{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,14]],"date-time":"2026-05-14T20:08:57Z","timestamp":1778789337960,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":79,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,11,7]],"date-time":"2022-11-07T00:00:00Z","timestamp":1667779200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-sa\/4.0\/"}],"funder":[{"name":"NSFC","award":["U1836211"],"award-info":[{"award-number":["U1836211"]}]},{"name":"NSFC","award":["61902395"],"award-info":[{"award-number":["61902395"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,11,7]]},"DOI":"10.1145\/3548606.3559388","type":"proceedings-article","created":{"date-parts":[[2022,11,7]],"date-time":"2022-11-07T11:41:28Z","timestamp":1667821288000},"page":"785-799","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":28,"title":["Understanding Real-world Threats to Deep Learning Models in Android Apps"],"prefix":"10.1145","author":[{"given":"Zizhuang","family":"Deng","sequence":"first","affiliation":[{"name":"SKLOIS, IIE, CAS & School of Cyber Security, UCAS, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kai","family":"Chen","sequence":"additional","affiliation":[{"name":"SKLOIS, IIE, CAS & School of Cyber Security, UCAS & BAAI, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Guozhu","family":"Meng","sequence":"additional","affiliation":[{"name":"SKLOIS, IIE, CAS & School of Cyber Security, UCAS, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xiaodong","family":"Zhang","sequence":"additional","affiliation":[{"name":"SKLOIS, IIE, CAS & School of Cyber Security, UCAS, Beijing, 
China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ke","family":"Xu","sequence":"additional","affiliation":[{"name":"Huawei International Pte Ltd, Singapore, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yao","family":"Cheng","sequence":"additional","affiliation":[{"name":"Huawei International Pte Ltd, Singapore, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2022,11,7]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"2020. Android SafetyNet. https:\/\/developer.android.com\/training\/safetynet\/attes tation.  2020. Android SafetyNet. https:\/\/developer.android.com\/training\/safetynet\/attes tation."},{"key":"e_1_3_2_2_2_1","unstructured":"2020. Caffe2. https:\/\/research.fb.com\/downloads\/caffe2\/.  2020. Caffe2. https:\/\/research.fb.com\/downloads\/caffe2\/."},{"key":"e_1_3_2_2_3_1","unstructured":"2020. Convert from TFLite. https:\/\/stackoverflow.com\/questions\/59559289\/is- there-any-way-to-convert-a-tensorflow-lite-tflite-file-back-to-a-keras-fil.  2020. Convert from TFLite. https:\/\/stackoverflow.com\/questions\/59559289\/is- there-any-way-to-convert-a-tensorflow-lite-tflite-file-back-to-a-keras-fil."},{"key":"e_1_3_2_2_4_1","unstructured":"2020. Google Assistant. https:\/\/assistant.google.com.  2020. Google Assistant. https:\/\/assistant.google.com."},{"key":"e_1_3_2_2_5_1","unstructured":"2020. Google Image. https:\/\/images.google.com.  2020. Google Image. https:\/\/images.google.com."},{"key":"e_1_3_2_2_6_1","unstructured":"2020. NanoNet. https:\/\/nanonets.com.  2020. NanoNet. https:\/\/nanonets.com."},{"key":"e_1_3_2_2_7_1","unstructured":"2020. Nexar - AI Dash Cam for Peace of Mind on the Road. https:\/\/play.google. com\/store\/apps\/details?id=mobi.nexar.dashcam&hl=en.  2020. Nexar - AI Dash Cam for Peace of Mind on the Road. https:\/\/play.google. 
com\/store\/apps\/details?id=mobi.nexar.dashcam&hl=en."},{"key":"e_1_3_2_2_8_1","unstructured":"2020. Open Images Dataset. g.co\/dataset\/open-images.  2020. Open Images Dataset. g.co\/dataset\/open-images."},{"key":"e_1_3_2_2_9_1","unstructured":"2020. Sensory. https:\/\/www.sensory.com.  2020. Sensory. https:\/\/www.sensory.com."},{"key":"e_1_3_2_2_10_1","unstructured":"2020. TensorFlow Hub. https:\/\/tfhub.dev.  2020. TensorFlow Hub. https:\/\/tfhub.dev."},{"key":"e_1_3_2_2_11_1","unstructured":"2020. TensorFlow Lite example apps. https:\/\/www.tensorflow.org\/lite\/examples.  2020. TensorFlow Lite example apps. https:\/\/www.tensorflow.org\/lite\/examples."},{"key":"e_1_3_2_2_12_1","unstructured":"2020. TensorFlow Lite model optimization. https:\/\/www.tensorflow.org\/lite\/per formance\/model_optimization.  2020. TensorFlow Lite model optimization. https:\/\/www.tensorflow.org\/lite\/per formance\/model_optimization."},{"key":"e_1_3_2_2_13_1","unstructured":"2021. Convert model(s) to C code. https:\/\/mace.readthedocs.io\/en\/latest\/user _guide\/advanced_usage.html#convert-model-s-to-c-code.  2021. Convert model(s) to C code. https:\/\/mace.readthedocs.io\/en\/latest\/user _guide\/advanced_usage.html#convert-model-s-to-c-code."},{"key":"e_1_3_2_2_14_1","unstructured":"2021. Curated NLP Database. https:\/\/metatext.io\/datasets.  2021. Curated NLP Database. https:\/\/metatext.io\/datasets."},{"key":"e_1_3_2_2_15_1","unstructured":"2021. Google Play Services for AR. https:\/\/play.google.com\/store\/apps\/details?i d=com.google.ar.core&hl=en.  2021. Google Play Services for AR. https:\/\/play.google.com\/store\/apps\/details?i d=com.google.ar.core&hl=en."},{"key":"e_1_3_2_2_16_1","unstructured":"2021. Google Translate. https:\/\/play.google.com\/store\/apps\/details?id=com.goog le.android.apps.translate&hl=en.  2021. Google Translate. 
https:\/\/play.google.com\/store\/apps\/details?id=com.goog le.android.apps.translate&hl=en."},{"key":"e_1_3_2_2_17_1","unstructured":"2021. Tiny Encryption Algorithm. https:\/\/en.wikipedia.org\/wiki\/Tiny_ Encrypt ion_Algorithm.  2021. Tiny Encryption Algorithm. https:\/\/en.wikipedia.org\/wiki\/Tiny_ Encrypt ion_Algorithm."},{"key":"e_1_3_2_2_18_1","unstructured":"2022. PayPal. https:\/\/play.google.com\/store\/apps\/details?id=com.paypal.android .p2pmobile&hl=en&gl=US.  2022. PayPal. https:\/\/play.google.com\/store\/apps\/details?id=com.paypal.android .p2pmobile&hl=en&gl=US."},{"key":"e_1_3_2_2_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/2594291.2594299"},{"key":"e_1_3_2_2_20_1","volume-title":"Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 460--465","author":"Bayerl Sebastian P","year":"2020","unstructured":"Sebastian P Bayerl , Tommaso Frassetto , Patrick Jauernig , Korbinian Riedhammer , Ahmad-Reza Sadeghi , Thomas Schneider , Emmanuel Stapf , and Christian Weinert . 2020 . Offline model guard: Secure and private ML on mobile devices. In 2020 Design , Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 460--465 . Sebastian P Bayerl, Tommaso Frassetto, Patrick Jauernig, Korbinian Riedhammer, Ahmad-Reza Sadeghi, Thomas Schneider, Emmanuel Stapf, and Christian Weinert. 2020. Offline model guard: Secure and private ML on mobile devices. In 2020 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 460--465."},{"key":"e_1_3_2_2_21_1","volume-title":"Adversarial Robustness of Quantized Embedded Neural Networks. Computer & Electronics Security Applications Rendezvous","author":"Bernhard Remi","year":"2019","unstructured":"Remi Bernhard , Pierre-Alain Moellic , Jean-Max Dutertre , and France Gardanne . 2019. Adversarial Robustness of Quantized Embedded Neural Networks. Computer & Electronics Security Applications Rendezvous ( 2019 ), 1--33. 
Remi Bernhard, Pierre-Alain Moellic, Jean-Max Dutertre, and France Gardanne. 2019. Adversarial Robustness of Quantized Embedded Neural Networks. Computer & Electronics Security Applications Rendezvous (2019), 1--33."},{"key":"e_1_3_2_2_22_1","volume-title":"Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. arXiv preprint arXiv:1712.04248","author":"Brendel Wieland","year":"2017","unstructured":"Wieland Brendel , Jonas Rauber , and Matthias Bethge . 2017. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. arXiv preprint arXiv:1712.04248 ( 2017 ). Wieland Brendel, Jonas Rauber, and Matthias Bethge. 2017. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. arXiv preprint arXiv:1712.04248 (2017)."},{"key":"e_1_3_2_2_23_1","volume-title":"Towards evaluating the robustness of neural networks. In 2017 ieee symposium on security and privacy (sp)","author":"Carlini Nicholas","unstructured":"Nicholas Carlini and David Wagner . 2017. Towards evaluating the robustness of neural networks. In 2017 ieee symposium on security and privacy (sp) . IEEE , 39--57. Nicholas Carlini and David Wagner. 2017. Towards evaluating the robustness of neural networks. In 2017 ieee symposium on security and privacy (sp). IEEE, 39--57."},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140448"},{"key":"e_1_3_2_2_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2654822.2541967"},{"key":"e_1_3_2_2_26_1","unstructured":"Yu Chen and H. C. Ma. 2019. Biometric Authentication Under Threat: Liveness Detection Hacking. In Black Hat USA.  Yu Chen and H. C. Ma. 2019. Biometric Authentication Under Threat: Liveness Detection Hacking. In Black Hat USA."},{"key":"e_1_3_2_2_27_1","volume-title":"USENIX Security Symposium. 
2667--2684","author":"Chen Yuxuan","year":"2020","unstructured":"Yuxuan Chen , Xuejing Yuan , Jiangshan Zhang , Yue Zhao , Shengzhi Zhang , Kai Chen , and XiaoFeng Wang . 2020 . Devil's Whisper: A General Approach for Physical Adversarial Attacks against Commercial Black-box Speech Recognition Devices .. In USENIX Security Symposium. 2667--2684 . Yuxuan Chen, Xuejing Yuan, Jiangshan Zhang, Yue Zhao, Shengzhi Zhang, Kai Chen, and XiaoFeng Wang. 2020. Devil's Whisper: A General Approach for Physical Adversarial Attacks against Commercial Black-box Speech Recognition Devices.. In USENIX Security Symposium. 2667--2684."},{"key":"e_1_3_2_2_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/3007787.3001177"},{"key":"e_1_3_2_2_29_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-49538-X_5"},{"key":"e_1_3_2_2_30_1","doi-asserted-by":"crossref","unstructured":"Jia Deng Wei Dong Richard Socher Li-Jia Li Kai Li and Fei-Fei Li. 2009. Ima- geNet: A Large-Scale Hierarchical Image Database. In CVPR09.  Jia Deng Wei Dong Richard Socher Li-Jia Li Kai Li and Fei-Fei Li. 2009. Ima- geNet: A Large-Scale Hierarchical Image Database. In CVPR09.","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"e_1_3_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00040"},{"key":"e_1_3_2_2_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00957"},{"key":"e_1_3_2_2_33_1","unstructured":"Goodman Dou Xin Hao Yang Wang Yuesheng Wu Junfeng Xiong and Huan Zhang. 2020. Advbox: a toolbox to generate adversarial examples that fool neural networks. arXiv:2001.05574 [cs.LG]  Goodman Dou Xin Hao Yang Wang Yuesheng Wu Junfeng Xiong and Huan Zhang. 2020. Advbox: a toolbox to generate adversarial examples that fool neural networks. arXiv:2001.05574 [cs.LG]"},{"key":"e_1_3_2_2_34_1","volume-title":"Gardner","author":"Feinman Reuben","year":"2017","unstructured":"Reuben Feinman , Ryan R. Curtin , Saurabh Shintre , and Andrew B . Gardner . 2017 . 
Detecting Adversarial Samples from Artifacts. ArXiv abs\/1703.00410 (2017). Reuben Feinman, Ryan R. Curtin, Saurabh Shintre, and Andrew B. Gardner. 2017. Detecting Adversarial Samples from Artifacts. ArXiv abs\/1703.00410 (2017)."},{"key":"e_1_3_2_2_35_1","volume-title":"Attacking binarized neural networks. arXiv preprint arXiv:1711.00449","author":"Galloway Angus","year":"2017","unstructured":"Angus Galloway , Graham W Taylor , and Medhat Moussa . 2017. Attacking binarized neural networks. arXiv preprint arXiv:1711.00449 ( 2017 ). Angus Galloway, Graham W Taylor, and Medhat Moussa. 2017. Attacking binarized neural networks. arXiv preprint arXiv:1711.00449 (2017)."},{"key":"e_1_3_2_2_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2017.7952261"},{"key":"e_1_3_2_2_37_1","unstructured":"Ian J Goodfellow Jonathon Shlens and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. In ICLR.  Ian J Goodfellow Jonathon Shlens and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. In ICLR."},{"key":"e_1_3_2_2_38_1","volume-title":"International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=SyJ7 ClWCb","author":"Guo Chuan","unstructured":"Chuan Guo , Mayank Rana , Moustapha Cisse , and Laurens van der Maaten. 2018. Countering Adversarial Images using Input Transformations . In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=SyJ7 ClWCb Chuan Guo, Mayank Rana, Moustapha Cisse, and Laurens van der Maaten. 2018. Countering Adversarial Images using Input Transformations. In International Conference on Learning Representations. 
https:\/\/openreview.net\/forum?id=SyJ7 ClWCb"},{"key":"e_1_3_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/3007787.3001163"},{"key":"e_1_3_2_2_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2018.00015"},{"key":"e_1_3_2_2_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_2_42_1","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX)","author":"He Yingzhe","year":"2021","unstructured":"Yingzhe He , Guozhu Meng , Kai Chen , Jinwen He , and Xingbo Hu . 2021 . DRMI: A Dataset Reduction Technology based on Mutual Information for Black-box Attacks . In Proceedings of the 30th USENIX Security Symposium (USENIX) ( Vancouver, B.C., Canada). Yingzhe He, Guozhu Meng, Kai Chen, Jinwen He, and Xingbo Hu. 2021. DRMI: A Dataset Reduction Technology based on Mutual Information for Black-box Attacks. In Proceedings of the 30th USENIX Security Symposium (USENIX) (Vancouver, B.C., Canada)."},{"key":"e_1_3_2_2_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.3034721"},{"key":"e_1_3_2_2_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3458864.3466627"},{"key":"e_1_3_2_2_45_1","volume-title":"Proceedings of the European Conference on Computer Vision (ECCV). 0-0.","author":"Ignatov Andrey","year":"2018","unstructured":"Andrey Ignatov , Radu Timofte , William Chou , Ke Wang , Max Wu , Tim Hartley , and Luc Van Gool . 2018 . Ai benchmark: Running deep neural networks on android smartphones . In Proceedings of the European Conference on Computer Vision (ECCV). 0-0. Andrey Ignatov, Radu Timofte, William Chou, Ke Wang, Max Wu, Tim Hartley, and Luc Van Gool. 2018. Ai benchmark: Running deep neural networks on android smartphones. In Proceedings of the European Conference on Computer Vision (ECCV). 
0-0."},{"key":"e_1_3_2_2_46_1","volume-title":"AI Benchmark: All About Deep Learning on Smartphones","author":"Ignatov Andrey","year":"2019","unstructured":"Andrey Ignatov , Radu Timofte , Andrei Kulik , Seungsoo Yang , Ke Wang , Felix Baum , Max Wu , Lirong Xu , and Luc Van Gool . 2019. AI Benchmark: All About Deep Learning on Smartphones in 2019 . arXiv preprint arXiv:1910.06663 (2019). Andrey Ignatov, Radu Timofte, Andrei Kulik, Seungsoo Yang, Ke Wang, Felix Baum, Max Wu, Lirong Xu, and Luc Van Gool. 2019. AI Benchmark: All About Deep Learning on Smartphones in 2019. arXiv preprint arXiv:1910.06663 (2019)."},{"key":"e_1_3_2_2_47_1","volume-title":"Blackbox adversarial attacks with limited queries and information. arXiv preprint arXiv:1804.08598","author":"Ilyas Andrew","year":"2018","unstructured":"Andrew Ilyas , Logan Engstrom , Anish Athalye , and Jessy Lin . 2018. Blackbox adversarial attacks with limited queries and information. arXiv preprint arXiv:1804.08598 ( 2018 ). Andrew Ilyas, Logan Engstrom, Anish Athalye, and Jessy Lin. 2018. Blackbox adversarial attacks with limited queries and information. arXiv preprint arXiv:1804.08598 (2018)."},{"key":"e_1_3_2_2_48_1","unstructured":"Andrew Ilyas Shibani Santurkar Dimitris Tsipras Logan Engstrom Brandon Tran and Aleksander Madry. 2019. Adversarial examples are not bugs they are features. In Advances in Neural Information Processing Systems. 125--136.  Andrew Ilyas Shibani Santurkar Dimitris Tsipras Logan Engstrom Brandon Tran and Aleksander Madry. 2019. Adversarial examples are not bugs they are features. In Advances in Neural Information Processing Systems. 125--136."},{"key":"e_1_3_2_2_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00286"},{"key":"e_1_3_2_2_50_1","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX)","author":"Jia Hengrui","year":"2021","unstructured":"Hengrui Jia , Christopher A. Choquette-Choo , Varun Chandrasekaran , and Nicolas Papernot . 2021 . 
Entangled Watermarks as a Defense against Model Extraction . In Proceedings of the 30th USENIX Security Symposium (USENIX) ( Vancouver, B.C., Canada). Hengrui Jia, Christopher A. Choquette-Choo, Varun Chandrasekaran, and Nicolas Papernot. 2021. Entangled Watermarks as a Defense against Model Extraction. In Proceedings of the 30th USENIX Security Symposium (USENIX) (Vancouver, B.C., Canada)."},{"key":"e_1_3_2_2_51_1","unstructured":"Alex Krizhevsky Geoffrey Hinton etal 2009. Learning multiple layers of features from tiny images. (2009).  Alex Krizhevsky Geoffrey Hinton et al. 2009. Learning multiple layers of features from tiny images. (2009)."},{"key":"e_1_3_2_2_52_1","unstructured":"Alexey Kurakin Ian Goodfellow and Samy Bengio. 2016. Adversarial machine learning at scale. In ICLR.  Alexey Kurakin Ian Goodfellow and Samy Bengio. 2016. Adversarial machine learning at scale. In ICLR."},{"key":"e_1_3_2_2_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/5.726791"},{"key":"e_1_3_2_2_54_1","volume-title":"DroidBot: A Lightweight UI-Guided Test Input Generator for Android","author":"Li Yuanchun","unstructured":"Yuanchun Li , Ziyue Yang , Yao Guo , and Xiangqun Chen . 2017. DroidBot: A Lightweight UI-Guided Test Input Generator for Android . IEEE Press . Yuanchun Li, Ziyue Yang, Yao Guo, and Xiangqun Chen. 2017. DroidBot: A Lightweight UI-Guided Test Input Generator for Android. IEEE Press."},{"key":"e_1_3_2_2_55_1","volume-title":"Defensive quantization: When efficiency meets robustness. arXiv preprint arXiv:1904.08444","author":"Lin Ji","year":"2019","unstructured":"Ji Lin , Chuang Gan , and Song Han . 2019. Defensive quantization: When efficiency meets robustness. arXiv preprint arXiv:1904.08444 ( 2019 ). Ji Lin, Chuang Gan, and Song Han. 2019. Defensive quantization: When efficiency meets robustness. 
arXiv preprint arXiv:1904.08444 (2019)."},{"key":"e_1_3_2_2_56_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-10602-1_48"},{"key":"e_1_3_2_2_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00023"},{"key":"e_1_3_2_2_58_1","volume-title":"Rethinking the Value of Network Pruning. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=rJlnB3C5Ym","author":"Liu Zhuang","year":"2019","unstructured":"Zhuang Liu , Mingjie Sun , Tinghui Zhou , Gao Huang , and Trevor Darrell . 2019 . Rethinking the Value of Network Pruning. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=rJlnB3C5Ym Zhuang Liu, Mingjie Sun, Tinghui Zhou, Gao Huang, and Trevor Darrell. 2019. Rethinking the Value of Network Pruning. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=rJlnB3C5Ym"},{"key":"e_1_3_2_2_59_1","volume-title":"Characterizing Adversarial Subspaces Using Local Intrinsic Dimensionality. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=B1gJ 1L2aW","author":"Ma Xingjun","year":"2018","unstructured":"Xingjun Ma , Bo Li , Yisen Wang , Sarah M. Erfani , Sudanthi Wijewickrema , Grant Schoenebeck , Michael E. Houle , Dawn Song , and James Bailey . 2018 . Characterizing Adversarial Subspaces Using Local Intrinsic Dimensionality. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=B1gJ 1L2aW Xingjun Ma, Bo Li, Yisen Wang, Sarah M. Erfani, Sudanthi Wijewickrema, Grant Schoenebeck, Michael E. Houle, Dawn Song, and James Bailey. 2018. Characterizing Adversarial Subspaces Using Local Intrinsic Dimensionality. In International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=B1gJ 1L2aW"},{"key":"e_1_3_2_2_60_1","volume-title":"International Conference on Learning Representations. 
https:\/\/openre view.net\/forum?id=rJzIBfZAb","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry , Aleksandar Makelov , Ludwig Schmidt , Dimitris Tsipras , and Adrian Vladu . 2018 . Towards Deep Learning Models Resistant to Adversarial Attacks . In International Conference on Learning Representations. https:\/\/openre view.net\/forum?id=rJzIBfZAb Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards Deep Learning Models Resistant to Adversarial Attacks. In International Conference on Learning Representations. https:\/\/openre view.net\/forum?id=rJzIBfZAb"},{"key":"e_1_3_2_2_61_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"e_1_3_2_2_62_1","volume-title":"Beat Buesser, Ambrish Rawat, Martin Wistuba, Valentina Zantedeschi, Nathalie Baracaldo, Bryant Chen, Heiko Ludwig, Ian Molloy, and Ben Edwards.","author":"Nicolae Maria-Irina","year":"2018","unstructured":"Maria-Irina Nicolae , Mathieu Sinn , Minh Ngoc Tran , Beat Buesser, Ambrish Rawat, Martin Wistuba, Valentina Zantedeschi, Nathalie Baracaldo, Bryant Chen, Heiko Ludwig, Ian Molloy, and Ben Edwards. 2018 . Adversarial Robustness Toolbox v1.2.0. CoRR 1807.01069 (2018). https:\/\/arxiv.org\/pdf\/1807.01069 Maria-Irina Nicolae, Mathieu Sinn, Minh Ngoc Tran, Beat Buesser, Ambrish Rawat, Martin Wistuba, Valentina Zantedeschi, Nathalie Baracaldo, Bryant Chen, Heiko Ludwig, Ian Molloy, and Ben Edwards. 2018. Adversarial Robustness Toolbox v1.2.0. CoRR 1807.01069 (2018). https:\/\/arxiv.org\/pdf\/1807.01069"},{"key":"e_1_3_2_2_63_1","unstructured":"Nicolas Papernot Fartash Faghri Nicholas Carlini Ian Goodfellow Reuben Fein- man Alexey Kurakin Cihang Xie Yash Sharma Tom Brown Aurko Roy Alexander Matyasko Vahid Behzadan Karen Hambardzumyan Zhishuai Zhang Yi-Lin Juang Zhi Li Ryan Sheatsley Abhibhav Garg Jonathan Uesato Willi Gierke Yinpeng Dong David Berthelot Paul Hendricks Jonas Rauber and Rujun Long. 2018. 
Technical Report on the CleverHans v2.1.0 Adversarial Examples Library. arXiv preprint arXiv:1610.00768 (2018).  Nicolas Papernot Fartash Faghri Nicholas Carlini Ian Goodfellow Reuben Fein- man Alexey Kurakin Cihang Xie Yash Sharma Tom Brown Aurko Roy Alexander Matyasko Vahid Behzadan Karen Hambardzumyan Zhishuai Zhang Yi-Lin Juang Zhi Li Ryan Sheatsley Abhibhav Garg Jonathan Uesato Willi Gierke Yinpeng Dong David Berthelot Paul Hendricks Jonas Rauber and Rujun Long. 2018. Technical Report on the CleverHans v2.1.0 Adversarial Examples Library. arXiv preprint arXiv:1610.00768 (2018)."},{"key":"e_1_3_2_2_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_3_2_2_65_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.36"},{"key":"e_1_3_2_2_66_1","volume-title":"Intriguing Properties of Adversarial ML Attacks in the Problem Space. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 1308--1325","author":"Pierazzi Fabio","year":"2020","unstructured":"Fabio Pierazzi , Feargus Pendlebury , Jacopo Cortellazzi , and Lorenzo Cavallaro . 2020 . Intriguing Properties of Adversarial ML Attacks in the Problem Space. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 1308--1325 . https:\/\/doi.org\/10.1109\/SP40000.2020.00073 10.1109\/SP40000.2020.00073 Fabio Pierazzi, Feargus Pendlebury, Jacopo Cortellazzi, and Lorenzo Cavallaro. 2020. Intriguing Properties of Adversarial ML Attacks in the Problem Space. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 1308--1325. https:\/\/doi.org\/10.1109\/SP40000.2020.00073"},{"key":"e_1_3_2_2_67_1","volume-title":"Deflecting Adversarial Attacks with Pixel Deflection. 2018 IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"Prakash Aaditya","year":"2018","unstructured":"Aaditya Prakash , Nick Moran , Solomon Garber , Antonella DiLillo , and James A. Storer . 2018 . 
Deflecting Adversarial Attacks with Pixel Deflection. 2018 IEEE\/CVF Conference on Computer Vision and Pattern Recognition ( 2018 ), 8571--8580. Aaditya Prakash, Nick Moran, Solomon Garber, Antonella DiLillo, and James A. Storer. 2018. Deflecting Adversarial Attacks with Pixel Deflection. 2018 IEEE\/CVF Conference on Computer Vision and Pattern Recognition (2018), 8571--8580."},{"key":"e_1_3_2_2_68_1","volume-title":"Reliable Machine Learning in the Wild Workshop, 34th International Conference on Machine Learning. http:\/\/arxiv.org\/abs\/1707","author":"Rauber Jonas","year":"2017","unstructured":"Jonas Rauber , Wieland Brendel , and Matthias Bethge . 2017 . Foolbox: A Python toolbox to benchmark the robustness of machine learning models . In Reliable Machine Learning in the Wild Workshop, 34th International Conference on Machine Learning. http:\/\/arxiv.org\/abs\/1707 .04131 Jonas Rauber, Wieland Brendel, and Matthias Bethge. 2017. Foolbox: A Python toolbox to benchmark the robustness of machine learning models. In Reliable Machine Learning in the Wild Workshop, 34th International Conference on Machine Learning. http:\/\/arxiv.org\/abs\/1707.04131"},{"key":"e_1_3_2_2_69_1","volume-title":"Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556","author":"Simonyan Karen","year":"2014","unstructured":"Karen Simonyan and Andrew Zisserman . 2014. Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556 ( 2014 ). Karen Simonyan and Andrew Zisserman. 2014. Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556 (2014)."},{"key":"e_1_3_2_2_70_1","volume-title":"Somesh Jha, and Long Lu.","author":"Sun Zhichuang","year":"2020","unstructured":"Zhichuang Sun , Ruimin Sun , Changming Liu , Amrita Roy Chowdhury , Somesh Jha, and Long Lu. 2020 . Shadownet : A secure and efficient system for on-device model inference. 
arXiv preprint arXiv:2011.05905 (2020). Zhichuang Sun, Ruimin Sun, Changming Liu, Amrita Roy Chowdhury, Somesh Jha, and Long Lu. 2020. Shadownet: A secure and efficient system for on-device model inference. arXiv preprint arXiv:2011.05905 (2020)."},{"key":"e_1_3_2_2_71_1","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Sun Zhichuang","year":"2021","unstructured":"Zhichuang Sun , Ruimin Sun , Long Lu , and Alan Mislove . 2021 . Mind Your Weight(s): A Large-scale Study on Insufficient Machine Learning Model Protection in Mobile Apps . In 30th USENIX Security Symposium (USENIX Security 21) . 1955--1972. Zhichuang Sun, Ruimin Sun, Long Lu, and Alan Mislove. 2021. Mind Your Weight(s): A Large-scale Study on Insufficient Machine Learning Model Protection in Mobile Apps. In 30th USENIX Security Symposium (USENIX Security 21). 1955--1972."},{"key":"e_1_3_2_2_72_1","volume-title":"Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware. In ICLR.","author":"Tram\u00e8r Florian","year":"2019","unstructured":"Florian Tram\u00e8r and Dan Boneh . 2019 . Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware. In ICLR. Florian Tram\u00e8r and Dan Boneh. 2019. Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware. In ICLR."},{"key":"e_1_3_2_2_73_1","volume-title":"A Survey on Edge Intelligence. arXiv preprint arXiv:2003.12172","author":"Xu Dianlei","year":"2020","unstructured":"Dianlei Xu , Tong Li , Yong Li , Xiang Su , Sasu Tarkoma , and Pan Hui . 2020. A Survey on Edge Intelligence. arXiv preprint arXiv:2003.12172 ( 2020 ). Dianlei Xu, Tong Li, Yong Li, Xiang Su, Sasu Tarkoma, and Pan Hui. 2020. A Survey on Edge Intelligence. 
arXiv preprint arXiv:2003.12172 (2020)."},{"key":"e_1_3_2_2_74_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11633-019-1211-x"},{"key":"e_1_3_2_2_75_1","doi-asserted-by":"publisher","DOI":"10.1145\/3308558.3313591"},{"key":"e_1_3_2_2_76_1","unstructured":"Mingming Zha Guozhu Meng Chaoyang Lin Zhe Zhou and Kai Chen. 2019. RoLMA: A Practical Adversarial Attack Against Deep Learning-Based LPR Sys- tems. In Information Security and Cryptology (Inscrypt). 4701--4708.  Mingming Zha Guozhu Meng Chaoyang Lin Zhe Zhou and Kai Chen. 2019. RoLMA: A Practical Adversarial Attack Against Deep Learning-Based LPR Sys- tems. In Information Security and Cryptology (Inscrypt). 4701--4708."},{"key":"e_1_3_2_2_77_1","volume-title":"International Conference on Machine Learning.","author":"Zhang Hongyang","unstructured":"Hongyang Zhang , Yaodong Yu , Jiantao Jiao , Eric P. Xing , Laurent El Ghaoui , and Michael I. Jordan . 2019. Theoretically Principled Trade-off between Robustness and Accuracy . In International Conference on Machine Learning. Hongyang Zhang, Yaodong Yu, Jiantao Jiao, Eric P. Xing, Laurent El Ghaoui, and Michael I. Jordan. 2019. Theoretically Principled Trade-off between Robustness and Accuracy. In International Conference on Machine Learning."},{"key":"e_1_3_2_2_78_1","volume-title":"Hassan Jameel Asghar, and Mohamed Ali Kaafar","author":"Hao Zhao Benjamin Zi","year":"2020","unstructured":"Benjamin Zi Hao Zhao , Hassan Jameel Asghar, and Mohamed Ali Kaafar . 2020 . On the Resilience of Biometric Authentication Systems against Random Inputs . arXiv preprint arXiv:2001.04056 (2020). Benjamin Zi Hao Zhao, Hassan Jameel Asghar, and Mohamed Ali Kaafar. 2020. On the Resilience of Biometric Authentication Systems against Random Inputs. 
arXiv preprint arXiv:2001.04056 (2020)."},{"key":"e_1_3_2_2_79_1","volume-title":"Object detection with deep learning: A review","author":"Zhao Zhong-Qiu","year":"2019","unstructured":"Zhong-Qiu Zhao , Peng Zheng , Shou-tao Xu, and Xindong Wu. 2019. Object detection with deep learning: A review . IEEE transactions on neural networks and learning systems 30, 11 ( 2019 ), 3212--3232 Zhong-Qiu Zhao, Peng Zheng, Shou-tao Xu, and Xindong Wu. 2019. Object detection with deep learning: A review. IEEE transactions on neural networks and learning systems 30, 11 (2019), 3212--3232"}],"event":{"name":"CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security","location":"Los Angeles CA USA","acronym":"CCS '22","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3548606.3559388","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3548606.3559388","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:50:57Z","timestamp":1750182657000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3548606.3559388"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,11,7]]},"references-count":79,"alternative-id":["10.1145\/3548606.3559388","10.1145\/3548606"],"URL":"https:\/\/doi.org\/10.1145\/3548606.3559388","relation":{},"subject":[],"published":{"date-parts":[[2022,11,7]]},"assertion":[{"value":"2022-11-07","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}