{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,26]],"date-time":"2026-03-26T16:04:57Z","timestamp":1774541097649,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":61,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,8,14]],"date-time":"2022-08-14T00:00:00Z","timestamp":1660435200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100012166","name":"National Key Research and Development Program of China","doi-asserted-by":"publisher","award":["2020AAA0107600"],"award-info":[{"award-number":["2020AAA0107600"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Shanghai Municipal Science and Technology Major Project","award":["2021SHZDZX0102"],"award-info":[{"award-number":["2021SHZDZX0102"]}]},{"name":"NSFC","award":["61972250, 72061127003"],"award-info":[{"award-number":["61972250, 72061127003"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,8,14]]},"DOI":"10.1145\/3534678.3539242","type":"proceedings-article","created":{"date-parts":[[2022,8,12]],"date-time":"2022-08-12T19:06:41Z","timestamp":1660331201000},"page":"1483-1492","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["DICE: Domain-attack Invariant Causal Learning for Improved Data Privacy Protection and Adversarial Robustness"],"prefix":"10.1145","author":[{"given":"Qibing","family":"Ren","sequence":"first","affiliation":[{"name":"Shanghai Jiao Tong University, Shanghai, China"}]},{"given":"Yiting","family":"Chen","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University, Shanghai, China"}]},{"given":"Yichuan","family":"Mo","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University, Shanghai, China"}]},{"given":"Qitian","family":"Wu","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University, Shanghai, China"}]},{"given":"Junchi","family":"Yan","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University, Shanghai, China"}]}],"member":"320","published-online":{"date-parts":[[2022,8,14]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Invariant risk minimization. arXiv preprint arXiv:1907.02893","author":"Arjovsky Martin","year":"2019","unstructured":"Martin Arjovsky, L\u00e9on Bottou, Ishaan Gulrajani, and David Lopez-Paz. 2019. Invariant risk minimization. arXiv preprint arXiv:1907.02893 (2019)."},{"key":"e_1_3_2_1_2_1","unstructured":"Anish Athalye Nicholas Carlini and David Wagner. 2018. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In ICML."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"crossref","unstructured":"Peter B\u00fchlmann. 2020. Invariance causality and robustness. Statist. Sci. (2020).","DOI":"10.1214\/19-STS721"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_2_1_5_1","volume-title":"NeurIPS","volume":"32","author":"Carmon Yair","year":"2019","unstructured":"Yair Carmon, Aditi Raghunathan, Ludwig Schmidt, John C Duchi, and Percy S Liang. 2019. Unlabeled data improves adversarial robustness. In NeurIPS, Vol. 32."},{"key":"e_1_3_2_1_6_1","unstructured":"Shiyu Chang Yang Zhang Mo Yu and Tommi Jaakkola. 2020. Invariant rationalization. In ICML."},{"key":"e_1_3_2_1_7_1","unstructured":"Tianlong Chen Zhenyu Zhang Sijia Liu Shiyu Chang and Zhangyang Wang. 2020. Robust overfitting may be mitigated by properly learned smoothening. In ICLR."},{"key":"e_1_3_2_1_8_1","unstructured":"Francesco Croce and Matthias Hein. 2020. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In ICML."},{"key":"e_1_3_2_1_9_1","unstructured":"Ji Feng Qi-Zhi Cai and Zhi-Hua Zhou. 2019. Learning to confuse: generating training time adversarial data with auto-encoder. In NeurIPS."},{"key":"e_1_3_2_1_10_1","unstructured":"Liam Fowl Micah Goldblum Ping-yeh Chiang Jonas Geiping Wojciech Czaja and Tom Goldstein. 2021. Adversarial examples make strong poisons. In NeurIPS."},{"key":"e_1_3_2_1_11_1","unstructured":"Jonas Geiping Liam Fowl W Ronny Huang Wojciech Czaja Gavin Taylor Michael Moeller and Tom Goldstein. 2021. Witches' brew: Industrial scale data poisoning via gradient matching. In ICLR."},{"key":"e_1_3_2_1_12_1","volume-title":"Causal inference in statistics: A primer","author":"Glymour Madelyn","unstructured":"Madelyn Glymour, Judea Pearl, and Nicholas P Jewell. 2016. Causal inference in statistics: A primer. John Wiley & Sons."},{"key":"e_1_3_2_1_13_1","volume-title":"Explaining and Harnessing Adversarial Examples. arXiv preprint arxiv:1412.6572","author":"Goodfellow I.","year":"2015","unstructured":"I. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and Harnessing Adversarial Examples. arXiv preprint arxiv:1412.6572 (2015)."},{"key":"e_1_3_2_1_14_1","volume-title":"A theory of causal learning in children: causal maps and Bayes nets. Psychological review 111, 1","author":"Gopnik Alison","year":"2004","unstructured":"Alison Gopnik, Clark Glymour, David M Sobel, Laura E Schulz, Tamar Kushnir, and David Danks. 2004. A theory of causal learning in children: causal maps and Bayes nets. Psychological review 111, 1 (2004), 3."},{"key":"e_1_3_2_1_15_1","unstructured":"Kaiming He Xiangyu Zhang Shaoqing Ren and Jian Sun. 2016. Deep residual learning for image recognition. In CVPR."},{"key":"e_1_3_2_1_16_1","volume-title":"Mobilenets: Efficient convolutional neural networks for mobile vision applications. arXiv preprint arXiv:1704.04861","author":"Howard Andrew G","year":"2017","unstructured":"Andrew G Howard, Menglong Zhu, Bo Chen, Dmitry Kalenichenko, Weijun Wang, Tobias Weyand, Marco Andreetto, and Hartwig Adam. 2017. Mobilenets: Efficient convolutional neural networks for mobile vision applications. arXiv preprint arXiv:1704.04861 (2017)."},{"key":"e_1_3_2_1_17_1","volume-title":"Laurens Van Der Maaten, and Kilian Q Weinberger","author":"Huang Gao","year":"2017","unstructured":"Gao Huang, Zhuang Liu, Laurens Van Der Maaten, and Kilian Q Weinberger. 2017. Densely connected convolutional networks. In CVPR."},{"key":"e_1_3_2_1_18_1","volume-title":"James Bailey, and Yisen Wang.","author":"Huang Hanxun","year":"2021","unstructured":"Hanxun Huang, Xingjun Ma, Sarah Monazam Erfani, James Bailey, and Yisen Wang. 2021. Unlearnable examples: Making personal data unexploitable. In ICLR."},{"key":"e_1_3_2_1_19_1","volume-title":"Metapoison: Practical general-purpose clean-label data poisoning. In NeurIPS.","author":"Huang W Ronny","year":"2020","unstructured":"W Ronny Huang, Jonas Geiping, Liam Fowl, Gavin Taylor, and Tom Goldstein. 2020. Metapoison: Practical general-purpose clean-label data poisoning. In NeurIPS."},{"key":"e_1_3_2_1_20_1","unstructured":"Ilyes Khemakhem Diederik Kingma Ricardo Monti and Aapo Hyvarinen. 2020. Variational autoencoders and nonlinear ica: A unifying framework. In AISTATS."},{"key":"e_1_3_2_1_21_1","volume-title":"Bridging adversarial robustness and gradient interpretability. arXiv preprint arXiv:1903.11626","author":"Kim Beomsu","year":"2019","unstructured":"Beomsu Kim, Junghoon Seo, and Taegyun Jeon. 2019. Bridging adversarial robustness and gradient interpretability. arXiv preprint arXiv:1903.11626 (2019)."},{"key":"e_1_3_2_1_22_1","unstructured":"Alex Krizhevsky Geoffrey Hinton et al. 2009. Learning multiple layers of features from tiny images. (2009)."},{"key":"e_1_3_2_1_23_1","volume-title":"Remi Le Priol, and Aaron Courville","author":"Krueger David","year":"2021","unstructured":"David Krueger, Ethan Caballero, Joern-Henrik Jacobsen, Amy Zhang, Jonathan Binas, Dinghuai Zhang, Remi Le Priol, and Aaron Courville. 2021. Out-ofdistribution generalization via risk extrapolation (rex). In ICML."},{"key":"e_1_3_2_1_24_1","unstructured":"Chang Liu Xinwei Sun Jindong Wang Haoyue Tang Tao Li Tao Qin Wei Chen and Tie-Yan Liu. 2021. Learning causal semantic representation for out-ofdistribution prediction. In NeurIPS."},{"key":"e_1_3_2_1_25_1","volume-title":"Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083","author":"Madry Aleksander","year":"2017","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2017. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 (2017)."},{"key":"e_1_3_2_1_26_1","volume-title":"Representation learning via invariant causal mechanisms. arXiv preprint arXiv:2010.07922","author":"Mitrovic Jovana","year":"2020","unstructured":"Jovana Mitrovic, Brian McWilliams, Jacob Walker, Lars Buesing, and Charles Blundell. 2020. Representation learning via invariant causal mechanisms. arXiv preprint arXiv:2010.07922 (2020)."},{"key":"e_1_3_2_1_27_1","volume-title":"NeurIPS","volume":"32","author":"Najafi Amir","year":"2019","unstructured":"Amir Najafi, Shin-ichi Maeda, Masanori Koyama, and Takeru Miyato. 2019. Robustness to adversarial perturbations in learning from incomplete data. In NeurIPS, Vol. 32."},{"key":"e_1_3_2_1_28_1","unstructured":"Tianyu Pang Kun Xu Chao Du Ning Chen and Jun Zhu. 2019. Improving adversarial robustness via promoting ensemble diversity. In ICML."},{"key":"e_1_3_2_1_29_1","volume-title":"Bag of tricks for adversarial training. arXiv preprint arXiv:2010.00467","author":"Pang Tianyu","year":"2020","unstructured":"Tianyu Pang, Xiao Yang, Yinpeng Dong, Hang Su, and Jun Zhu. 2020. Bag of tricks for adversarial training. arXiv preprint arXiv:2010.00467 (2020)."},{"key":"e_1_3_2_1_30_1","unstructured":"Judea Pearl. 2009. Causality. Cambridge university press."},{"key":"e_1_3_2_1_31_1","volume-title":"Interpretation and identification of causal mediation. Psychological methods 19, 4","author":"Pearl Judea","year":"2014","unstructured":"Judea Pearl. 2014. Interpretation and identification of causal mediation. Psychological methods 19, 4 (2014), 459."},{"key":"e_1_3_2_1_32_1","volume-title":"Causal inference by using invariant prediction: identification and confidence intervals. Journal of the Royal Statistical Society: Series B (Statistical Methodology)","author":"Peters Jonas","year":"2016","unstructured":"Jonas Peters, Peter B\u00fchlmann, and Nicolai Meinshausen. 2016. Causal inference by using invariant prediction: identification and confidence intervals. Journal of the Royal Statistical Society: Series B (Statistical Methodology) (2016)."},{"key":"e_1_3_2_1_33_1","volume-title":"Elements of causal inference: foundations and learning algorithms","author":"Peters Jonas","unstructured":"Jonas Peters, Dominik Janzing, and Bernhard Sch\u00f6lkopf. 2017. Elements of causal inference: foundations and learning algorithms. The MIT Press."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"crossref","unstructured":"Fengchun Qiao Long Zhao and Xi Peng. 2020. Learning to learn single domain generalization. In CVPR.","DOI":"10.1109\/CVPR42600.2020.01257"},{"key":"e_1_3_2_1_35_1","unstructured":"Qibing Ren Qingquan Bao Runzhong Wang and Junchi Yan. 2022. Appearance and Structure Aware Robust Deep Visual Graph Matching: Attack Defense and Beyond. In CVPR."},{"key":"e_1_3_2_1_36_1","unstructured":"Leslie Rice Eric Wong and Zico Kolter. 2020. Overfitting in adversarially robust deep learning. In ICML."},{"key":"e_1_3_2_1_37_1","unstructured":"Ludwig Schmidt Shibani Santurkar Dimitris Tsipras Kunal Talwar and Aleksander Madry. 2018. Adversarially robust generalization requires more data. In NeurIPS."},{"key":"e_1_3_2_1_38_1","unstructured":"Bernhard Sch\u00f6lkopf Dominik Janzing Jonas Peters Eleni Sgouritsa Kun Zhang and Joris Mooij. 2012. On causal and anticausal learning. In ICML."},{"key":"e_1_3_2_1_39_1","unstructured":"Karen Simonyan and AndrewZisserman. 2015. Very deep convolutional networks for large-scale image recognition. In ICLR."},{"key":"e_1_3_2_1_40_1","unstructured":"Dong Su Huan Zhang Hongge Chen Jinfeng Yi Pin-Yu Chen and Yupeng Gao. 2018. Is Robustness the Cost of Accuracy?--A Comprehensive Study on the Robustness of 18 Deep Image Classification Models. In ECCV."},{"key":"e_1_3_2_1_41_1","unstructured":"Xinwei Sun Botong Wu Xiangyu Zheng Chang Liu Wei Chen Tao Qin and Tie-yan Liu. 2021. Recovering Latent Causal Factor for Generalization to Distributional Shifts. In NeurIPS."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"crossref","unstructured":"Christian Szegedy Wei Liu Yangqing Jia Pierre Sermanet Scott Reed Dragomir Anguelov Dumitru Erhan Vincent Vanhoucke and Andrew Rabinovich. 2015. Going deeper with convolutions. In CVPR.","DOI":"10.1109\/CVPR.2015.7298594"},{"key":"e_1_3_2_1_43_1","unstructured":"Christian Szegedy W. Zaremba Ilya Sutskever Joan Bruna D. Erhan I. Goodfellow and R. Fergus. 2014. Intriguing properties of neural networks. arXiv preprint arxiv:1312.6199 (2014)."},{"key":"e_1_3_2_1_44_1","unstructured":"Lue Tao Lei Feng Jinfeng Yi Sheng-Jun Huang and Songcan Chen. 2021. Better safe than sorry: Preventing delusive adversaries with adversarial training. In NeurIPS."},{"key":"e_1_3_2_1_45_1","unstructured":"Florian Tramer Nicholas Carlini Wieland Brendel and Aleksander Madry. 2020. On adaptive attacks to adversarial example defenses. In NeurIPS."},{"key":"e_1_3_2_1_46_1","volume-title":"Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204","author":"Tram\u00e8r Florian","year":"2017","unstructured":"Florian Tram\u00e8r, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, and Patrick McDaniel. 2017. Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204 (2017)."},{"key":"e_1_3_2_1_47_1","volume-title":"Robustness may be at odds with accuracy. arXiv preprint arXiv:1805.12152","author":"Tsipras Dimitris","year":"2018","unstructured":"Dimitris Tsipras, Shibani Santurkar, Logan Engstrom, Alexander Turner, and Aleksander Madry. 2018. Robustness may be at odds with accuracy. arXiv preprint arXiv:1805.12152 (2018)."},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"crossref","unstructured":"Haohan Wang Xindi Wu Zeyi Huang and Eric P Xing. 2020. High-frequency component helps explain the generalization of convolutional neural networks. In CVPR.","DOI":"10.1109\/CVPR42600.2020.00871"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"crossref","unstructured":"TanWang Chang Zhou Qianru Sun and Hanwang Zhang. 2021. Causal attention for unbiased visual recognition. In ICCV.","DOI":"10.1109\/ICCV48922.2021.00308"},{"key":"e_1_3_2_1_50_1","unstructured":"Yisen Wang Difan Zou Jinfeng Yi James Bailey Xingjun Ma and Quanquan Gu. 2019. Improving adversarial robustness requires revisiting misclassified examples. In ICLR."},{"key":"e_1_3_2_1_51_1","unstructured":"Qitian Wu Hengrui Zhang Junchi Yan and David Wipf. 2022. Handling Distribution Shifts on Graphs: An Invariance Perspective. In ICLR."},{"key":"e_1_3_2_1_52_1","unstructured":"Kelvin Xu Jimmy Ba Ryan Kiros Kyunghyun Cho Aaron Courville Ruslan Salakhudinov Rich Zemel and Yoshua Bengio. 2015. Show attend and tell: Neural image caption generation with visual attention. In ICML."},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"crossref","unstructured":"Xu Yang Hanwang Zhang Guojun Qi and Jianfei Cai. 2021. Causal attention for vision-language tasks. In CVPR.","DOI":"10.1109\/CVPR46437.2021.00972"},{"key":"e_1_3_2_1_54_1","unstructured":"Yao-Yuan Yang Cyrus Rashtchian Hongyang Zhang Russ R Salakhutdinov and Kamalika Chaudhuri. 2020. A closer look at accuracy vs. robustness. In NeurIPS."},{"key":"e_1_3_2_1_55_1","volume-title":"Wide residual networks. arXiv preprint arXiv:1605.07146","author":"Zagoruyko Sergey","year":"2016","unstructured":"Sergey Zagoruyko and Nikos Komodakis. 2016. Wide residual networks. arXiv preprint arXiv:1605.07146 (2016)."},{"key":"e_1_3_2_1_56_1","unstructured":"Cheng Zhang Kun Zhang and Yingzhen Li. 2020. A causal view on robustness of neural networks. In NeurIPS."},{"key":"e_1_3_2_1_57_1","unstructured":"Dong Zhang Hanwang Zhang Jinhui Tang Xian-Sheng Hua and Qianru Sun. 2020. Causal intervention for weakly-supervised semantic segmentation. In NeurIPS."},{"key":"e_1_3_2_1_58_1","unstructured":"Hongyi Zhang Moustapha Cisse Yann N Dauphin and David Lopez-Paz. 2018. mixup: Beyond empirical risk minimization. In ICLR."},{"key":"e_1_3_2_1_59_1","volume-title":"Laurent El Ghaoui, and Michael Jordan","author":"Zhang Hongyang","year":"2019","unstructured":"Hongyang Zhang, Yaodong Yu, Jiantao Jiao, Eric Xing, Laurent El Ghaoui, and Michael Jordan. 2019. Theoretically principled trade-off between robustness and accuracy. In ICML."},{"key":"e_1_3_2_1_60_1","unstructured":"Jingfeng Zhang Jianing Zhu Gang Niu Bo Han Masashi Sugiyama and Mohan Kankanhalli. 2021. Geometry-aware instance-reweighted adversarial training. In ICLR."},{"key":"e_1_3_2_1_61_1","volume-title":"Adversarial robustness through the lens of causality. arXiv preprint arXiv:2106.06196","author":"Zhang Yonggang","year":"2021","unstructured":"Yonggang Zhang, Mingming Gong, Tongliang Liu, Gang Niu, Xinmei Tian, Bo Han, Bernhard Sch\u00f6lkopf, and Kun Zhang. 2021. Adversarial robustness through the lens of causality. arXiv preprint arXiv:2106.06196 (2021)."}],"event":{"name":"KDD '22: The 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining","location":"Washington DC USA","acronym":"KDD '22","sponsor":["SIGMOD ACM Special Interest Group on Management of Data","SIGKDD ACM Special Interest Group on Knowledge Discovery in Data"]},"container-title":["Proceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3534678.3539242","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3534678.3539242","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T18:59:58Z","timestamp":1750186798000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3534678.3539242"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,8,14]]},"references-count":61,"alternative-id":["10.1145\/3534678.3539242","10.1145\/3534678"],"URL":"https:\/\/doi.org\/10.1145\/3534678.3539242","relation":{},"subject":[],"published":{"date-parts":[[2022,8,14]]},"assertion":[{"value":"2022-08-14","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}