{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,30]],"date-time":"2026-04-30T17:36:07Z","timestamp":1777570567372,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":58,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,11,7]],"date-time":"2022-11-07T00:00:00Z","timestamp":1667779200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"NSF (National Science Foundation)","doi-asserted-by":"publisher","award":["1937786"],"award-info":[{"award-number":["1937786"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,11,7]]},"DOI":"10.1145\/3548606.3560586","type":"proceedings-article","created":{"date-parts":[[2022,11,7]],"date-time":"2022-11-07T11:41:28Z","timestamp":1667821288000},"page":"2115-2128","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":24,"title":["StolenEncoder"],"prefix":"10.1145","author":[{"given":"Yupei","family":"Liu","sequence":"first","affiliation":[{"name":"Duke University, Durham, NC, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jinyuan","family":"Jia","sequence":"additional","affiliation":[{"name":"Duke University, Durham, NC, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Hongbin","family":"Liu","sequence":"additional","affiliation":[{"name":"Duke University, Durham, NC, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Neil Zhenqiang","family":"Gong","sequence":"additional","affiliation":[{"name":"Duke University, Durham, NC, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2022,11,7]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2021. OpenAI API. https:\/\/openai.com\/blog\/openai-api\/. (2021).  2021. OpenAI API. https:\/\/openai.com\/blog\/openai-api\/. (2021)."},{"key":"e_1_3_2_1_2_1","unstructured":"2021. SimCLR. https:\/\/github.com\/google-research\/simclr. (2021).  2021. SimCLR. https:\/\/github.com\/google-research\/simclr. (2021)."},{"key":"e_1_3_2_1_3_1","unstructured":"2022. Clarifai General Image Embedding Model. https:\/\/www.clarifai.com\/ models\/general-image-embedding. (2022).  2022. Clarifai General Image Embedding Model. https:\/\/www.clarifai.com\/ models\/general-image-embedding. (2022)."},{"key":"e_1_3_2_1_4_1","unstructured":"2022. Clarifai Price Sheet. https:\/\/www.clarifai.com\/pricing. (2022).  2022. Clarifai Price Sheet. https:\/\/www.clarifai.com\/pricing. (2022)."},{"key":"e_1_3_2_1_5_1","volume-title":"USENIX Security Symposium.","author":"Adi Yossi","year":"2018","unstructured":"Yossi Adi , Carsten Baum , Moustapha Cisse , Benny Pinkas , and Joseph Keshet . 2018 . Turning your weakness into a strength: Watermarking deep neural networks by backdooring . In USENIX Security Symposium. Yossi Adi, Carsten Baum, Moustapha Cisse, Benny Pinkas, and Joseph Keshet. 2018. Turning your weakness into a strength: Watermarking deep neural networks by backdooring. In USENIX Security Symposium."},{"key":"e_1_3_2_1_6_1","unstructured":"Rishi Bommasani Drew A Hudson Ehsan Adeli Russ Altman Simran Arora Sydney von Arx Michael S Bernstein Jeannette Bohg Antoine Bosselut Emma Brunskill etal 2021. On the opportunities and risks of foundation models. arXiv preprint arXiv:2108.07258 (2021).  Rishi Bommasani Drew A Hudson Ehsan Adeli Russ Altman Simran Arora Sydney von Arx Michael S Bernstein Jeannette Bohg Antoine Bosselut Emma Brunskill et al. 2021. On the opportunities and risks of foundation models. arXiv preprint arXiv:2108.07258 (2021)."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"crossref","unstructured":"Lukas Bossard Matthieu Guillaumin and Luc Van Gool. 2014. Food-101 -- Mining Discriminative Components with Random Forests. In ECCV.  Lukas Bossard Matthieu Guillaumin and Luc Van Gool. 2014. Food-101 -- Mining Discriminative Components with Random Forests. In ECCV.","DOI":"10.1007\/978-3-319-10599-4_29"},{"key":"e_1_3_2_1_8_1","unstructured":"Tom B Brown Benjamin Mann Nick Ryder Melanie Subbiah Jared Kaplan Prafulla Dhariwal Arvind Neelakantan Pranav Shyam Girish Sastry Amanda Askell etal 2020. Language models are few-shot learners. In NeurIPS.  Tom B Brown Benjamin Mann Nick Ryder Melanie Subbiah Jared Kaplan Prafulla Dhariwal Arvind Neelakantan Pranav Shyam Girish Sastry Amanda Askell et al. 2020. Language models are few-shot learners. In NeurIPS."},{"key":"e_1_3_2_1_9_1","unstructured":"Xiaoyu Cao Jinyuan Jia and Neil Zhenqiang Gong. 2021. IPGuard: Protecting intellectual property of deep neural networks via fingerprinting the classification boundary. In AsiaCCS.  Xiaoyu Cao Jinyuan Jia and Neil Zhenqiang Gong. 2021. IPGuard: Protecting intellectual property of deep neural networks via fingerprinting the classification boundary. In AsiaCCS."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"crossref","unstructured":"Nicholas Carlini Matthew Jagielski and Ilya Mironov. 2020. Cryptanalytic extraction of neural network models. In CRYPTO.  Nicholas Carlini Matthew Jagielski and Ilya Mironov. 2020. Cryptanalytic extraction of neural network models. In CRYPTO.","DOI":"10.1007\/978-3-030-56877-1_7"},{"key":"e_1_3_2_1_11_1","volume-title":"Poisoning and Backdooring Contrastive Learning. arXiv preprint arXiv:2106.09667","author":"Carlini Nicholas","year":"2021","unstructured":"Nicholas Carlini and Andreas Terzis . 2021. Poisoning and Backdooring Contrastive Learning. arXiv preprint arXiv:2106.09667 ( 2021 ). Nicholas Carlini and Andreas Terzis. 2021. Poisoning and Backdooring Contrastive Learning. arXiv preprint arXiv:2106.09667 (2021)."},{"key":"e_1_3_2_1_12_1","volume-title":"USENIX Security Symposium.","author":"Carlini Nicholas","year":"2021","unstructured":"Nicholas Carlini , Florian Tramer , Eric Wallace , Matthew Jagielski , Ariel Herbert- Voss , Katherine Lee , Adam Roberts , Tom Brown , Dawn Song , Ulfar Erlingsson , 2021 . Extracting training data from large language models . In USENIX Security Symposium. Nicholas Carlini, Florian Tramer, Eric Wallace, Matthew Jagielski, Ariel Herbert- Voss, Katherine Lee, Adam Roberts, Tom Brown, Dawn Song, Ulfar Erlingsson, et al. 2021. Extracting training data from large language models. In USENIX Security Symposium."},{"key":"e_1_3_2_1_13_1","volume-title":"USENIX Security Symposium.","author":"Chandrasekaran Varun","year":"2020","unstructured":"Varun Chandrasekaran , Kamalika Chaudhuri , Irene Giacomelli , Somesh Jha , and Songbai Yan . 2020 . Exploring connections between active learning and model extraction . In USENIX Security Symposium. Varun Chandrasekaran, Kamalika Chaudhuri, Irene Giacomelli, Somesh Jha, and Songbai Yan. 2020. Exploring connections between active learning and model extraction. In USENIX Security Symposium."},{"key":"e_1_3_2_1_14_1","unstructured":"Ting Chen Simon Kornblith Mohammad Norouzi and Geoffrey Hinton. 2020. A simple framework for contrastive learning of visual representations. In ICML.  Ting Chen Simon Kornblith Mohammad Norouzi and Geoffrey Hinton. 2020. A simple framework for contrastive learning of visual representations. In ICML."},{"key":"e_1_3_2_1_15_1","unstructured":"Adam Coates Andrew Ng and Honglak Lee. 2011. An analysis of single-layer networks in unsupervised feature learning. In AISTATS.  Adam Coates Andrew Ng and Honglak Lee. 2011. An analysis of single-layer networks in unsupervised feature learning. In AISTATS."},{"key":"e_1_3_2_1_16_1","volume-title":"SSLGuard: A Watermarking Scheme for Self-supervised Learning Pre-trained Encoders. arXiv preprint arXiv:2201.11692","author":"Cong Tianshuo","year":"2022","unstructured":"Tianshuo Cong , Xinlei He , and Yang Zhang . 2022. SSLGuard: A Watermarking Scheme for Self-supervised Learning Pre-trained Encoders. arXiv preprint arXiv:2201.11692 ( 2022 ). Tianshuo Cong, Xinlei He, and Yang Zhang. 2022. SSLGuard: A Watermarking Scheme for Self-supervised Learning Pre-trained Encoders. arXiv preprint arXiv:2201.11692 (2022)."},{"key":"e_1_3_2_1_17_1","volume-title":"Imagenet: A large-scale hierarchical image database. In CVPR.","author":"Deng Jia","year":"2009","unstructured":"Jia Deng , Wei Dong , Richard Socher , Li-Jia Li , Kai Li , and Li Fei-Fei . 2009 . Imagenet: A large-scale hierarchical image database. In CVPR. Jia Deng,Wei Dong, Richard Socher, Li-Jia Li, Kai Li, and Li Fei-Fei. 2009. Imagenet: A large-scale hierarchical image database. In CVPR."},{"key":"e_1_3_2_1_18_1","volume-title":"Bert: Pre-training of deep bidirectional transformers for language understanding. In NAACL-HLT.","author":"Devlin Jacob","year":"2019","unstructured":"Jacob Devlin , Ming-Wei Chang , Kenton Lee , and Kristina Toutanova . 2019 . Bert: Pre-training of deep bidirectional transformers for language understanding. In NAACL-HLT. Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. 2019. Bert: Pre-training of deep bidirectional transformers for language understanding. In NAACL-HLT."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"crossref","unstructured":"Matt Fredrikson Somesh Jha and Thomas Ristenpart. 2015. Model inversion attacks that exploit confidence information and basic countermeasures. In CCS.  Matt Fredrikson Somesh Jha and Thomas Ristenpart. 2015. Model inversion attacks that exploit confidence information and basic countermeasures. In CCS.","DOI":"10.1145\/2810103.2813677"},{"key":"e_1_3_2_1_20_1","unstructured":"Kaiming He Haoqi Fan Yuxin Wu Saining Xie and Ross Girshick. 2020. Momentum contrast for unsupervised visual representation learning. In CVPR.  Kaiming He Haoqi Fan Yuxin Wu Saining Xie and Ross Girshick. 2020. Momentum contrast for unsupervised visual representation learning. In CVPR."},{"key":"e_1_3_2_1_21_1","unstructured":"Kaiming He Xiangyu Zhang Shaoqing Ren and Jian Sun. 2016. Deep residual learning for image recognition. In CVPR.  Kaiming He Xiangyu Zhang Shaoqing Ren and Jian Sun. 2016. Deep residual learning for image recognition. In CVPR."},{"key":"e_1_3_2_1_22_1","volume-title":"USENIX Security Symposium.","author":"He Xinlei","year":"2021","unstructured":"Xinlei He , Jinyuan Jia , Michael Backes , Neil Zhenqiang Gong , and Yang Zhang . 2021 . Stealing links from graph neural networks . In USENIX Security Symposium. Xinlei He, Jinyuan Jia, Michael Backes, Neil Zhenqiang Gong, and Yang Zhang. 2021. Stealing links from graph neural networks. In USENIX Security Symposium."},{"key":"e_1_3_2_1_23_1","unstructured":"Xinlei He and Yang Zhang. 2021. Quantifying and Mitigating Privacy Risks of Contrastive Learning. In CCS.  Xinlei He and Yang Zhang. 2021. Quantifying and Mitigating Privacy Risks of Contrastive Learning. In CCS."},{"key":"e_1_3_2_1_24_1","unstructured":"Geoffrey Hinton Oriol Vinyals Jeff Dean etal 2015. Distilling the knowledge in a neural network. arXiv preprint arXiv:1503.02531 2 7 (2015).  Geoffrey Hinton Oriol Vinyals Jeff Dean et al. 2015. Distilling the knowledge in a neural network. arXiv preprint arXiv:1503.02531 2 7 (2015)."},{"key":"e_1_3_2_1_25_1","volume-title":"USENIX Security Symposium.","author":"Jagielski Matthew","year":"2020","unstructured":"Matthew Jagielski , Nicholas Carlini , David Berthelot , Alex Kurakin , and Nicolas Papernot . 2020 . High accuracy and high fidelity extraction of neural networks . In USENIX Security Symposium. Matthew Jagielski, Nicholas Carlini, David Berthelot, Alex Kurakin, and Nicolas Papernot. 2020. High accuracy and high fidelity extraction of neural networks. In USENIX Security Symposium."},{"key":"e_1_3_2_1_26_1","volume-title":"USENIX Security Symposium.","author":"Jia Hengrui","year":"2021","unstructured":"Hengrui Jia , Christopher A Choquette-Choo , Varun Chandrasekaran , and Nicolas Papernot . 2021 . Entangled watermarks as a defense against model extraction . In USENIX Security Symposium. Hengrui Jia, Christopher A Choquette-Choo, Varun Chandrasekaran, and Nicolas Papernot. 2021. Entangled watermarks as a defense against model extraction. In USENIX Security Symposium."},{"key":"e_1_3_2_1_27_1","volume-title":"10 Security and Privacy Problems in Self-Supervised Learning. arXiv preprint arXiv:2110.15444","author":"Jia Jinyuan","year":"2021","unstructured":"Jinyuan Jia , Hongbin Liu , and Neil Zhenqiang Gong . 2021. 10 Security and Privacy Problems in Self-Supervised Learning. arXiv preprint arXiv:2110.15444 ( 2021 ). Jinyuan Jia, Hongbin Liu, and Neil Zhenqiang Gong. 2021. 10 Security and Privacy Problems in Self-Supervised Learning. arXiv preprint arXiv:2110.15444 (2021)."},{"key":"e_1_3_2_1_28_1","volume-title":"Badencoder: Backdoor attacks to pre-trained encoders in self-supervised learning. arXiv preprint arXiv:2108.00352","author":"Jia Jinyuan","year":"2021","unstructured":"Jinyuan Jia , Yupei Liu , and Neil Zhenqiang Gong . 2021 . Badencoder: Backdoor attacks to pre-trained encoders in self-supervised learning. arXiv preprint arXiv:2108.00352 (2021). Jinyuan Jia, Yupei Liu, and Neil Zhenqiang Gong. 2021. Badencoder: Backdoor attacks to pre-trained encoders in self-supervised learning. arXiv preprint arXiv:2108.00352 (2021)."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363201"},{"key":"e_1_3_2_1_30_1","unstructured":"Jinyuan Jia BinghuiWang and Neil Zhenqiang Gong. 2021. Robust and Verifiable Information Embedding Attacks to Deep Neural Networks via Error-Correcting Codes. In AsiaCCS.  Jinyuan Jia BinghuiWang and Neil Zhenqiang Gong. 2021. Robust and Verifiable Information Embedding Attacks to Deep Neural Networks via Error-Correcting Codes. In AsiaCCS."},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"crossref","unstructured":"Mika Juuti Sebastian Szyller Samuel Marchal and N Asokan. 2019. PRADA: protecting against DNN model stealing attacks. In EuroS&P.  Mika Juuti Sebastian Szyller Samuel Marchal and N Asokan. 2019. PRADA: protecting against DNN model stealing attacks. In EuroS&P.","DOI":"10.1109\/EuroSP.2019.00044"},{"key":"e_1_3_2_1_32_1","volume-title":"Maze: Data-free model stealing attack using zeroth-order gradient estimation. In CVPR.","author":"Kariyappa Sanjay","year":"2021","unstructured":"Sanjay Kariyappa , Atul Prakash , and Moinuddin K Qureshi . 2021 . Maze: Data-free model stealing attack using zeroth-order gradient estimation. In CVPR. Sanjay Kariyappa, Atul Prakash, and Moinuddin K Qureshi. 2021. Maze: Data-free model stealing attack using zeroth-order gradient estimation. In CVPR."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"crossref","unstructured":"Sanjay Kariyappa and Moinuddin K Qureshi. 2020. Defending against model stealing attacks with adaptive misinformation. In CVPR.  Sanjay Kariyappa and Moinuddin K Qureshi. 2020. Defending against model stealing attacks with adaptive misinformation. In CVPR.","DOI":"10.1109\/CVPR42600.2020.00085"},{"key":"e_1_3_2_1_34_1","volume-title":"Ankur P Parikh, Nicolas Papernot, and Mohit Iyyer.","author":"Krishna Kalpesh","year":"2019","unstructured":"Kalpesh Krishna , Gaurav Singh Tomar , Ankur P Parikh, Nicolas Papernot, and Mohit Iyyer. 2019 . Thieves on sesame street! model extraction of bert-based apis. In ICLR. Kalpesh Krishna, Gaurav Singh Tomar, Ankur P Parikh, Nicolas Papernot, and Mohit Iyyer. 2019. Thieves on sesame street! model extraction of bert-based apis. In ICLR."},{"key":"e_1_3_2_1_35_1","unstructured":"Alex Krizhevsky Geoffrey Hinton etal 2009. Learning multiple layers of features from tiny images. Tech Report (2009).  Alex Krizhevsky Geoffrey Hinton et al. 2009. Learning multiple layers of features from tiny images. Tech Report (2009)."},{"key":"e_1_3_2_1_36_1","volume-title":"MNIST handwritten digit database. ATT Labs [Online]. Available: http:\/\/yann.lecun.com\/exdb\/mnist 2","author":"LeCun Yann","year":"2010","unstructured":"Yann LeCun , Corinna Cortes , and CJ Burges . 2010. MNIST handwritten digit database. ATT Labs [Online]. Available: http:\/\/yann.lecun.com\/exdb\/mnist 2 ( 2010 ). Yann LeCun, Corinna Cortes, and CJ Burges. 2010. MNIST handwritten digit database. ATT Labs [Online]. Available: http:\/\/yann.lecun.com\/exdb\/mnist 2 (2010)."},{"key":"e_1_3_2_1_37_1","volume-title":"Poisoned Encoder: Poisoning the Unlabeled Pre-training Data in Contrastive Learning. In USENIX Security Symposium.","author":"Liu Hongbin","year":"2022","unstructured":"Hongbin Liu , Jinyuan Jia , and Neil Zhenqiang Gong . 2022 . Poisoned Encoder: Poisoning the Unlabeled Pre-training Data in Contrastive Learning. In USENIX Security Symposium. Hongbin Liu, Jinyuan Jia, and Neil Zhenqiang Gong. 2022. Poisoned Encoder: Poisoning the Unlabeled Pre-training Data in Contrastive Learning. In USENIX Security Symposium."},{"key":"e_1_3_2_1_38_1","volume-title":"Encoder MI: Membership Inference against Pre-trained Encoders in Contrastive Learning. In CCS.","author":"Liu Hongbin","year":"2021","unstructured":"Hongbin Liu , Jinyuan Jia , Wenjie Qu , and Neil Zhenqiang Gong . 2021 . Encoder MI: Membership Inference against Pre-trained Encoders in Contrastive Learning. In CCS. Hongbin Liu, Jinyuan Jia, Wenjie Qu, and Neil Zhenqiang Gong. 2021. Encoder MI: Membership Inference against Pre-trained Encoders in Contrastive Learning. In CCS."},{"key":"e_1_3_2_1_39_1","volume-title":"SoK: How Robust is Image Classification Deep Neural Network Watermarking? arXiv preprint arXiv:2108.04974","author":"Lukas Nils","year":"2021","unstructured":"Nils Lukas , Edward Jiang , Xinda Li , and Florian Kerschbaum . 2021. SoK: How Robust is Image Classification Deep Neural Network Watermarking? arXiv preprint arXiv:2108.04974 ( 2021 ). Nils Lukas, Edward Jiang, Xinda Li, and Florian Kerschbaum. 2021. SoK: How Robust is Image Classification Deep Neural Network Watermarking? arXiv preprint arXiv:2108.04974 (2021)."},{"key":"e_1_3_2_1_40_1","unstructured":"Nils Lukas Yuxuan Zhang and Florian Kerschbaum. 2021. Deep Neural Network Fingerprinting by Conferrable Adversarial Examples. In ICLR.  Nils Lukas Yuxuan Zhang and Florian Kerschbaum. 2021. Deep Neural Network Fingerprinting by Conferrable Adversarial Examples. In ICLR."},{"key":"e_1_3_2_1_41_1","volume-title":"NIPS Workshop on Deep Learning and Unsupervised Feature Learning.","author":"Netzer Yuval","year":"2011","unstructured":"Yuval Netzer , Tao Wang , Adam Coates , Alessandro Bissacco , Bo Wu , and Andrew Y Ng . 2011 . Reading digits in natural images with unsupervised feature learning . In NIPS Workshop on Deep Learning and Unsupervised Feature Learning. Yuval Netzer, Tao Wang, Adam Coates, Alessandro Bissacco, Bo Wu, and Andrew Y Ng. 2011. Reading digits in natural images with unsupervised feature learning. In NIPS Workshop on Deep Learning and Unsupervised Feature Learning."},{"key":"e_1_3_2_1_42_1","unstructured":"Seong Joon Oh Max Augustin Mario Fritz and Bernt Schiele. 2018. Towards Reverse-Engineering Black-Box Neural Networks. In ICLR.  Seong Joon Oh Max Augustin Mario Fritz and Bernt Schiele. 2018. Towards Reverse-Engineering Black-Box Neural Networks. In ICLR."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"crossref","unstructured":"Tribhuvanesh Orekondy Bernt Schiele and Mario Fritz. 2019. Knockoff nets: Stealing functionality of black-box models. In CVPR.  Tribhuvanesh Orekondy Bernt Schiele and Mario Fritz. 2019. Knockoff nets: Stealing functionality of black-box models. In CVPR.","DOI":"10.1109\/CVPR.2019.00509"},{"key":"e_1_3_2_1_44_1","volume-title":"Prediction Poisoning: Towards Defenses Against DNN Model Stealing Attacks. In ICLR.","author":"Orekondy Tribhuvanesh","year":"2020","unstructured":"Tribhuvanesh Orekondy , Bernt Schiele , and Mario Fritz . 2020 . Prediction Poisoning: Towards Defenses Against DNN Model Stealing Attacks. In ICLR. Tribhuvanesh Orekondy, Bernt Schiele, and Mario Fritz. 2020. Prediction Poisoning: Towards Defenses Against DNN Model Stealing Attacks. In ICLR."},{"key":"e_1_3_2_1_45_1","volume-title":"Chris Hallacy, Aditya Ramesh, Gabriel Goh, Sandhini Agarwal, Girish Sastry, Amanda Askell, Pamela Mishkin, Jack Clark, et al.","author":"Radford Alec","year":"2021","unstructured":"Alec Radford , Jong Wook Kim , Chris Hallacy, Aditya Ramesh, Gabriel Goh, Sandhini Agarwal, Girish Sastry, Amanda Askell, Pamela Mishkin, Jack Clark, et al. 2021 . Learning transferable visual models from natural language supervision. In ICML. Alec Radford, Jong Wook Kim, Chris Hallacy, Aditya Ramesh, Gabriel Goh, Sandhini Agarwal, Girish Sastry, Amanda Askell, Pamela Mishkin, Jack Clark, et al. 2021. Learning transferable visual models from natural language supervision. In ICML."},{"key":"e_1_3_2_1_47_1","unstructured":"Alec Radford Jeffrey Wu Rewon Child David Luan Dario Amodei Ilya Sutskever etal 2019. Language models are unsupervised multitask learners. OpenAI blog 1 8 (2019) 9.  Alec Radford Jeffrey Wu Rewon Child David Luan Dario Amodei Ilya Sutskever et al. 2019. Language models are unsupervised multitask learners. OpenAI blog 1 8 (2019) 9."},{"key":"e_1_3_2_1_48_1","volume-title":"Membership inference attacks against machine learning models","author":"Shokri Reza","unstructured":"Reza Shokri , Marco Stronati , Congzheng Song , and Vitaly Shmatikov . 2017. Membership inference attacks against machine learning models . In IEEE S &P. Reza Shokri, Marco Stronati, Congzheng Song, and Vitaly Shmatikov. 2017. Membership inference attacks against machine learning models. In IEEE S&P."},{"key":"e_1_3_2_1_49_1","volume-title":"Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition. Neural networks 32","author":"Stallkamp Johannes","year":"2012","unstructured":"Johannes Stallkamp , Marc Schlipsing , Jan Salmen , and Christian Igel . 2012. Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition. Neural networks 32 ( 2012 ), 323--332. Johannes Stallkamp, Marc Schlipsing, Jan Salmen, and Christian Igel. 2012. Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition. Neural networks 32 (2012), 323--332."},{"key":"e_1_3_2_1_50_1","volume-title":"USENIX Security Symposium.","author":"Tram\u00e8r Florian","year":"2016","unstructured":"Florian Tram\u00e8r , Fan Zhang , Ari Juels , Michael K Reiter , and Thomas Ristenpart . 2016 . Stealing machine learning models via prediction apis . In USENIX Security Symposium. Florian Tram\u00e8r, Fan Zhang, Ari Juels, Michael K Reiter, and Thomas Ristenpart. 2016. Stealing machine learning models via prediction apis. In USENIX Security Symposium."},{"key":"e_1_3_2_1_51_1","volume-title":"Stealing hyperparameters in machine learning","author":"Wang Binghui","unstructured":"Binghui Wang and Neil Zhenqiang Gong . 2018. Stealing hyperparameters in machine learning . In IEEE S &P. Binghui Wang and Neil Zhenqiang Gong. 2018. Stealing hyperparameters in machine learning. In IEEE S&P."},{"key":"e_1_3_2_1_52_1","volume-title":"Fashion-MNIST: a Novel Image Dataset for Benchmarking Machine Learning. arXiv preprint arXiv:1708.07747","author":"Xiao Han","year":"2017","unstructured":"Han Xiao , Kashif Rasul , and Roland Vollgraf . 2017. Fashion-MNIST: a Novel Image Dataset for Benchmarking Machine Learning. arXiv preprint arXiv:1708.07747 ( 2017 ). Han Xiao, Kashif Rasul, and Roland Vollgraf. 2017. Fashion-MNIST: a Novel Image Dataset for Benchmarking Machine Learning. arXiv preprint arXiv:1708.07747 (2017)."},{"key":"e_1_3_2_1_53_1","volume-title":"USENIX Security Symposium.","author":"Yan Mengjia","year":"2020","unstructured":"Mengjia Yan , Christopher W Fletcher , and Josep Torrellas . 2020 . Cache telepathy: Leveraging shared resource attacks to learn DNN architectures . In USENIX Security Symposium. Mengjia Yan, Christopher W Fletcher, and Josep Torrellas. 2020. Cache telepathy: Leveraging shared resource attacks to learn DNN architectures. In USENIX Security Symposium."},{"key":"e_1_3_2_1_54_1","unstructured":"Honggang Yu Kaichen Yang Teng Zhang Yun-Yun Tsai Tsung-Yi Ho and Yier Jin. 2020. CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples.. In NDSS.  Honggang Yu Kaichen Yang Teng Zhang Yun-Yun Tsai Tsung-Yi Ho and Yier Jin. 2020. CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples.. In NDSS."},{"key":"e_1_3_2_1_55_1","unstructured":"Santiago Zanella-Beguelin Shruti Tople Andrew Paverd and Boris K\u00f6pf. 2021. Grey-box extraction of natural language models. In ICML.  Santiago Zanella-Beguelin Shruti Tople Andrew Paverd and Boris K\u00f6pf. 2021. Grey-box extraction of natural language models. In ICML."},{"key":"e_1_3_2_1_56_1","unstructured":"Rowan Zellers Ari Holtzman Hannah Rashkin Yonatan Bisk Ali Farhadi Franziska Roesner and Yejin Choi. 2020. Defending against neural fake news. In NeurIPS.  Rowan Zellers Ari Holtzman Hannah Rashkin Yonatan Bisk Ali Farhadi Franziska Roesner and Yejin Choi. 2020. Defending against neural fake news. In NeurIPS."},{"key":"e_1_3_2_1_57_1","volume-title":"Heqing Huang, and Ian Molloy.","author":"Zhang Jialong","year":"2018","unstructured":"Jialong Zhang , Zhongshu Gu , Jiyong Jang , Hui Wu , Marc Ph Stoecklin , Heqing Huang, and Ian Molloy. 2018 . Protecting intellectual property of deep neural networks with watermarking. In AsiaCCS. Jialong Zhang, Zhongshu Gu, Jiyong Jang, Hui Wu, Marc Ph Stoecklin, Heqing Huang, and Ian Molloy. 2018. Protecting intellectual property of deep neural networks with watermarking. In AsiaCCS."},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/3474369.3486863"},{"key":"e_1_3_2_1_59_1","volume-title":"Hermes Attack: Steal DNN Models with Lossless Inference Accuracy. In USENIX Security Symposium.","author":"Zhu Yuankun","year":"2021","unstructured":"Yuankun Zhu , Yueqiang Cheng , Husheng Zhou , and Yantao Lu . 2021 . Hermes Attack: Steal DNN Models with Lossless Inference Accuracy. In USENIX Security Symposium. Yuankun Zhu, Yueqiang Cheng, Husheng Zhou, and Yantao Lu. 2021. Hermes Attack: Steal DNN Models with Lossless Inference Accuracy. In USENIX Security Symposium."}],"event":{"name":"CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security","location":"Los Angeles CA USA","acronym":"CCS '22","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3548606.3560586","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3548606.3560586","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3548606.3560586","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:50:57Z","timestamp":1750182657000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3548606.3560586"}},"subtitle":["Stealing Pre-trained Encoders in Self-supervised Learning"],"short-title":[],"issued":{"date-parts":[[2022,11,7]]},"references-count":58,"alternative-id":["10.1145\/3548606.3560586","10.1145\/3548606"],"URL":"https:\/\/doi.org\/10.1145\/3548606.3560586","relation":{},"subject":[],"published":{"date-parts":[[2022,11,7]]},"assertion":[{"value":"2022-11-07","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}