{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,9]],"date-time":"2026-04-09T14:36:36Z","timestamp":1775745396543,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":62,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,12,2]],"date-time":"2024-12-02T00:00:00Z","timestamp":1733097600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Federal Ministry of Education and Research of Germany (BMBF)","award":["IoTGuard"],"award-info":[{"award-number":["IoTGuard"]}]},{"DOI":"10.13039\/501100006374","name":"European Commission","doi-asserted-by":"publisher","award":["101093126 & 101070537"],"award-info":[{"award-number":["101093126 & 101070537"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,12,2]]},"DOI":"10.1145\/3658644.3690369","type":"proceedings-article","created":{"date-parts":[[2024,12,9]],"date-time":"2024-12-09T12:19:20Z","timestamp":1733746760000},"page":"615-629","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Phantom: Untargeted Poisoning Attacks on Semi-Supervised Learning"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0007-5646-1665","authenticated-orcid":false,"given":"Jonathan","family":"Knauer","sequence":"first","affiliation":[{"name":"Technical University of Darmstadt, Darmstadt, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6216-7285","authenticated-orcid":false,"given":"Phillip","family":"Rieger","sequence":"additional","affiliation":[{"name":"Technical University of Darmstadt, Darmstadt, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3559-0296","authenticated-orcid":false,"given":"Hossein","family":"Fereidooni","sequence":"additional","affiliation":[{"name":"KOBIL GmbH, Darmstadt, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6833-3598","authenticated-orcid":false,"given":"Ahmad-Reza","family":"Sadeghi","sequence":"additional","affiliation":[{"name":"Technical University of Darmstadt, Darmstadt, Germany"}]}],"member":"320","published-online":{"date-parts":[[2024,12,9]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2019. PyTorch. https:\/\/pytorch.org."},{"key":"e_1_3_2_1_2_1","unstructured":"2019. PyTorch - GTSRB. https:\/\/pytorch.org\/vision\/0.17\/generated\/torchvision. datasets.GTSRB.html"},{"key":"e_1_3_2_1_3_1","unstructured":"Wendy Kan Addison Howard Eunbyung Park. 2018. ImageNet Object Localization Challenge. https:\/\/kaggle.com\/competitions\/imagenet-object-localizationchallenge"},{"key":"e_1_3_2_1_4_1","unstructured":"Anish Athalye Logan Engstrom Andrew Ilyas and Kevin Kwok. 2018. Synthesizing robust adversarial examples. In ICML. PMLR."},{"key":"e_1_3_2_1_5_1","volume-title":"Mixmatch: A holistic approach to semi-supervised learning. In NeurIPS.","author":"Berthelot David","year":"2019","unstructured":"David Berthelot, Nicholas Carlini, Ian Goodfellow, Nicolas Papernot, Avital Oliver, and Colin A Raffel. 2019. Mixmatch: A holistic approach to semi-supervised learning. In NeurIPS."},{"key":"e_1_3_2_1_6_1","volume-title":"Rachid Guerraoui, and Julien Stainer.","author":"Blanchard Peva","year":"2017","unstructured":"Peva Blanchard, El Mahdi El Mhamdi, Rachid Guerraoui, and Julien Stainer. 2017. Machine learning with adversaries: Byzantine tolerant gradient descent. In NIPS."},{"key":"e_1_3_2_1_7_1","volume-title":"USENIX Security","author":"Carlini Nicholas","unstructured":"Nicholas Carlini. 2021. Poisoning the Unlabeled Dataset of Semi-Supervised Learning. In USENIX Security. Usenix Association."},{"key":"e_1_3_2_1_8_1","volume-title":"Poisoning Web-Scale Training Datasets is Practical","author":"Carlini Nicholas","unstructured":"Nicholas Carlini, Matthew Jagielski, Christopher A Choquette-Choo, Daniel Paleka, Will Pearce, Hyrum Anderson, Andreas Terzis, Kurt Thomas, and Florian Tram\u00e8r. 2024. Poisoning Web-Scale Training Datasets is Practical. In IEEE S&P. IEEE Computer Society."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453079"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASRU.2017.8268969"},{"key":"e_1_3_2_1_11_1","volume-title":"AISTATS. JMLR Workshop and Conference Proceedings.","author":"Coates Adam","year":"2011","unstructured":"Adam Coates, Andrew Ng, and Honglak Lee. 2011. An analysis of single-layer networks in unsupervised feature learning. In AISTATS. JMLR Workshop and Conference Proceedings."},{"key":"e_1_3_2_1_12_1","volume-title":"Rethinking Backdoor Data Poisoning Attacks in the Context of Semi-Supervised Learning. arXiv preprint arXiv:2212.02582","author":"Connor Marissa","year":"2022","unstructured":"Marissa Connor and Vincent Emanuele. 2022. Rethinking Backdoor Data Poisoning Attacks in the Context of Semi-Supervised Learning. arXiv preprint arXiv:2212.02582 (2022)."},{"key":"e_1_3_2_1_13_1","unstructured":"Minghong Fang Xiaoyu Cao Jinyuan Jia and Neil Gong. 2020. Local Model Poisoning Attacks to {Byzantine-Robust} Federated Learning. In USENIX Security."},{"key":"e_1_3_2_1_14_1","volume-title":"Unlabeled Backdoor Poisoning in Semi-Supervised Learning. In IEEE International Conference on Multimedia and Expo (ICME). IEEE.","author":"Feng Le","year":"2022","unstructured":"Le Feng, Sheng Li, Zhenxing Qian, and Xinpeng Zhang. 2022. Unlabeled Backdoor Poisoning in Semi-Supervised Learning. In IEEE International Conference on Multimedia and Expo (ICME). IEEE."},{"key":"e_1_3_2_1_15_1","volume-title":"AuthentiSense: A Scalable Behavioral Biometrics Authentication Scheme using Few-Shot Learning for Mobile Platforms. NDSS","author":"Fereidooni Hossein","year":"2023","unstructured":"Hossein Fereidooni, Jan K\u00f6nig, Phillip Rieger, Marco Chilese, Bora G\u00f6kbakan, Moritz Finke, Alexandra Dmitrienko, and Ahmad-Reza Sadeghi. 2023. AuthentiSense: A Scalable Behavioral Biometrics Authentication Scheme using Few-Shot Learning for Mobile Platforms. NDSS (2023)."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3522664.3528606"},{"key":"e_1_3_2_1_17_1","volume-title":"Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572","author":"Goodfellow Ian J","year":"2014","unstructured":"Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014)."},{"key":"e_1_3_2_1_18_1","unstructured":"Samuel Harding Prashanth Rajivan Bennett I Bertenthal and Cleotilde Gonzalez. 2018. Human Decisions on Targeted and Non-Targeted Adversarial Sample.. In CogSci."},{"key":"e_1_3_2_1_19_1","volume-title":"Ralf Gommers, Pauli Virtanen, David Cournapeau, Eric Wieser, Julian Taylor","author":"Harris Charles R","year":"2020","unstructured":"Charles R Harris, K Jarrod Millman, St\u00e9fan J Van Der Walt, Ralf Gommers, Pauli Virtanen, David Cournapeau, Eric Wieser, Julian Taylor, Sebastian Berg, Nathaniel J Smith, et al. 2020. Array programming with NumPy. Nature 585, 7825 (2020), 357--362."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.dsp.2007.09.014"},{"key":"e_1_3_2_1_21_1","volume-title":"International joint conference on neural networks (IJCNN)","author":"Houben Sebastian","unstructured":"Sebastian Houben, Johannes Stallkamp, Jan Salmen, Marc Schlipsing, and Christian Igel. 2013. Detection of traffic signs in real-world images: The German Traffic Sign Detection Benchmark. In International joint conference on neural networks (IJCNN). IEEE."},{"key":"e_1_3_2_1_22_1","unstructured":"Xiaolin Hu Kai Li Weiyi Zhang Yi Luo Jean-Marie Lemercier and Timo Gerkmann. 2021. Speech separation using an asynchronous fully recurrent convolutional neural network. In NeurIPS."},{"key":"e_1_3_2_1_23_1","volume-title":"Metapoison: Practical general-purpose clean-label data poisoning. In NeurIPS.","author":"Huang W Ronny","year":"2020","unstructured":"W Ronny Huang, Jonas Geiping, Liam Fowl, Gavin Taylor, and Tom Goldstein. 2020. Metapoison: Practical general-purpose clean-label data poisoning. In NeurIPS."},{"key":"e_1_3_2_1_24_1","volume-title":"Revealed: The Hacking and disinformation team meddling in elections. https:\/\/www.theguardian.com\/world\/2023\/feb\/15\/revealeddisinformation- team-jorge-claim-meddling-elections-tal-hanan","author":"Kirchgaessner Stephanie","year":"2023","unstructured":"Stephanie Kirchgaessner, Manisha Ganguly, David Pegg, Carole Cadwalladr, and Jason Burke. 2023. Revealed: The Hacking and disinformation team meddling in elections. https:\/\/www.theguardian.com\/world\/2023\/feb\/15\/revealeddisinformation- team-jorge-claim-meddling-elections-tal-hanan"},{"key":"e_1_3_2_1_25_1","volume-title":"Phantom: Untargeted Poisoning Attacks on Semi-Supervised Learning. arXiv preprint arXiv:2409.01470","author":"Knauer Jonathan","year":"2024","unstructured":"Jonathan Knauer, Phillip Rieger, Hossein Fereidooni, and Ahmad-Reza Sadeghi. 2024. Phantom: Untargeted Poisoning Attacks on Semi-Supervised Learning. arXiv preprint arXiv:2409.01470 (2024)."},{"key":"e_1_3_2_1_26_1","unstructured":"Alex Krizhevsky Geoffrey Hinton et al. 2009. Learning multiple layers of features from tiny images. Citeseer."},{"key":"e_1_3_2_1_27_1","volume-title":"Proc. IEEE 86","author":"Lecun Y.","year":"1998","unstructured":"Y. Lecun, L. Bottou, Y. Bengio, and P. Haffner. 1998. Gradient-based learning applied to document recognition. Proc. IEEE 86, 11 (1998). https:\/\/doi.org\/10. 1109\/5.726791"},{"key":"e_1_3_2_1_28_1","unstructured":"Chumeng Liang Xiaoyu Wu Yang Hua Jiaru Zhang Yiming Xue Tao Song Zhengui Xue Ruhui Ma and Haibing Guan. 2023. Adversarial Example Does Good: Preventing Painting Imitation from Diffusion Models via Adversarial Examples. In ICML. PMLR."},{"key":"e_1_3_2_1_29_1","volume-title":"A unified framework for data poisoning attack to graph-based semi-supervised learning. NeurIPS","author":"Liu Xuanqing","year":"2019","unstructured":"Xuanqing Liu, Si Si, Xiaojin Zhu, Yang Li, and Cho-Jui Hsieh. 2019. A unified framework for data poisoning attack to graph-based semi-supervised learning. NeurIPS (2019)."},{"key":"e_1_3_2_1_30_1","unstructured":"Yingqi Liu Shiqing Ma Yousra Aafer Wen-Chuan Lee Juan Zhai WeihangWang and Xiangyu Zhang. 2018. Trojaning attack on neural networks. In NDSS."},{"key":"e_1_3_2_1_31_1","volume-title":"Carles Mili\u00e1n Enrique, and Pedro Fern\u00e1ndez de C\u00f3rdoba.","author":"Iglesias Mart\u00ednez Miguel Enrique","year":"2022","unstructured":"Miguel Enrique Iglesias Mart\u00ednez, Miguel \u00c1ngel Garc\u00eda March, Carles Mili\u00e1n Enrique, and Pedro Fern\u00e1ndez de C\u00f3rdoba. 2022. Algorithms for Noise Reduction in Signals: Theory and practical examples based on statistical and convolutional analysis. IOP Publishing."},{"key":"e_1_3_2_1_32_1","unstructured":"Brendan McMahan Eider Moore Daniel Ramage Seth Hampson and Blaise Aguera y Arcas. 2017. Communication-efficient learning of deep networks from decentralized data. In AISTATS. PMLR."},{"key":"e_1_3_2_1_33_1","unstructured":"Cade Metz. 2020. Twitter bots poised to spread disinformation before election. https:\/\/www.nytimes.com\/2020\/10\/29\/technology\/twitter-bots-poised-tospread- disinformation-before-election.html"},{"key":"e_1_3_2_1_34_1","volume-title":"NIPS Workshop on Deep Learning and Unsupervised Feature Learning.","author":"Netzer Yuval","year":"2011","unstructured":"Yuval Netzer, Tao Wang, Adam Coates, Alessandro Bissacco, Bo Wu, and Andrew Y Ng. 2011. Reading digits in natural images with unsupervised feature learning. In NIPS Workshop on Deep Learning and Unsupervised Feature Learning."},{"key":"e_1_3_2_1_35_1","unstructured":"Tuan Anh Nguyen and Anh Tuan Tran. 2021. WaNet-Imperceptible Warpingbased Backdoor Attack. In ICLR."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cviu.2022.103525"},{"key":"e_1_3_2_1_37_1","unstructured":"OpenAI. [n. d.]. ChatGPT: Optimizing Language Models for Dialogue. https: \/\/openai.com\/blog\/chatgpt\/."},{"key":"e_1_3_2_1_38_1","volume-title":"Gpt-4 technical report. arXiv preprint arXiv:2303.08774","author":"AI.","year":"2023","unstructured":"OpenAI. 2023. Gpt-4 technical report. arXiv preprint arXiv:2303.08774 (2023)."},{"key":"e_1_3_2_1_39_1","unstructured":"OpenAI. 2024. https:\/\/openai.com\/index\/introducing-improvements-to-thefine- tuning-api-and-expanding-our-custom-models-program"},{"key":"e_1_3_2_1_40_1","unstructured":"Tianyu Pang Chao Du Yinpeng Dong and Jun Zhu. 2018. Towards robust detection of adversarial examples. In NIPS."},{"key":"e_1_3_2_1_41_1","unstructured":"Tianyu Pang Xiao Yang Yinpeng Dong Hang Su and Jun Zhu. 2021. Accumulative poisoning attacks on real-time data. In NeurIPS."},{"key":"e_1_3_2_1_42_1","unstructured":"Billy Perrigo. 2023. OpenAI used Kenyan workers on less than 2 per hour: Exclusive. https:\/\/time.com\/6247678\/openai-chatgpt-kenya-workers"},{"key":"e_1_3_2_1_43_1","volume-title":"Hierarchical text-conditional image generation with clip latents. arXiv:2204.06125","author":"Ramesh Aditya","year":"2022","unstructured":"Aditya Ramesh, Prafulla Dhariwal, Alex Nichol, Casey Chu, and Mark Chen. 2022. Hierarchical text-conditional image generation with clip latents. arXiv:2204.06125 (2022)."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3474369.3486862"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0165-1684(96)00129-6"},{"key":"e_1_3_2_1_46_1","unstructured":"Ahmed Salem Apratim Bhattacharya Michael Backes Mario Fritz and Yang Zhang. 2020. Updates-Leak: Data set inference and reconstruction attacks in online learning. In USENIX Security."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2023.103502"},{"key":"e_1_3_2_1_48_1","volume-title":"Glaze: Protecting artists from style mimicry by Text-to-Image models. In USENIX Security.","author":"Shan Shawn","year":"2023","unstructured":"Shawn Shan, Jenna Cryan, Emily Wenger, Haitao Zheng, Rana Hanocka, and Ben Y Zhao. 2023. Glaze: Protecting artists from style mimicry by Text-to-Image models. In USENIX Security."},{"key":"e_1_3_2_1_49_1","volume-title":"Nightshade: Prompt-Specific Poisoning Attacks on Textto- Image Generative Models","author":"Shan Shawn","year":"2024","unstructured":"Shawn Shan, Wenxin Ding, Josephine Passananti, Stanley Wu, Haitao Zheng, and Ben Y Zhao. 2024. Nightshade: Prompt-Specific Poisoning Attacks on Textto- Image Generative Models. In IEEE S&P. IEEE Computer Society."},{"key":"e_1_3_2_1_50_1","volume-title":"Membership inference attacks against machine learning models","author":"Shokri Reza","unstructured":"Reza Shokri, Marco Stronati, Congzheng Song, and Vitaly Shmatikov. 2017. Membership inference attacks against machine learning models. In IEEE S&P. IEEE."},{"key":"e_1_3_2_1_51_1","volume-title":"Alexey Kurakin, and Chun-Liang Li.","author":"Sohn Kihyuk","year":"2020","unstructured":"Kihyuk Sohn, David Berthelot, Nicholas Carlini, Zizhao Zhang, Han Zhang, Colin A Raffel, Ekin Dogus Cubuk, Alexey Kurakin, and Chun-Liang Li. 2020. Fixmatch: Simplifying semi-supervised learning with consistency and confidence. In NeurIPS."},{"key":"e_1_3_2_1_52_1","unstructured":"Marianna Spring. 2024. Bot or not: Are fake accounts swaying voters towards Reform UK? https:\/\/www.bbc.com\/news\/articles\/c1335nj316lo"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP39728.2021.9413901"},{"key":"e_1_3_2_1_54_1","unstructured":"Paul Tassi. 2023. I Never Had Bot Problems On Twitter Until Elon Musk Now They?re Stalking Me. https:\/\/www.forbes.com\/sites\/paultassi\/2023\/12\/29\/i-neverhad- bot-problems-on-twitter-until-elon-musk-now-theyre-stalking-me\/"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2019.8682202"},{"key":"e_1_3_2_1_56_1","volume-title":"Bots and Computational Propaganda: Automation for Communication and Control","author":"Woolley Samuel C.","unstructured":"Samuel C. Woolley. 2020. Bots and Computational Propaganda: Automation for Communication and Control. Cambridge University Press, 89--110."},{"key":"e_1_3_2_1_57_1","unstructured":"Qizhe Xie Zihang Dai Eduard Hovy Thang Luong and Quoc Le. 2020. Unsupervised data augmentation for consistency training. In NeurIPS."},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i12.17266"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3116431"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140449"},{"key":"e_1_3_2_1_61_1","volume-title":"Flexmatch: Boosting semi-supervised learning with curriculum pseudo labeling. In NeurIPS.","author":"Zhang Bowen","year":"2021","unstructured":"Bowen Zhang, Yidong Wang, Wenxin Hou, Hao Wu, Jindong Wang, Manabu Okumura, and Takahiro Shinozaki. 2021. Flexmatch: Boosting semi-supervised learning with curriculum pseudo labeling. In NeurIPS."},{"key":"e_1_3_2_1_62_1","unstructured":"Xuezhou Zhang Xiaojin Zhu and Laurent Lessard. 2020. Online data poisoning attacks. In Learning for Dynamics and Control. PMLR."}],"event":{"name":"CCS '24: ACM SIGSAC Conference on Computer and Communications Security","location":"Salt Lake City UT USA","acronym":"CCS '24","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690369","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3658644.3690369","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T06:04:45Z","timestamp":1755842685000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690369"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,2]]},"references-count":62,"alternative-id":["10.1145\/3658644.3690369","10.1145\/3658644"],"URL":"https:\/\/doi.org\/10.1145\/3658644.3690369","relation":{},"subject":[],"published":{"date-parts":[[2024,12,2]]},"assertion":[{"value":"2024-12-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}