{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T14:57:09Z","timestamp":1773413829634,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":47,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,10,26]],"date-time":"2023-10-26T00:00:00Z","timestamp":1698278400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"The National Natural Science Foundation of China","award":["62272261"],"award-info":[{"award-number":["62272261"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,10,26]]},"DOI":"10.1145\/3581783.3612032","type":"proceedings-article","created":{"date-parts":[[2023,10,27]],"date-time":"2023-10-27T07:27:12Z","timestamp":1698391632000},"page":"9134-9142","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":8,"title":["PatchBackdoor: Backdoor Attack against Deep Neural Networks without Model Modification"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-3714-8044","authenticated-orcid":false,"given":"Yizhen","family":"Yuan","sequence":"first","affiliation":[{"name":"Institute for AI Industry Research (AIR), Tsinghua University, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-2889-2266","authenticated-orcid":false,"given":"Rui","family":"Kong","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-1024-1166","authenticated-orcid":false,"given":"Shenghao","family":"Xie","sequence":"additional","affiliation":[{"name":"Wuhan University, Wuhan, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1591-2526","authenticated-orcid":false,"given":"Yuanchun","family":"Li","sequence":"additional","affiliation":[{"name":"Institute for AI Industry Research (AIR), Tsinghua University &amp; Shanghai AI Laboratory, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7352-8955","authenticated-orcid":false,"given":"Yunxin","family":"Liu","sequence":"additional","affiliation":[{"name":"Institute for AI Industry Research (AIR), Tsinghua University &amp; Shanghai AI Laboratory, Beijing, China"}]}],"member":"320","published-online":{"date-parts":[[2023,10,27]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Proceedings of the 2021 Korean Institute of Communication and Sciences Fall Conference","author":"Ajakwe S","year":"2021","unstructured":"S Ajakwe, R Arkter, D Kim, D Kim, and JM Lee. 2021. Lightweight cnn model for detection of unauthorized uav in military reconnaissance operations. In Proceedings of the 2021 Korean Institute of Communication and Sciences Fall Conference, Yeosu, Korea. 17--19."},{"key":"e_1_3_2_1_2_1","volume-title":"Adversarial patch. arXiv preprint arXiv:1712.09665","author":"Brown Tom B","year":"2017","unstructured":"Tom B Brown, Dandelion Man\u00e9, Aurko Roy, Mart\u00edn Abadi, and Justin Gilmer. 2017. Adversarial patch. arXiv preprint arXiv:1712.09665 (2017)."},{"key":"e_1_3_2_1_3_1","volume-title":"Detecting backdoor attacks on deep neural networks by activation clustering. arXiv preprint arXiv:1811.03728","author":"Chen Bryant","year":"2018","unstructured":"Bryant Chen, Wilka Carvalho, Nathalie Baracaldo, Heiko Ludwig, Benjamin Edwards, Taesung Lee, Ian Molloy, and Biplav Srivastava. 2018. Detecting backdoor attacks on deep neural networks by activation clustering. arXiv preprint arXiv:1811.03728 (2018)."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICIEVicIVPR48672.2020.9306675"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01175"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/IJCB48548.2020.9304875"},{"key":"e_1_3_2_1_7_1","volume-title":"Adversarial reprogramming of neural networks. arXiv preprint arXiv:1806.11146","author":"Elsayed Gamaleldin F","year":"2018","unstructured":"Gamaleldin F Elsayed, Ian Goodfellow, and Jascha Sohl-Dickstein. 2018. Adversarial reprogramming of neural networks. arXiv preprint arXiv:1806.11146 (2018)."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2004.383"},{"key":"e_1_3_2_1_10_1","volume-title":"Backdoor Defense via Adaptively Splitting Poisoned Dataset. arXiv preprint arXiv:2303.12993","author":"Gao Kuofeng","year":"2023","unstructured":"Kuofeng Gao, Yang Bai, Jindong Gu, Yong Yang, and Shu-Tao Xia. 2023. Backdoor Defense via Adaptively Splitting Poisoned Dataset. arXiv preprint arXiv:2303.12993 (2023)."},{"key":"e_1_3_2_1_11_1","volume-title":"Proceedings of the Asian Conference on Computer Vision.","author":"Gittings Thomas","year":"2020","unstructured":"Thomas Gittings, Steve Schneider, and John Collomosse. 2020. Vax-a-net: Training-time defence against adversarial patch attacks. In Proceedings of the Asian Conference on Computer Vision."},{"key":"e_1_3_2_1_12_1","volume-title":"Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572","author":"Goodfellow Ian J","year":"2014","unstructured":"Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014)."},{"key":"e_1_3_2_1_13_1","volume-title":"Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733","author":"Gu Tianyu","year":"2017","unstructured":"Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. 2017. Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733 (2017)."},{"key":"e_1_3_2_1_14_1","volume-title":"Learning both weights and connections for efficient neural network. Advances in neural information processing systems","author":"Han Song","year":"2015","unstructured":"Song Han, Jeff Pool, John Tran, and William Dally. 2015. Learning both weights and connections for efficient neural network. Advances in neural information processing systems, Vol. 28 (2015)."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW.2018.00210"},{"key":"e_1_3_2_1_16_1","volume-title":"Deep Residual Learning for Image Recognition. 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"He Kaiming","year":"2016","unstructured":"Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. 2016. Deep Residual Learning for Image Recognition. 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR) (2016)."},{"key":"e_1_3_2_1_17_1","volume-title":"A baseline for detecting misclassified and out-of-distribution examples in neural networks. arXiv preprint arXiv:1610.02136","author":"Hendrycks Dan","year":"2016","unstructured":"Dan Hendrycks and Kevin Gimpel. 2016. A baseline for detecting misclassified and out-of-distribution examples in neural networks. arXiv preprint arXiv:1610.02136 (2016)."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.3390\/info11020108"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3503161.3548272"},{"key":"e_1_3_2_1_20_1","volume-title":"Proceedings of the Workshop on Artificial Intelligence Safety 2021 (SafeAI","author":"Huang Haiwen","year":"2021","unstructured":"Haiwen Huang, Zhihan Li, Lulu Wang, Sishuo Chen, Bin Dong, and Xinyu Zhou. 2021. Feature Space Singularity for Out-of-Distribution Detection. In Proceedings of the Workshop on Artificial Intelligence Safety 2021 (SafeAI 2021)."},{"key":"e_1_3_2_1_21_1","volume-title":"PatchCensor: Patch Robustness Certification for Transformers via Exhaustive Testing. ACM Transactions on Software Engineering and Methodology","author":"Huang Yuheng","year":"2023","unstructured":"Yuheng Huang, Lei Ma, and Yuanchun Li. 2023. PatchCensor: Patch Robustness Certification for Transformers via Exhaustive Testing. ACM Transactions on Software Engineering and Methodology (2023)."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/3400302.3415671"},{"key":"e_1_3_2_1_23_1","volume-title":"International Conference on Machine Learning. PMLR, 2507--2515","author":"Karmon Danny","year":"2018","unstructured":"Danny Karmon, Daniel Zoran, and Yoav Goldberg. 2018. Lavan: Localized and visible adversarial noise. In International Conference on Machine Learning. PMLR, 2507--2515."},{"key":"e_1_3_2_1_24_1","unstructured":"Alex Krizhevsky Geoffrey Hinton et al. 2009. Learning multiple layers of features from tiny images. (2009)."},{"key":"e_1_3_2_1_25_1","volume-title":"A simple unified framework for detecting out-of-distribution samples and adversarial attacks. Advances in neural information processing systems","author":"Lee Kimin","year":"2018","unstructured":"Kimin Lee, Kibok Lee, Honglak Lee, and Jinwoo Shin. 2018. A simple unified framework for detecting out-of-distribution samples and adversarial attacks. Advances in neural information processing systems, Vol. 31 (2018)."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00035"},{"key":"e_1_3_2_1_27_1","first-page":"14900","article-title":"Anti-backdoor learning: Training clean models on poisoned data","volume":"34","author":"Li Yige","year":"2021","unstructured":"Yige Li, Xixiang Lyu, Nodens Koren, Lingjuan Lyu, Bo Li, and Xingjun Ma. 2021b. Anti-backdoor learning: Training clean models on poisoned data. Advances in Neural Information Processing Systems, Vol. 34 (2021), 14900--14912.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_28_1","volume-title":"Backdoor attack in the physical world. arXiv preprint arXiv:2104.02361","author":"Li Yiming","year":"2021","unstructured":"Yiming Li, Tongqing Zhai, Yong Jiang, Zhifeng Li, and Shu-Tao Xia. 2021c. Backdoor attack in the physical world. arXiv preprint arXiv:2104.02361 (2021)."},{"key":"e_1_3_2_1_29_1","volume-title":"Enhancing the reliability of out-of-distribution image detection in neural networks. arXiv preprint arXiv:1706.02690","author":"Liang Shiyu","year":"2017","unstructured":"Shiyu Liang, Yixuan Li, and Rayadurgam Srikant. 2017. Enhancing the reliability of out-of-distribution image detection in neural networks. arXiv preprint arXiv:1706.02690 (2017)."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v33i01.33011028"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-32239-7_13"},{"key":"e_1_3_2_1_32_1","volume-title":"RAID 2018, Heraklion, Crete, Greece, September 10-12, 2018, Proceedings 21","author":"Liu Kang","year":"2018","unstructured":"Kang Liu, Brendan Dolan-Gavitt, and Siddharth Garg. 2018. Fine-pruning: Defending against backdooring attacks on deep neural networks. In Research in Attacks, Intrusions, and Defenses: 21st International Symposium, RAID 2018, Heraklion, Crete, Greece, September 10-12, 2018, Proceedings 21. Springer, 273--294."},{"key":"e_1_3_2_1_33_1","volume-title":"Jason Xinyu Liu, and David Wagner","author":"McCoyd Michael","year":"2020","unstructured":"Michael McCoyd, Won Park, Steven Chen, Neil Shah, Ryan Roggenkemper, Minjune Hwang, Jason Xinyu Liu, and David Wagner. 2020. Minority reports defense: Defending against adversarial patches. In Applied Cryptography and Network Security Workshops: ACNS 2020 Satellite Workshops, AIBlock, AIHWS, AIoTS, Cloud S&P, SCI, SecMT, and SiMLA, Rome, Italy, October 19-22, 2020, Proceedings. Springer, 564--582."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/WACV.2019.00143"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v33i01.33011093"},{"key":"e_1_3_2_1_36_1","volume-title":"The Eleventh International Conference on Learning Representations.","author":"Qi Xiangyu","year":"2023","unstructured":"Xiangyu Qi, Tinghao Xie, Yiming Li, Saeed Mahloujifar, and Prateek Mittal. 2023. Revisiting the assumption of latent separability for backdoor defenses. In The Eleventh International Conference on Learning Representations."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-68238-5_32"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"crossref","unstructured":"E. Riba D. Mishkin J. Shi D. Ponsa F. Moreno-Noguer and G. Bradski. 2020. A survey on Kornia: an Open Source Differentiable Computer Vision Library for PyTorch. arxiv: 2009.10521 [cs.CV]","DOI":"10.1109\/WACV45572.2020.9093363"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00474"},{"key":"e_1_3_2_1_40_1","volume-title":"Very Deep Convolutional Networks for Large-Scale Image Recognition. arXiv preprint arXiv:1409.1556","author":"Simonyan Karen","year":"2015","unstructured":"Karen Simonyan and Andrew Zisserman. 2015. Very Deep Convolutional Networks for Large-Scale Image Recognition. arXiv preprint arXiv:1409.1556 (2015)."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/TEVC.2019.2890858"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2014.220"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"e_1_3_2_1_44_1","volume-title":"USENIX Security Symposium. 2237--2254","author":"Xiang Chong","year":"2021","unstructured":"Chong Xiang, Arjun Nitin Bhagoji, Vikash Sehwag, and Prateek Mittal. 2021. PatchGuard: A Provably Robust Defense against Adversarial Patches via Small Receptive Fields and Masking.. In USENIX Security Symposium. 2237--2254."},{"key":"e_1_3_2_1_45_1","volume-title":"Defending against backdoor attack on deep neural networks. arXiv preprint arXiv:2002.12162","author":"Xu Kaidi","year":"2020","unstructured":"Kaidi Xu, Sijia Liu, Pin-Yu Chen, Pu Zhao, and Xue Lin. 2020. Defending against backdoor attack on deep neural networks. arXiv preprint arXiv:2002.12162 (2020)."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/WACV56688.2023.00461"},{"key":"e_1_3_2_1_47_1","volume-title":"Airline passenger profiling based on fuzzy deep machine learning","author":"Zheng Yu-Jun","year":"2016","unstructured":"Yu-Jun Zheng, Wei-Guo Sheng, Xing-Ming Sun, and Sheng-Yong Chen. 2016. Airline passenger profiling based on fuzzy deep machine learning. IEEE transactions on neural networks and learning systems, Vol. 28, 12 (2016), 2911--2923."}],"event":{"name":"MM '23: The 31st ACM International Conference on Multimedia","location":"Ottawa ON Canada","acronym":"MM '23","sponsor":["SIGMM ACM Special Interest Group on Multimedia"]},"container-title":["Proceedings of the 31st ACM International Conference on Multimedia"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3581783.3612032","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3581783.3612032","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T00:07:50Z","timestamp":1755821270000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3581783.3612032"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,26]]},"references-count":47,"alternative-id":["10.1145\/3581783.3612032","10.1145\/3581783"],"URL":"https:\/\/doi.org\/10.1145\/3581783.3612032","relation":{},"subject":[],"published":{"date-parts":[[2023,10,26]]},"assertion":[{"value":"2023-10-27","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}