{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,1]],"date-time":"2026-02-01T04:37:41Z","timestamp":1769920661831,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":46,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,11,21]],"date-time":"2024-11-21T00:00:00Z","timestamp":1732147200000},"content-version":"vor","delay-in-days":372,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000185","name":"Defense Advanced Research Projects Agency","doi-asserted-by":"publisher","award":["885000"],"award-info":[{"award-number":["885000"]}],"id":[{"id":"10.13039\/100000185","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["1841052, 2039445"],"award-info":[{"award-number":["1841052, 2039445"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,15]]},"DOI":"10.1145\/3576915.3623116","type":"proceedings-article","created":{"date-parts":[[2023,11,21]],"date-time":"2023-11-21T12:35:13Z","timestamp":1700570113000},"page":"786-800","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":10,"title":["Stateful Defenses for Machine Learning Models Are Not Yet Secure Against Black-box Attacks"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4767-274X","authenticated-orcid":false,"given":"Ryan","family":"Feng","sequence":"first","affiliation":[{"name":"University of Michigan, Ann Arbor, MI, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2928-919X","authenticated-orcid":false,"given":"Ashish","family":"Hooda","sequence":"additional","affiliation":[{"name":"University of Wisconsin-Madison, Madison, WI, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0684-4971","authenticated-orcid":false,"given":"Neal","family":"Mangaokar","sequence":"additional","affiliation":[{"name":"University of Michigan, Ann Arbor, MI, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4609-7691","authenticated-orcid":false,"given":"Kassem","family":"Fawaz","sequence":"additional","affiliation":[{"name":"University of Wisconsin-Madison, Madison, WI, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5877-0436","authenticated-orcid":false,"given":"Somesh","family":"Jha","sequence":"additional","affiliation":[{"name":"University of Wisconsin-Madison, Madison, WI, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4907-3687","authenticated-orcid":false,"given":"Atul","family":"Prakash","sequence":"additional","affiliation":[{"name":"University of Michigan, Ann Arbor, MI, USA"}]}],"member":"320","published-online":{"date-parts":[[2023,11,21]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Amazon. [n. d.]. Amazon Rekognition: Automate your image recognition and video analysis with machine learning. https:\/\/aws.amazon.com\/rekognition\/"},{"key":"e_1_3_2_1_2_1","volume-title":"UK","author":"Andriushchenko Maksym","year":"2020","unstructured":"Maksym Andriushchenko, Francesco Croce, Nicolas Flammarion, and Matthias Hein. 2020. Square attack: a query-efficient black-box adversarial attack via random search. In Computer Vision-ECCV 2020: 16th European Conference, Glasgow, UK, August 23-28, 2020, Proceedings, Part XXIII. Springer, 484--501."},{"key":"e_1_3_2_1_3_1","volume-title":"International conference on machine learning. PMLR, 274--283","author":"Athalye Anish","year":"2018","unstructured":"Anish Athalye, Nicholas Carlini, and David Wagner. 2018. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In International conference on machine learning. PMLR, 274--283."},{"key":"e_1_3_2_1_4_1","volume-title":"Robust malware detection for internet of (battlefield) things devices using deep eigenspace learning","author":"Azmoodeh Amin","year":"2018","unstructured":"Amin Azmoodeh, Ali Dehghantanha, and Kim-Kwang Raymond Choo. 2018. Robust malware detection for internet of (battlefield) things devices using deep eigenspace learning. IEEE transactions on sustainable computing, Vol. 4, 1 (2018), 88--95."},{"key":"e_1_3_2_1_5_1","volume-title":"Learning visual similarity for product design with convolutional neural networks. ACM transactions on graphics (TOG)","author":"Bell Sean","year":"2015","unstructured":"Sean Bell and Kavita Bala. 2015. Learning visual similarity for product design with convolutional neural networks. ACM transactions on graphics (TOG), Vol. 34, 4 (2015), 1--10."},{"key":"e_1_3_2_1_6_1","volume-title":"Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. arXiv preprint arXiv:1712.04248","author":"Brendel Wieland","year":"2017","unstructured":"Wieland Brendel, Jonas Rauber, and Matthias Bethge. 2017. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. arXiv preprint arXiv:1712.04248 (2017)."},{"key":"e_1_3_2_1_7_1","volume-title":"Adversarial patch. arXiv preprint arXiv:1712.09665","author":"Brown Tom B","year":"2017","unstructured":"Tom B Brown, Dandelion Man\u00e9, Aurko Roy, Mart\u00edn Abadi, and Justin Gilmer. 2017. Adversarial patch. arXiv preprint arXiv:1712.09665 (2017)."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00045"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/3385003.3410925"},{"key":"e_1_3_2_1_10_1","volume-title":"Adversarial Attack on Attackers: Post-Process to Mitigate Black-Box Score-Based Query Attacks. arXiv preprint arXiv:2205.12134","author":"Chen Sizhe","year":"2022","unstructured":"Sizhe Chen, Zhehao Huang, Qinghua Tao, Yingwen Wu, Cihang Xie, and Xiaolin Huang. 2022. Adversarial Attack on Attackers: Post-Process to Mitigate Black-Box Score-Based Query Attacks. arXiv preprint arXiv:2205.12134 (2022)."},{"key":"e_1_3_2_1_11_1","volume-title":"PIHA: Detection method using perceptual image hashing against query-based adversarial attacks. Future Generation Computer Systems","author":"Choi Seok-Hwan","year":"2023","unstructured":"Seok-Hwan Choi, Jinmyeong Shin, and Yoon-Ho Choi. 2023. PIHA: Detection method using perceptual image hashing against query-based adversarial attacks. Future Generation Computer Systems (2023)."},{"key":"e_1_3_2_1_12_1","unstructured":"Clarifai. [n. d.]. The world's AI: Clarifai Computer Vision AI and Machine Learning Platform. https:\/\/www.clarifai.com\/"},{"key":"e_1_3_2_1_13_1","volume-title":"International conference on machine learning. PMLR, 2206--2216","author":"Croce Francesco","year":"2020","unstructured":"Francesco Croce and Matthias Hein. 2020. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In International conference on machine learning. PMLR, 2206--2216."},{"key":"e_1_3_2_1_14_1","volume-title":"arXiv e-prints","author":"Dalins Janis","year":"2019","unstructured":"Janis Dalins, Campbell Wilson, and Douglas Boudry. 2019. PDQ & TMK PDQF-A Test Drive of Facebook's Perceptual Hashing Algorithms. arXiv e-prints (2019), arXiv-1912."},{"key":"e_1_3_2_1_15_1","volume-title":"IPTPS 2002 Cambridge, MA, USA","author":"Douceur John R","year":"2002","unstructured":"John R Douceur. 2002. The sybil attack. In Peer-to-Peer Systems: First InternationalWorkshop, IPTPS 2002 Cambridge, MA, USA, March 7-8, 2002 Revised Papers 1. Springer, 251--260."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.image.2019.115713"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/TII.2022.3167672"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},{"key":"e_1_3_2_1_19_1","volume-title":"GRAPHITE: Generating Automatic Physical Examples for Machine-Learning Attacks on Computer Vision Systems. In 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P). IEEE, 664--683","author":"Feng Ryan","year":"2022","unstructured":"Ryan Feng, Neal Mangaokar, Jiefeng Chen, Earlence Fernandes, Somesh Jha, and Atul Prakash. 2022. GRAPHITE: Generating Automatic Physical Examples for Machine-Learning Attacks on Computer Vision Systems. In 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P). IEEE, 664--683."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.5555\/2354409.2354978"},{"key":"e_1_3_2_1_21_1","volume-title":"Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572","author":"Goodfellow Ian J","year":"2014","unstructured":"Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014)."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1001\/jama.2016.17216"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_1_24_1","unstructured":"Ashish Hooda Neal Mangaokar Ryan Feng Kassem Fawaz Somesh Jha and Atul Prakash. 2022. Towards Adversarially Robust Deepfake Detection: An Ensemble Approach. arxiv: 2202.05687 [cs.LG]"},{"key":"e_1_3_2_1_25_1","volume-title":"International conference on machine learning. PMLR, 2137--2146","author":"Ilyas Andrew","year":"2018","unstructured":"Andrew Ilyas, Logan Engstrom, Anish Athalye, and Jessy Lin. 2018. Black-box adversarial attacks with limited queries and information. In International conference on machine learning. PMLR, 2137--2146."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00044"},{"key":"e_1_3_2_1_27_1","volume-title":"International Conference on Learning Representations.","author":"Karras Tero","year":"2018","unstructured":"Tero Karras, Timo Aila, Samuli Laine, and Jaakko Lehtinen. 2018. Progressive Growing of GANs for Improved Quality, Stability, and Variation. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_28_1","unstructured":"Alex Krizhevsky Geoffrey Hinton et al. 2009. Learning multiple layers of features from tiny images. (2009)."},{"key":"e_1_3_2_1_29_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Li Huiying","year":"2022","unstructured":"Huiying Li, Shawn Shan, Emily Wenger, Jiayun Zhang, Haitao Zheng, and Ben Y Zhao. 2022. Blacklight: Scalable Defense for Neural Networks against {Query-Based}{Black-Box} Attacks. In 31st USENIX Security Symposium (USENIX Security 22). 2117--2134."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00130"},{"key":"e_1_3_2_1_31_1","volume-title":"Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083","author":"Madry Aleksander","year":"2017","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2017. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 (2017)."},{"key":"e_1_3_2_1_32_1","volume-title":"On the generalized distance in statistics","author":"Mahalanobis Prasanta Chandra","unstructured":"Prasanta Chandra Mahalanobis. 1936. On the generalized distance in statistics. National Institute of Science of India."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.01029"},{"key":"e_1_3_2_1_34_1","volume-title":"International Conference on Machine Learning. PMLR, 4636--4645","author":"Moon Seungyong","year":"2019","unstructured":"Seungyong Moon, Gaon An, and Hyun Oh Song. 2019. Parsimonious black-box adversarial attacks via efficient combinatorial optimization. In International Conference on Machine Learning. PMLR, 4636--4645."},{"key":"e_1_3_2_1_35_1","volume-title":"A comparative study of texture measures with classification based on featured distributions. Pattern recognition","author":"Ojala Timo","year":"1996","unstructured":"Timo Ojala, Matti Pietik\u00e4inen, and David Harwood. 1996. A comparative study of texture measures with classification based on featured distributions. Pattern recognition, Vol. 29, 1 (1996), 51--59."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3394486.3403241"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3442381.3449978"},{"key":"e_1_3_2_1_38_1","unstructured":"Plate Recognizer. 2022. Automatic license plate recognition - high accuracy ALPR. https:\/\/platerecognizer.com\/"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"crossref","unstructured":"Olga Russakovsky Jia Deng Hao Su Jonathan Krause Sanjeev Satheesh Sean Ma Zhiheng Huang Andrej Karpathy Aditya Khosla Michael Bernstein et al. 2015. Imagenet large scale visual recognition challenge. International journal of computer vision Vol. 115 (2015) 211--252.","DOI":"10.1007\/s11263-015-0816-y"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2014.244"},{"key":"e_1_3_2_1_41_1","volume-title":"On adaptive attacks to adversarial example defenses. Advances in neural information processing systems","author":"Tramer Florian","year":"2020","unstructured":"Florian Tramer, Nicholas Carlini, Wieland Brendel, and Aleksander Madry. 2020. On adaptive attacks to adversarial example defenses. Advances in neural information processing systems, Vol. 33 (2020), 1633--1645."},{"key":"e_1_3_2_1_42_1","volume-title":"Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204","author":"Tram\u00e8r Florian","year":"2017","unstructured":"Florian Tram\u00e8r, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, and Patrick McDaniel. 2017. Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204 (2017)."},{"key":"e_1_3_2_1_43_1","volume-title":"Deep learning for identifying metastatic breast cancer. arXiv preprint arXiv:1606.05718","author":"Wang Dayong","year":"2016","unstructured":"Dayong Wang, Aditya Khosla, Rishab Gargeya, Humayun Irshad, and Andrew H Beck. 2016. Deep learning for identifying metastatic breast cancer. arXiv preprint arXiv:1606.05718 (2016)."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.5555\/2627435.2638566"},{"key":"e_1_3_2_1_45_1","volume-title":"International Conference on Learning Representations.","author":"Yan Ziang","year":"2021","unstructured":"Ziang Yan, Yiwen Guo, Jian Liang, and Changshui Zhang. 2021. Policy-driven attack: learning to query for hard-label black-box adversarial examples. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_46_1","volume-title":"Uncovering social network sybils in the wild. ACM Transactions on Knowledge Discovery from Data (TKDD)","author":"Yang Zhi","year":"2014","unstructured":"Zhi Yang, Christo Wilson, Xiao Wang, Tingting Gao, Ben Y Zhao, and Yafei Dai. 2014. Uncovering social network sybils in the wild. ACM Transactions on Knowledge Discovery from Data (TKDD), Vol. 8, 1 (2014), 1--29."}],"event":{"name":"CCS '23: ACM SIGSAC Conference on Computer and Communications Security","location":"Copenhagen Denmark","acronym":"CCS '23","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3576915.3623116","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3576915.3623116","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3576915.3623116","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,21]],"date-time":"2025-08-21T01:57:20Z","timestamp":1755741440000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3576915.3623116"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,15]]},"references-count":46,"alternative-id":["10.1145\/3576915.3623116","10.1145\/3576915"],"URL":"https:\/\/doi.org\/10.1145\/3576915.3623116","relation":{},"subject":[],"published":{"date-parts":[[2023,11,15]]},"assertion":[{"value":"2023-11-21","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}