{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T08:54:13Z","timestamp":1773392053763,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":85,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,7,1]],"date-time":"2024-07-01T00:00:00Z","timestamp":1719792000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["1951729"],"award-info":[{"award-number":["1951729"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["1953813"],"award-info":[{"award-number":["1953813"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["2119331"],"award-info":[{"award-number":["2119331"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["2212323"],"award-info":[{"award-number":["2212323"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,7]]},"DOI":"10.1145\/3634737.3657002","type":"proceedings-article","created":{"date-parts":[[2024,6,28]],"date-time":"2024-06-28T11:51:38Z","timestamp":1719575498000},"page":"1231-1245","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":15,"title":["Model Extraction Attacks Revisited"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-0116-7664","authenticated-orcid":false,"given":"Jiacheng","family":"Liang","sequence":"first","affiliation":[{"name":"Stony Brook University, Stony Brook, United States"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-2474-4491","authenticated-orcid":false,"given":"Ren","family":"Pang","sequence":"additional","affiliation":[{"name":"Penn State University, State College, United States"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1671-7183","authenticated-orcid":false,"given":"Changjiang","family":"Li","sequence":"additional","affiliation":[{"name":"Stony Brook University, Stony Brook, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4927-5833","authenticated-orcid":false,"given":"Ting","family":"Wang","sequence":"additional","affiliation":[{"name":"Stony Brook University, Stony Brook, United States"}]}],"member":"320","published-online":{"date-parts":[[2024,7]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n. d.]. IMDb Datasets. https:\/\/www.imdb.com\/interfaces\/. Accessed: 2023-03-16."},{"key":"e_1_3_2_1_2_1","unstructured":"[n. d.]. Yelp Datasets. https:\/\/www.yelp.com\/dataset. Accessed: 2023-07-16."},{"key":"e_1_3_2_1_3_1","volume-title":"Model extraction from counterfactual explanations. ArXiv e-prints","author":"A\u00efvodji Ulrich","year":"2020","unstructured":"Ulrich A\u00efvodji, Alexandre Bolot, and S\u00e9bastien Gambs. 2020. Model extraction from counterfactual explanations. ArXiv e-prints (2020)."},{"key":"e_1_3_2_1_4_1","unstructured":"Amazon. [n. d.]. AWS Rekognition documentation. https:\/\/docs.aws.amazon.com\/rekognition\/latest\/dg\/what-is.html."},{"key":"e_1_3_2_1_5_1","volume-title":"Proceedings of ACM International Conference on Multimodal Interaction (ICMI).","author":"Barsoum Emad","year":"2016","unstructured":"Emad Barsoum, Cha Zhang, Cristian Canton Ferrer, and Zhengyou Zhang. 2016. Training Deep Networks for Facial Expression Recognition with Crowd-Sourced Label Distribution. In Proceedings of ACM International Conference on Multimodal Interaction (ICMI)."},{"key":"e_1_3_2_1_6_1","volume-title":"MixMatch: A Holistic Approach to Semi-Supervised Learning. ArXiv e-prints","author":"Berthelot David","year":"2019","unstructured":"David Berthelot, Nicholas Carlini, Ian J. Goodfellow, Nicolas Papernot, Avital Oliver, and Colin Raffel. 2019. MixMatch: A Holistic Approach to Semi-Supervised Learning. ArXiv e-prints (2019)."},{"key":"e_1_3_2_1_7_1","volume-title":"Proceedings of the IEEE International Conference on Automatic Face & Gesture Recognition (FG).","author":"Cao Qiong","year":"2018","unstructured":"Qiong Cao, Li Shen, Weidi Xie, Omkar M Parkhi, and Andrew Zisserman. 2018. Vggface2: A dataset for recognizing faces across pose and age. In Proceedings of the IEEE International Conference on Automatic Face & Gesture Recognition (FG)."},{"key":"e_1_3_2_1_8_1","volume-title":"Proceedings of USENIX Security Symposium (SEC).","author":"Carlini Nicholas","year":"2021","unstructured":"Nicholas Carlini, Florian Tramer, Eric Wallace, Matthew Jagielski, Ariel HerbertVoss, Katherine Lee, Adam Roberts, Tom B Brown, Dawn Song, Ulfar Erlingsson, et al. 2021. Extracting Training Data from Large Language Models.. In Proceedings of USENIX Security Symposium (SEC)."},{"key":"e_1_3_2_1_9_1","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P).","author":"Carlini Nicholas","year":"2017","unstructured":"Nicholas Carlini and David Wagner. 2017. Towards evaluating the robustness of neural networks. In Proceedings of IEEE Symposium on Security and Privacy (S&P)."},{"key":"e_1_3_2_1_10_1","volume-title":"Proceedings of USENIX Security Symposium (SEC).","author":"Chandrasekaran Varun","year":"2020","unstructured":"Varun Chandrasekaran, Kamalika Chaudhuri, Irene Giacomelli, Somesh Jha, and Songbai Yan. 2020. Exploring connections between active learning and model extraction. In Proceedings of USENIX Security Symposium (SEC)."},{"key":"e_1_3_2_1_11_1","volume-title":"HAPI: A Large-scale Longitudinal Dataset of Commercial ML API Predictions. ArXiv e-prints","author":"Chen Lingjiao","year":"2022","unstructured":"Lingjiao Chen, Zhihua Jin, Sabri Eyuboglu, Christopher R\u00e9, Matei Zaharia, and James Zou. 2022. HAPI: A Large-scale Longitudinal Dataset of Commercial ML API Predictions. ArXiv e-prints (2022)."},{"key":"e_1_3_2_1_12_1","volume-title":"Le","author":"Chen Xiangning","year":"2023","unstructured":"Xiangning Chen, Chen Liang, Da Huang, Esteban Real, Kaiyuan Wang, Yao Liu, Hieu Pham, Xuanyi Dong, Thang Luong, Cho-Jui Hsieh, Yifeng Lu, and Quoc V. Le. 2023. Symbolic Discovery of Optimization Algorithms. ArXiv e-prints (2023)."},{"key":"e_1_3_2_1_13_1","volume-title":"Proceedings of USENIX Security Symposium (SEC).","author":"Chen Yufei","year":"2022","unstructured":"Yufei Chen, Chao Shen, Cong Wang, and Yang Zhang. 2022. Teacher model fingerprinting attacks against transfer learning. In Proceedings of USENIX Security Symposium (SEC)."},{"key":"e_1_3_2_1_14_1","volume-title":"Proceedings of the 46th International ACM SIGIR conference on Research and Development in Information Retrieval. 2426--2430","author":"Chen Ziheng","year":"2023","unstructured":"Ziheng Chen, Fabrizio Silvestri, Jia Wang, Yongfeng Zhang, and Gabriele Tolomei. 2023. The dark side of explanations: Poisoning recommender systems with counterfactual examples. In Proceedings of the 46th International ACM SIGIR conference on Research and Development in Information Retrieval. 2426--2430."},{"key":"e_1_3_2_1_15_1","volume-title":"Proceedings of the International Joint Conference on Neural Networks (IJCNN).","author":"Correia-Silva Jacson Rodrigues","year":"2018","unstructured":"Jacson Rodrigues Correia-Silva, Rodrigo F Berriel, Claudine Badue, Alberto F de Souza, and Thiago Oliveira-Santos. 2018. Copycat cnn: Stealing knowledge by persuading confession with random non-labeled data. In Proceedings of the International Joint Conference on Neural Networks (IJCNN)."},{"key":"e_1_3_2_1_16_1","volume-title":"Bert: Pre-training of deep bidirectional transformers for language understanding. ArXiv e-prints","author":"Devlin Jacob","year":"2018","unstructured":"Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. 2018. Bert: Pre-training of deep bidirectional transformers for language understanding. ArXiv e-prints (2018)."},{"key":"e_1_3_2_1_17_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Dosovitskiy Alexey","year":"2020","unstructured":"Alexey Dosovitskiy, Lucas Beyer, Alexander Kolesnikov, Dirk Weissenborn, Xiaohua Zhai, Thomas Unterthiner, Mostafa Dehghani, Matthias Minderer, Georg Heigold, Sylvain Gelly, Jakob Uszkoreit, and Neil Houlsby. 2020. An Image is Worth 16x16 Words: Transformers for Image Recognition at Scale. In Proceedings of International Conference on Learning Representations (ICLR)."},{"key":"e_1_3_2_1_18_1","volume-title":"Proceedings of the ACM Multimedia Systems Conference (MMSys).","author":"Feng Xianglong","year":"2021","unstructured":"Xianglong Feng, Weitian Li, and Sheng Wei. 2021. LiveROI: Region of Interest Analysis for Viewport Prediction in Live Mobile Virtual Reality Streaming. In Proceedings of the ACM Multimedia Systems Conference (MMSys)."},{"key":"e_1_3_2_1_19_1","volume-title":"Proceedings of International Joint Conference on Artificial Intelligence (IJCAI).","author":"Gong Xueluan","year":"2021","unstructured":"Xueluan Gong, Yanjiao Chen, Wenbin Yang, Guanghao Mei, and Qian Wang. 2021. InverseNet: Augmenting Model Extraction Attacks with Training Data Inversion.. In Proceedings of International Joint Conference on Artificial Intelligence (IJCAI)."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"crossref","first-page":"1789","DOI":"10.1007\/s11263-021-01453-z","article-title":"Knowledge distillation: A survey","volume":"129","author":"Gou Jianping","year":"2021","unstructured":"Jianping Gou, Baosheng Yu, Stephen J Maybank, and Dacheng Tao. 2021. Knowledge distillation: A survey. International Journal of Computer Vision 129 (2021), 1789--1819.","journal-title":"International Journal of Computer Vision"},{"key":"e_1_3_2_1_21_1","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR).","author":"He Kaiming","year":"2015","unstructured":"Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. 2015. Deep Residual Learning for Image Recognition. In Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR)."},{"key":"e_1_3_2_1_22_1","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR).","author":"He Kaiming","year":"2016","unstructured":"Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. 2016. Deep residual learning for image recognition. In Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR)."},{"key":"e_1_3_2_1_23_1","volume-title":"Distilling the Knowledge in a Neural Network. ArXiv e-prints","author":"Hinton Geoffrey","year":"2015","unstructured":"Geoffrey Hinton, Oriol Vinyals, and Jeff Dean. 2015. Distilling the Knowledge in a Neural Network. ArXiv e-prints (2015)."},{"key":"e_1_3_2_1_24_1","volume-title":"Annual Computer Security Applications Conference. 1--16","author":"Hu Hailong","year":"2021","unstructured":"Hailong Hu and Jun Pang. 2021. Stealing machine learning models: Attacks and countermeasures for generative adversarial networks. In Annual Computer Security Applications Conference. 1--16."},{"key":"e_1_3_2_1_25_1","unstructured":"Dong Huang Qingwen Bu Yuhao Qing Yichao Fu and Heming Cui. [n. d.]. ADVERSARIAL FEATURE MAP PRUNING FOR BACK. ([n. d.])."},{"key":"e_1_3_2_1_26_1","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR).","author":"Huang Gao","year":"2017","unstructured":"Gao Huang, Zhuang Liu, Laurens Van Der Maaten, and Kilian Q Weinberger. 2017. Densely connected convolutional networks. In Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR)."},{"key":"e_1_3_2_1_27_1","volume-title":"Weinberger","author":"Huang Gao","year":"2018","unstructured":"Gao Huang, Zhuang Liu, Laurens van der Maaten, and Kilian Q. Weinberger. 2018. Densely Connected Convolutional Networks. ArXiv e-prints (2018)."},{"key":"e_1_3_2_1_28_1","volume-title":"Like what you like: Knowledge distill via neuron selectivity transfer. ArXiv e-prints","author":"Huang Zehao","year":"2017","unstructured":"Zehao Huang and Naiyan Wang. 2017. Like what you like: Knowledge distill via neuron selectivity transfer. ArXiv e-prints (2017)."},{"key":"e_1_3_2_1_29_1","volume-title":"Proceedings of USENIX Security Symposium (SEC).","author":"Jagielski Matthew","year":"2020","unstructured":"Matthew Jagielski, Nicholas Carlini, David Berthelot, Alex Kurakin, and Nicolas Papernot. 2020. High accuracy and high fidelity extraction of neural networks. In Proceedings of USENIX Security Symposium (SEC)."},{"key":"e_1_3_2_1_30_1","volume-title":"Information theory and statistical mechanics. Physical review 106, 4","author":"Jaynes Edwin T","year":"1957","unstructured":"Edwin T Jaynes. 1957. Information theory and statistical mechanics. Physical review 106, 4 (1957), 620."},{"key":"e_1_3_2_1_31_1","volume-title":"Proceedings of IEEE European Symposium on Security and Privacy (Euro S&P).","author":"Juuti Mika","year":"2019","unstructured":"Mika Juuti, Sebastian Szyller, Samuel Marchal, and N Asokan. 2019. PRADA: protecting against DNN model stealing attacks. In Proceedings of IEEE European Symposium on Security and Privacy (Euro S&P)."},{"key":"e_1_3_2_1_32_1","volume-title":"Kingma and Jimmy Ba","author":"Diederik","year":"2017","unstructured":"Diederik P. Kingma and Jimmy Ba. 2017. Adam: A Method for Stochastic Optimization. ArXiv e-prints (2017)."},{"key":"e_1_3_2_1_33_1","volume-title":"Ankur P Parikh, Nicolas Papernot, and Mohit Iyyer.","author":"Krishna Kalpesh","year":"2019","unstructured":"Kalpesh Krishna, Gaurav Singh Tomar, Ankur P Parikh, Nicolas Papernot, and Mohit Iyyer. 2019. Thieves on sesame street! model extraction of bert-based apis. ArXiv e-prints (2019)."},{"key":"e_1_3_2_1_34_1","volume-title":"One weird trick for parallelizing convolutional neural networks. ArXiv e-prints","author":"Krizhevsky Alex","year":"2014","unstructured":"Alex Krizhevsky. 2014. One weird trick for parallelizing convolutional neural networks. ArXiv e-prints (2014)."},{"key":"e_1_3_2_1_35_1","volume-title":"Deep learning. Nature 521, 7553","author":"LeCun Yann","year":"2015","unstructured":"Yann LeCun, Yoshua Bengio, and Geoffrey Hinton. 2015. Deep learning. Nature 521, 7553 (2015), 436--444."},{"key":"e_1_3_2_1_36_1","volume-title":"Proceedings of European Conference on Computer Vision (ECCV).","author":"Lee Seung Hyun","year":"2018","unstructured":"Seung Hyun Lee, Dae Ha Kim, and Byung Cheol Song. 2018. Self-supervised knowledge distillation using singular value decomposition. In Proceedings of European Conference on Computer Vision (ECCV)."},{"key":"e_1_3_2_1_37_1","volume-title":"2019 IEEE Security and Privacy Workshops (SPW). IEEE, 43--49","author":"Lee Taesung","year":"2019","unstructured":"Taesung Lee, Benjamin Edwards, Ian Molloy, and Dong Su. 2019. Defending against neural network model stealing attacks using deceptive perturbations. In 2019 IEEE Security and Privacy Workshops (SPW). IEEE, 43--49."},{"key":"e_1_3_2_1_38_1","first-page":"3987","article-title":"Towards certifying the asymmetric robustness for neural networks: quantification and applications","volume":"19","author":"Li Changjiang","year":"2021","unstructured":"Changjiang Li, Shouling Ji, Haiqin Weng, Bo Li, Jie Shi, Raheem Beyah, Shanqing Guo, Zonghui Wang, and Ting Wang. 2021. Towards certifying the asymmetric robustness for neural networks: quantification and applications. IEEE Transactions on Dependable and Secure Computing 19, 6 (2021), 3987--4001.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_2_1_39_1","volume-title":"An Embarrassingly Simple Backdoor Attack on Self-supervised Learning. In The 2023 International Conference on Computer Vision (ICCV' 23)","author":"Li Changjiang","year":"2023","unstructured":"Changjiang Li, Ren Pang, Zhaohan Xi, Tianyu Du, Shouling Ji, Yuan Yao, and Ting Wang. 2023. An Embarrassingly Simple Backdoor Attack on Self-supervised Learning. In The 2023 International Conference on Computer Vision (ICCV' 23)."},{"key":"e_1_3_2_1_40_1","volume-title":"Seeing is living? rethinking the security of facial liveness verification in the deepfake era. USENIX Security 2022","author":"Li Changjiang","year":"2022","unstructured":"Changjiang Li, Li Wang, Shouling Ji, Xuhong Zhang, Zhaohan Xi, Shanqing Guo, and Ting Wang. 2022. Seeing is living? rethinking the security of facial liveness verification in the deepfake era. USENIX Security 2022 (2022)."},{"key":"e_1_3_2_1_41_1","volume-title":"Cyberspace Safety and Security: 11th International Symposium, CSS 2019, Guangzhou, China, December 1--3, 2019, Proceedings, Part I 11","author":"Li Changjiang","year":"2019","unstructured":"Changjiang Li, Haiqin Weng, Shouling Ji, Jianfeng Dong, and Qinming He. 2019. DeT: Defending against adversarial examples via decreasing transferability. In Cyberspace Safety and Security: 11th International Symposium, CSS 2019, Guangzhou, China, December 1--3, 2019, Proceedings, Part I 11. Springer International Publishing, 307--322."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"crossref","first-page":"356","DOI":"10.1109\/TIP.2018.2868382","article-title":"Reliable Crowdsourcing and Deep Locality-Preserving Learning for Unconstrained Facial Expression Recognition","volume":"28","author":"Li Shan","year":"2019","unstructured":"Shan Li and Weihong Deng. 2019. Reliable Crowdsourcing and Deep Locality-Preserving Learning for Unconstrained Facial Expression Recognition. IEEE Transactions on Image Processing 28, 1 (2019), 356--370.","journal-title":"IEEE Transactions on Image Processing"},{"key":"e_1_3_2_1_43_1","volume-title":"Feature Manipulation for DDPM based Change Detection. arXiv preprint arXiv:2403.15943","author":"Li Zhenglin","year":"2024","unstructured":"Zhenglin Li, Yangchen Huang, Mengran Zhu, Jingyu Zhang, JingHao Chang, and Houze Liu. 2024. Feature Manipulation for DDPM based Change Detection. arXiv preprint arXiv:2403.15943 (2024)."},{"key":"e_1_3_2_1_44_1","volume-title":"Omnilytics: A blockchain-based secure data market for decentralized machine learning. arXiv preprint arXiv:2107.05252","author":"Liang Jiacheng","year":"2021","unstructured":"Jiacheng Liang, Songze Li, Bochuan Cao, Wensi Jiang, and Chaoyang He. 2021. Omnilytics: A blockchain-based secure data market for decentralized machine learning. arXiv preprint arXiv:2107.05252 (2021)."},{"key":"e_1_3_2_1_45_1","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition. 5146--5155","author":"Liu Han","year":"2023","unstructured":"Han Liu, Yuhao Wu, Zhiyuan Yu, Yevgeniy Vorobeychik, and Ning Zhang. 2023. Slowlidar: Increasing the latency of lidar-based detection using adversarial examples. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition. 5146--5155."},{"key":"e_1_3_2_1_46_1","volume-title":"2024 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 120--120","author":"Liu Han","year":"2024","unstructured":"Han Liu, Yuhao Wu, Zhiyuan Yu, and Ning Zhang. 2024. Please Tell Me More: Privacy Impact of Explainability through the Lens of Membership Inference Attack. In 2024 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 120--120."},{"key":"e_1_3_2_1_47_1","volume-title":"Roberta: A robustly optimized bert pretraining approach. ArXiv e-prints","author":"Liu Yinhan","year":"2019","unstructured":"Yinhan Liu, Myle Ott, Naman Goyal, Jingfei Du, Mandar Joshi, Danqi Chen, Omer Levy, Mike Lewis, Luke Zettlemoyer, and Veselin Stoyanov. 2019. Roberta: A robustly optimized bert pretraining approach. ArXiv e-prints (2019)."},{"key":"e_1_3_2_1_48_1","first-page":"1839","article-title":"Efficient dropout-resilient aggregation for privacy-preserving machine learning","volume":"18","author":"Liu Ziyao","year":"2022","unstructured":"Ziyao Liu, Jiale Guo, Kwok-Yan Lam, and Jun Zhao. 2022. Efficient dropout-resilient aggregation for privacy-preserving machine learning. IEEE Transactions on Information Forensics and Security 18 (2022), 1839--1854.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"e_1_3_2_1_49_1","volume-title":"Long-term privacy-preserving aggregation with user-dynamics for federated learning","author":"Liu Ziyao","year":"2023","unstructured":"Ziyao Liu, Hsiao-Ying Lin, and Yamin Liu. 2023. Long-term privacy-preserving aggregation with user-dynamics for federated learning. IEEE Transactions on Information Forensics and Security (2023)."},{"key":"e_1_3_2_1_50_1","volume-title":"Decoupled Weight Decay Regularization. ArXiv e-prints","author":"Loshchilov Ilya","year":"2019","unstructured":"Ilya Loshchilov and Frank Hutter. 2019. Decoupled Weight Decay Regularization. ArXiv e-prints (2019)."},{"key":"e_1_3_2_1_51_1","volume-title":"CD ROM from Department of Clinical Neuroscience, Psychology section","author":"Lundqvist Daniel","year":"1998","unstructured":"Daniel Lundqvist, Anders Flykt, and A \u00d6hman. 2022. The Karolinska directed emotional faces---KDEF, CD ROM from Department of Clinical Neuroscience, Psychology section, Karolinska Institutet, 1998. ArXiv e-prints (2022)."},{"key":"e_1_3_2_1_52_1","volume-title":"Task-Agnostic Detector for Insertion-Based Backdoor Attacks. arXiv preprint arXiv:2403.17155","author":"Lyu Weimin","year":"2024","unstructured":"Weimin Lyu, Xiao Lin, Songzhu Zheng, Lu Pang, Haibin Ling, Susmit Jha, and Chao Chen. 2024. Task-Agnostic Detector for Insertion-Based Backdoor Attacks. arXiv preprint arXiv:2403.17155 (2024)."},{"key":"e_1_3_2_1_53_1","volume-title":"Attention-Enhancing Backdoor Attacks Against BERT-based Models. arXiv preprint arXiv:2310.14480","author":"Lyu Weimin","year":"2023","unstructured":"Weimin Lyu, Songzhu Zheng, Lu Pang, Haibin Ling, and Chao Chen. 2023. Attention-Enhancing Backdoor Attacks Against BERT-based Models. arXiv preprint arXiv:2310.14480 (2023)."},{"key":"e_1_3_2_1_54_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards deep learning models resistant to adversarial attacks. In Proceedings of International Conference on Learning Representations (ICLR)."},{"key":"e_1_3_2_1_55_1","volume-title":"Parting with illusions about deep active learning. ArXiv e-prints","author":"Mittal Sudhanshu","year":"2019","unstructured":"Sudhanshu Mittal, Maxim Tatarchenko, \u00d6zg\u00fcn \u00c7i\u00e7ek, and Thomas Brox. 2019. Parting with illusions about deep active learning. ArXiv e-prints (2019)."},{"key":"e_1_3_2_1_56_1","volume-title":"Towards reverse-engineering black-box neural networks. Explainable AI: Interpreting, Explaining and Visualizing Deep Learning","author":"Oh Seong Joon","year":"2019","unstructured":"Seong Joon Oh, Bernt Schiele, and Mario Fritz. 2019. Towards reverse-engineering black-box neural networks. Explainable AI: Interpreting, Explaining and Visualizing Deep Learning (2019), 121--144."},{"key":"e_1_3_2_1_57_1","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR).","author":"Orekondy Tribhuvanesh","year":"2019","unstructured":"Tribhuvanesh Orekondy, Bernt Schiele, and Mario Fritz. 2019. Knockoff nets: Stealing functionality of black-box models. In Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR)."},{"key":"e_1_3_2_1_58_1","volume-title":"Prediction poisoning: Towards defenses against dnn model stealing attacks. arXiv preprint arXiv:1906.10908","author":"Orekondy Tribhuvanesh","year":"2019","unstructured":"Tribhuvanesh Orekondy, Bernt Schiele, and Mario Fritz. 2019. Prediction poisoning: Towards defenses against dnn model stealing attacks. arXiv preprint arXiv:1906.10908 (2019)."},{"key":"e_1_3_2_1_59_1","volume-title":"A framework for the extraction of deep neural networks by leveraging public data. ArXiv e-prints","author":"Pal Soham","year":"2019","unstructured":"Soham Pal, Yash Gupta, Aditya Shukla, Aditya Kanade, Shirish Shevade, and Vinod Ganapathy. 2019. A framework for the extraction of deep neural networks by leveraging public data. ArXiv e-prints (2019)."},{"key":"e_1_3_2_1_60_1","volume-title":"Proceedings of AAAI Conference on Artificial Intelligence (AAAI).","author":"Pal Soham","year":"2020","unstructured":"Soham Pal, Yash Gupta, Aditya Shukla, Aditya Kanade, Shirish Shevade, and Vinod Ganapathy. 2020. Activethief: Model extraction using active learning and unannotated public data. In Proceedings of AAAI Conference on Artificial Intelligence (AAAI)."},{"key":"e_1_3_2_1_61_1","volume-title":"Proceedings of ACM Symposium on Information, Computer and Communications Security (AsiaCCS).","author":"Papernot Nicolas","year":"2017","unstructured":"Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z Berkay Celik, and Ananthram Swami. 2017. Practical black-box attacks against machine learning. In Proceedings of ACM Symposium on Information, Computer and Communications Security (AsiaCCS)."},{"key":"e_1_3_2_1_62_1","volume-title":"Proceedings of IEEE European Symposium on Security and Privacy (Euro S&P).","author":"Papernot Nicolas","year":"2018","unstructured":"Nicolas Papernot, Patrick McDaniel, Arunesh Sinha, and Michael P Wellman. 2018. Sok: Security and privacy in machine learning. In Proceedings of IEEE European Symposium on Security and Privacy (Euro S&P)."},{"key":"e_1_3_2_1_63_1","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P).","author":"Papernot Nicolas","year":"2016","unstructured":"Nicolas Papernot, Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami. 2016. Distillation as a defense to adversarial perturbations against deep neural networks. In Proceedings of IEEE Symposium on Security and Privacy (S&P)."},{"key":"e_1_3_2_1_64_1","volume-title":"Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. ArXiv e-prints","author":"Papernot Nicolas","year":"2016","unstructured":"Nicolas Papernot, Patrick D McDaniel, and Ian J Goodfellow. 2016. Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. ArXiv e-prints (2016)."},{"key":"e_1_3_2_1_65_1","volume-title":"Proceedings of IEEE International Conference on Data Mining (ICDM).","author":"Pengcheng Li","year":"2018","unstructured":"Li Pengcheng, Jinfeng Yi, and Lijun Zhang. 2018. Query-efficient black-box attack by active learning. In Proceedings of IEEE International Conference on Data Mining (ICDM)."},{"key":"e_1_3_2_1_66_1","volume-title":"OCBEV: Object-Centric BEV Transformer for Multi-View 3D Object Detection. arXiv preprint arXiv:2306.01738","author":"Qi Zhangyang","year":"2023","unstructured":"Zhangyang Qi, Jiaqi Wang, Xiaoyang Wu, and Hengshuang Zhao. 2023. OCBEV: Object-Centric BEV Transformer for Multi-View 3D Object Detection. arXiv preprint arXiv:2306.01738 (2023)."},{"key":"e_1_3_2_1_67_1","volume-title":"A stochastic approximation method. The Annals of Mathematical Statistics","author":"Robbins Herbert","year":"1951","unstructured":"Herbert Robbins and Sutton Monro. 1951. A stochastic approximation method. The Annals of Mathematical Statistics (1951), 400--407."},{"key":"e_1_3_2_1_68_1","volume-title":"Antoine Chassang, Carlo Gatta, and Yoshua Bengio.","author":"Romero Adriana","year":"2014","unstructured":"Adriana Romero, Nicolas Ballas, Samira Ebrahimi Kahou, Antoine Chassang, Carlo Gatta, and Yoshua Bengio. 2014. Fitnets: Hints for thin deep nets. ArXiv e-prints (2014)."},{"key":"e_1_3_2_1_69_1","volume-title":"Active learning for convolutional neural networks: A core-set approach. ArXiv e-prints","author":"Sener Ozan","year":"2017","unstructured":"Ozan Sener and Silvio Savarese. 2017. Active learning for convolutional neural networks: A core-set approach. ArXiv e-prints (2017)."},{"key":"e_1_3_2_1_70_1","volume-title":"Proceedings of the IEEE International Symposium on Technologies for Homeland Security (HST).","author":"Shi Yi","year":"2017","unstructured":"Yi Shi, Yalin Sagduyu, and Alexander Grushin. 2017. How to steal a machine learning classifier with deep learning. In Proceedings of the IEEE International Symposium on Technologies for Homeland Security (HST)."},{"key":"e_1_3_2_1_71_1","volume-title":"2018 IEEE International Symposium on Technologies for Homeland Security (HST).","author":"Shi Yi","year":"2018","unstructured":"Yi Shi, Yalin E Sagduyu, Kemal Davaslioglu, and Jason H Li. 2018. Active deep learning attacks under strict rate limitations for online API calls. In 2018 IEEE International Symposium on Technologies for Homeland Security (HST)."},{"key":"e_1_3_2_1_72_1","volume-title":"Very deep convolutional networks for large-scale image recognition. ArXiv e-prints","author":"Simonyan Karen","year":"2014","unstructured":"Karen Simonyan and Andrew Zisserman. 2014. Very deep convolutional networks for large-scale image recognition. ArXiv e-prints (2014)."},{"key":"e_1_3_2_1_73_1","volume-title":"Going Deeper with Convolutions. ArXiv e-prints","author":"Szegedy Christian","year":"2014","unstructured":"Christian Szegedy, Wei Liu, Yangqing Jia, Pierre Sermanet, Scott E. Reed, Dragomir Anguelov, Dumitru Erhan, Vincent Vanhoucke, and Andrew Rabinovich. 2014. Going Deeper with Convolutions. ArXiv e-prints (2014)."},{"key":"e_1_3_2_1_74_1","volume-title":"Le","author":"Tan Mingxing","year":"2020","unstructured":"Mingxing Tan and Quoc V. Le. 2020. EfficientNet: Rethinking Model Scaling for Convolutional Neural Networks. ArXiv e-prints (2020)."},{"key":"e_1_3_2_1_75_1","volume-title":"Proceedings of USENIX Security Symposium (SEC).","author":"Tram\u00e8r Florian","year":"2016","unstructured":"Florian Tram\u00e8r, Fan Zhang, Ari Juels, Michael K Reiter, and Thomas Ristenpart. 2016. Stealing Machine Learning Models via Prediction APIs.. In Proceedings of USENIX Security Symposium (SEC)."},{"key":"e_1_3_2_1_76_1","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR).","author":"Truong Jean-Baptiste","year":"2021","unstructured":"Jean-Baptiste Truong, Pratyush Maini, Robert J. Walls, and Nicolas Papernot. 2021. Data-Free Model Extraction. In Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR)."},{"key":"e_1_3_2_1_77_1","volume-title":"Stealing Hyperparameters in Machine Learning. ArXiv e-prints","author":"Wang Binghui","year":"2019","unstructured":"Binghui Wang and Neil Zhenqiang Gong. 2019. Stealing Hyperparameters in Machine Learning. ArXiv e-prints (2019)."},{"key":"e_1_3_2_1_78_1","first-page":"1","article-title":"Learning dynamics of gradient descent optimization in deep neural networks","volume":"64","author":"Wu Wei","year":"2021","unstructured":"Wei Wu, Xiaoyuan Jing, Wencai Du, and Guoliang Chen. 2021. Learning dynamics of gradient descent optimization in deep neural networks. Science China Information Sciences 64 (2021), 1--15.","journal-title":"Science China Information Sciences"},{"key":"e_1_3_2_1_79_1","unstructured":"Meilong Xu Xiaoling Hu Saumya Gupta Shahira Abousamra and Chao Chen. 2023. TopoSemiSeg: Enforcing Topological Consistency for Semi-Supervised Segmentation of Histopathology Images. arXiv:2311.16447 [eess.IV]"},{"key":"e_1_3_2_1_80_1","volume-title":"Proceedings of Advances in Neural Information Processing Systems (NeurIPS)","volume":"32","author":"Yang Zhilin","year":"2019","unstructured":"Zhilin Yang, Zihang Dai, Yiming Yang, Jaime Carbonell, Russ R Salakhutdinov, and Quoc V Le. 2019. Xlnet: Generalized autoregressive pretraining for language understanding. In Proceedings of Advances in Neural Information Processing Systems (NeurIPS), Vol. 32."},{"key":"e_1_3_2_1_81_1","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR).","author":"Yim Junho","year":"2017","unstructured":"Junho Yim, Donggyu Joo, Jihoon Bae, and Junmo Kim. 2017. A gift from knowledge distillation: Fast optimization, network minimization and transfer learning. In Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR)."},{"key":"e_1_3_2_1_82_1","unstructured":"Honggang Yu Kaichen Yang Teng Zhang Yun-Yun Tsai Tsung-Yi Ho and Yier Jin. 2020. CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples. In NDSS."},{"key":"e_1_3_2_1_83_1","doi-asserted-by":"crossref","first-page":"183","DOI":"10.1049\/ell2.12015","article-title":"Restore DeepFakes video frames via identifying individual motion styles","volume":"57","author":"Zhang Haichao","year":"2021","unstructured":"Haichao Zhang, Zhe-Ming Lu, Hao Luo, and Ya-Pei Feng. 2021. Restore DeepFakes video frames via identifying individual motion styles. Electronics Letters 57, 4 (2021), 183--186.","journal-title":"Electronics Letters"},{"key":"e_1_3_2_1_84_1","volume-title":"Chen Change Loy, and Xiaoou Tang","author":"Zhang Zhanpeng","year":"2016","unstructured":"Zhanpeng Zhang, Ping Luo, Chen Change Loy, and Xiaoou Tang. 2016. From Facial Expression Recognition to Interpersonal Relation Prediction. ArXiv e-prints (2016)."},{"key":"e_1_3_2_1_85_1","volume-title":"Proceedings of AAAI Conference on Artificial Intelligence (AAAI)","volume":"37","author":"Zhou Qihua","year":"2023","unstructured":"Qihua Zhou, Song Guo, Jun Pan, Jiacheng Liang, Zhenda Xu, and Jingren Zhou. 2023. PASS: Patch Automatic Skip Scheme for Efficient Real-Time Video Perception on Edge Devices. In Proceedings of AAAI Conference on Artificial Intelligence (AAAI), Vol. 37."}],"event":{"name":"ASIA CCS '24: 19th ACM Asia Conference on Computer and Communications Security","location":"Singapore Singapore","acronym":"ASIA CCS '24","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 19th ACM Asia Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3634737.3657002","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T23:44:07Z","timestamp":1750290247000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3634737.3657002"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,7]]},"references-count":85,"alternative-id":["10.1145\/3634737.3657002","10.1145\/3634737"],"URL":"https:\/\/doi.org\/10.1145\/3634737.3657002","relation":{},"subject":[],"published":{"date-parts":[[2024,7]]},"assertion":[{"value":"2024-07-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}