{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,28]],"date-time":"2026-02-28T17:42:45Z","timestamp":1772300565472,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":63,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,10,26]],"date-time":"2023-10-26T00:00:00Z","timestamp":1698278400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Fundamental Research Funds for the Central Universities"},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62022009, 62206009"],"award-info":[{"award-number":["62022009, 62206009"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,10,26]]},"DOI":"10.1145\/3581783.3612092","type":"proceedings-article","created":{"date-parts":[[2023,10,27]],"date-time":"2023-10-27T07:27:12Z","timestamp":1698391632000},"page":"4178-4189","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":9,"title":["Isolation and Induction: Training Robust Deep Neural Networks against Model Stealing Attacks"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6626-4135","authenticated-orcid":false,"given":"Jun","family":"Guo","sequence":"first","affiliation":[{"name":"Beihang University, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-6283-7635","authenticated-orcid":false,"given":"Xingyu","family":"Zheng","sequence":"additional","affiliation":[{"name":"Beihang University, Beijing, 
China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4224-1318","authenticated-orcid":false,"given":"Aishan","family":"Liu","sequence":"additional","affiliation":[{"name":"NLSDE, Beihang University & Institute of Dataspace, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6154-0233","authenticated-orcid":false,"given":"Siyuan","family":"Liang","sequence":"additional","affiliation":[{"name":"Chinese Academy of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8227-0052","authenticated-orcid":false,"given":"Yisong","family":"Xiao","sequence":"additional","affiliation":[{"name":"Beihang University, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9628-4308","authenticated-orcid":false,"given":"Yichao","family":"Wu","sequence":"additional","affiliation":[{"name":"SenseTime Group Limited, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7618-3275","authenticated-orcid":false,"given":"Xianglong","family":"Liu","sequence":"additional","affiliation":[{"name":"NLSDE, Beihang University, Zhongguancun Laboratory, & Institute of Dataspace, Beijing & Hefei, China"}]}],"member":"320","published-online":{"date-parts":[[2023,10,27]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v36i9.21184"},{"key":"e_1_3_2_1_2_1","volume-title":"Deep learning for classical japanese literature. arXiv preprint arXiv:1812.01718","author":"Clanuwat Tarin","year":"2018","unstructured":"Tarin Clanuwat, Mikel Bober-Irizar, Asanobu Kitamoto, Alex Lamb, Kazuaki Yamamoto, and David Ha. 2018. Deep learning for classical japanese literature. arXiv preprint arXiv:1812.01718 (2018)."},{"key":"e_1_3_2_1_3_1","volume-title":"EMNIST: Extending MNIST to handwritten letters. In 2017 international joint conference on neural networks (IJCNN)","author":"Cohen Gregory","year":"2017","unstructured":"Gregory Cohen, Saeed Afshar, Jonathan Tapson, and Andre Van Schaik. 2017. 
EMNIST: Extending MNIST to handwritten letters. In 2017 international joint conference on neural networks (IJCNN). IEEE, 2921--2926."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"e_1_3_2_1_5_1","volume-title":"International Conference on Learning Representations.","author":"Goodfellow Ian J","year":"2015","unstructured":"Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_6_1","volume-title":"A Comprehensive Evaluation Framework for Deep Model Robustness. Pattern Recognition","author":"Guo Jun","year":"2023","unstructured":"Jun Guo, Wei Bao, Jiakai Wang, Yuqing Ma, Xinghai Gao, Gang Xiao, Aishan Liu, Jian Dong, Xianglong Liu, and Wenjun Wu. 2023. A Comprehensive Evaluation Framework for Deep Model Robustness. Pattern Recognition (2023)."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW56347.2022.00022"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_1_9_1","volume-title":"Distilling the knowledge in a neural network. arXiv preprint arXiv:1503.02531","author":"Hinton Geoffrey","year":"2015","unstructured":"Geoffrey Hinton, Oriol Vinyals, and Jeff Dean. 2015. Distilling the knowledge in a neural network. arXiv preprint arXiv:1503.02531 (2015)."},{"key":"e_1_3_2_1_10_1","volume-title":"USENIX Security Symposium. 1937--1954","author":"Jia Hengrui","year":"2021","unstructured":"Hengrui Jia, Christopher A Choquette-Choo, Varun Chandrasekaran, and Nicolas Papernot. 2021. Entangled Watermarks as a Defense against Model Extraction.. In USENIX Security Symposium. 
1937--1954."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.01360"},{"key":"e_1_3_2_1_12_1","volume-title":"International Conference on Learning Representations.","author":"Kariyappa Sanjay","year":"2021","unstructured":"Sanjay Kariyappa, Atul Prakash, and Moinuddin K Qureshi. 2021b. Protecting dnns from theft using an ensemble of diverse models. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00085"},{"key":"e_1_3_2_1_14_1","unstructured":"Alex Krizhevsky Geoffrey Hinton et al. 2009. Learning multiple layers of features from tiny images. (2009)."},{"key":"e_1_3_2_1_15_1","volume-title":"Tiny imagenet visual recognition challenge. CS 231N","author":"Le Ya","year":"2015","unstructured":"Ya Le and Xuan Yang. 2015. Tiny imagenet visual recognition challenge. CS 231N, Vol. 7, 7 (2015), 3."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/5.726791"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2022\/100"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2019.00020"},{"key":"e_1_3_2_1_19_1","volume-title":"2023 a. Attacking Cooperative Multi-Agent Reinforcement Learning by Adversarial Minority Influence. arXiv preprint arXiv:2302.03322","author":"Li Simin","year":"2023","unstructured":"Simin Li, Jun Guo, Jingqiao Xiu, Pu Feng, Xin Yu, Jiakai Wang, Aishan Liu, Wenjun Wu, and Xianglong Liu. 2023 a. Attacking Cooperative Multi-Agent Reinforcement Learning by Adversarial Minority Influence. arXiv preprint arXiv:2302.03322 (2023)."},{"key":"e_1_3_2_1_20_1","volume-title":"2023 b. Byzantine Robust Cooperative Multi-Agent Reinforcement Learning as a Bayesian Game. arXiv preprint arXiv:2305.12872","author":"Li Simin","year":"2023","unstructured":"Simin Li, Jun Guo, Jingqiao Xiu, Xini Yu, Jiakai Wang, Aishan Liu, Yaodong Yang, and Xianglong Liu. 2023 b. 
Byzantine Robust Cooperative Multi-Agent Reinforcement Learning as a Bayesian Game. arXiv preprint arXiv:2305.12872 (2023)."},{"key":"e_1_3_2_1_21_1","volume-title":"Hierarchical Perceptual Noise Injection for Social Media Fingerprint Privacy Protection. arXiv preprint arXiv:2208.10688","author":"Li Simin","year":"2022","unstructured":"Simin Li, Huangxinxin Xu, Jiakai Wang, Aishan Liu, Fazhi He, Xianglong Liu, and Dacheng Tao. 2022a. Hierarchical Perceptual Noise Injection for Social Media Fingerprint Privacy Protection. arXiv preprint arXiv:2208.10688 (2022)."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.01186"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v36i2.20036"},{"key":"e_1_3_2_1_24_1","volume-title":"Tel Aviv","author":"Liang Siyuan","year":"2022","unstructured":"Siyuan Liang, Longkang Li, Yanbo Fan, Xiaojun Jia, Jingzhi Li, Baoyuan Wu, and Xiaochun Cao. 2022a. A Large-Scale Multiple-objective Method for Black-box Attack Against Object Detection. In Computer Vision--ECCV 2022: 17th European Conference, Tel Aviv, Israel, October 23-27, 2022, Proceedings, Part IV. Springer, 619--636."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3503161.3548416"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58574-7_3"},{"key":"e_1_3_2_1_27_1","volume-title":"Parallel rectangle flip attack: A query-based black-box attack against object detection. arXiv preprint arXiv:2201.08970","author":"Liang Siyuan","year":"2022","unstructured":"Siyuan Liang, Baoyuan Wu, Yanbo Fan, Xingxing Wei, and Xiaochun Cao. 2022c. Parallel rectangle flip attack: A query-based black-box attack against object detection. arXiv preprint arXiv:2201.08970 (2022)."},{"key":"e_1_3_2_1_28_1","volume-title":"2023 a. X-Adv: Physical Adversarial Object Attacks against X-ray Prohibited Item Detection. 
ArXiv","author":"Liu Aishan","year":"2023","unstructured":"Aishan Liu, Jun Guo, Jiakai Wang, Siyuan Liang, Renshuai Tao, Wenbo Zhou, Cong Liu, Xianglong Liu, and Dacheng Tao. 2023 a. X-Adv: Physical Adversarial Object Attacks against X-ray Prohibited Item Detection. ArXiv (2023)."},{"key":"e_1_3_2_1_29_1","unstructured":"Aishan Liu Tairan Huang Xianglong Liu Yitao Xu Yuqing Ma Xinyun Chen Stephen J Maybank and Dacheng Tao. 2020a. Spatiotemporal attacks for embodied agents. In ECCV."},{"key":"e_1_3_2_1_30_1","unstructured":"Aishan Liu Xianglong Liu Jiaxin Fan Yuqing Ma Anlan Zhang Huiyuan Xie and Dacheng Tao. 2019. Perceptual-sensitive gan for generating adversarial patches. In AAAI."},{"key":"e_1_3_2_1_31_1","volume-title":"Training robust deep neural networks via adversarial noise propagation. TIP","author":"Liu Aishan","year":"2021","unstructured":"Aishan Liu, Xianglong Liu, Hang Yu, Chongzhi Zhang, Qiang Liu, and Dacheng Tao. 2021. Training robust deep neural networks via adversarial noise propagation. TIP (2021)."},{"key":"e_1_3_2_1_32_1","unstructured":"Aishan Liu Shiyu Tang Siyuan Liang Ruihao Gong Boxi Wu Xianglong Liu and Dacheng Tao. 2023 b. Exploring the Relationship between Architecture and Adversarially Robust Generalization. In CVPR."},{"key":"e_1_3_2_1_33_1","unstructured":"Aishan Liu Jiakai Wang Xianglong Liu Bowen Cao Chongzhi Zhang and Hang Yu. 2020b. Bias-based universal adversarial patch attack for automatic check-out. In ECCV."},{"key":"e_1_3_2_1_34_1","unstructured":"Shunchang Liu Jiakai Wang Aishan Liu Yingwei Li Yijie Gao Xianglong Liu and Dacheng Tao. 2022. Harnessing Perceptual Adversarial Patches for Crowd Counting. 
In ACM CCS."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/1081870.1081950"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2021.3087514"},{"key":"e_1_3_2_1_37_1","first-page":"4090","article-title":"A Tale of HodgeRank and Spectral Method: Target Attack Against Rank Aggregation is the Fixed Point of Adversarial Game","volume":"45","author":"Ma Ke","year":"2022","unstructured":"Ke Ma, Qianqian Xu, Jinshan Zeng, Guorong Li, Xiaochun Cao, and Qingming Huang. 2022. A Tale of HodgeRank and Spectral Method: Target Attack Against Rank Aggregation is the Fixed Point of Adversarial Game. IEEE Transactions on Pattern Analysis and Machine Intelligence, Vol. 45, 4 (2022), 4090--4108.","journal-title":"IEEE Transactions on Pattern Analysis and Machine Intelligence"},{"key":"e_1_3_2_1_38_1","volume-title":"International Conference on Learning Representations.","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards Deep Learning Models Resistant to Adversarial Attacks. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_39_1","volume-title":"International Conference on Machine Learning. PMLR, 15241--15254","author":"Mazeika Mantas","year":"2022","unstructured":"Mantas Mazeika, Bo Li, and David Forsyth. 2022. How to steer your adversary: Targeted and efficient model stealing defenses with gradient redirection. In International Conference on Machine Learning. PMLR, 15241--15254."},{"key":"e_1_3_2_1_40_1","volume-title":"Advances in Neural Information Processing Systems","volume":"32","author":"Micaelli Paul","year":"2019","unstructured":"Paul Micaelli and Amos J Storkey. 2019. Zero-shot knowledge transfer via adversarial belief matching. Advances in Neural Information Processing Systems, Vol. 
32 (2019)."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/3287560.3287562"},{"key":"e_1_3_2_1_42_1","volume-title":"NIPS Workshop on Deep Learning and Unsupervised Feature Learning.","author":"Netzer Yuval","year":"2011","unstructured":"Yuval Netzer, Tao Wang, Adam Coates, Alessandro Bissacco, Bo Wu, and Andrew Y Ng. 2011. Reading digits in natural images with unsupervised feature learning. In NIPS Workshop on Deep Learning and Unsupervised Feature Learning."},{"key":"e_1_3_2_1_43_1","volume-title":"Towards reverse-engineering black-box neural networks. Explainable AI: Interpreting, Explaining and Visualizing Deep Learning","author":"Oh Seong Joon","year":"2019","unstructured":"Seong Joon Oh, Bernt Schiele, and Mario Fritz. 2019. Towards reverse-engineering black-box neural networks. Explainable AI: Interpreting, Explaining and Visualizing Deep Learning (2019), 121--144."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00509"},{"key":"e_1_3_2_1_45_1","volume-title":"International Conference on Learning Representations.","author":"Orekondy Tribhuvanesh","year":"2020","unstructured":"Tribhuvanesh Orekondy, Bernt Schiele, and Mario Fritz. 2020. Prediction poisoning: Towards defenses against dnn model stealing attacks. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_3_2_1_47_1","volume-title":"International Conference on Machine Learning. PMLR, 2817--2826","author":"Pinto Lerrel","year":"2017","unstructured":"Lerrel Pinto, James Davidson, Rahul Sukthankar, and Abhinav Gupta. 2017. Robust adversarial reinforcement learning. In International Conference on Machine Learning. PMLR, 2817--2826."},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01485"},{"key":"e_1_3_2_1_49_1","volume-title":"Very deep convolutional networks for large-scale image recognition. 
arXiv preprint arXiv:1409.1556","author":"Simonyan Karen","year":"2014","unstructured":"Karen Simonyan and Andrew Zisserman. 2014. Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556 (2014)."},{"key":"e_1_3_2_1_50_1","volume-title":"International Conference on Learning Representations.","author":"Szegedy Christian","year":"2014","unstructured":"Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_51_1","volume-title":"Robustart: Benchmarking robustness on architecture design and training techniques. ArXiv","author":"Tang Shiyu","year":"2021","unstructured":"Shiyu Tang, Ruihao Gong, Yan Wang, Aishan Liu, Jiakai Wang, Xinyun Chen, Fengwei Yu, Xianglong Liu, Dawn Song, Alan Yuille, et al. 2021. Robustart: Benchmarking robustness on architecture design and training techniques. ArXiv (2021)."},{"key":"e_1_3_2_1_52_1","volume-title":"USENIX security symposium","author":"Tram\u00e8r Florian","unstructured":"Florian Tram\u00e8r, Fan Zhang, Ari Juels, Michael K Reiter, and Thomas Ristenpart. 2016. Stealing Machine Learning Models via Prediction APIs.. In USENIX security symposium, Vol. 16. 601--618."},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.00474"},{"key":"e_1_3_2_1_54_1","article-title":"Visualizing data using t-SNE","volume":"9","author":"der Maaten Laurens Van","year":"2008","unstructured":"Laurens Van der Maaten and Geoffrey Hinton. 2008. Visualizing data using t-SNE. Journal of machine learning research, Vol. 9, 11 (2008).","journal-title":"Journal of machine learning research"},{"key":"e_1_3_2_1_55_1","volume-title":"Imitation attacks and defenses for black-box machine translation systems. 
arXiv preprint arXiv:2004.15015","author":"Wallace Eric","year":"2020","unstructured":"Eric Wallace, Mitchell Stern, and Dawn Song. 2020. Imitation attacks and defenses for black-box machine translation systems. arXiv preprint arXiv:2004.15015 (2020)."},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00038"},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"crossref","unstructured":"Jiakai Wang Aishan Liu Zixin Yin Shunchang Liu Shiyu Tang and Xianglong Liu. 2021. Dual attention suppression attack: Generate adversarial camouflage in physical world. In CVPR.","DOI":"10.1109\/CVPR46437.2021.00846"},{"key":"e_1_3_2_1_58_1","volume-title":"Transferable adversarial attacks for image and video object detection. arXiv preprint arXiv:1811.12641","author":"Wei Xingxing","year":"2018","unstructured":"Xingxing Wei, Siyuan Liang, Ning Chen, and Xiaochun Cao. 2018. Transferable adversarial attacks for image and video object detection. arXiv preprint arXiv:1811.12641 (2018)."},{"key":"e_1_3_2_1_59_1","volume-title":"Fashion-mnist: a novel image dataset for benchmarking machine learning algorithms. arXiv preprint arXiv:1708.07747","author":"Xiao Han","year":"2017","unstructured":"Han Xiao, Kashif Rasul, and Roland Vollgraf. 2017. Fashion-mnist: a novel image dataset for benchmarking machine learning algorithms. arXiv preprint arXiv:1708.07747 (2017)."},{"key":"e_1_3_2_1_60_1","first-page":"5824","article-title":"Gradient surgery for multi-task learning","volume":"33","author":"Yu Tianhe","year":"2020","unstructured":"Tianhe Yu, Saurabh Kumar, Abhishek Gupta, Sergey Levine, Karol Hausman, and Chelsea Finn. 2020. Gradient surgery for multi-task learning. Advances in Neural Information Processing Systems, Vol. 
33 (2020), 5824--5836.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1109\/TETCI.2022.3147508"},{"key":"e_1_3_2_1_62_1","volume-title":"5th International Conference on Learning Representations (ICLR).","author":"Zhang Chiyuan","year":"2017","unstructured":"Chiyuan Zhang, Samy Bengio, Moritz Hardt, Benjamin Recht, and Oriol Vinyals. 2017. Understanding deep learning requires rethinking generalization. In 5th International Conference on Learning Representations (ICLR)."},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIP.2020.3042083"}],"event":{"name":"MM '23: The 31st ACM International Conference on Multimedia","location":"Ottawa ON Canada","acronym":"MM '23","sponsor":["SIGMM ACM Special Interest Group on Multimedia"]},"container-title":["Proceedings of the 31st ACM International Conference on Multimedia"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3581783.3612092","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3581783.3612092","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T00:05:58Z","timestamp":1755821158000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3581783.3612092"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,26]]},"references-count":63,"alternative-id":["10.1145\/3581783.3612092","10.1145\/3581783"],"URL":"https:\/\/doi.org\/10.1145\/3581783.3612092","relation":{},"subject":[],"published":{"date-parts":[[2023,10,26]]},"assertion":[{"value":"2023-10-27","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}