{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,26]],"date-time":"2026-03-26T15:41:36Z","timestamp":1774539696576,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":68,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,11,15]],"date-time":"2021-11-15T00:00:00Z","timestamp":1636934400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"NSF (National Science Foundation)","doi-asserted-by":"publisher","award":["CNS-1949650"],"award-info":[{"award-number":["CNS-1949650"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,11,15]]},"DOI":"10.1145\/3474369.3486875","type":"proceedings-article","created":{"date-parts":[[2021,10,28]],"date-time":"2021-10-28T11:13:28Z","timestamp":1635419608000},"page":"97-109","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":30,"title":["Patch-based Defenses against Web Fingerprinting Attacks"],"prefix":"10.1145","author":[{"given":"Shawn","family":"Shan","sequence":"first","affiliation":[{"name":"University of Chicago, Chicago, IL, USA"}]},{"given":"Arjun Nitin","family":"Bhagoji","sequence":"additional","affiliation":[{"name":"University of Chicago, Chicago, IL, USA"}]},{"given":"Haitao","family":"Zheng","sequence":"additional","affiliation":[{"name":"University of Chicago, Chicago, IL, USA"}]},{"given":"Ben Y.","family":"Zhao","sequence":"additional","affiliation":[{"name":"University of Chicago, Chicago, IL, USA"}]}],"member":"320","published-online":{"date-parts":[[2021,11,15]]},"reference":[{"key":"e_1_3_2_1_1_1","first-page":"15","article-title":"Fingerprinting attack on Tor anonymity using deep learning","volume":"42","author":"Abe Kota","year":"2016","unstructured":"Kota Abe and Shigeki Goto . 2016 . Fingerprinting attack on Tor anonymity using deep learning . APAN 42 (2016), 15 -- 20 . Kota Abe and Shigeki Goto. 2016. Fingerprinting attack on Tor anonymity using deep learning. APAN 42 (2016), 15--20.","journal-title":"APAN"},{"key":"e_1_3_2_1_2_1","volume-title":"Proc. of CVPR. 3389--3398","author":"Akhtar Naveed","year":"2018","unstructured":"Naveed Akhtar , Jian Liu , and Ajmal Mian . 2018 . Defense against universal ad- versarial perturbations . In Proc. of CVPR. 3389--3398 . Naveed Akhtar, Jian Liu, and Ajmal Mian. 2018. Defense against universal ad- versarial perturbations. In Proc. of CVPR. 3389--3398."},{"key":"e_1_3_2_1_3_1","unstructured":"Alexa Top websites 2017. https:\/\/www.alexa.com.  Alexa Top websites 2017. https:\/\/www.alexa.com."},{"key":"e_1_3_2_1_4_1","volume-title":"Blind Backdoors in Deep Learning Models. arXiv preprint arXiv:2005.03823","author":"Bagdasaryan Eugene","year":"2020","unstructured":"Eugene Bagdasaryan and Vitaly Shmatikov . 2020. Blind Backdoors in Deep Learning Models. arXiv preprint arXiv:2005.03823 ( 2020 ). Eugene Bagdasaryan and Vitaly Shmatikov. 2020. Blind Backdoors in Deep Learning Models. arXiv preprint arXiv:2005.03823 (2020)."},{"key":"e_1_3_2_1_5_1","volume-title":"Proc. of NeurIPS. 7498--7510","author":"Bhagoji Arjun Nitin","year":"2019","unstructured":"Arjun Nitin Bhagoji , Daniel Cullina , and Prateek Mittal . 2019 . Lower bounds on adversarial robustness from optimal transport . In Proc. of NeurIPS. 7498--7510 . Arjun Nitin Bhagoji, Daniel Cullina, and Prateek Mittal. 2019. Lower bounds on adversarial robustness from optimal transport. In Proc. of NeurIPS. 7498--7510."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2019-0070"},{"key":"e_1_3_2_1_7_1","volume-title":"Adversarial patch. arXiv preprint arXiv:1712.09665","author":"Brown Tom B","year":"2017","unstructured":"Tom B Brown , Dandelion Man\u00e9 , Aurko Roy , Mart\u00edn Abadi , and Justin Gilmer . 2017. Adversarial patch. arXiv preprint arXiv:1712.09665 ( 2017 ). Tom B Brown, Dandelion Man\u00e9, Aurko Roy, Mart\u00edn Abadi, and Justin Gilmer. 2017. Adversarial patch. arXiv preprint arXiv:1712.09665 (2017)."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2665943.2665949"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660362"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382260"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140444"},{"key":"e_1_3_2_1_12_1","volume-title":"Proc. of AI- STAT. PMLR","author":"Charles Zachary","year":"2019","unstructured":"Zachary Charles , Harrison Rosenberg , and Dimitris Papailiopoulos . 2019 . A geo- metric perspective on the transferability of adversarial directions . In Proc. of AI- STAT. PMLR , 1960--1968. Zachary Charles, Harrison Rosenberg, and Dimitris Papailiopoulos. 2019. A geo- metric perspective on the transferability of adversarial directions. In Proc. of AI- STAT. PMLR, 1960--1968."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1515\/popets-2017-0046"},{"key":"e_1_3_2_1_14_1","volume-title":"Certified defenses for adversarial patches. arXiv preprint arXiv:2003.06693","author":"Ni Renkun","year":"2020","unstructured":"Ping-yeh Chiang, Renkun Ni , Ahmed Abdelkader , Chen Zhu , Christoph Studor , and Tom Goldstein . 2020. Certified defenses for adversarial patches. arXiv preprint arXiv:2003.06693 ( 2020 ). Ping-yeh Chiang, Renkun Ni, Ahmed Abdelkader, Chen Zhu, Christoph Studor, and Tom Goldstein. 2020. Certified defenses for adversarial patches. arXiv preprint arXiv:2003.06693 (2020)."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423351"},{"key":"e_1_3_2_1_16_1","volume-title":"Proc. of USENIX Security. 321--338","author":"Demontis Ambra","year":"2019","unstructured":"Ambra Demontis , Marco Melis , Maura Pintor , Matthew Jagielski , Battista Biggio , Alina Oprea , Cristina Nita-Rotaru , and Fabio Roli . 2019 . Why do adversarial attacks transfer? explaining transferability of evasion and poisoning attacks . In Proc. of USENIX Security. 321--338 . Ambra Demontis, Marco Melis, Maura Pintor, Matthew Jagielski, Battista Biggio, Alina Oprea, Cristina Nita-Rotaru, and Fabio Roli. 2019. Why do adversarial attacks transfer? explaining transferability of evasion and poisoning attacks. In Proc. of USENIX Security. 321--338."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.28"},{"key":"e_1_3_2_1_18_1","volume-title":"Detecting adversarial samples from artifacts. arXiv:1703.00410","author":"Feinman Reuben","year":"2017","unstructured":"Reuben Feinman , Ryan R Curtin , Saurabh Shintre , and Andrew B Gardner . 2017. Detecting adversarial samples from artifacts. arXiv:1703.00410 ( 2017 ). Reuben Feinman, Ryan R Curtin, Saurabh Shintre, and Andrew B Gardner. 2017. Detecting adversarial samples from artifacts. arXiv:1703.00410 (2017)."},{"key":"e_1_3_2_1_19_1","volume-title":"Proc. of USENIX Security. 717--734","author":"Gong Jiajun","year":"2020","unstructured":"Jiajun Gong and Tao Wang . 2020 . Zero-delay Lightweight Defenses against Web-site Fingerprinting . In Proc. of USENIX Security. 717--734 . Jiajun Gong and Tao Wang. 2020. Zero-delay Lightweight Defenses against Web-site Fingerprinting. In Proc. of USENIX Security. 717--734."},{"key":"e_1_3_2_1_20_1","volume-title":"Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572","author":"Goodfellow Ian J","year":"2014","unstructured":"Ian J Goodfellow , Jonathon Shlens , and Christian Szegedy . 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 ( 2014 ). Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014)."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW.2018.00210"},{"key":"e_1_3_2_1_22_1","volume-title":"Proc. of USENIX Security. 1187--1203","author":"Hayes Jamie","year":"2016","unstructured":"Jamie Hayes and George Danezis . 2016 . k-fingerprinting: A robust scalable web- site fingerprinting technique . In Proc. of USENIX Security. 1187--1203 . Jamie Hayes and George Danezis. 2016. k-fingerprinting: A robust scalable web- site fingerprinting technique. In Proc. of USENIX Security. 1187--1203."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2020-0019"},{"key":"e_1_3_2_1_24_1","volume-title":"Proc. of CCSW. 31--42","author":"Herrmann Dominik","year":"2009","unstructured":"Dominik Herrmann , Rolf Wendolsky , and Hannes Federrath . 2009 . Website fin- gerprinting: attacking popular privacy enhancing technologies with the multinomial na\u00efve-bayes classifier . In Proc. of CCSW. 31--42 . Dominik Herrmann, Rolf Wendolsky, and Hannes Federrath. 2009. Website fin- gerprinting: attacking popular privacy enhancing technologies with the multinomial na\u00efve-bayes classifier. In Proc. of CCSW. 31--42."},{"key":"e_1_3_2_1_25_1","volume-title":"RegulaTOR: A Powerful Website Fingerprinting Defense. arXiv preprint arXiv:2012.06609","author":"Holland James K","year":"2020","unstructured":"James K Holland and Nicholas Hopper . 2020. RegulaTOR: A Powerful Website Fingerprinting Defense. arXiv preprint arXiv:2012.06609 ( 2020 ). James K Holland and Nicholas Hopper. 2020. RegulaTOR: A Powerful Website Fingerprinting Defense. arXiv preprint arXiv:2012.06609 (2020)."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISCC50000.2020.9219593"},{"key":"e_1_3_2_1_27_1","volume-title":"Proc. of NeurIPS.","author":"Ilyas A.","unstructured":"A. Ilyas , S. Santurkar , D. Tsipras , L. Engstrom , B. Tran , and A. Madry . 2019. Ad- versarial examples are not bugs, they are features . In Proc. of NeurIPS. A. Ilyas, S. Santurkar, D. Tsipras, L. Engstrom, B. Tran, and A. Madry. 2019. Ad- versarial examples are not bugs, they are features. In Proc. of NeurIPS."},{"key":"e_1_3_2_1_28_1","volume-title":"Proc","author":"Juarez Marc","unstructured":"Marc Juarez , Mohsen Imani , Mike Perry , Claudia Diaz , and Matthew Wright . 2016. Toward an efficient website fingerprinting defense . In Proc . of ESORICS. Springer , 27--46. Marc Juarez, Mohsen Imani, Mike Perry, Claudia Diaz, and Matthew Wright. 2016. Toward an efficient website fingerprinting defense. In Proc. of ESORICS. Springer, 27--46."},{"key":"e_1_3_2_1_29_1","volume-title":"Proc. of ICML. PMLR, 2507--2515","author":"Karmon Danny","year":"2018","unstructured":"Danny Karmon , Daniel Zoran , and Yoav Goldberg . 2018 . Lavan: Localized and visible adversarial noise . In Proc. of ICML. PMLR, 2507--2515 . Danny Karmon, Daniel Zoran, and Yoav Goldberg. 2018. Lavan: Localized and visible adversarial noise. In Proc. of ICML. PMLR, 2507--2515."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.23919\/EUSIPCO.2018.8553214"},{"key":"e_1_3_2_1_31_1","volume-title":"A first course in combinatorial optimization","author":"Lee Jon","unstructured":"Jon Lee . 2004. A first course in combinatorial optimization . Vol. 36 . Cambridge University Press . Jon Lee. 2004. A first course in combinatorial optimization. Vol. 36. Cambridge University Press."},{"key":"e_1_3_2_1_32_1","volume-title":"Towards Understanding Fast Adversarial Training. arXiv preprint arXiv:2006.03089","author":"Li Bai","year":"2020","unstructured":"Bai Li , Shiqi Wang , Suman Jana , and Lawrence Carin . 2020. Towards Understanding Fast Adversarial Training. arXiv preprint arXiv:2006.03089 ( 2020 ). Bai Li, Shiqi Wang, Suman Jana, and Lawrence Carin. 2020. Towards Understanding Fast Adversarial Training. arXiv preprint arXiv:2006.03089 (2020)."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/1180405.1180437"},{"key":"e_1_3_2_1_34_1","volume-title":"Proc","author":"Lu Liming","unstructured":"Liming Lu , Ee-Chien Chang , and Mun Choon Chan . 2010. Website fingerprinting and identification using ordered feature sequences . In Proc . of ESORICS. Springer , 199--214. Liming Lu, Ee-Chien Chang, and Mun Choon Chan. 2010. Website fingerprinting and identification using ordered feature sequences. In Proc. of ESORICS. Springer, 199--214."},{"key":"e_1_3_2_1_35_1","volume-title":"Proc. of ICLR.","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry , Aleksandar Makelov , Ludwig Schmidt , Dimitris Tsipras , and Adrian Vladu . 2018 . Towards deep learning models resistant to adversarial attacks . In Proc. of ICLR. Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards deep learning models resistant to adversarial attacks. In Proc. of ICLR."},{"key":"e_1_3_2_1_36_1","volume-title":"Jason Xinyu Liu, and David Wagner","author":"McCoyd Michael","year":"2020","unstructured":"Michael McCoyd , Won Park , Steven Chen , Neil Shah , Ryan Roggenkemper , Min-june Hwang , Jason Xinyu Liu, and David Wagner . 2020 . Minority Reports Defense: Defending Against Adversarial Patches . arXiv preprint arXiv:2004.13799 (2020). Michael McCoyd, Won Park, Steven Chen, Neil Shah, Ryan Roggenkemper, Min-june Hwang, Jason Xinyu Liu, and David Wagner. 2020. Minority Reports Defense: Defending Against Adversarial Patches. arXiv preprint arXiv:2004.13799 (2020)."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.17"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/WACV.2019.00143"},{"key":"e_1_3_2_1_39_1","volume-title":"Proc. of USENIX Security.","author":"Nasr Milad","year":"2021","unstructured":"Milad Nasr , Alireza Bahramali , and Amir Houmansadr . 2021 . Defeating DNN- Based Traffic Analysis Systems in Real-Time With Blind Adversarial Perturbations . In Proc. of USENIX Security. Milad Nasr, Alireza Bahramali, and Amir Houmansadr. 2021. Defeating DNN- Based Traffic Analysis Systems in Real-Time With Blind Adversarial Perturbations. In Proc. of USENIX Security."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2665943.2665950"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2009.191"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23477"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046556.2046570"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/MILCOM.2016.7795300"},{"key":"e_1_3_2_1_45_1","unstructured":"Mike Perry. 2015. Tor Protocol Specification Proposal. https:\/\/gitweb.torproject.org\/torspec.git\/tree\/proposals\/254-padding-negotiation.txt.  Mike Perry. 2015. Tor Protocol Specification Proposal. https:\/\/gitweb.torproject.org\/torspec.git\/tree\/proposals\/254-padding-negotiation.txt."},{"key":"e_1_3_2_1_46_1","volume-title":"Measuring the transferability of adversarial examples. arXiv preprint arXiv:1907.06291","author":"Petrov Deyan","year":"2019","unstructured":"Deyan Petrov and Timothy M Hospedales . 2019. Measuring the transferability of adversarial examples. arXiv preprint arXiv:1907.06291 ( 2019 ). Deyan Petrov and Timothy M Hospedales. 2019. Measuring the transferability of adversarial examples. arXiv preprint arXiv:1907.06291 (2019)."},{"key":"e_1_3_2_1_47_1","volume-title":"Proc. of ICML. 7814--7823","author":"Pydi Muni Sreenivas","year":"2020","unstructured":"Muni Sreenivas Pydi and Varun Jog . 2020 . Adversarial Risk via Optimal Transport and Optimal Couplings . In Proc. of ICML. 7814--7823 . Muni Sreenivas Pydi and Varun Jog. 2020. Adversarial Risk via Optimal Transport and Optimal Couplings. In Proc. of ICML. 7814--7823."},{"key":"e_1_3_2_1_48_1","volume-title":"Mockingbird: Defending against deep-learning-based website fin- gerprinting attacks with adversarial traces. TIFS","author":"Rahman Mohammad Saidur","year":"2020","unstructured":"Mohammad Saidur Rahman , Mohsen Imani , Nate Mathews , and Matthew Wright . 2020 . Mockingbird: Defending against deep-learning-based website fin- gerprinting attacks with adversarial traces. TIFS (2020), 1594--1609. Mohammad Saidur Rahman, Mohsen Imani, Nate Mathews, and Matthew Wright. 2020. Mockingbird: Defending against deep-learning-based website fin- gerprinting attacks with adversarial traces. TIFS (2020), 1594--1609."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2020-0043"},{"key":"e_1_3_2_1_50_1","volume-title":"Adversarial training against location-optimized adversarial patches. arXiv preprint arXiv:2005.02313","author":"Rao Sukrut","year":"2020","unstructured":"Sukrut Rao , David Stutz , and Bernt Schiele . 2020. Adversarial training against location-optimized adversarial patches. arXiv preprint arXiv:2005.02313 ( 2020 ). Sukrut Rao, David Stutz, and Bernt Schiele. 2020. Adversarial training against location-optimized adversarial patches. arXiv preprint arXiv:2005.02313 (2020)."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/P19-1103"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23105"},{"key":"e_1_3_2_1_53_1","unstructured":"Ali Shafahi W Ronny Huang Christoph Studer Soheil Feizi and Tom Goldstein. 2019. Are adversarial examples inevitable?. In ICLR.  Ali Shafahi W Ronny Huang Christoph Studer Soheil Feizi and Tom Goldstein. 2019. Are adversarial examples inevitable?. In ICLR."},{"key":"e_1_3_2_1_54_1","volume-title":"Understanding machine learning: From theory to algorithms","author":"Shalev-Shwartz Shai","unstructured":"Shai Shalev-Shwartz and Shai Ben-David . 2014. Understanding machine learning: From theory to algorithms . Cambridge university press . Shai Shalev-Shwartz and Shai Ben-David. 2014. Understanding machine learning: From theory to algorithms. Cambridge university press."},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243768"},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354217"},{"key":"e_1_3_2_1_57_1","volume-title":"Proc. of WOOT.","author":"Song Dawn","year":"2018","unstructured":"Dawn Song , Kevin Eykholt , Ivan Evtimov , Earlence Fernandes , Bo Li , Amir Rah- mati, Florian Tramer , Atul Prakash , and Tadayoshi Kohno . 2018 . Physical adversarial examples for object detectors . In Proc. of WOOT. Dawn Song, Kevin Eykholt, Ivan Evtimov, Earlence Fernandes, Bo Li, Amir Rah- mati, Florian Tramer, Atul Prakash, and Tadayoshi Kohno. 2018. Physical adversarial examples for object detectors. In Proc. of WOOT."},{"key":"e_1_3_2_1_58_1","volume-title":"Proc. of USENIX Security.","author":"Suciu Octavian","year":"2018","unstructured":"Octavian Suciu , Radu Mrginean , Yitcan Kaya , Hal Daum\u00e9 III, and Tudor Dumitra?. 2018 . When Does Machine Learning FAIL? Generalized Transferability for Evasion and Poisoning Attacks . In Proc. of USENIX Security. Octavian Suciu, Radu Mrginean, Yitcan Kaya, Hal Daum\u00e9 III, and Tudor Dumitra?. 2018. When Does Machine Learning FAIL? Generalized Transferability for Evasion and Poisoning Attacks. In Proc. of USENIX Security."},{"key":"e_1_3_2_1_59_1","volume-title":"Proc. of IEEE S&P. IEEE, 19--30","author":"Sun Qixiang","year":"2002","unstructured":"Qixiang Sun , Daniel R Simon , Yi-Min Wang , Wilf Russell , Venkata N Padmanabhan , and Lili Qiu . 2002 . Statistical identification of encrypted web browsing traffic . In Proc. of IEEE S&P. IEEE, 19--30 . Qixiang Sun, Daniel R Simon, Yi-Min Wang, Wilf Russell, Venkata N Padmanabhan, and Lili Qiu. 2002. Statistical identification of encrypted web browsing traffic. In Proc. of IEEE S&P. IEEE, 19--30."},{"key":"e_1_3_2_1_60_1","volume-title":"Proc. of NeurIPS. 5866--5876","author":"Tramer Florian","year":"2019","unstructured":"Florian Tramer and Dan Boneh . 2019 . Adversarial training and robustness for multiple perturbations . In Proc. of NeurIPS. 5866--5876 . Florian Tramer and Dan Boneh. 2019. Adversarial training and robustness for multiple perturbations. In Proc. of NeurIPS. 5866--5876."},{"key":"e_1_3_2_1_61_1","volume-title":"Universal adversarial triggers for attacking and analyzing NLP. arXiv preprint arXiv:1908.07125","author":"Wallace Eric","year":"2019","unstructured":"Eric Wallace , Shi Feng , Nikhil Kandpal , Matt Gardner , and Sameer Singh . 2019. Universal adversarial triggers for attacking and analyzing NLP. arXiv preprint arXiv:1908.07125 ( 2019 ). Eric Wallace, Shi Feng, Nikhil Kandpal, Matt Gardner, and Sameer Singh. 2019. Universal adversarial triggers for attacking and analyzing NLP. arXiv preprint arXiv:1908.07125 (2019)."},{"key":"e_1_3_2_1_62_1","volume-title":"Proc. of USENIX Security. 143--157","author":"Wang Tao","year":"2014","unstructured":"Tao Wang , Xiang Cai , Rishab Nithyanand , Rob Johnson , and Ian Goldberg . 2014 . Effective attacks and provable defenses for website fingerprinting . In Proc. of USENIX Security. 143--157 . Tao Wang, Xiang Cai, Rishab Nithyanand, Rob Johnson, and Ian Goldberg. 2014. Effective attacks and provable defenses for website fingerprinting. In Proc. of USENIX Security. 143--157."},{"key":"e_1_3_2_1_63_1","volume-title":"Proc. of USENIX Security. 1375--1390","author":"Wang Tao","year":"2017","unstructured":"Tao Wang and Ian Goldberg . 2017 . Walkie-talkie: An efficient defense against passive website fingerprinting attacks . In Proc. of USENIX Security. 1375--1390 . Tao Wang and Ian Goldberg. 2017. Walkie-talkie: An efficient defense against passive website fingerprinting attacks. In Proc. of USENIX Security. 1375--1390."},{"key":"e_1_3_2_1_64_1","volume-title":"Natural language adversarial attacks and defenses in word level. arXiv preprint arXiv:1909.06723","author":"Wang Xiaosen","year":"2019","unstructured":"Xiaosen Wang , Hao Jin , and Kun He. 2019. Natural language adversarial attacks and defenses in word level. arXiv preprint arXiv:1909.06723 ( 2019 ). Xiaosen Wang, Hao Jin, and Kun He. 2019. Natural language adversarial attacks and defenses in word level. arXiv preprint arXiv:1909.06723 (2019)."},{"key":"e_1_3_2_1_65_1","volume-title":"Proc. of ICLR.","author":"Wong Eric","year":"2020","unstructured":"Eric Wong , Leslie Rice , and J Zico Kolter . 2020 . Fast is better than free: Revisiting adversarial training . In Proc. of ICLR. Eric Wong, Leslie Rice, and J Zico Kolter. 2020. Fast is better than free: Revisiting adversarial training. In Proc. of ICLR."},{"key":"e_1_3_2_1_66_1","volume-title":"Making an invisibility cloak: Real world adversarial attacks on object detectors. arXiv preprint arXiv:1910.14667","author":"Wu Zuxuan","year":"2019","unstructured":"Zuxuan Wu , Ser-Nam Lim , Larry Davis , and Tom Goldstein . 2019. Making an invisibility cloak: Real world adversarial attacks on object detectors. arXiv preprint arXiv:1910.14667 ( 2019 ). Zuxuan Wu, Ser-Nam Lim, Larry Davis, and Tom Goldstein. 2019. Making an invisibility cloak: Real world adversarial attacks on object detectors. arXiv preprint arXiv:1910.14667 (2019)."},{"key":"e_1_3_2_1_67_1","volume-title":"Vikash Sehwag, and Prateek Mittal.","author":"Xiang Chong","year":"2020","unstructured":"Chong Xiang , Arjun Nitin Bhagoji , Vikash Sehwag, and Prateek Mittal. 2020 . PatchGuard: Provable Defense against Adversarial Patches Using Masks on Small Receptive Fields . arXiv preprint arXiv:2005.10884 (2020). Chong Xiang, Arjun Nitin Bhagoji, Vikash Sehwag, and Prateek Mittal. 2020. PatchGuard: Provable Defense against Adversarial Patches Using Masks on Small Receptive Fields. arXiv preprint arXiv:2005.10884 (2020)."},{"key":"e_1_3_2_1_68_1","volume-title":"Proc. of NeurIPS.","author":"Yosinski Jason","year":"2014","unstructured":"Jason Yosinski , Jeff Clune , Yoshua Bengio , and Hod Lipson . 2014 . How transfer- able are features in deep neural networks? . In Proc. of NeurIPS. Jason Yosinski, Jeff Clune, Yoshua Bengio, and Hod Lipson. 2014. How transfer- able are features in deep neural networks?. In Proc. of NeurIPS."}],"event":{"name":"CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security","location":"Virtual Event Republic of Korea","acronym":"CCS '21","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3474369.3486875","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/abs\/10.1145\/3474369.3486875","content-type":"text\/html","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3474369.3486875","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3474369.3486875","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T19:30:26Z","timestamp":1750188626000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3474369.3486875"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,15]]},"references-count":68,"alternative-id":["10.1145\/3474369.3486875","10.1145\/3474369"],"URL":"https:\/\/doi.org\/10.1145\/3474369.3486875","relation":{},"subject":[],"published":{"date-parts":[[2021,11,15]]},"assertion":[{"value":"2021-11-15","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}