{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,10]],"date-time":"2026-02-10T13:21:31Z","timestamp":1770729691690,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":45,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,12,4]],"date-time":"2023-12-04T00:00:00Z","timestamp":1701648000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Institute for Information & communication Technology Planning & Evaluation grant funded by the Korea government","award":["No.2018-0-00532, No.2022-0-00995, and No.2019-0-01343"],"award-info":[{"award-number":["No.2018-0-00532, No.2022-0-00995, and No.2019-0-01343"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,12,4]]},"DOI":"10.1145\/3627106.3627204","type":"proceedings-article","created":{"date-parts":[[2023,12,2]],"date-time":"2023-12-02T18:13:22Z","timestamp":1701540802000},"page":"535-549","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["DeepTaster: Adversarial Perturbation-Based Fingerprinting to Identify Proprietary Dataset Use in Deep Neural Networks"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-9849-9599","authenticated-orcid":false,"given":"Seonhye","family":"Park","sequence":"first","affiliation":[{"name":"Sungkyunkwan University, Republic of Korea"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9695-7947","authenticated-orcid":false,"given":"Alsharif","family":"Abuadbba","sequence":"additional","affiliation":[{"name":"CSIRO's Data61, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8938-2364","authenticated-orcid":false,"given":"Shuo","family":"Wang","sequence":"additional","affiliation":[{"name":"CSIRO's Data61, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9962-5080","authenticated-orcid":false,"given":"Kristen","family":"Moore","sequence":"additional","affiliation":[{"name":"CSIRO's Data61, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5783-2172","authenticated-orcid":false,"given":"Yansong","family":"Gao","sequence":"additional","affiliation":[{"name":"CSIRO's Data61, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1605-3866","authenticated-orcid":false,"given":"Hyoungshick","family":"Kim","sequence":"additional","affiliation":[{"name":"Sungkyunkwan University, South Korea"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3289-6599","authenticated-orcid":false,"given":"Surya","family":"Nepal","sequence":"additional","affiliation":[{"name":"CSIRO's Data61, Australia"}]}],"member":"320","published-online":{"date-parts":[[2023,12,4]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"USENIX Security Symposium (USENIX).","author":"Adi Yossi","year":"2018","unstructured":"Yossi Adi, Carsten Baum, Moustapha Cisse, Benny Pinkas, and Joseph Keshet. 2018. Turning your weakness into a strength: Watermarking deep neural networks by backdooring. In USENIX Security Symposium (USENIX)."},{"key":"e_1_3_2_1_2_1","volume-title":"Neural network laundering: Removing black-box backdoor watermarks from deep neural networks. Computers & Security","author":"Aiken William","year":"2021","unstructured":"William Aiken, Hyoungshick Kim, Simon Woo, and Jungwoo Ryoo. 2021. Neural network laundering: Removing black-box backdoor watermarks from deep neural networks. Computers & Security (2021)."},{"key":"e_1_3_2_1_3_1","unstructured":"Maksym Andriushchenko and Nicolas Flammarion. 2020. Understanding and improving fast adversarial training. In Advances in Neural Information Processing Systems (Neurips)."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3437526"},{"key":"e_1_3_2_1_5_1","volume-title":"Deepmarks: A digital fingerprinting framework for deep neural networks. arXiv preprint arXiv:1804.03648","author":"Chen Huili","year":"2018","unstructured":"Huili Chen, Bita\u00a0Darvish Rohani, and Farinaz Koushanfar. 2018. Deepmarks: A digital fingerprinting framework for deep neural networks. arXiv preprint arXiv:1804.03648 (2018)."},{"key":"e_1_3_2_1_6_1","volume-title":"Blackmarks: Blackbox multibit watermarking for deep neural networks. arXiv preprint arXiv:1904.00344","author":"Chen Huili","year":"2019","unstructured":"Huili Chen, Bita\u00a0Darvish Rouhani, and Farinaz Koushanfar. 2019. Blackmarks: Blackbox multibit watermarking for deep neural networks. arXiv preprint arXiv:1904.00344 (2019)."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833747"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/3297858.3304051"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"e_1_3_2_1_10_1","volume-title":"Backdoor attacks and countermeasures on deep learning: A comprehensive review. CoRR","author":"Gao Yansong","year":"2020","unstructured":"Yansong Gao, Bao\u00a0Gia Doan, Zhi Zhang, Siqi Ma, Jiliang Zhang, Anmin Fu, Surya Nepal, and Hyoungshick Kim. 2020. Backdoor attacks and countermeasures on deep learning: A comprehensive review. CoRR (2020)."},{"key":"e_1_3_2_1_11_1","unstructured":"Ian\u00a0J. Goodfellow Jonathon Shlens and Christian Szegedy. 2014. Explaining and Harnessing Adversarial Examples."},{"key":"e_1_3_2_1_12_1","volume-title":"OPM hack: The most dangerous threat to the federal government today. Journal of Applied Security Research","author":"Gootman Stephanie","year":"2016","unstructured":"Stephanie Gootman. 2016. OPM hack: The most dangerous threat to the federal government today. Journal of Applied Security Research (2016), 517\u2013525."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2909068"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2021\/500"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN52387.2021.9533442"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_1_17_1","volume-title":"Laurens van\u00a0der Maaten, and Kilian\u00a0Q. Weinberger","author":"Huang Gao","year":"2016","unstructured":"Gao Huang, Zhuang Liu, Laurens van\u00a0der Maaten, and Kilian\u00a0Q. Weinberger. 2016. Densely Connected Convolutional Networks."},{"key":"e_1_3_2_1_18_1","unstructured":"Forrest\u00a0N. Iandola Song Han Matthew\u00a0W. Moskewicz Khalid Ashraf William\u00a0J. Dally and Kurt Keutzer. 2016. SqueezeNet: AlexNet-level accuracy with 50x fewer parameters and < 0.5MB model size."},{"key":"e_1_3_2_1_19_1","volume-title":"USENIX Security Symposium (USENIX).","author":"Jia Hengrui","year":"2021","unstructured":"Hengrui Jia, Christopher\u00a0A Choquette-Choo, Varun Chandrasekaran, and Nicolas Papernot. 2021. Entangled watermarks as a defense against model extraction. In USENIX Security Symposium (USENIX)."},{"key":"e_1_3_2_1_20_1","unstructured":"Alex Krizhevsky Geoffrey Hinton 2009. Learning multiple layers of features from tiny images. (2009)."},{"key":"e_1_3_2_1_21_1","volume-title":"Imagenet classification with deep convolutional neural networks. Commun. ACM","author":"Krizhevsky Alex","year":"2017","unstructured":"Alex Krizhevsky, Ilya Sutskever, and Geoffrey\u00a0E Hinton. 2017. Imagenet classification with deep convolutional neural networks. Commun. ACM (2017), 84\u201390."},{"key":"e_1_3_2_1_22_1","volume-title":"Tiny imagenet visual recognition challenge. CS 231N","author":"Le Ya","year":"2015","unstructured":"Ya Le and Xuan Yang. 2015. Tiny imagenet visual recognition challenge. CS 231N (2015)."},{"key":"e_1_3_2_1_23_1","volume-title":"Adversarial frontier stitching for remote neural network watermarking. Neural Computing and Applications","author":"Le\u00a0Merrer Erwan","year":"2020","unstructured":"Erwan Le\u00a0Merrer, Patrick Perez, and Gilles Tr\u00e9dan. 2020. Adversarial frontier stitching for remote neural network watermarking. Neural Computing and Applications (2020), 9233\u20139244."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"crossref","unstructured":"Y. Lecun L. Bottou Y. Bengio and P. Haffner. 1998. Gradient-based learning applied to document recognition. IEEE (1998) 2278\u20132324.","DOI":"10.1109\/5.726791"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560684"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833693"},{"key":"e_1_3_2_1_27_1","volume-title":"Deep neural network fingerprinting by conferrable adversarial examples. arXiv preprint arXiv:1912.00888","author":"Lukas Nils","year":"2019","unstructured":"Nils Lukas, Yuxuan Zhang, and Florian Kerschbaum. 2019. Deep neural network fingerprinting by conferrable adversarial examples. arXiv preprint arXiv:1912.00888 (2019)."},{"key":"e_1_3_2_1_28_1","volume-title":"Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083","author":"Madry Aleksander","year":"2017","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2017. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 (2017)."},{"key":"e_1_3_2_1_29_1","volume-title":"International Conference on Learning Representations (ICLR).","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards Deep Learning Models Resistant to Adversarial Attacks. In International Conference on Learning Representations (ICLR)."},{"key":"e_1_3_2_1_30_1","unstructured":"Hannah Murphy and Shannon Bond. 2019. Capital One data breach sparks cloud security fears. The Financial Times. https:\/\/www.securityinfowatch.com\/cybersecurity\/information-security\/cloud-security-solutions\/article\/21091156\/capital-one-breach-shines-spotlight-on-insider-threats"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/3580305.3599291"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_3_2_1_33_1","volume-title":"Foolbox Native: Fast adversarial attacks to benchmark the robustness of machine learning models in PyTorch, TensorFlow, and JAX. Journal of Open Source Software","author":"Rauber Jonas","year":"2020","unstructured":"Jonas Rauber, Roland Zimmermann, Matthias Bethge, and Wieland Brendel. 2020. Foolbox Native: Fast adversarial attacks to benchmark the robustness of machine learning models in PyTorch, TensorFlow, and JAX. Journal of Open Source Software (2020), 2607."},{"key":"e_1_3_2_1_34_1","volume-title":"Deep One-Class Classification. In International Conference on Machine Learning (ICML).","author":"Ruff Lukas","year":"2018","unstructured":"Lukas Ruff, Robert Vandermeulen, Nico Goernitz, Lucas Deecke, Shoaib\u00a0Ahmed Siddiqui, Alexander Binder, Emmanuel M\u00fcller, and Marius Kloft. 2018. Deep One-Class Classification. In International Conference on Machine Learning (ICML)."},{"key":"e_1_3_2_1_35_1","volume-title":"Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556","author":"Simonyan Karen","year":"2014","unstructured":"Karen Simonyan and Andrew Zisserman. 2014. Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556 (2014)."},{"key":"e_1_3_2_1_36_1","volume-title":"USENIX Security Symposium (USENIX).","author":"Sun Zhichuang","year":"2021","unstructured":"Zhichuang Sun, Ruimin Sun, Long Lu, and Alan Mislove. 2021. Mind your weight (s): A large-scale study on insufficient machine learning model protection in mobile apps. In USENIX Security Symposium (USENIX)."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3474085.3475591"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"crossref","unstructured":"Lisa Torrey and Jude Shavlik. 2010. Transfer Learning. In Handbook of Research on Machine Learning Applications and Trends. 242\u2013264.","DOI":"10.4018\/978-1-60566-766-9.ch011"},{"key":"e_1_3_2_1_39_1","volume-title":"Data-Free Model Extraction. In IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR).","author":"Truong Jean-Baptiste","year":"2021","unstructured":"Jean-Baptiste Truong, Pratyush Maini, Robert\u00a0J. Walls, and Nicolas Papernot. 2021. Data-Free Model Extraction. In IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR)."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/3078971.3078974"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3453688.3461752"},{"key":"e_1_3_2_1_43_1","volume-title":"CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples. In Network and Distributed System Security Symposium (NDSS).","author":"Yu Honggang","year":"2020","unstructured":"Honggang Yu, Kaichen Yang, Teng Zhang, Yun-Yun Tsai, Tsung-Yi Ho, and Yier Jin. 2020. CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples. In Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196550"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.comcom.2019.12.016"}],"event":{"name":"ACSAC '23: Annual Computer Security Applications Conference","location":"Austin TX USA","acronym":"ACSAC '23"},"container-title":["Annual Computer Security Applications Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3627106.3627204","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3627106.3627204","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T17:38:36Z","timestamp":1755884316000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3627106.3627204"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,12,4]]},"references-count":45,"alternative-id":["10.1145\/3627106.3627204","10.1145\/3627106"],"URL":"https:\/\/doi.org\/10.1145\/3627106.3627204","relation":{},"subject":[],"published":{"date-parts":[[2023,12,4]]},"assertion":[{"value":"2023-12-04","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}