2020 . Prediction Poisoning: Towards Defenses Against DNN Model Stealing Attacks. arxiv : 1906.10908 [cs.LG] Tribhuvanesh Orekondy, Bernt Schiele, and Mario Fritz. 2020. Prediction Poisoning: Towards Defenses Against DNN Model Stealing Attacks. arxiv: 1906.10908 [cs.LG]"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i01.5432"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"crossref","unstructured":"Nicolas Papernot Patrick McDaniel Ian Goodfellow Somesh Jha Z. Berkay Celik and Ananthram Swami. 2017. Practical Black-Box Attacks against Machine Learning. arxiv: 1602.02697 [cs.CR] Nicolas Papernot Patrick McDaniel Ian Goodfellow Somesh Jha Z. Berkay Celik and Ananthram Swami. 2017. Practical Black-Box Attacks against Machine Learning. arxiv: 1602.02697 [cs.CR]","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_3_2_1_38_1","unstructured":"Adam Paszke Sam Gross Soumith Chintala Gregory Chanan Edward Yang Zachary DeVito Zeming Lin Alban Desmaison Luca Antiga and Adam Lerer. 2017. Automatic differentiation in PyTorch. (2017). Adam Paszke Sam Gross Soumith Chintala Gregory Chanan Edward Yang Zachary DeVito Zeming Lin Alban Desmaison Luca Antiga and Adam Lerer. 2017. Automatic differentiation in PyTorch. (2017)."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206537"},{"key":"e_1_3_2_1_40_1","volume-title":"Reliable Machine Learning in the Wild Workshop, 34th International Conference on Machine Learning. http:\/\/arxiv.org\/abs\/1707","author":"Rauber Jonas","year":"2017","unstructured":"Jonas Rauber , Wieland Brendel , and Matthias Bethge . 2017 . Foolbox: A Python toolbox to benchmark the robustness of machine learning models . In Reliable Machine Learning in the Wild Workshop, 34th International Conference on Machine Learning. http:\/\/arxiv.org\/abs\/1707 .04131 Jonas Rauber, Wieland Brendel, and Matthias Bethge. 2017. Foolbox: A Python toolbox to benchmark the robustness of machine learning models. In Reliable Machine Learning in the Wild Workshop, 34th International Conference on Machine Learning. http:\/\/arxiv.org\/abs\/1707.04131"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.21105\/joss.02607"},{"key":"e_1_3_2_1_42_1","volume-title":"Fleet","author":"Sabour Sara","year":"2016","unstructured":"Sara Sabour , Yanshuai Cao , Fartash Faghri , and David J . Fleet . 2016 . Adversarial Manipulation of Deep Representations . arxiv: 1511.05122 [cs.CV] Sara Sabour, Yanshuai Cao, Fartash Faghri, and David J. Fleet. 2016. Adversarial Manipulation of Deep Representations. arxiv: 1511.05122 [cs.CV]"},{"key":"e_1_3_2_1_43_1","unstructured":"Karen Simonyan and Andrew Zisserman. 2015. Very Deep Convolutional Networks for Large-Scale Image Recognition. arxiv: 1409.1556 [cs.CV] Karen Simonyan and Andrew Zisserman. 2015. Very Deep Convolutional Networks for Large-Scale Image Recognition. arxiv: 1409.1556 [cs.CV]"},{"key":"e_1_3_2_1_44_1","unstructured":"Florian Tram\u00e8r Fan Zhang Ari Juels Michael K. Reiter and Thomas Ristenpart. 2016. Stealing Machine Learning Models via Prediction APIs. arxiv: 1609.02943 [cs.CR] Florian Tram\u00e8r Fan Zhang Ari Juels Michael K. Reiter and Thomas Ristenpart. 2016. Stealing Machine Learning Models via Prediction APIs. arxiv: 1609.02943 [cs.CR]"},{"key":"e_1_3_2_1_45_1","volume-title":"Data-Free Model Extraction. arxiv","author":"Truong Jean-Baptiste","year":"2011","unstructured":"Jean-Baptiste Truong , Pratyush Maini , Robert J. Walls , and Nicolas Papernot . 2021. Data-Free Model Extraction. arxiv : 2011 .14779 [cs.LG] Jean-Baptiste Truong, Pratyush Maini, Robert J. Walls, and Nicolas Papernot. 2021. Data-Free Model Extraction. arxiv: 2011.14779 [cs.LG]"},{"key":"e_1_3_2_1_46_1","volume-title":"Proceedings of the British Machine Vision Conference (BMVC), Edwin R. Hancock Richard C. Wilson and William A. P. Smith (Eds.). BMVA Press, Article 119","author":"Vassileios Balntas Daniel Ponsa","year":"2016","unstructured":"Daniel Ponsa Vassileios Balntas , Edgar Riba and Krystian Mikolajczyk . 2016 . Learning local feature descriptors with triplets and shallow convolutional neural networks . In Proceedings of the British Machine Vision Conference (BMVC), Edwin R. Hancock Richard C. Wilson and William A. P. Smith (Eds.). BMVA Press, Article 119 , 11 pages. https:\/\/doi.org\/10.5244\/C.30.119 10.5244\/C.30.119 Daniel Ponsa Vassileios Balntas, Edgar Riba and Krystian Mikolajczyk. 2016. Learning local feature descriptors with triplets and shallow convolutional neural networks. In Proceedings of the British Machine Vision Conference (BMVC), Edwin R. Hancock Richard C. Wilson and William A. P. Smith (Eds.). BMVA Press, Article 119, 11 pages. https:\/\/doi.org\/10.5244\/C.30.119"},{"key":"e_1_3_2_1_47_1","volume-title":"Technical Report CNS-TR-2011-001. California Institute of Technology.","author":"Wah C.","year":"2011","unstructured":"C. Wah , S. Branson , P. Welinder , P. Perona , and S. Belongie . 2011 . The Caltech-UCSD Birds-200-2011 Dataset . Technical Report CNS-TR-2011-001. California Institute of Technology. C. Wah, S. Branson, P. Welinder, P. Perona, and S. Belongie. 2011. The Caltech-UCSD Birds-200-2011 Dataset. Technical Report CNS-TR-2011-001. California Institute of Technology."},{"key":"e_1_3_2_1_48_1","first-page":"2003","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Yan Mengjia","year":"2020","unstructured":"Mengjia Yan , Christopher W. Fletcher , and Josep Torrellas . 2020 . Cache Telepathy: Leveraging Shared Resource Attacks to Learn DNN Architectures . In 29th USENIX Security Symposium (USENIX Security 20) . USENIX Association , 2003 - 2020 . https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/yan Mengjia Yan, Christopher W. Fletcher, and Josep Torrellas. 2020. Cache Telepathy: Leveraging Shared Resource Attacks to Learn DNN Architectures. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 2003-2020. https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/yan"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/2556609"},{"key":"e_1_3_2_1_50_1","volume-title":"CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples. Network and Distributed System Security Symposium. https:\/\/doi.org\/10","author":"Yu Honggang","year":"2020","unstructured":"Honggang Yu , Kaichen Yang , Teng Zhang , Yun-Yun Tsai , Tsung-Yi Ho , and Yier Jin . 2020 . CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples. Network and Distributed System Security Symposium. https:\/\/doi.org\/10 .14722\/ndss.2020.24178 10.14722\/ndss.2020.24178 Honggang Yu, Kaichen Yang, Teng Zhang, Yun-Yun Tsai, Tsung-Yi Ho, and Yier Jin. 2020. CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples. Network and Distributed System Security Symposium. https:\/\/doi.org\/10.14722\/ndss.2020.24178"}],"event":{"name":"CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security","location":"Virtual Event Republic of Korea","acronym":"CCS '21","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3474369.3486863","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3474369.3486863","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T19:30:26Z","timestamp":1750188626000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3474369.3486863"}},"subtitle":["Similarity Encoder by Adversarial Training for Detecting Model Extraction Attack Queries"],"short-title":[],"issued":{"date-parts":[[2021,11,15]]},"references-count":49,"alternative-id":["10.1145\/3474369.3486863","10.1145\/3474369"],"URL":"https:\/\/doi.org\/10.1145\/3474369.3486863","relation":{},"subject":[],"published":{"date-parts":[[2021,11,15]]},"assertion":[{"value":"2021-11-15","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}