{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,3]],"date-time":"2025-12-03T17:20:26Z","timestamp":1764782426690,"version":"3.44.0"},"publisher-location":"New York, NY, USA","reference-count":52,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,11,26]],"date-time":"2023-11-26T00:00:00Z","timestamp":1700956800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,30]]},"DOI":"10.1145\/3605764.3623912","type":"proceedings-article","created":{"date-parts":[[2023,11,21]],"date-time":"2023-11-21T12:12:17Z","timestamp":1700568737000},"page":"103-114","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["The Adversarial Implications of Variable-Time Inference"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7865-0308","authenticated-orcid":false,"given":"Dudi","family":"Biton","sequence":"first","affiliation":[{"name":"Ben-Gurion University of the Negev, Be'er Sheva, Israel"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-0334-6645","authenticated-orcid":false,"given":"Aditi","family":"Misra","sequence":"additional","affiliation":[{"name":"University of Toronto, Toronto, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9156-0254","authenticated-orcid":false,"given":"Efrat","family":"Levy","sequence":"additional","affiliation":[{"name":"Ben-Gurion University of the Negev, Be'er Sheva, Israel"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7623-4186","authenticated-orcid":false,"given":"Jaidip","family":"Kotak","sequence":"additional","affiliation":[{"name":"Ben-Gurion University of the Negev, Be'er Sheva, Israel"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8942-9783","authenticated-orcid":false,"given":"Ron","family":"Bitton","sequence":"additional","affiliation":[{"name":"Ben-Gurion University of the Negev, Be'er Sheva, Israel"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1669-6367","authenticated-orcid":false,"given":"Roei","family":"Schuster","sequence":"additional","affiliation":[{"name":"Wild Moose, New York, NY, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5078-7233","authenticated-orcid":false,"given":"Nicolas","family":"Papernot","sequence":"additional","affiliation":[{"name":"University of Toronto & Vector Institute, Toronto, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9641-128X","authenticated-orcid":false,"given":"Yuval","family":"Elovici","sequence":"additional","affiliation":[{"name":"Ben-Gurion University of the Negev, Be'er Sheva, Israel"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3453-2120","authenticated-orcid":false,"given":"Ben","family":"Nassi","sequence":"additional","affiliation":[{"name":"Cornell Tech, New York, NY, USA"}]}],"member":"320","published-online":{"date-parts":[[2023,11,26]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n. d.]. YOLOv3 implementation: darknet. https:\/\/pjreddie.com\/darknet\/yolo\/."},{"volume-title":"28th {USENIX} Security Symposium ({USENIX} Security 19). 515--532.","author":"Batina Lejla","key":"e_1_3_2_1_2_1","unstructured":"Lejla Batina, Shivam Bhasin, Dirmanto Jap, and Stjepan Picek. 2019. {CSI} {NN}: Reverse Engineering of Neural Network Architectures Through Electromagnetic Side Channel. In 28th {USENIX} Security Symposium ({USENIX} Security 19). 515--532."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2018.07.023"},{"key":"e_1_3_2_1_4_1","volume-title":"Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. arXiv preprint arXiv:1712.04248","author":"Brendel Wieland","year":"2017","unstructured":"Wieland Brendel, Jonas Rauber, and Matthias Bethge. 2017. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. arXiv preprint arXiv:1712.04248 (2017)."},{"key":"e_1_3_2_1_5_1","unstructured":"Jason Brownlee. 2019. Deep learning for computer vision: image classification object detection and face recognition in python. Machine Learning Mastery."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.5555\/1090583.1648610"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58452-8_13"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00045"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140448"},{"key":"e_1_3_2_1_11_1","volume-title":"International Conference on Machine Learning. PMLR","author":"Choquette-Choo Christopher A","year":"2021","unstructured":"Christopher A Choquette-Choo, Florian Tramer, Nicholas Carlini, and Nicolas Papernot. 2021. Label-only membership inference attacks. In International Conference on Machine Learning. PMLR, 1964--1974."},{"key":"e_1_3_2_1_12_1","volume-title":"Stealing neural networks via timing side channels. arXiv preprint arXiv:1812.11720","author":"Duddu Vasisht","year":"2018","unstructured":"Vasisht Duddu, Debasis Samanta, D Vijay Rao, and Valentina E Balas. 2018. Stealing neural networks via timing side channels. arXiv preprint arXiv:1812.11720 (2018)."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2015.169"},{"key":"e_1_3_2_1_14_1","volume-title":"BREACH: reviving the CRIME attack. Unpublished manuscript","author":"Gluck Yoel","year":"2013","unstructured":"Yoel Gluck, Neal Harris, and Angelo Prado. 2013. BREACH: reviving the CRIME attack. Unpublished manuscript (2013)."},{"key":"e_1_3_2_1_15_1","volume-title":"Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572","author":"Goodfellow Ian J","year":"2014","unstructured":"Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014)."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.322"},{"key":"e_1_3_2_1_17_1","volume-title":"The curious case of neural text degeneration. arXiv preprint arXiv:1904.09751","author":"Holtzman Ari","year":"2019","unstructured":"Ari Holtzman, Jan Buys, Li Du, Maxwell Forbes, and Yejin Choi. 2019. The curious case of neural text degeneration. arXiv preprint arXiv:1904.09751 (2019)."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.685"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/DAC.2018.8465773"},{"key":"e_1_3_2_1_20_1","volume-title":"Laurens Van Der Maaten, and Kilian Q Weinberger","author":"Huang Gao","year":"2017","unstructured":"Gao Huang, Danlu Chen, Tianhong Li, Felix Wu, Laurens Van Der Maaten, and Kilian Q Weinberger. 2017. Multi-scale dense networks for resource efficient image classification. arXiv preprint arXiv:1703.09844 (2017)."},{"key":"e_1_3_2_1_21_1","volume-title":"International Conference on Machine Learning. PMLR, 2137--2146","author":"Ilyas Andrew","year":"2018","unstructured":"Andrew Ilyas, Logan Engstrom, Anish Athalye, and Jessy Lin. 2018. Blackbox adversarial attacks with limited queries and information. In International Conference on Machine Learning. PMLR, 2137--2146."},{"key":"e_1_3_2_1_22_1","volume-title":"Prior convictions: Black-box adversarial attacks with bandits and priors. arXiv preprint arXiv:1807.07978","author":"Ilyas Andrew","year":"2018","unstructured":"Andrew Ilyas, Logan Engstrom, and Aleksander Madry. 2018. Prior convictions: Black-box adversarial attacks with bandits and priors. arXiv preprint arXiv:1807.07978 (2018)."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.5555\/646761.706156"},{"key":"e_1_3_2_1_24_1","unstructured":"Alexey Kurakin Ian Goodfellow Samy Bengio et al. 2016. Adversarial examples in the physical world."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-10602-1_48"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46448-0_2"},{"key":"e_1_3_2_1_27_1","volume-title":"Dpatch: An adversarial patch attack on object detectors. arXiv preprint arXiv:1806.02299","author":"Liu Xin","year":"2018","unstructured":"Xin Liu, Huanrui Yang, Ziwei Liu, Linghao Song, Hai Li, and Yiran Chen. 2018. Dpatch: An adversarial patch attack on object detectors. arXiv preprint arXiv:1806.02299 (2018)."},{"key":"e_1_3_2_1_28_1","volume-title":"Timing Black-Box Attacks: Crafting Adversarial Examples through Timing Leaks against DNNs on Embedded Devices. IACR Transactions on Cryptographic Hardware and Embedded Systems","author":"Nakai Tsunato","year":"2021","unstructured":"Tsunato Nakai, Daisuke Suzuki, and Takeshi Fujino. 2021. Timing Black-Box Attacks: Crafting Adversarial Examples through Timing Leaks against DNNs on Embedded Devices. IACR Transactions on Cryptographic Hardware and Embedded Systems (2021), 149--175."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423359"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICPR.2006.479"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"crossref","unstructured":"Andriy Panchenko Fabian Lanze Jan Pennekamp Thomas Engel Andreas Zinnen Martin Henze and Klaus Wehrle. 2016. Website Fingerprinting at Internet Scale.. In NDSS.","DOI":"10.14722\/ndss.2016.23477"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.91"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.690"},{"key":"e_1_3_2_1_34_1","volume-title":"Asian conference on computer vision. Springer, 290--306","author":"Rothe Rasmus","year":"2014","unstructured":"Rasmus Rothe, Matthieu Guillaumin, and Luc Van Gool. 2014. Non-maximum suppression for object detection by passing messages between windows. In Asian conference on computer vision. Springer, 290--306."},{"volume-title":"26th {USENIX} Security Symposium ({USENIX} Security 17). 1357--1374.","author":"Schuster Roei","key":"e_1_3_2_1_35_1","unstructured":"Roei Schuster, Vitaly Shmatikov, and Eran Tromer. 2017. Beauty and the burst: Remote identification of encrypted video streams. In 26th {USENIX} Security Symposium ({USENIX} Security 17). 1357--1374."},{"key":"e_1_3_2_1_36_1","volume-title":"Practical Timing Side Channel Attacks on Memory Compression. arXiv preprint arXiv:2111.08404","author":"Schwarzl Martin","year":"2021","unstructured":"Martin Schwarzl, Pietro Borrello, Gururaj Saileshwar, Hanna M\u00fcller, Michael Schwarz, and Daniel Gruss. 2021. Practical Timing Side Channel Attacks on Memory Compression. arXiv preprint arXiv:2111.08404 (2021)."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01455"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"volume-title":"12th {USENIX} Workshop on Offensive Technologies ({WOOT} 18).","author":"Song Dawn","key":"e_1_3_2_1_40_1","unstructured":"Dawn Song, Kevin Eykholt, Ivan Evtimov, Earlence Fernandes, Bo Li, Amir Rahmati, Florian Tramer, Atul Prakash, and Tadayoshi Kohno. 2018. Physical adversarial examples for object detectors. In 12th {USENIX} Workshop on Offensive Technologies ({WOOT} 18)."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2019.00021"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.01422"},{"key":"e_1_3_2_1_43_1","first-page":"22420","article-title":"De-anonymizing text by fingerprinting language generation","volume":"33","author":"Sun Zhen","year":"2020","unstructured":"Zhen Sun, Roei Schuster, and Vitaly Shmatikov. 2020. De-anonymizing text by fingerprinting language generation. Advances in Neural Information Processing Systems 33 (2020), 22420--22431.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICPR.2016.7900006"},{"key":"e_1_3_2_1_45_1","volume-title":"Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204","author":"Tram\u00e8r Florian","year":"2017","unstructured":"Florian Tram\u00e8r, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, and Patrick McDaniel. 2017. Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204 (2017)."},{"volume-title":"25th USENIX security symposium (USENIX Security 16). 601--618.","author":"Tram\u00e8r Florian","key":"e_1_3_2_1_46_1","unstructured":"Florian Tram\u00e8r, Fan Zhang, Ari Juels, Michael K Reiter, and Thomas Ristenpart. 2016. Stealing Machine Learning Models via Prediction {APIs}. In 25th USENIX security symposium (USENIX Security 16). 601--618."},{"volume-title":"Encyclopedia of cryptography and security","author":"Van Tilborg Henk CA","key":"e_1_3_2_1_47_1","unstructured":"Henk CA Van Tilborg and Sushil Jajodia. 2014. Encyclopedia of cryptography and security. Springer Science & Business Media."},{"key":"e_1_3_2_1_48_1","volume-title":"Daedalus: Breaking nonmaximum suppression in object detection via adversarial examples","author":"Wang Derui","year":"2021","unstructured":"Derui Wang, Chaoran Li, Sheng Wen, Qing-Long Han, Surya Nepal, Xiangyu Zhang, and Yang Xiang. 2021. Daedalus: Breaking nonmaximum suppression in object detection via adversarial examples. IEEE Transactions on Cybernetics (2021)."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jpdc.2019.03.003"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/FCCM.2019.00059"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354259"},{"key":"e_1_3_2_1_52_1","volume-title":"Objects as points. arXiv preprint arXiv:1904.07850","author":"Zhou Xingyi","year":"2019","unstructured":"Xingyi Zhou, Dequan Wang, and Philipp Kr\u00e4henb\u00fchl. 2019. Objects as points. arXiv preprint arXiv:1904.07850 (2019)."}],"event":{"name":"CCS '23: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Copenhagen Denmark","acronym":"CCS '23"},"container-title":["Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3605764.3623912","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3605764.3623912","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T01:37:36Z","timestamp":1755913056000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3605764.3623912"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,26]]},"references-count":52,"alternative-id":["10.1145\/3605764.3623912","10.1145\/3605764"],"URL":"https:\/\/doi.org\/10.1145\/3605764.3623912","relation":{},"subject":[],"published":{"date-parts":[[2023,11,26]]},"assertion":[{"value":"2023-11-26","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}