{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T17:30:35Z","timestamp":1777656635395,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":50,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,7,10]],"date-time":"2023-07-10T00:00:00Z","timestamp":1688947200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100000038","name":"Natural Sciences and Engineering Research Council of Canada","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100000038","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,7,10]]},"DOI":"10.1145\/3579856.3582816","type":"proceedings-article","created":{"date-parts":[[2023,7,5]],"date-time":"2023-07-05T14:52:13Z","timestamp":1688568733000},"page":"689-703","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":20,"title":["Jujutsu: A Two-stage Defense against Adversarial Patch Attacks on Deep Neural Networks"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6756-8675","authenticated-orcid":false,"given":"Zitao","family":"Chen","sequence":"first","affiliation":[{"name":"University of British Columbia, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9818-4922","authenticated-orcid":false,"given":"Pritam","family":"Dash","sequence":"additional","affiliation":[{"name":"University of British Columbia, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2380-3415","authenticated-orcid":false,"given":"Karthik","family":"Pattabiraman","sequence":"additional","affiliation":[{"name":"University of British Columbia, Canada"}]}],"member":"320","published-online":{"date-parts":[[2023,7,10]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n.d.]. CelebA dataset. https:\/\/github.com\/ndb796\/CelebA-HQ-Face-Identity-and-Attributes-Recognition-PyTorch.  [n.d.]. CelebA dataset. https:\/\/github.com\/ndb796\/CelebA-HQ-Face-Identity-and-Attributes-Recognition-PyTorch."},{"key":"e_1_3_2_1_2_1","unstructured":"[n.d.]. Code for Februus defense. https:\/\/github.com\/AdelaideAuto-IDLab\/Februus.git.  [n.d.]. Code for Februus defense. https:\/\/github.com\/AdelaideAuto-IDLab\/Februus.git."},{"key":"e_1_3_2_1_3_1","unstructured":"[n.d.]. Code for STRIP defense. https:\/\/github.com\/garrisongys\/STRIP.  [n.d.]. Code for STRIP defense. https:\/\/github.com\/garrisongys\/STRIP."},{"key":"e_1_3_2_1_4_1","unstructured":"[n.d.]. Image Filtering Median Filtering. https:\/\/homepages.inf.ed.ac.uk\/rbf\/HIPR2\/mean.htm.  [n.d.]. Image Filtering Median Filtering. https:\/\/homepages.inf.ed.ac.uk\/rbf\/HIPR2\/mean.htm."},{"key":"e_1_3_2_1_5_1","unstructured":"[n.d.]. ImageNette dataset. https:\/\/github.com\/fastai\/imagenette.  [n.d.]. ImageNette dataset. https:\/\/github.com\/fastai\/imagenette."},{"key":"e_1_3_2_1_6_1","volume-title":"Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv preprint arXiv:1802.00420","author":"Athalye Anish","year":"2018","unstructured":"Anish Athalye , Nicholas Carlini , and David Wagner . 2018. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv preprint arXiv:1802.00420 ( 2018 ). Anish Athalye, Nicholas Carlini, and David Wagner. 2018. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv preprint arXiv:1802.00420 (2018)."},{"key":"e_1_3_2_1_7_1","volume-title":"International conference on machine learning. PMLR, 284\u2013293","author":"Athalye Anish","year":"2018","unstructured":"Anish Athalye , Logan Engstrom , Andrew Ilyas , and Kevin Kwok . 2018 . Synthesizing robust adversarial examples . In International conference on machine learning. PMLR, 284\u2013293 . Anish Athalye, Logan Engstrom, Andrew Ilyas, and Kevin Kwok. 2018. Synthesizing robust adversarial examples. In International conference on machine learning. PMLR, 284\u2013293."},{"key":"e_1_3_2_1_8_1","volume-title":"End to end learning for self-driving cars. arXiv preprint arXiv:1604.07316","author":"Bojarski Mariusz","year":"2016","unstructured":"Mariusz Bojarski , Davide Del\u00a0Testa , Daniel Dworakowski , Bernhard Firner , Beat Flepp , Prasoon Goyal , Lawrence\u00a0 D Jackel , Mathew Monfort , Urs Muller , Jiakai Zhang , 2016. End to end learning for self-driving cars. arXiv preprint arXiv:1604.07316 ( 2016 ). Mariusz Bojarski, Davide Del\u00a0Testa, Daniel Dworakowski, Bernhard Firner, Beat Flepp, Prasoon Goyal, Lawrence\u00a0D Jackel, Mathew Monfort, Urs Muller, Jiakai Zhang, 2016. End to end learning for self-driving cars. arXiv preprint arXiv:1604.07316 (2016)."},{"key":"e_1_3_2_1_9_1","volume-title":"Adversarial patch. arXiv preprint arXiv:1712.09665","author":"Brown B","year":"2017","unstructured":"Tom\u00a0 B Brown , Dandelion Man\u00e9 , Aurko Roy , Mart\u00edn Abadi , and Justin Gilmer . 2017. Adversarial patch. arXiv preprint arXiv:1712.09665 ( 2017 ). Tom\u00a0B Brown, Dandelion Man\u00e9, Aurko Roy, Mart\u00edn Abadi, and Justin Gilmer. 2017. Adversarial patch. arXiv preprint arXiv:1712.09665 (2017)."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/FG.2018.00020"},{"key":"e_1_3_2_1_11_1","volume-title":"Certified defenses for adversarial patches. arXiv preprint arXiv:2003.06693","author":"Ni Renkun","year":"2020","unstructured":"Ping-yeh Chiang, Renkun Ni , Ahmed Abdelkader , Chen Zhu , Christoph Studor , and Tom Goldstein . 2020. Certified defenses for adversarial patches. arXiv preprint arXiv:2003.06693 ( 2020 ). Ping-yeh Chiang, Renkun Ni, Ahmed Abdelkader, Chen Zhu, Christoph Studor, and Tom Goldstein. 2020. Certified defenses for adversarial patches. arXiv preprint arXiv:2003.06693 (2020)."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW50608.2020.00025"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427264"},{"key":"e_1_3_2_1_15_1","volume-title":"A guide to deep learning in healthcare. Nature medicine 25, 1","author":"Esteva Andre","year":"2019","unstructured":"Andre Esteva , Alexandre Robicquet , Bharath Ramsundar , Volodymyr Kuleshov , Mark DePristo , Katherine Chou , Claire Cui , Greg Corrado , Sebastian Thrun , and Jeff Dean . 2019. A guide to deep learning in healthcare. Nature medicine 25, 1 ( 2019 ), 24\u201329. Andre Esteva, Alexandre Robicquet, Bharath Ramsundar, Volodymyr Kuleshov, Mark DePristo, Katherine Chou, Claire Cui, Greg Corrado, Sebastian Thrun, and Jeff Dean. 2019. A guide to deep learning in healthcare. Nature medicine 25, 1 (2019), 24\u201329."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359790"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v33i01.33013681"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW.2018.00210"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00080"},{"key":"e_1_3_2_1_21_1","volume-title":"Attribution-driven causal analysis for detection of adversarial examples. arXiv preprint arXiv:1903.05821","author":"Jha Susmit","year":"2019","unstructured":"Susmit Jha , Sunny Raj , Steven\u00a0Lawrence Fernandes , Sumit\u00a0Kumar Jha , Somesh Jha , Gunjan Verma , Brian Jalaian , and Ananthram Swami . 2019. Attribution-driven causal analysis for detection of adversarial examples. arXiv preprint arXiv:1903.05821 ( 2019 ). Susmit Jha, Sunny Raj, Steven\u00a0Lawrence Fernandes, Sumit\u00a0Kumar Jha, Somesh Jha, Gunjan Verma, Brian Jalaian, and Ananthram Swami. 2019. Attribution-driven causal analysis for detection of adversarial examples. arXiv preprint arXiv:1903.05821 (2019)."},{"key":"e_1_3_2_1_22_1","volume-title":"Adversarial logit pairing. arXiv preprint arXiv:1803.06373","author":"Kannan Harini","year":"2018","unstructured":"Harini Kannan , Alexey Kurakin , and Ian Goodfellow . 2018. Adversarial logit pairing. arXiv preprint arXiv:1803.06373 ( 2018 ). Harini Kannan, Alexey Kurakin, and Ian Goodfellow. 2018. Adversarial logit pairing. arXiv preprint arXiv:1803.06373 (2018)."},{"key":"e_1_3_2_1_23_1","volume-title":"arXiv preprint arXiv:2002.10733","author":"Levine Alexander","year":"2020","unstructured":"Alexander Levine and Soheil Feizi . 2020. (De) Randomized Smoothing for Certifiable Defense against Patch Attacks . arXiv preprint arXiv:2002.10733 ( 2020 ). Alexander Levine and Soheil Feizi. 2020. (De) Randomized Smoothing for Certifiable Defense against Patch Attacks. arXiv preprint arXiv:2002.10733 (2020)."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01049"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423348"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-01252-6_6"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2015.425"},{"key":"e_1_3_2_1_28_1","volume-title":"Minority Reports Defense: Defending Against Adversarial Patches. arXiv preprint arXiv:2004.13799","author":"McCoyd Michael","year":"2020","unstructured":"Michael McCoyd , Won Park , Steven Chen , Neil Shah , Ryan Roggenkemper , Minjune Hwang , Jason\u00a0Xinyu Liu , and David Wagner . 2020. Minority Reports Defense: Defending Against Adversarial Patches. arXiv preprint arXiv:2004.13799 ( 2020 ). Michael McCoyd, Won Park, Steven Chen, Neil Shah, Ryan Roggenkemper, Minjune Hwang, Jason\u00a0Xinyu Liu, and David Wagner. 2020. Minority Reports Defense: Defending Against Adversarial Patches. arXiv preprint arXiv:2004.13799 (2020)."},{"key":"e_1_3_2_1_29_1","volume-title":"Efficient saliency maps for explainable AI. arXiv preprint arXiv:1911.11293","author":"Mundhenk T\u00a0Nathan","year":"2019","unstructured":"T\u00a0Nathan Mundhenk , Barry\u00a0 Y Chen , and Gerald Friedland . 2019. Efficient saliency maps for explainable AI. arXiv preprint arXiv:1911.11293 ( 2019 ). T\u00a0Nathan Mundhenk, Barry\u00a0Y Chen, and Gerald Friedland. 2019. Efficient saliency maps for explainable AI. arXiv preprint arXiv:1911.11293 (2019)."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/WACV.2019.00143"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"crossref","unstructured":"Omkar\u00a0M Parkhi Andrea Vedaldi and Andrew Zisserman. 2015. Deep face recognition. (2015).  Omkar\u00a0M Parkhi Andrea Vedaldi and Andrew Zisserman. 2015. Deep face recognition. (2015).","DOI":"10.5244\/C.29.41"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.278"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3194085.3194087"},{"key":"e_1_3_2_1_34_1","volume-title":"Adversarial Training against Location-Optimized Adversarial Patches. arXiv preprint arXiv:2005.02313","author":"Rao Sukrut","year":"2020","unstructured":"Sukrut Rao , David Stutz , and Bernt Schiele . 2020. Adversarial Training against Location-Optimized Adversarial Patches. arXiv preprint arXiv:2005.02313 ( 2020 ). Sukrut Rao, David Stutz, and Bernt Schiele. 2020. Adversarial Training against Location-Optimized Adversarial Patches. arXiv preprint arXiv:2005.02313 (2020)."},{"key":"e_1_3_2_1_35_1","volume-title":"Deep learning in medical imaging and radiation therapy. Medical physics 46, 1","author":"Sahiner Berkman","year":"2019","unstructured":"Berkman Sahiner , Aria Pezeshk , Lubomir\u00a0 M Hadjiiski , Xiaosong Wang , Karen Drukker , Kenny\u00a0 H Cha , Ronald\u00a0 M Summers , and Maryellen\u00a0 L Giger . 2019. Deep learning in medical imaging and radiation therapy. Medical physics 46, 1 ( 2019 ), e1\u2013e36. Berkman Sahiner, Aria Pezeshk, Lubomir\u00a0M Hadjiiski, Xiaosong Wang, Karen Drukker, Kenny\u00a0H Cha, Ronald\u00a0M Summers, and Maryellen\u00a0L Giger. 2019. Deep learning in medical imaging and radiation therapy. Medical physics 46, 1 (2019), e1\u2013e36."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.74"},{"key":"e_1_3_2_1_37_1","volume-title":"Smoothgrad: removing noise by adding noise. arXiv preprint arXiv:1706.03825","author":"Smilkov Daniel","year":"2017","unstructured":"Daniel Smilkov , Nikhil Thorat , Been Kim , Fernanda Vi\u00e9gas , and Martin Wattenberg . 2017. Smoothgrad: removing noise by adding noise. arXiv preprint arXiv:1706.03825 ( 2017 ). Daniel Smilkov, Nikhil Thorat, Been Kim, Fernanda Vi\u00e9gas, and Martin Wattenberg. 2017. Smoothgrad: removing noise by adding noise. arXiv preprint arXiv:1706.03825 (2017)."},{"key":"e_1_3_2_1_38_1","volume-title":"Universal Adversarial Attacks with Natural Triggers for Text Classification. arXiv preprint arXiv:2005.00174","author":"Song Liwei","year":"2020","unstructured":"Liwei Song , Xinwei Yu , Hsuan-Tung Peng , and Karthik Narasimhan . 2020. Universal Adversarial Attacks with Natural Triggers for Text Classification. arXiv preprint arXiv:2005.00174 ( 2020 ). Liwei Song, Xinwei Yu, Hsuan-Tung Peng, and Karthik Narasimhan. 2020. Universal Adversarial Attacks with Natural Triggers for Text Classification. arXiv preprint arXiv:2005.00174 (2020)."},{"key":"e_1_3_2_1_39_1","volume-title":"Deepid3: Face recognition with very deep neural networks. arXiv preprint arXiv:1502.00873","author":"Sun Yi","year":"2015","unstructured":"Yi Sun , Ding Liang , Xiaogang Wang , and Xiaoou Tang . 2015. Deepid3: Face recognition with very deep neural networks. arXiv preprint arXiv:1502.00873 ( 2015 ). Yi Sun, Ding Liang, Xiaogang Wang, and Xiaoou Tang. 2015. Deepid3: Face recognition with very deep neural networks. arXiv preprint arXiv:1502.00873 (2015)."},{"key":"e_1_3_2_1_40_1","volume-title":"Axiomatic attribution for deep networks. arXiv preprint arXiv:1703.01365","author":"Sundararajan Mukund","year":"2017","unstructured":"Mukund Sundararajan , Ankur Taly , and Qiqi Yan . 2017. Axiomatic attribution for deep networks. arXiv preprint arXiv:1703.01365 ( 2017 ). Mukund Sundararajan, Ankur Taly, and Qiqi Yan. 2017. Axiomatic attribution for deep networks. arXiv preprint arXiv:1703.01365 (2017)."},{"key":"e_1_3_2_1_41_1","volume-title":"Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199","author":"Szegedy Christian","year":"2013","unstructured":"Christian Szegedy , Wojciech Zaremba , Ilya Sutskever , Joan Bruna , Dumitru Erhan , Ian Goodfellow , and Rob Fergus . 2013. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199 ( 2013 ). Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2013. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199 (2013)."},{"key":"e_1_3_2_1_42_1","volume-title":"Defending Against Physically Realizable Attacks on Image Classification. In International Conference on Learning Representations.","author":"Wu Tong","year":"2020","unstructured":"Tong Wu , Liang Tong , and Yevgeniy Vorobeychik . 2020 . Defending Against Physically Realizable Attacks on Image Classification. In International Conference on Learning Representations. Tong Wu, Liang Tong, and Yevgeniy Vorobeychik. 2020. Defending Against Physically Realizable Attacks on Image Classification. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_43_1","volume-title":"PatchGuard: Provable Defense against Adversarial Patches Using Masks on Small Receptive Fields. arXiv preprint arXiv:2005.10884","author":"Xiang Chong","year":"2020","unstructured":"Chong Xiang , Arjun\u00a0Nitin Bhagoji , Vikash Sehwag , and Prateek Mittal . 2020. PatchGuard: Provable Defense against Adversarial Patches Using Masks on Small Receptive Fields. arXiv preprint arXiv:2005.10884 ( 2020 ). Chong Xiang, Arjun\u00a0Nitin Bhagoji, Vikash Sehwag, and Prateek Mittal. 2020. PatchGuard: Provable Defense against Adversarial Patches Using Masks on Small Receptive Fields. arXiv preprint arXiv:2005.10884 (2020)."},{"key":"e_1_3_2_1_44_1","volume-title":"PatchCleanser: Certifiably Robust Defense against Adversarial Patches for Any Image Classifier. arXiv preprint arXiv:2108.09135","author":"Xiang Chong","year":"2021","unstructured":"Chong Xiang , Saeed Mahloujifar , and Prateek Mittal . 2021. PatchCleanser: Certifiably Robust Defense against Adversarial Patches for Any Image Classifier. arXiv preprint arXiv:2108.09135 ( 2021 ). Chong Xiang, Saeed Mahloujifar, and Prateek Mittal. 2021. PatchCleanser: Certifiably Robust Defense against Adversarial Patches for Any Image Classifier. arXiv preprint arXiv:2108.09135 (2021)."},{"key":"e_1_3_2_1_45_1","volume-title":"Smooth adversarial training. arXiv preprint arXiv:2006.14536","author":"Xie Cihang","year":"2020","unstructured":"Cihang Xie , Mingxing Tan , Boqing Gong , Alan Yuille , and Quoc\u00a0 V Le. 2020. Smooth adversarial training. arXiv preprint arXiv:2006.14536 ( 2020 ). Cihang Xie, Mingxing Tan, Boqing Gong, Alan Yuille, and Quoc\u00a0V Le. 2020. Smooth adversarial training. arXiv preprint arXiv:2006.14536 (2020)."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASP-DAC47756.2020.9045584"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00457"},{"key":"e_1_3_2_1_48_1","volume-title":"29th { USENIX} Security Symposium ({ USENIX} Security 20).","author":"Zhang Xinyang","unstructured":"Xinyang Zhang , Ningfei Wang , Hua Shen , Shouling Ji , Xiapu Luo , and Ting Wang . 2020. Interpretable deep learning under fire . In 29th { USENIX} Security Symposium ({ USENIX} Security 20). Xinyang Zhang, Ningfei Wang, Hua Shen, Shouling Ji, Xiapu Luo, and Ting Wang. 2020. Interpretable deep learning under fire. In 29th { USENIX} Security Symposium ({ USENIX} Security 20)."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00153"},{"key":"e_1_3_2_1_50_1","volume-title":"Places: A 10 million Image Database for Scene Recognition","author":"Zhou Bolei","year":"2017","unstructured":"Bolei Zhou , Agata Lapedriza , Aditya Khosla , Aude Oliva , and Antonio Torralba . 2017 . Places: A 10 million Image Database for Scene Recognition . IEEE Transactions on Pattern Analysis and Machine Intelligence ( 2017). Bolei Zhou, Agata Lapedriza, Aditya Khosla, Aude Oliva, and Antonio Torralba. 2017. Places: A 10 million Image Database for Scene Recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017)."}],"event":{"name":"ASIA CCS '23: ACM ASIA Conference on Computer and Communications Security","location":"Melbourne VIC Australia","acronym":"ASIA CCS '23","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the ACM Asia Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3579856.3582816","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:51:27Z","timestamp":1750182687000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3579856.3582816"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,7,10]]},"references-count":50,"alternative-id":["10.1145\/3579856.3582816","10.1145\/3579856"],"URL":"https:\/\/doi.org\/10.1145\/3579856.3582816","relation":{},"subject":[],"published":{"date-parts":[[2023,7,10]]},"assertion":[{"value":"2023-07-10","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}