{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T00:08:40Z","timestamp":1755907720256,"version":"3.44.0"},"publisher-location":"New York, NY, USA","reference-count":63,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,12,6]],"date-time":"2022-12-06T00:00:00Z","timestamp":1670284800000},"content-version":"vor","delay-in-days":365,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100011039","name":"Intelligence Advanced Research Projects Activity","doi-asserted-by":"publisher","award":["W911NF20C0038"],"award-info":[{"award-number":["W911NF20C0038"]}],"id":[{"id":"10.13039\/100011039","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,12,6]]},"DOI":"10.1145\/3485832.3485908","type":"proceedings-article","created":{"date-parts":[[2021,12,6]],"date-time":"2021-12-06T13:42:32Z","timestamp":1638798152000},"page":"570-585","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["MISA: Online Defense of Trojaned Models using Misattributions"],"prefix":"10.1145","author":[{"given":"Panagiota","family":"Kiourti","sequence":"first","affiliation":[{"name":"Boston University, United States of America"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Wenchao","family":"Li","sequence":"additional","affiliation":[{"name":"Boston University, United States of America"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Anirban","family":"Roy","sequence":"additional","affiliation":[{"name":"SRI International, United States of America"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Karan","family":"Sikka","sequence":"additional","affiliation":[{"name":"SRI International, United States of America"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Susmit","family":"Jha","sequence":"additional","affiliation":[{"name":"SRI International, United States of America"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2021,12,6]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102277"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1371\/journal.pone.0130140"},{"key":"e_1_3_2_1_3_1","unstructured":"Eugene Bagdasaryan and Vitaly Shmatikov. 2020. Blind backdoors in deep learning models. arXiv preprint arXiv:2005.03823(2020)."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.354"},{"key":"e_1_3_2_1_5_1","volume-title":"International Conference on Machine Learning. PMLR, 531\u2013540","author":"Belghazi Mohamed\u00a0Ishmael","year":"2018","unstructured":"Mohamed\u00a0Ishmael Belghazi, Aristide Baratin, Sai Rajeshwar, Sherjil Ozair, Yoshua Bengio, Aaron Courville, and Devon Hjelm. 2018. Mutual information neural estimation. In International Conference on Machine Learning. PMLR, 531\u2013540."},{"key":"e_1_3_2_1_6_1","unstructured":"Mariusz Bojarski Davide Del\u00a0Testa Daniel Dworakowski Bernhard Firner Beat Flepp Prasoon Goyal Lawrence\u00a0D Jackel Mathew Monfort Urs Muller Jiakai Zhang 2016. End to end learning for self-driving cars. arXiv preprint arXiv:1604.07316(2016)."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP39728.2021.9414862"},{"key":"e_1_3_2_1_8_1","unstructured":"Bryant Chen Wilka Carvalho Nathalie Baracaldo Heiko Ludwig Benjamin Edwards Taesung Lee Ian Molloy and Biplav Srivastava. 2018. Detecting backdoor attacks on deep neural networks by activation clustering. arXiv preprint arXiv:1811.03728(2018)."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"crossref","unstructured":"Huili Chen Cheng Fu Jishen Zhao and Farinaz Koushanfar. 2019. DeepInspect: A Black-box Trojan Detection and Mitigation Framework for Deep Neural Networks.. In International joint conferences on artificial intelligence. 4658\u20134664.","DOI":"10.24963\/ijcai.2019\/647"},{"key":"e_1_3_2_1_10_1","unstructured":"Xinyun Chen Chang Liu Bo Li Kimberly Lu and Dawn Song. 2017. Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526(2017)."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW50608.2020.00025"},{"key":"e_1_3_2_1_12_1","volume-title":"Februus: Input purification defense against trojan attacks on deep neural network systems. In arXiv","author":"Doan B\u00a0Gia","year":"2019","unstructured":"B\u00a0Gia Doan, Ehsan Abbasnejad, and Damith\u00a0C Ranasinghe. 2019. Februus: Input purification defense against trojan attacks on deep neural network systems. In arXiv: 1908.03369. arXiv."},{"key":"e_1_3_2_1_13_1","volume-title":"Strip: A defence against trojan attacks on deep neural networks. In Computer security applications conference. 113\u2013125.","author":"Gao Yansong","year":"2019","unstructured":"Yansong Gao, Change Xu, Derui Wang, Shiping Chen, Damith\u00a0C Ranasinghe, and Surya Nepal. 2019. Strip: A defence against trojan attacks on deep neural networks. In Computer security applications conference. 113\u2013125."},{"key":"e_1_3_2_1_14_1","unstructured":"Timur Garipov Pavel Izmailov Dmitrii Podoprikhin Dmitry\u00a0P Vetrov and Andrew\u00a0G Wilson. 2018. Loss surfaces mode connectivity and fast ensembling of dnns. In Neural information processing systems. 8789\u20138798."},{"key":"e_1_3_2_1_15_1","unstructured":"Ian J et\u00a0al. Goodfellow. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572(2014)."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2909068"},{"key":"e_1_3_2_1_17_1","volume-title":"TABOR: A Highly Accurate Approach to Inspecting and Restoring Trojan Backdoors in AI Systems. ICDM","author":"Guo Wenbo","year":"2020","unstructured":"Wenbo Guo, Lun Wang, Xinyu Xing, Min Du, and Dawn Song. 2020. TABOR: A Highly Accurate Approach to Inspecting and Restoring Trojan Backdoors in AI Systems. ICDM (2020). arXiv:1908.01763"},{"key":"e_1_3_2_1_18_1","volume-title":"SPECTRE: Defending Against Backdoor Attacks Using Robust Statistics. arXiv preprint arXiv:2104.11315(2021).","author":"Hayase Jonathan","year":"2021","unstructured":"Jonathan Hayase, Weihao Kong, Raghav Somani, and Sewoong Oh. 2021. SPECTRE: Defending Against Backdoor Attacks Using Robust Statistics. arXiv preprint arXiv:2104.11315(2021)."},{"key":"e_1_3_2_1_19_1","volume-title":"Neuroninspect: Detecting backdoors in neural networks via output explanations. arXiv preprint arXiv:1911.07399(2019).","author":"Huang Xijie","year":"2019","unstructured":"Xijie Huang, Moustafa Alzantot, and Mani Srivastava. 2019. Neuroninspect: Detecting backdoors in neural networks via output explanations. arXiv preprint arXiv:1911.07399(2019)."},{"key":"e_1_3_2_1_20_1","volume-title":"TOP: Backdoor Detection in Neural Networks via Transferability of Perturbation. arXiv preprint arXiv:2103.10274(2021).","author":"Huster Todd","year":"2021","unstructured":"Todd Huster and Emmanuel Ekwedike. 2021. TOP: Backdoor Detection in Neural Networks via Transferability of Perturbation. arXiv preprint arXiv:2103.10274(2021)."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/3400302.3415671"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00505"},{"key":"e_1_3_2_1_23_1","unstructured":"Kiran Karra Chace Ashcraft and Neil Fendley. 2020. The TrojAI Software Framework: An OpenSource tool for Embedding Trojans into Deep Learning Models. arXiv preprint arXiv:2003.07233(2020)."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/DAC18072.2020.9218663"},{"key":"e_1_3_2_1_25_1","volume-title":"Universal Litmus Patterns: Revealing Backdoor Attacks in CNNs. In Conference on computer vision and pattern recognition. 301\u2013310","author":"Kolouri Soheil","year":"2020","unstructured":"Soheil Kolouri, Aniruddha Saha, Hamed Pirsiavash, and Heiko Hoffmann. 2020. Universal Litmus Patterns: Revealing Backdoor Attacks in CNNs. In Conference on computer vision and pattern recognition. 301\u2013310."},{"key":"e_1_3_2_1_26_1","unstructured":"Alex Krizhevsky Ilya Sutskever and Geoffrey\u00a0E Hinton. 2012. Imagenet classification with deep convolutional neural networks. In Advances in neural information processing systems. 1097\u20131105."},{"key":"e_1_3_2_1_27_1","volume-title":"Jiahao Yu, Minhui Xue, Dali Kaafar, and Haojin Zhu.","author":"Li Shaofeng","year":"2019","unstructured":"Shaofeng Li, Benjamin Zi\u00a0Hao Zhao, Jiahao Yu, Minhui Xue, Dali Kaafar, and Haojin Zhu. 2019. Invisible backdoor attacks against deep neural networks. arXiv preprint arXiv:1909.02742(2019)."},{"key":"e_1_3_2_1_28_1","unstructured":"Yige Li Xixiang Lyu Nodens Koren Lingjuan Lyu Bo Li and Xingjun Ma. 2021. Neural attention distillation: Erasing backdoor triggers from deep neural networks. arXiv preprint arXiv:2101.05930(2021)."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_13"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363216"},{"key":"e_1_3_2_1_31_1","volume-title":"Trojaning Attack on Neural Networks. In 25nd Annual Network and Distributed System Security Symposium, NDSS 2018","author":"Liu Yingqi","year":"2018","unstructured":"Yingqi Liu, Shiqing Ma, Yousra Aafer, Wen-Chuan Lee, Juan Zhai, Weihang Wang, and Xiangyu Zhang. 2018. Trojaning Attack on Neural Networks. In 25nd Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 18-221, 2018. The Internet Society."},{"key":"e_1_3_2_1_32_1","unstructured":"Yunfei Liu Xingjun Ma James Bailey and Feng Lu. 2020. Reflection backdoor: A natural backdoor attack on deep neural networks. arXiv preprint arXiv:2007.02343(2020)."},{"key":"e_1_3_2_1_33_1","first-page":"I","article-title":"A Unified Approach to Interpreting Model Predictions","volume":"30","author":"Lundberg M","year":"2017","unstructured":"Scott\u00a0M Lundberg and Su-In Lee. 2017. A Unified Approach to Interpreting Model Predictions. In Advances in Neural Information Processing Systems 30, I.\u00a0Guyon, U.\u00a0V. Luxburg, S.\u00a0Bengio, H.\u00a0Wallach, R.\u00a0Fergus, S.\u00a0Vishwanathan, and R.\u00a0Garnett(Eds.). Curran Associates, Inc., 4765\u20134774.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_34_1","unstructured":"Shervin Minaee Amirali Abdolrashidi Hang Su Mohammed Bennamoun and David Zhang. 2019. Biometric recognition using deep learning: A survey. arXiv preprint arXiv:1912.00271(2019)."},{"key":"e_1_3_2_1_35_1","unstructured":"Woo-Jeoung Nam Shir Gur Jaesik Choi Lior Wolf and Seong-Whan Lee. 2019. Relative Attributing Propagation: Interpreting the Comparative Contributions of Individual Units in Deep Neural Networks. arXiv preprint arXiv:1904.00605(2019)."},{"key":"e_1_3_2_1_36_1","volume-title":"TROJANZOO: Everything you ever wanted to know about neural backdoors (but were afraid to ask). arXiv preprint arXiv:2012.09302(2020).","author":"Pang Ren","year":"2020","unstructured":"Ren Pang, Zheng Zhang, Xiangshan Gao, Zhaohan Xi, Shouling Ji, Peng Cheng, and Ting Wang. 2020. TROJANZOO: Everything you ever wanted to know about neural backdoors (but were afraid to ask). arXiv preprint arXiv:2012.09302(2020)."},{"volume-title":"Advances in Neural Information Processing Systems, H.\u00a0Wallach, H.\u00a0Larochelle, A.\u00a0Beygelzimer, F.\u00a0d'Alch\u00e9-Buc, E.\u00a0Fox, and R.\u00a0Garnett (Eds.), Vol.\u00a032. Curran Associates","author":"Qiao Ximing","key":"e_1_3_2_1_37_1","unstructured":"Ximing Qiao, Yukun Yang, and Hai Li. 2019. Defending Neural Backdoors via Generative Distribution Modeling. In Advances in Neural Information Processing Systems, H.\u00a0Wallach, H.\u00a0Larochelle, A.\u00a0Beygelzimer, F.\u00a0d'Alch\u00e9-Buc, E.\u00a0Fox, and R.\u00a0Garnett (Eds.), Vol.\u00a032. Curran Associates, Inc., 14004\u201314013."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453108"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i07.6871"},{"key":"e_1_3_2_1_40_1","unstructured":"Ahmed Salem Rui Wen Michael Backes Shiqing Ma and Yang Zhang. 2020. Dynamic backdoor attacks against machine learning models. arXiv preprint arXiv:2003.03675(2020)."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7298682"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.74"},{"key":"e_1_3_2_1_43_1","unstructured":"Guangyu Shen Yingqi Liu Guanhong Tao Shengwei An Qiuling Xu Siyuan Cheng Shiqing Ma and Xiangyu Zhang. 2021. Backdoor Scanning for Deep Neural Networks through K-Arm Optimization. arXiv preprint arXiv:2102.05123(2021)."},{"key":"e_1_3_2_1_44_1","volume-title":"International Conference on Machine Learning. PMLR, 3145\u20133153","author":"Shrikumar Avanti","year":"2017","unstructured":"Avanti Shrikumar, Peyton Greenside, and Anshul Kundaje. 2017. Learning important features through propagating activation differences. In International Conference on Machine Learning. PMLR, 3145\u20133153."},{"key":"e_1_3_2_1_45_1","volume-title":"Julian Schrittwieser, Ioannis Antonoglou","author":"Silver David","year":"2016","unstructured":"David Silver, Aja Huang, Chris\u00a0J Maddison, Arthur Guez, Laurent Sifre, George Van Den\u00a0Driessche, Julian Schrittwieser, Ioannis Antonoglou, Veda Panneershelvam, Marc Lanctot, 2016. Mastering the game of Go with deep neural networks and tree search. nature 529, 7587 (2016), 484."},{"key":"e_1_3_2_1_46_1","unstructured":"Jost\u00a0Tobias Springenberg Alexey Dosovitskiy Thomas Brox and Martin Riedmiller. 2014. Striving for simplicity: The all convolutional net. arXiv preprint arXiv:1412.6806(2014)."},{"key":"e_1_3_2_1_47_1","unstructured":"Mukund Sundararajan Ankur Taly and Qiqi Yan. 2017. Axiomatic attribution for deep networks. arXiv preprint arXiv:1703.01365(2017)."},{"key":"e_1_3_2_1_48_1","volume-title":"International Conference on Learning Representations.","author":"Szegedy Christian","year":"2014","unstructured":"Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01079"},{"key":"e_1_3_2_1_50_1","unstructured":"Brandon Tran Jerry Li and Aleksander Madry. 2018. Spectral signatures in backdoor attacks. arXiv preprint arXiv:1811.00636(2018)."},{"key":"e_1_3_2_1_51_1","unstructured":"Alexander Turner Dimitris Tsipras and Aleksander Madry. 2018. Clean-label backdoor attacks. (2018)."},{"key":"e_1_3_2_1_52_1","unstructured":"Alexander Turner Dimitris Tsipras and Aleksander Madry. 2019. Label-consistent backdoor attacks. arXiv preprint arXiv:1912.02771(2019)."},{"key":"e_1_3_2_1_53_1","unstructured":"Sakshi Udeshi Shanshan Peng Gerald Woo Lionell Loh Louth Rawshan and Sudipta Chattopadhyay. 2019. Model agnostic defence against backdoor attacks in machine learning. arXiv preprint arXiv:1908.02203(2019)."},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"crossref","unstructured":"Akshaj\u00a0Kumar Veldanda Kang Liu Benjamin Tan Prashanth Krishnamurthy Farshad Khorrami Ramesh Karri Brendan Dolan-Gavitt and Siddharth Garg. 2020. NNoculation: broad spectrum and targeted treatment of backdoored DNNs. arXiv preprint arXiv:2002.08313(2020).","DOI":"10.1145\/3474369.3486874"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.00614"},{"key":"e_1_3_2_1_57_1","unstructured":"Xiaojun Xu Qi Wang Huichen Li Nikita Borisov Carl\u00a0A Gunter and Bo Li. 2019. Detecting AI Trojans Using Meta Neural Analysis. arXiv preprint arXiv:1910.03137(2019)."},{"key":"e_1_3_2_1_58_1","unstructured":"Zhaoyuan Yang Naresh Iyer Johan Reimann and Nurali Virani. 2019. Design of intentional backdoors in sequential models. arXiv preprint arXiv:1902.09972(2019)."},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354209"},{"volume-title":"Visualizing and understanding convolutional networks","author":"Zeiler D","key":"e_1_3_2_1_60_1","unstructured":"Matthew\u00a0D Zeiler and Rob Fergus. 2014. Visualizing and understanding convolutional networks. In ECCV. Springer, 818\u2013833."},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"crossref","unstructured":"Yi Zeng Won Park Z\u00a0Morley Mao and Ruoxi Jia. 2021. Rethinking the Backdoor Attacks\u2019 Triggers: A Frequency Perspective. arXiv preprint arXiv:2104.03413(2021).","DOI":"10.1109\/ICCV48922.2021.01616"},{"key":"e_1_3_2_1_62_1","volume-title":"TAD: Trigger Approximation based Black-box Trojan Detection for AI. arXiv preprint arXiv:2102.01815(2021).","author":"Zhang Xinqiao","year":"2021","unstructured":"Xinqiao Zhang, Huili Chen, and Farinaz Koushanfar. 2021. TAD: Trigger Approximation based Black-box Trojan Detection for AI. arXiv preprint arXiv:2102.01815(2021)."},{"key":"e_1_3_2_1_63_1","unstructured":"Pu Zhao Pin-Yu Chen Payel Das Karthikeyan\u00a0Natesan Ramamurthy and Xue Lin. 2020. Bridging Mode Connectivity in Loss Landscapes and Adversarial Robustness. arXiv preprint arXiv:2005.00060(2020)."}],"event":{"name":"ACSAC '21: Annual Computer Security Applications Conference","acronym":"ACSAC '21","location":"Virtual Event USA"},"container-title":["Annual Computer Security Applications Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3485832.3485908","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3485832.3485908","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3485832.3485908","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T19:18:17Z","timestamp":1755890297000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3485832.3485908"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,12,6]]},"references-count":63,"alternative-id":["10.1145\/3485832.3485908","10.1145\/3485832"],"URL":"https:\/\/doi.org\/10.1145\/3485832.3485908","relation":{},"subject":[],"published":{"date-parts":[[2021,12,6]]},"assertion":[{"value":"2021-12-06","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}