{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T14:57:17Z","timestamp":1773413837117,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":70,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,10,21]],"date-time":"2023-10-21T00:00:00Z","timestamp":1697846400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"NSF (National Science Foundation)","doi-asserted-by":"publisher","award":["2223768"],"award-info":[{"award-number":["2223768"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,10,21]]},"DOI":"10.1145\/3583780.3614784","type":"proceedings-article","created":{"date-parts":[[2023,10,21]],"date-time":"2023-10-21T07:45:42Z","timestamp":1697874342000},"page":"608-618","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["Attacking Neural Networks with Neural Networks: Towards Deep Synchronization for Backdoor Attacks"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0331-3403","authenticated-orcid":false,"given":"Zihan","family":"Guan","sequence":"first","affiliation":[{"name":"University of Georgia, Athens, GA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1539-7939","authenticated-orcid":false,"given":"Lichao","family":"Sun","sequence":"additional","affiliation":[{"name":"Lehigh University, Bethlehem, PA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1614-6069","authenticated-orcid":false,"given":"Mengnan","family":"Du","sequence":"additional","affiliation":[{"name":"New Jersey Institute of Technology, Newark, NJ, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9170-2424","authenticated-orcid":false,"given":"Ninghao","family":"Liu","sequence":"additional","affiliation":[{"name":"University of Georgia, Athens, GA, USA"}]}],"member":"320","published-online":{"date-parts":[[2023,10,21]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICIP.2019.8802997"},{"key":"e_1_3_2_1_2_1","unstructured":"Weixin Chen Baoyuan Wu and Haoqian Wang. 2022. Effective Backdoor Defense by Exploiting Sensitivity of Poisoned Samples. In Advances in Neural Information Processing Systems Alice H. Oh Alekh Agarwal Danielle Belgrave and Kyunghyun Cho (Eds.). https:\/\/openreview.net\/forum?id=AsH-Tx2U0Ug  Weixin Chen Baoyuan Wu and Haoqian Wang. 2022. Effective Backdoor Defense by Exploiting Sensitivity of Poisoned Samples. In Advances in Neural Information Processing Systems Alice H. Oh Alekh Agarwal Danielle Belgrave and Kyunghyun Cho (Eds.). https:\/\/openreview.net\/forum?id=AsH-Tx2U0Ug"},{"key":"e_1_3_2_1_3_1","volume-title":"Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526","author":"Chen Xinyun","year":"2017","unstructured":"Xinyun Chen , Chang Liu , Bo Li , Kimberly Lu , and Dawn Song . 2017. Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526 ( 2017 ). Xinyun Chen, Chang Liu, Bo Li, Kimberly Lu, and Dawn Song. 2017. Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526 (2017)."},{"key":"e_1_3_2_1_4_1","volume-title":"Februus: Input Purification Defense Against Trojan Attacks on Deep Neural Network Systems. In Annual Computer Security Applications Conference","author":"Doan Bao Gia","unstructured":"Bao Gia Doan , Ehsan Abbasnejad , and Damith C. Ranasinghe . 2020 . Februus: Input Purification Defense Against Trojan Attacks on Deep Neural Network Systems. In Annual Computer Security Applications Conference ( Austin, USA) (ACSAC '20). Association for Computing Machinery, New York, NY, USA, 897--912. https:\/\/doi.org\/10.1145\/3427228.3427264 10.1145\/3427228.3427264 Bao Gia Doan, Ehsan Abbasnejad, and Damith C. Ranasinghe. 2020. Februus: Input Purification Defense Against Trojan Attacks on Deep Neural Network Systems. In Annual Computer Security Applications Conference (Austin, USA) (ACSAC '20). Association for Computing Machinery, New York, NY, USA, 897--912. https:\/\/doi.org\/10.1145\/3427228.3427264"},{"key":"e_1_3_2_1_5_1","volume-title":"Imperceptible and Robust Backdoor Attacks. In 2021 IEEE\/CVF International Conference on Computer Vision (ICCV). 11946--11956","author":"Doan Khoa","year":"2021","unstructured":"Khoa Doan , Yingjie Lao , Weijie Zhao , and Ping Li . 2021 . LIRA: Learnable , Imperceptible and Robust Backdoor Attacks. In 2021 IEEE\/CVF International Conference on Computer Vision (ICCV). 11946--11956 . https:\/\/doi.org\/10.1109\/ICCV48922.2021.01175 10.1109\/ICCV48922.2021.01175 Khoa Doan, Yingjie Lao, Weijie Zhao, and Ping Li. 2021. LIRA: Learnable, Imperceptible and Robust Backdoor Attacks. In 2021 IEEE\/CVF International Conference on Computer Vision (ICCV). 11946--11956. https:\/\/doi.org\/10.1109\/ICCV48922.2021.01175"},{"key":"e_1_3_2_1_6_1","volume-title":"Marksman Backdoor: Backdoor Attacks with Arbitrary Target Class. https:\/\/doi.org\/10.48550\/ARXIV.2210.09194","author":"Doan Khoa D.","year":"2022","unstructured":"Khoa D. Doan , Yingjie Lao , and Ping Li . 2022 . Marksman Backdoor: Backdoor Attacks with Arbitrary Target Class. https:\/\/doi.org\/10.48550\/ARXIV.2210.09194 10.48550\/ARXIV.2210.09194 Khoa D. Doan, Yingjie Lao, and Ping Li. 2022. Marksman Backdoor: Backdoor Attacks with Arbitrary Target Class. https:\/\/doi.org\/10.48550\/ARXIV.2210.09194"},{"key":"#cr-split#-e_1_3_2_1_7_1.1","doi-asserted-by":"crossref","unstructured":"Yinpeng Dong Xiao Yang Zhijie Deng Tianyu Pang Zihao Xiao Hang Su and Jun Zhu. 2021. Black-box Detection of Backdoor Attacks with Limited Information and Data. https:\/\/doi.org\/10.48550\/ARXIV.2103.13127 10.48550\/ARXIV.2103.13127","DOI":"10.1109\/ICCV48922.2021.01617"},{"key":"#cr-split#-e_1_3_2_1_7_1.2","doi-asserted-by":"crossref","unstructured":"Yinpeng Dong Xiao Yang Zhijie Deng Tianyu Pang Zihao Xiao Hang Su and Jun Zhu. 2021. Black-box Detection of Backdoor Attacks with Limited Information and Data. https:\/\/doi.org\/10.48550\/ARXIV.2103.13127","DOI":"10.1109\/ICCV48922.2021.01617"},{"key":"e_1_3_2_1_8_1","volume-title":"STRIP: A Defence Against Trojan Attacks on Deep Neural Networks.","author":"Gao Yansong","year":"2019","unstructured":"Yansong Gao , Chang Xu , Derui Wang , Shiping Chen , Damith C. Ranasinghe , and Surya Nepal . 2019 . STRIP: A Defence Against Trojan Attacks on Deep Neural Networks. (2019). https:\/\/doi.org\/10.48550\/ARXIV.1902.06531 10.48550\/ARXIV.1902.06531 Yansong Gao, Chang Xu, Derui Wang, Shiping Chen, Damith C. Ranasinghe, and Surya Nepal. 2019. STRIP: A Defence Against Trojan Attacks on Deep Neural Networks. (2019). https:\/\/doi.org\/10.48550\/ARXIV.1902.06531"},{"key":"e_1_3_2_1_9_1","volume-title":"Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733","author":"Gu Tianyu","year":"2017","unstructured":"Tianyu Gu , Brendan Dolan-Gavitt , and Siddharth Garg . 2017 . Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733 (2017). Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. 2017. Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733 (2017)."},{"key":"e_1_3_2_1_10_1","volume-title":"XGBD: Explanation-Guided Graph Backdoor Detection. 26th European Conference on Artificial Intelligence (ECAI)","author":"Guan Zihan","year":"2023","unstructured":"Zihan Guan , Mengnan Du , and Ninghao Liu . 2023 a . XGBD: Explanation-Guided Graph Backdoor Detection. 26th European Conference on Artificial Intelligence (ECAI) (2023). Zihan Guan, Mengnan Du, and Ninghao Liu. 2023 a. XGBD: Explanation-Guided Graph Backdoor Detection. 26th European Conference on Artificial Intelligence (ECAI) (2023)."},{"key":"e_1_3_2_1_11_1","volume-title":"2023 b. Badsam: Exploring security vulnerabilities of sam via backdoor attacks. arXiv preprint arXiv:2305.03289","author":"Guan Zihan","year":"2023","unstructured":"Zihan Guan , Mengxuan Hu , Zhongliang Zhou , Jielu Zhang , Sheng Li , and Ninghao Liu . 2023 b. Badsam: Exploring security vulnerabilities of sam via backdoor attacks. arXiv preprint arXiv:2305.03289 ( 2023 ). Zihan Guan, Mengxuan Hu, Zhongliang Zhou, Jielu Zhang, Sheng Li, and Ninghao Liu. 2023 b. Badsam: Exploring security vulnerabilities of sam via backdoor attacks. arXiv preprint arXiv:2305.03289 (2023)."},{"key":"e_1_3_2_1_12_1","volume-title":"AEVA: Black-box Backdoor Detection Using Adversarial Extreme Value Analysis. https:\/\/doi.org\/10.48550\/ARXIV.2110.14880","author":"Guo Junfeng","year":"2021","unstructured":"Junfeng Guo , Ang Li , and Cong Liu . 2021 . AEVA: Black-box Backdoor Detection Using Adversarial Extreme Value Analysis. https:\/\/doi.org\/10.48550\/ARXIV.2110.14880 10.48550\/ARXIV.2110.14880 Junfeng Guo, Ang Li, and Cong Liu. 2021. AEVA: Black-box Backdoor Detection Using Adversarial Extreme Value Analysis. https:\/\/doi.org\/10.48550\/ARXIV.2110.14880"},{"key":"e_1_3_2_1_13_1","volume-title":"Scale-up: An efficient black-box input-level backdoor detection via analyzing scaled prediction consistency. arXiv preprint arXiv:2302.03251","author":"Guo Junfeng","year":"2023","unstructured":"Junfeng Guo , Yiming Li , Xun Chen , Hanqing Guo , Lichao Sun , and Cong Liu . 2023 . Scale-up: An efficient black-box input-level backdoor detection via analyzing scaled prediction consistency. arXiv preprint arXiv:2302.03251 (2023). Junfeng Guo, Yiming Li, Xun Chen, Hanqing Guo, Lichao Sun, and Cong Liu. 2023. Scale-up: An efficient black-box input-level backdoor detection via analyzing scaled prediction consistency. arXiv preprint arXiv:2302.03251 (2023)."},{"key":"#cr-split#-e_1_3_2_1_14_1.1","unstructured":"Kaiming He Xiangyu Zhang Shaoqing Ren and Jian Sun. 2015. Deep Residual Learning for Image Recognition. https:\/\/doi.org\/10.48550\/ARXIV.1512.03385 10.48550\/ARXIV.1512.03385"},{"key":"#cr-split#-e_1_3_2_1_14_1.2","unstructured":"Kaiming He Xiangyu Zhang Shaoqing Ren and Jian Sun. 2015. Deep Residual Learning for Image Recognition. https:\/\/doi.org\/10.48550\/ARXIV.1512.03385"},{"key":"e_1_3_2_1_15_1","volume-title":"Backdoor defense via decoupling the training process. arXiv preprint arXiv:2202.03423","author":"Huang Kunzhe","year":"2022","unstructured":"Kunzhe Huang , Yiming Li , Baoyuan Wu , Zhan Qin , and Kui Ren . 2022. Backdoor defense via decoupling the training process. arXiv preprint arXiv:2202.03423 ( 2022 ). Kunzhe Huang, Yiming Li, Baoyuan Wu, Zhan Qin, and Kui Ren. 2022. Backdoor defense via decoupling the training process. arXiv preprint arXiv:2202.03423 (2022)."},{"key":"#cr-split#-e_1_3_2_1_16_1.1","unstructured":"Xijie Huang Moustafa Alzantot and Mani Srivastava. 2019. NeuronInspect: Detecting Backdoors in Neural Networks via Output Explanations. https:\/\/doi.org\/10.48550\/ARXIV.1911.07399 10.48550\/ARXIV.1911.07399"},{"key":"#cr-split#-e_1_3_2_1_16_1.2","unstructured":"Xijie Huang Moustafa Alzantot and Mani Srivastava. 2019. NeuronInspect: Detecting Backdoors in Neural Networks via Output Explanations. https:\/\/doi.org\/10.48550\/ARXIV.1911.07399"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/5.726791"},{"key":"e_1_3_2_1_19_1","volume-title":"Backdoor Learning: A Survey. https:\/\/doi.org\/10.48550\/ARXIV.2007.08745","author":"Li Yiming","year":"2020","unstructured":"Yiming Li , Yong Jiang , Zhifeng Li , and Shu-Tao Xia . 2020 . Backdoor Learning: A Survey. https:\/\/doi.org\/10.48550\/ARXIV.2007.08745 10.48550\/ARXIV.2007.08745 Yiming Li, Yong Jiang, Zhifeng Li, and Shu-Tao Xia. 2020. Backdoor Learning: A Survey. https:\/\/doi.org\/10.48550\/ARXIV.2007.08745"},{"key":"e_1_3_2_1_20_1","unstructured":"Yige Li Xixiang Lyu Nodens Koren Lingjuan Lyu Bo Li and Xingjun Ma. 2021a. Anti-Backdoor Learning: Training Clean Models on Poisoned Data. In NeurIPS.  Yige Li Xixiang Lyu Nodens Koren Lingjuan Lyu Bo Li and Xingjun Ma. 2021a. Anti-Backdoor Learning: Training Clean Models on Poisoned Data. In NeurIPS."},{"key":"e_1_3_2_1_21_1","unstructured":"Yige Li Xixiang Lyu Nodens Koren Lingjuan Lyu Bo Li and Xingjun Ma. 2021b. Neural Attention Distillation: Erasing Backdoor Triggers from Deep Neural Networks. In ICLR.  Yige Li Xixiang Lyu Nodens Koren Lingjuan Lyu Bo Li and Xingjun Ma. 2021b. Neural Attention Distillation: Erasing Backdoor Triggers from Deep Neural Networks. In ICLR."},{"key":"#cr-split#-e_1_3_2_1_22_1.1","doi-asserted-by":"crossref","unstructured":"Kang Liu Brendan Dolan-Gavitt and Siddharth Garg. 2018. Fine-Pruning: Defending Against Backdooring Attacks on Deep Neural Networks. https:\/\/doi.org\/10.48550\/ARXIV.1805.12185 10.48550\/ARXIV.1805.12185","DOI":"10.1007\/978-3-030-00470-5_13"},{"key":"#cr-split#-e_1_3_2_1_22_1.2","doi-asserted-by":"crossref","unstructured":"Kang Liu Brendan Dolan-Gavitt and Siddharth Garg. 2018. Fine-Pruning: Defending Against Backdooring Attacks on Deep Neural Networks. https:\/\/doi.org\/10.48550\/ARXIV.1805.12185","DOI":"10.1007\/978-3-030-00470-5_13"},{"key":"e_1_3_2_1_23_1","volume-title":"Reflection Backdoor: A Natural Backdoor Attack on Deep Neural Networks. https:\/\/doi.org\/10.48550\/ARXIV.2007.02343","author":"Liu Yunfei","year":"2020","unstructured":"Yunfei Liu , Xingjun Ma , James Bailey , and Feng Lu . 2020 . Reflection Backdoor: A Natural Backdoor Attack on Deep Neural Networks. https:\/\/doi.org\/10.48550\/ARXIV.2007.02343 10.48550\/ARXIV.2007.02343 Yunfei Liu, Xingjun Ma, James Bailey, and Feng Lu. 2020. Reflection Backdoor: A Natural Backdoor Attack on Deep Neural Networks. https:\/\/doi.org\/10.48550\/ARXIV.2007.02343"},{"key":"#cr-split#-e_1_3_2_1_24_1.1","unstructured":"Aravindh Mahendran and Andrea Vedaldi. 2014. Understanding Deep Image Representations by Inverting Them. https:\/\/doi.org\/10.48550\/ARXIV.1412.0035 10.48550\/ARXIV.1412.0035"},{"key":"#cr-split#-e_1_3_2_1_24_1.2","doi-asserted-by":"crossref","unstructured":"Aravindh Mahendran and Andrea Vedaldi. 2014. Understanding Deep Image Representations by Inverting Them. https:\/\/doi.org\/10.48550\/ARXIV.1412.0035","DOI":"10.1109\/CVPR.2015.7299155"},{"key":"#cr-split#-e_1_3_2_1_25_1.1","unstructured":"Anh Nguyen and Anh Tran. 2021. WaNet -- Imperceptible Warping-based Backdoor Attack. https:\/\/doi.org\/10.48550\/ARXIV.2102.10369 10.48550\/ARXIV.2102.10369"},{"key":"#cr-split#-e_1_3_2_1_25_1.2","unstructured":"Anh Nguyen and Anh Tran. 2021. WaNet -- Imperceptible Warping-based Backdoor Attack. https:\/\/doi.org\/10.48550\/ARXIV.2102.10369"},{"key":"e_1_3_2_1_26_1","volume-title":"Lin (Eds.)","volume":"33","author":"Nguyen Tuan Anh","year":"2020","unstructured":"Tuan Anh Nguyen and Anh Tran . 2020 . Input-Aware Dynamic Backdoor Attack. In Advances in Neural Information Processing Systems, H. Larochelle, M. Ranzato, R. Hadsell, M. F. Balcan, and H . Lin (Eds.) , Vol. 33 . Curran Associates, Inc., 3454--3464. https:\/\/proceedings.neurips.cc\/paper\/ 2020\/file\/234e691320c0ad5b45ee3c96d0d7b8f8-Paper.pdf Tuan Anh Nguyen and Anh Tran. 2020. Input-Aware Dynamic Backdoor Attack. In Advances in Neural Information Processing Systems, H. Larochelle, M. Ranzato, R. Hadsell, M. F. Balcan, and H. Lin (Eds.), Vol. 33. Curran Associates, Inc., 3454--3464. https:\/\/proceedings.neurips.cc\/paper\/2020\/file\/234e691320c0ad5b45ee3c96d0d7b8f8-Paper.pdf"},{"key":"#cr-split#-e_1_3_2_1_27_1.1","unstructured":"Garima Pruthi Frederick Liu Mukund Sundararajan and Satyen Kale. 2020. Estimating Training Data Influence by Tracing Gradient Descent. https:\/\/doi.org\/10.48550\/ARXIV.2002.08484 10.48550\/ARXIV.2002.08484"},{"key":"#cr-split#-e_1_3_2_1_27_1.2","unstructured":"Garima Pruthi Frederick Liu Mukund Sundararajan and Satyen Kale. 2020. Estimating Training Data Influence by Tracing Gradient Descent. https:\/\/doi.org\/10.48550\/ARXIV.2002.08484"},{"key":"e_1_3_2_1_28_1","volume-title":"Revisiting the Assumption of Latent Separability for Backdoor Defenses. In The Eleventh International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=_wSHsgrVali","author":"Qi Xiangyu","year":"2023","unstructured":"Xiangyu Qi , Tinghao Xie , Yiming Li , Saeed Mahloujifar , and Prateek Mittal . 2023 . Revisiting the Assumption of Latent Separability for Backdoor Defenses. In The Eleventh International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=_wSHsgrVali Xiangyu Qi, Tinghao Xie, Yiming Li, Saeed Mahloujifar, and Prateek Mittal. 2023. Revisiting the Assumption of Latent Separability for Backdoor Defenses. In The Eleventh International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=_wSHsgrVali"},{"key":"#cr-split#-e_1_3_2_1_29_1.1","unstructured":"Ximing Qiao Yukun Yang and Hai Li. 2019. Defending Neural Backdoors via Generative Distribution Modeling. https:\/\/doi.org\/10.48550\/ARXIV.1910.04749 10.48550\/ARXIV.1910.04749"},{"key":"#cr-split#-e_1_3_2_1_29_1.2","unstructured":"Ximing Qiao Yukun Yang and Hai Li. 2019. Defending Neural Backdoors via Generative Distribution Modeling. https:\/\/doi.org\/10.48550\/ARXIV.1910.04749"},{"key":"e_1_3_2_1_30_1","volume-title":"TBT: Targeted Neural Network Attack with Bit Trojan. https:\/\/doi.org\/10.48550\/ARXIV.1909.05193","author":"Rakin Adnan Siraj","year":"2019","unstructured":"Adnan Siraj Rakin , Zhezhi He , and Deliang Fan . 2019 . TBT: Targeted Neural Network Attack with Bit Trojan. https:\/\/doi.org\/10.48550\/ARXIV.1909.05193 10.48550\/ARXIV.1909.05193 Adnan Siraj Rakin, Zhezhi He, and Deliang Fan. 2019. TBT: Targeted Neural Network Attack with Bit Trojan. https:\/\/doi.org\/10.48550\/ARXIV.1909.05193"},{"key":"#cr-split#-e_1_3_2_1_31_1.1","unstructured":"Aniruddha Saha Akshayvarun Subramanya and Hamed Pirsiavash. 2019. Hidden Trigger Backdoor Attacks. https:\/\/doi.org\/10.48550\/ARXIV.1910.00033 10.48550\/ARXIV.1910.00033"},{"key":"#cr-split#-e_1_3_2_1_31_1.2","unstructured":"Aniruddha Saha Akshayvarun Subramanya and Hamed Pirsiavash. 2019. Hidden Trigger Backdoor Attacks. https:\/\/doi.org\/10.48550\/ARXIV.1910.00033"},{"key":"e_1_3_2_1_32_1","first-page":"2","article-title":"Grad-CAM: Visual Explanations from Deep Networks via Gradient-Based Localization","volume":"128","author":"Selvaraju Ramprasaath R.","year":"2019","unstructured":"Ramprasaath R. Selvaraju , Michael Cogswell , Abhishek Das , Ramakrishna Vedantam , Devi Parikh , and Dhruv Batra . 2019 . Grad-CAM: Visual Explanations from Deep Networks via Gradient-Based Localization . International Journal of Computer Vision , Vol. 128 , 2 (oct 2019), 336--359. Ramprasaath R. Selvaraju, Michael Cogswell, Abhishek Das, Ramakrishna Vedantam, Devi Parikh, and Dhruv Batra. 2019. Grad-CAM: Visual Explanations from Deep Networks via Gradient-Based Localization. International Journal of Computer Vision, Vol. 128, 2 (oct 2019), 336--359.","journal-title":"International Journal of Computer Vision"},{"key":"e_1_3_2_1_33_1","unstructured":"Ali Shafahi W. Ronny Huang Mahyar Najibi Octavian Suciu Christoph Studer Tudor Dumitras and Tom Goldstein. 2018a. Poison Frogs! Targeted Clean-Label Poisoning Attacks on Neural Networks. https:\/\/doi.org\/10.48550\/ARXIV.1804.00792    10.48550\/ARXIV.1804.00792\nAli Shafahi W. Ronny Huang Mahyar Najibi Octavian Suciu Christoph Studer Tudor Dumitras and Tom Goldstein. 2018a. Poison Frogs! Targeted Clean-Label Poisoning Attacks on Neural Networks. https:\/\/doi.org\/10.48550\/ARXIV.1804.00792"},{"key":"e_1_3_2_1_34_1","unstructured":"Ali Shafahi W. Ronny Huang Mahyar Najibi Octavian Suciu Christoph Studer Tudor Dumitras and Tom Goldstein. 2018b. Poison Frogs! Targeted Clean-Label Poisoning Attacks on Neural Networks. https:\/\/doi.org\/10.48550\/ARXIV.1804.00792    10.48550\/ARXIV.1804.00792\nAli Shafahi W. Ronny Huang Mahyar Najibi Octavian Suciu Christoph Studer Tudor Dumitras and Tom Goldstein. 2018b. Poison Frogs! Targeted Clean-Label Poisoning Attacks on Neural Networks. https:\/\/doi.org\/10.48550\/ARXIV.1804.00792"},{"key":"#cr-split#-e_1_3_2_1_35_1.1","unstructured":"Guangyu Shen Yingqi Liu Guanhong Tao Shengwei An Qiuling Xu Siyuan Cheng Shiqing Ma and Xiangyu Zhang. 2021. Backdoor Scanning for Deep Neural Networks through K-Arm Optimization. https:\/\/doi.org\/10.48550\/ARXIV.2102.05123 10.48550\/ARXIV.2102.05123"},{"key":"#cr-split#-e_1_3_2_1_35_1.2","unstructured":"Guangyu Shen Yingqi Liu Guanhong Tao Shengwei An Qiuling Xu Siyuan Cheng Shiqing Ma and Xiangyu Zhang. 2021. Backdoor Scanning for Deep Neural Networks through K-Arm Optimization. https:\/\/doi.org\/10.48550\/ARXIV.2102.05123"},{"key":"e_1_3_2_1_36_1","volume-title":"BadGPT: Exploring Security Vulnerabilities of ChatGPT via Backdoor Attacks to InstructGPT. arXiv preprint arXiv:2304.12298","author":"Shi Jiawen","year":"2023","unstructured":"Jiawen Shi , Yixin Liu , Pan Zhou , and Lichao Sun . 2023. BadGPT: Exploring Security Vulnerabilities of ChatGPT via Backdoor Attacks to InstructGPT. arXiv preprint arXiv:2304.12298 ( 2023 ). Jiawen Shi, Yixin Liu, Pan Zhou, and Lichao Sun. 2023. BadGPT: Exploring Security Vulnerabilities of ChatGPT via Backdoor Attacks to InstructGPT. arXiv preprint arXiv:2304.12298 (2023)."},{"key":"#cr-split#-e_1_3_2_1_37_1.1","unstructured":"Ilia Shumailov Zakhar Shumaylov Dmitry Kazhdan Yiren Zhao Nicolas Papernot Murat A. Erdogdu and Ross Anderson. 2021. Manipulating SGD with Data Ordering Attacks. https:\/\/doi.org\/10.48550\/ARXIV.2104.09667 10.48550\/ARXIV.2104.09667"},{"key":"#cr-split#-e_1_3_2_1_37_1.2","unstructured":"Ilia Shumailov Zakhar Shumaylov Dmitry Kazhdan Yiren Zhao Nicolas Papernot Murat A. Erdogdu and Ross Anderson. 2021. Manipulating SGD with Data Ordering Attacks. https:\/\/doi.org\/10.48550\/ARXIV.2104.09667"},{"key":"e_1_3_2_1_38_1","volume-title":"Deep inside convolutional networks: Visualising image classification models and saliency maps. arXiv preprint arXiv:1312.6034","author":"Simonyan Karen","year":"2013","unstructured":"Karen Simonyan , Andrea Vedaldi , and Andrew Zisserman . 2013. Deep inside convolutional networks: Visualising image classification models and saliency maps. arXiv preprint arXiv:1312.6034 ( 2013 ). Karen Simonyan, Andrea Vedaldi, and Andrew Zisserman. 2013. Deep inside convolutional networks: Visualising image classification models and saliency maps. arXiv preprint arXiv:1312.6034 (2013)."},{"key":"#cr-split#-e_1_3_2_1_39_1.1","unstructured":"Karen Simonyan and Andrew Zisserman. 2014. Very Deep Convolutional Networks for Large-Scale Image Recognition. https:\/\/doi.org\/10.48550\/ARXIV.1409.1556 10.48550\/ARXIV.1409.1556"},{"key":"#cr-split#-e_1_3_2_1_39_1.2","unstructured":"Karen Simonyan and Andrew Zisserman. 2014. Very Deep Convolutional Networks for Large-Scale Image Recognition. https:\/\/doi.org\/10.48550\/ARXIV.1409.1556"},{"key":"e_1_3_2_1_40_1","volume-title":"Sleeper Agent: Scalable Hidden Trigger Backdoors for Neural Networks Trained from Scratch. https:\/\/doi.org\/10.48550\/ARXIV.2106.08970","author":"Souri Hossein","year":"2021","unstructured":"Hossein Souri , Liam Fowl , Rama Chellappa , Micah Goldblum , and Tom Goldstein . 2021 . Sleeper Agent: Scalable Hidden Trigger Backdoors for Neural Networks Trained from Scratch. https:\/\/doi.org\/10.48550\/ARXIV.2106.08970 10.48550\/ARXIV.2106.08970 Hossein Souri, Liam Fowl, Rama Chellappa, Micah Goldblum, and Tom Goldstein. 2021. Sleeper Agent: Scalable Hidden Trigger Backdoors for Neural Networks Trained from Scratch. https:\/\/doi.org\/10.48550\/ARXIV.2106.08970"},{"key":"e_1_3_2_1_41_1","volume-title":"Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition. Neural networks","author":"Stallkamp Johannes","year":"2012","unstructured":"Johannes Stallkamp , Marc Schlipsing , Jan Salmen , and Christian Igel . 2012. Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition. Neural networks , Vol. 32 ( 2012 ), 323--332. Johannes Stallkamp, Marc Schlipsing, Jan Salmen, and Christian Igel. 2012. Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition. Neural networks, Vol. 32 (2012), 323--332."},{"key":"e_1_3_2_1_42_1","volume-title":"Le","author":"Sutskever Ilya","year":"2014","unstructured":"Ilya Sutskever , Oriol Vinyals , and Quoc V . Le . 2014 . Sequence to Sequence Learning with Neural Networks . arxiv: 1409.3215 [cs.CL] Ilya Sutskever, Oriol Vinyals, and Quoc V. Le. 2014. Sequence to Sequence Learning with Neural Networks. arxiv: 1409.3215 [cs.CL]"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"crossref","unstructured":"Christian Szegedy Vincent Vanhoucke Sergey Ioffe Jonathon Shlens and Zbigniew Wojna. 2015. Rethinking the Inception Architecture for Computer Vision. arxiv: 1512.00567 [cs.CV]  Christian Szegedy Vincent Vanhoucke Sergey Ioffe Jonathon Shlens and Zbigniew Wojna. 2015. Rethinking the Inception Architecture for Computer Vision. arxiv: 1512.00567 [cs.CV]","DOI":"10.1109\/CVPR.2016.308"},{"key":"e_1_3_2_1_44_1","volume-title":"Proceedings of the 36th International Conference on Machine Learning (Proceedings of Machine Learning Research","volume":"6114","author":"Tan Mingxing","year":"2019","unstructured":"Mingxing Tan and Quoc Le . 2019 . EfficientNet: Rethinking Model Scaling for Convolutional Neural Networks . In Proceedings of the 36th International Conference on Machine Learning (Proceedings of Machine Learning Research , Vol. 97), Kamalika Chaudhuri and Ruslan Salakhutdinov (Eds.). PMLR, 6105-- 6114 . https:\/\/proceedings.mlr.press\/v97\/tan19a.html Mingxing Tan and Quoc Le. 2019. EfficientNet: Rethinking Model Scaling for Convolutional Neural Networks. In Proceedings of the 36th International Conference on Machine Learning (Proceedings of Machine Learning Research, Vol. 97), Kamalika Chaudhuri and Ruslan Salakhutdinov (Eds.). PMLR, 6105--6114. https:\/\/proceedings.mlr.press\/v97\/tan19a.html"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3394486.3403064"},{"key":"e_1_3_2_1_46_1","volume-title":"Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks. In 2019 IEEE Symposium on Security and Privacy (SP). 707--723","author":"Wang Bolun","year":"2019","unstructured":"Bolun Wang , Yuanshun Yao , Shawn Shan , Huiying Li , Bimal Viswanath , Haitao Zheng , and Ben Y. Zhao . 2019 . Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks. In 2019 IEEE Symposium on Security and Privacy (SP). 707--723 . https:\/\/doi.org\/10.1109\/SP. 2019 .00031 10.1109\/SP.2019.00031 Bolun Wang, Yuanshun Yao, Shawn Shan, Huiying Li, Bimal Viswanath, Haitao Zheng, and Ben Y. Zhao. 2019. Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks. In 2019 IEEE Symposium on Security and Privacy (SP). 707--723. https:\/\/doi.org\/10.1109\/SP.2019.00031"},{"key":"e_1_3_2_1_47_1","volume-title":"Stealthy and Flexible Trojan in Deep Learning Framework","author":"Wang Yajie","year":"2022","unstructured":"Yajie Wang , Kongyang Chen , Yu'an Tan , Shuxin Huang , Wencong Ma , and Yuanzhang Li. 2022a. Stealthy and Flexible Trojan in Deep Learning Framework . IEEE Transactions on Dependable and Secure Computing ( 2022 ), 1--1. https:\/\/doi.org\/10.1109\/TDSC.2022.3164073 10.1109\/TDSC.2022.3164073 Yajie Wang, Kongyang Chen, Yu'an Tan, Shuxin Huang, Wencong Ma, and Yuanzhang Li. 2022a. Stealthy and Flexible Trojan in Deep Learning Framework. IEEE Transactions on Dependable and Secure Computing (2022), 1--1. https:\/\/doi.org\/10.1109\/TDSC.2022.3164073"},{"key":"e_1_3_2_1_48_1","unstructured":"Zhenting Wang Hailun Ding Juan Zhai and Shiqing Ma. 2022b. Training with More Confidence: Mitigating Injected and Natural Backdoors During Training. In Advances in Neural Information Processing Systems Alice H. Oh Alekh Agarwal Danielle Belgrave and Kyunghyun Cho (Eds.). https:\/\/openreview.net\/forum?id=yNPsd3oG_s  Zhenting Wang Hailun Ding Juan Zhai and Shiqing Ma. 2022b. Training with More Confidence: Mitigating Injected and Natural Backdoors During Training. In Advances in Neural Information Processing Systems Alice H. Oh Alekh Agarwal Danielle Belgrave and Kyunghyun Cho (Eds.). https:\/\/openreview.net\/forum?id=yNPsd3oG_s"},{"key":"e_1_3_2_1_49_1","volume-title":"Wortman Vaughan (Eds.)","volume":"34","author":"Wu Dongxian","year":"2021","unstructured":"Dongxian Wu and Yisen Wang . 2021 . Adversarial Neuron Pruning Purifies Backdoored Deep Models. In Advances in Neural Information Processing Systems, M. Ranzato, A. Beygelzimer, Y. Dauphin, P.S. Liang, and J . Wortman Vaughan (Eds.) , Vol. 34 . Curran Associates, Inc., 16913--16925. https:\/\/proceedings.neurips.cc\/paper\/ 2021\/file\/8cbe9ce23f42628c98f80fa0fac8b19a-Paper.pdf Dongxian Wu and Yisen Wang. 2021. Adversarial Neuron Pruning Purifies Backdoored Deep Models. In Advances in Neural Information Processing Systems, M. Ranzato, A. Beygelzimer, Y. Dauphin, P.S. Liang, and J. Wortman Vaughan (Eds.), Vol. 34. Curran Associates, Inc., 16913--16925. https:\/\/proceedings.neurips.cc\/paper\/2021\/file\/8cbe9ce23f42628c98f80fa0fac8b19a-Paper.pdf"},{"key":"#cr-split#-e_1_3_2_1_50_1.1","unstructured":"Zhen Xiang David J. Miller and George Kesidis. 2022. Post-Training Detection of Backdoor Attacks for Two-Class and Multi-Attack Scenarios. https:\/\/doi.org\/10.48550\/ARXIV.2201.08474 10.48550\/ARXIV.2201.08474"},{"key":"#cr-split#-e_1_3_2_1_50_1.2","unstructured":"Zhen Xiang David J. Miller and George Kesidis. 2022. Post-Training Detection of Backdoor Attacks for Two-Class and Multi-Attack Scenarios. https:\/\/doi.org\/10.48550\/ARXIV.2201.08474"},{"key":"#cr-split#-e_1_3_2_1_51_1.1","unstructured":"Kaidi Xu Sijia Liu Pin-Yu Chen Pu Zhao and Xue Lin. 2020. Defending against Backdoor Attack on Deep Neural Networks. https:\/\/doi.org\/10.48550\/ARXIV.2002.12162 10.48550\/ARXIV.2002.12162"},{"key":"#cr-split#-e_1_3_2_1_51_1.2","unstructured":"Kaidi Xu Sijia Liu Pin-Yu Chen Pu Zhao and Xue Lin. 2020. Defending against Backdoor Attack on Deep Neural Networks. https:\/\/doi.org\/10.48550\/ARXIV.2002.12162"},{"key":"e_1_3_2_1_52_1","volume-title":"Backdoor attacks to pre-trained unified foundation models. arXiv preprint arXiv:2302.09360","author":"Yuan Zenghui","year":"2023","unstructured":"Zenghui Yuan , Yixin Liu , Kai Zhang , Pan Zhou , and Lichao Sun . 2023. Backdoor attacks to pre-trained unified foundation models. arXiv preprint arXiv:2302.09360 ( 2023 ). Zenghui Yuan, Yixin Liu, Kai Zhang, Pan Zhou, and Lichao Sun. 2023. Backdoor attacks to pre-trained unified foundation models. arXiv preprint arXiv:2302.09360 (2023)."},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.5244\/C.30.87"},{"key":"e_1_3_2_1_54_1","volume-title":"International Conference on Learning Representations.","author":"Zeng Yi","year":"2021","unstructured":"Yi Zeng , Si Chen , Won Park , Zhuoqing Mao , Ming Jin , and Ruoxi Jia . 2021 a. Adversarial Unlearning of Backdoors via Implicit Hypergradient . In International Conference on Learning Representations. Yi Zeng, Si Chen, Won Park, Zhuoqing Mao, Ming Jin, and Ruoxi Jia. 2021a. Adversarial Unlearning of Backdoors via Implicit Hypergradient. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_55_1","volume-title":"Lingjuan Lyu, Meikang Qiu, and Ruoxi Jia.","author":"Zeng Yi","year":"2022","unstructured":"Yi Zeng , Minzhou Pan , Hoang Anh Just , Lingjuan Lyu, Meikang Qiu, and Ruoxi Jia. 2022 . Narcissus : A practical clean-label backdoor attack with limited information. arXiv preprint arXiv:2204.05255 (2022). Yi Zeng, Minzhou Pan, Hoang Anh Just, Lingjuan Lyu, Meikang Qiu, and Ruoxi Jia. 2022. Narcissus: A practical clean-label backdoor attack with limited information. arXiv preprint arXiv:2204.05255 (2022)."},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"crossref","unstructured":"Yi Zeng Won Park Z. Morley Mao and Ruoxi Jia. 2021b. Rethinking the Backdoor Attacks' Triggers: A Frequency Perspective. https:\/\/doi.org\/10.48550\/ARXIV.2104.03413    10.48550\/ARXIV.2104.03413\nYi Zeng Won Park Z. Morley Mao and Ruoxi Jia. 2021b. Rethinking the Backdoor Attacks' Triggers: A Frequency Perspective. https:\/\/doi.org\/10.48550\/ARXIV.2104.03413","DOI":"10.1109\/ICCV48922.2021.01616"},{"key":"e_1_3_2_1_57_1","volume-title":"Karthikeyan Natesan Ramamurthy, and Xue Lin","author":"Zhao Pu","year":"2020","unstructured":"Pu Zhao , Pin-Yu Chen , Payel Das , Karthikeyan Natesan Ramamurthy, and Xue Lin . 2020 . Bridging Mode Connectivity in Loss Landscapes and Adversarial Robustness . https:\/\/doi.org\/10.48550\/ARXIV.2005.00060 10.48550\/ARXIV.2005.00060 Pu Zhao, Pin-Yu Chen, Payel Das, Karthikeyan Natesan Ramamurthy, and Xue Lin. 2020. Bridging Mode Connectivity in Loss Landscapes and Adversarial Robustness. https:\/\/doi.org\/10.48550\/ARXIV.2005.00060"}],"event":{"name":"CIKM '23: The 32nd ACM International Conference on Information and Knowledge Management","location":"Birmingham United Kingdom","acronym":"CIKM '23","sponsor":["SIGWEB ACM Special Interest Group on Hypertext, Hypermedia, and Web","SIGIR ACM Special Interest Group on Information Retrieval"]},"container-title":["Proceedings of the 32nd ACM International Conference on Information and Knowledge Management"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3583780.3614784","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3583780.3614784","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3583780.3614784","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:36:56Z","timestamp":1750178216000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3583780.3614784"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,21]]},"references-count":70,"alternative-id":["10.1145\/3583780.3614784","10.1145\/3583780"],"URL":"https:\/\/doi.org\/10.1145\/3583780.3614784","relation":{},"subject":[],"published":{"date-parts":[[2023,10,21]]},"assertion":[{"value":"2023-10-21","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}