{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,10]],"date-time":"2026-02-10T13:30:19Z","timestamp":1770730219930,"version":"3.49.0"},"reference-count":575,"publisher":"Emerald","issue":"2-3","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,4,29]]},"abstract":"<jats:p>The success of machine learning algorithms relies not only on achieving good performance but also on ensuring trustworthiness across diverse applications and scenarios. Trustworthy machine learning seeks to handle critical problems in addressing the issues of robustness, privacy, security, reliability, and other desirable properties. The broad research area has achieved remarkable advancement and brings various emerging topics along with the progress. We present this survey to provide a systematic overview of the research problems under trustworthy machine learning covering the perspectives from data to model. Starting with fundamental data-centric learning, the survey reviews learning with noisy data, long-tailed distribution, out-of-distribution data, and adversarial examples to achieve robustness. Delving into private and secured learning, the survey elaborates on core methodologies differential privacy, different attacking threats, and learning paradigms, to realize privacy protection and enhance security. Finally, it introduces several trendy issues related to the foundation models, including jailbreak prompts, watermarking, and hallucination, as well as causal learning and reasoning. The survey integrates commonly isolated research problems in a unified manner, which provides general problem setups, detailed sub-directions, and further discussion on its challenges or future developments. 
We hope the comprehensive investigation presented in this survey can serve as a clear introduction for the problemevolution from data to models and also bring new insight for developing trustworthy machine learning.<\/jats:p>","DOI":"10.1561\/3300000043","type":"journal-article","created":{"date-parts":[[2025,4,29]],"date-time":"2025-04-29T03:24:41Z","timestamp":1745897081000},"page":"74-246","source":"Crossref","is-referenced-by-count":4,"title":["Trustworthy Machine Learning: From Data to Models"],"prefix":"10.1561","volume":"7","author":[{"given":"Bo","family":"Han","sequence":"first","affiliation":[{"name":"Hong Kong Baptist University","place":["Hong Kong Japan"]},{"name":"RIKEN","place":["Hong Kong Japan"]}]},{"given":"Jiangchao","family":"Yao","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University","place":["Chaina"]}]},{"given":"Tongliang","family":"Liu","sequence":"additional","affiliation":[{"name":"University of Sydney","place":["Australia UAE Japan"]},{"name":"MBZUAI","place":["Australia UAE Japan"]},{"name":"RIKEN","place":["Australia UAE Japan"]}]},{"given":"Bo","family":"Li","sequence":"additional","affiliation":[{"name":"University of Illinois Urbana-Champaign","place":["USA"]}]},{"given":"Sanmi","family":"Koyejo","sequence":"additional","affiliation":[{"name":"Stanford University","place":["USA"]}]},{"given":"Feng","family":"Liu","sequence":"additional","affiliation":[{"name":"University of Melbourne","place":["Australia"]}]}],"member":"140","published-online":{"date-parts":[[2025,4,29]]},"reference":[{"key":"2025121807031415900_ref001","article-title":"Watermarking GPT outputs","author":"Aaronson","year":"2022"},{"key":"2025121807031415900_ref002","article-title":"Deep learning with differential privacy","author":"Abadi","year":"2016","journal-title":"CCS"},{"key":"2025121807031415900_ref003","article-title":"Causal Modelling Agents: Causal Graph Discovery through Synergising Metadata-and Data-driven 
Reasoning","author":"Abdulaal","year":"2023","journal-title":"The Twelfth International Conference on Learning Representations"},{"key":"2025121807031415900_ref004","doi-asserted-by":"crossref","DOI":"10.1038\/s41586-024-07487-w","article-title":"Accurate structure prediction of biomolecular interactions with AlphaFold 3","author":"Abramson","year":"2024","journal-title":"Nature"},{"key":"2025121807031415900_ref005","article-title":"Gpt-4 technical report","author":"Achiam","year":"2023","journal-title":"arXiv preprintarXiv:2303.08774"},{"key":"2025121807031415900_ref006","article-title":"Invariance Principle Meets In- formation Bottleneck for Out-of-Distribution Generalization","author":"Ahuja","year":"2021","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref007","article-title":"The falcon series of open language models","author":"Almazrouei","year":"2023","journal-title":"arXiv preprint arXiv:2311.16867"},{"key":"2025121807031415900_ref008","doi-asserted-by":"crossref","DOI":"10.1186\/s12909-023-04698-z","article-title":"Revolutionizing healthcare: the role of artificial intelligence in clinical practice","author":"Alowais","year":"2023","journal-title":"BMC medical education"},{"key":"2025121807031415900_ref009","article-title":"Federated Learning With Quantized Global Model Updates","author":"Amiri","year":"2020","journal-title":"arXiv preprint arXiv:2006.10672"},{"key":"2025121807031415900_ref010","doi-asserted-by":"crossref","DOI":"10.1109\/TWC.2020.2974748","article-title":"Federated Learning Over Wire- less Fading Channels","author":"Amiri","year":"2020","journal-title":"IEEE Transactions on Wireless Communi- cations"},{"key":"2025121807031415900_ref011","article-title":"Mirror: Model inversion for deep learning network with high fidelity","author":"An","year":"2022","journal-title":"NDSS"},{"key":"2025121807031415900_ref012","article-title":"Understanding and improving fast adversarial 
training","author":"Andriushchenko","year":"2020","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref013","doi-asserted-by":"crossref","DOI":"10.1109\/LWC.2019.2917133","article-title":"Efficient Training Management for Mobile Crowd-Machine Learn- ing: A Deep Reinforcement Learning Approach","author":"Anh","year":"2019","journal-title":"IEEE Wireless Communications Letters"},{"key":"2025121807031415900_ref014","article-title":"Many-shot jailbreaking","author":"Anil","year":"2024","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref015","article-title":"In- variant Risk Minimization","author":"Arjovsky","year":"2019","journal-title":"arXiv preprint arXiv:1907.02893"},{"key":"2025121807031415900_ref016","article-title":"Ensemble of Averages: Improving Model Selection and Boosting Performance in Domain Generalization","author":"Arpit","year":"2022","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref017","doi-asserted-by":"crossref","DOI":"10.1609\/aaaiss.v4i1.31764","article-title":"Cause and effect: Can large language models truly understand causality?","author":"Ashwani","year":"2024","journal-title":"Proceedings of the AAAI Symposium Series"},{"key":"2025121807031415900_ref018","article-title":"The hidden uniform cluster prior in self-supervised learning","author":"Assran","year":"2023","journal-title":"ICLR"},{"key":"2025121807031415900_ref019","article-title":"On the Effectiveness of Out-of-Distribution Data in Self-Supervised Long-Tail Learning.","author":"Bai","year":"2023","journal-title":"ICLR"},{"key":"2025121807031415900_ref020","article-title":"Leak, cheat, repeat: Data contamination and evaluation malpractices in closed-source LLMs","author":"Balloccu","year":"2024","journal-title":"arXiv preprint arXiv:2402.03927"},{"key":"2025121807031415900_ref021","article-title":"Causal struc- ture learning supervised by large language model","author":"Ban","year":"2023","journal-title":"arXiv preprint 
arXiv:2311.11689"},{"key":"2025121807031415900_ref022","article-title":"From query tools to causal architects: Harnessing large language models for advanced causal discovery from data","author":"Ban","year":"2023","journal-title":"arXiv preprint arXiv:2306.16902"},{"key":"2025121807031415900_ref023","first-page":"194","article-title":"Seven failure points when engineering a retrieval augmented generation system","author":"Barnett","year":"2024","journal-title":"Proceedings of the IEEE\/ACM 3rd International Conference on AI Engineering-Software Engineer- ing for AI"},{"key":"2025121807031415900_ref024","article-title":"Can machine learning be secure?","author":"Barreno","year":"2006","journal-title":"ACM CCS"},{"key":"2025121807031415900_ref025","article-title":"A little is enough: Circumventing defenses for distributed learning","author":"Baruch","year":"2019","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref026","article-title":"Towards open set deep networks","author":"Bendale","year":"2016","journal-title":"CVPR"},{"key":"2025121807031415900_ref027","doi-asserted-by":"crossref","DOI":"10.1109\/OJITS.2022.3181510","article-title":"Autonomous vehicles on the edge: A survey on autonomous vehicle racing","author":"Betz","year":"2022","journal-title":"IEEE Open Journal of Intelligent Transportation Systems"},{"key":"2025121807031415900_ref028","article-title":"Poisoning attacks against support vector machines","author":"Biggio","year":"2012","journal-title":"ICML"},{"key":"2025121807031415900_ref029","article-title":"Support vector machines under adversarial label noise","author":"Biggio","year":"2011","journal-title":"ACML"},{"key":"2025121807031415900_ref030","article-title":"Language models are few-shot learners","author":"Brown","year":"2020","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref031","article-title":"Language models are few-shot learners","author":"Brown","year":"2020","journal-title":"arXiv preprint 
arXiv:2005.14165"},{"key":"2025121807031415900_ref032","article-title":"Discovering latent knowledge in language models without supervision","author":"Burns","year":"2022","journal-title":"arXiv preprint arXiv:2212.03827"},{"key":"2025121807031415900_ref033","article-title":"Is Knowledge All Large Language Models Needed for Causal Reasoning?","author":"Cai","year":"2023","journal-title":"arXiv preprint arXiv:2401.00139"},{"key":"2025121807031415900_ref034","article-title":"Take a look at it! rethinking how to evaluate language model jailbreak","author":"Cai","year":"2024","journal-title":"ACL"},{"key":"2025121807031415900_ref035","article-title":"En- visioning Outlier Exposure by Large Language Models for Out-of- Distribution Detection","author":"Cao","year":"2024","journal-title":"ICML"},{"key":"2025121807031415900_ref036","article-title":"Understanding distributed poisoning attack in federated learning","author":"Cao","year":"2019","journal-title":"ICPADS"},{"key":"2025121807031415900_ref037","article-title":"Learn- ing imbalanced datasets with label-distribution-aware margin loss","author":"Cao","year":"2019","journal-title":"Advances in neural information processing systems"},{"key":"2025121807031415900_ref038","article-title":"Ai in finance: challenges, techniques, and opportunities","author":"Cao","year":"2022","journal-title":"ACM Computing Surveys (CSUR)"},{"key":"2025121807031415900_ref039","article-title":"Membership inference attacks from first principles","author":"Carlini","year":"2022","journal-title":"IEEE SP"},{"key":"2025121807031415900_ref040","article-title":"Are aligned neural networks adversarially aligned?","author":"Carlini","year":"2023","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref041","article-title":"Unlabeled data improves adversarial 
robustness","author":"Carmon","year":"2019","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref042","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3616865","article-title":"Fairness in Machine Learning: A Survey","volume":"166","author":"Caton","year":"2024","journal-title":"ACM Comput. Surv."},{"key":"2025121807031415900_ref043","article-title":"SWAD: Domain Generalization by Seeking Flat Minima","author":"Cha","year":"2021","journal-title":"NeurIPS"},{"issue":"3","key":"2025121807031415900_ref044","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3641289","article-title":"A survey on evaluation of large language models","volume":"15","author":"Chang","year":"2024","journal-title":"ACM transactions on intelligent systems and technology"},{"key":"2025121807031415900_ref045","article-title":"Deepwalking backwards: from embeddings back to graphs","author":"Chanpuriya","year":"2021","journal-title":"ICML"},{"key":"2025121807031415900_ref046","article-title":"Jailbreaking black box large language models in twenty queries","author":"Chao","year":"2023","journal-title":"arXiv preprint arXiv:2310.08419"},{"key":"2025121807031415900_ref047","article-title":"Privacy-preserving logistic regression","author":"Chaudhuri","year":"2008","journal-title":"NIPS"},{"key":"2025121807031415900_ref048","article-title":"Gan-leaks: A tax- onomy of membership inference attacks against generative models","author":"Chen","year":"2020","journal-title":"ACM SIGSAC"},{"key":"2025121807031415900_ref049","article-title":"Robust Classification via a Single Diffusion Model","author":"Chen","year":"2024","journal-title":"ICML"},{"issue":"1","key":"2025121807031415900_ref050","doi-asserted-by":"crossref","first-page":"123","DOI":"10.1146\/annurev-biodatasci-092820-114757","article-title":"Ethical machine learning in healthcare","volume":"4","author":"Chen","year":"2021","journal-title":"Annual review of biomedical data 
science"},{"key":"2025121807031415900_ref051","article-title":"Redundancy-adaptive multimodal learning for imperfect data","author":"Chen","year":"2023","journal-title":"arXiv preprint arXiv:2310.14496"},{"key":"2025121807031415900_ref052","article-title":"Boundary Unlearning","author":"Chen","year":"2023","journal-title":"CVPR"},{"issue":"6","key":"2025121807031415900_ref053","doi-asserted-by":"crossref","first-page":"719","DOI":"10.1038\/s41551-023-01056-8","article-title":"Algorithmic fairness in artificial intelligence for medicine and healthcare","volume":"7","author":"Chen","year":"2023","journal-title":"Nature biomedical engineering"},{"key":"2025121807031415900_ref054","article-title":"Knowledge-enriched distributional model inversion attacks","author":"Chen","year":"2021","journal-title":"ICCV"},{"key":"2025121807031415900_ref055","article-title":"Robust overfitting may be mitigated by properly learned smoothening","author":"Chen","year":"2020","journal-title":"ICLR"},{"key":"2025121807031415900_ref056","article-title":"A simple framework for contrastive learning of visual representations","author":"Chen","year":"2020","journal-title":"ICML"},{"key":"2025121807031415900_ref057","article-title":"Big self-supervised models are strong semi-supervised learners","author":"Chen","year":"2020"},{"key":"2025121807031415900_ref058","article-title":"Infogan: Interpretable representation learning by information maximizing generative adversarial nets","author":"Chen","year":"2016","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref059","first-page":"19277","article-title":"Area: adaptive reweighting via effective area for long- tailed classification","author":"Chen","year":"2023","journal-title":"Proceedings of the IEEE\/CVF International Conference on Computer Vision"},{"key":"2025121807031415900_ref060","article-title":"Text Embedding Inversion Security for Multilingual Language 
Models","author":"Chen","year":"2024","journal-title":"ACL"},{"key":"2025121807031415900_ref061","article-title":"How Interpretable Are Interpretable Graph Neural Networks?","author":"Chen","year":"2024","journal-title":"ICML"},{"key":"2025121807031415900_ref062","article-title":"Does Invariant Graph Learning via Environment Augmentation Learn Invariance?","author":"Chen","year":"2023","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref063","article-title":"Understanding and Improving Feature Learning for Out- of-Distribution Generalization","author":"Chen","year":"2023","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref064","article-title":"Learning Causally Invariant Representations for Out-of-Distribution Generalization on Graphs","author":"Chen","year":"2022","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref065","article-title":"Pareto Invariant Risk Minimization","author":"Chen","year":"2023","journal-title":"ICLR"},{"key":"2025121807031415900_ref066","article-title":"HALC: Object Hallucination Reduction via Adaptive Focal-Contrast De- coding","author":"Chen","year":"2024","journal-title":"ICML"},{"key":"2025121807031415900_ref067","article-title":"Resur- recting Label Propagation for Graphs with Heterophily and Label Noise","author":"Cheng","year":"2024","journal-title":"KDD"},{"key":"2025121807031415900_ref068","article-title":"Resur- recting Label Propagation for Graphs with Heterophily and Label Noise","author":"Cheng","year":"2024","journal-title":"KDD"},{"key":"2025121807031415900_ref069","article-title":"Unveiling Causal Reasoning in Large Language Models: Reality or Mirage?","author":"Chi","year":"2024","journal-title":"The Thirty-eighth Annual Conference on Neural Information Processing Systems"},{"key":"2025121807031415900_ref070","article-title":"Unveiling Causal Reasoning in Large Language Models: Reality or Mirage?","author":"Chi","year":"2024","journal-title":"The Thirty-eighth Annual Conference on Neural Information 
Processing Systems"},{"key":"2025121807031415900_ref071","article-title":"Heterogeneous ensemble knowledge transfer for training large mod- els in federated learning","author":"Cho","year":"2022","journal-title":"arXiv preprint arXiv:2204.12703"},{"key":"2025121807031415900_ref072","article-title":"Breaking down the defenses: A compar- ative survey of attacks on large language models","author":"Chowdhury","year":"2024","journal-title":"arXiv preprint arXiv:2403.04786"},{"key":"2025121807031415900_ref073","article-title":"Deep reinforcement learning from human preferences","author":"Christiano","year":"2017","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref074","doi-asserted-by":"crossref","first-page":"694","DOI":"10.1007\/978-3-030-58526-6_41","volume-title":"Computer Vision\u2013ECCV 2020: 16th European Conference, Glasgow, UK, August 23\u201328, 2020, Proceed- ings, Part XXIX 16","author":"Chu","year":"2020"},{"key":"2025121807031415900_ref075","first-page":"16670","article-title":"Robust contrastive learning against noisy views","author":"Chuang","year":"2022","journal-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition"},{"key":"2025121807031415900_ref076","article-title":"Dola: Decoding by contrasting layers improves factuality in large language models","author":"Chuang","year":"2023","journal-title":"arXiv preprint arXiv:2309.03883"},{"key":"2025121807031415900_ref077","article-title":"Learning from partial labels","author":"Cour","year":"2011","journal-title":"The Journal of Machine Learning Research"},{"key":"2025121807031415900_ref078","article-title":"Environment Infer- ence for Invariant Learning","author":"Creager","year":"2021","journal-title":"ICML"},{"key":"2025121807031415900_ref079","doi-asserted-by":"crossref","DOI":"10.1016\/j.inffus.2022.07.024","article-title":"Non-IID data and Continual Learning processes in Federated Learning: A long road 
ahead","author":"Criado","year":"2022","journal-title":"Information Fusion"},{"key":"2025121807031415900_ref080","doi-asserted-by":"crossref","DOI":"10.1109\/TPAMI.2023.3261988","article-title":"Dif- fusion models in vision: A survey","author":"Croitoru","year":"2023","journal-title":"IEEE TPAMI"},{"key":"2025121807031415900_ref081","article-title":"Randaug- ment: Practical automated data augmentation with a reduced search space","author":"Cubuk","year":"2020","journal-title":"CVPR workshops"},{"key":"2025121807031415900_ref082","first-page":"9268","article-title":"Class- balanced loss based on effective number of samples","author":"Cui","year":"2019","journal-title":"Proceedings of the IEEE\/CVF conference on computer vision and pattern recog- nition"},{"key":"2025121807031415900_ref083","article-title":"Sinkhorn Distances: Lightspeed Computation of Optimal Transport","author":"Cuturi","year":"2013","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref084","article-title":"Nrgnn: Learning a label noise resistant graph neural network on sparsely and noisily labeled graphs","author":"Dai","year":"2021","journal-title":"KDD"},{"key":"2025121807031415900_ref085","article-title":"Safe rlhf: Safe reinforcement learning from human feed- back","author":"Dai","year":"2024","journal-title":"ICLR"},{"key":"2025121807031415900_ref086","article-title":"En- hancing One-Shot Federated Learning Through Data and Ensemble Co-Boosting","author":"Dai","year":"2024","journal-title":"The Twelfth International Conference on Learning Representations"},{"key":"2025121807031415900_ref087","article-title":"Security and privacy challenges of large language models: A survey","author":"Das","year":"2024","journal-title":"arXiv preprint arXiv:2402.00888"},{"key":"2025121807031415900_ref088","article-title":"Why do adversarial attacks transfer? 
explaining transferability of evasion and poisoning attacks","author":"Demontis","year":"2019","journal-title":"USENIX security"},{"key":"2025121807031415900_ref089","article-title":"MasterKey: Automated Jailbreak Across Multiple Large Language Model Chatbots","author":"Deng","year":"2023","journal-title":"arXiv preprint arXiv:2307.08715"},{"key":"2025121807031415900_ref090","article-title":"Imagenet: A large-scale hierarchical image database","author":"Deng","year":"2009","journal-title":"CVPR"},{"key":"2025121807031415900_ref091","article-title":"SOPHON: Non-Fine-Tunable Learning to Restrain Task Transferability For Pre-trained Models","author":"Deng","year":"2024","journal-title":"IEEE SP"},{"key":"2025121807031415900_ref092","article-title":"LiBRe: A Practical Bayesian Approach to Adversarial Detection","author":"Deng","year":"2021","journal-title":"CVPR"},{"key":"2025121807031415900_ref093","article-title":"Heterogeneity for the win: One-shot federated clustering","author":"Dennis","year":"2021","journal-title":"International Conference on Machine Learning"},{"key":"2025121807031415900_ref094","first-page":"15404","article-title":"Learning of visual relations: The devil is in the tails","author":"Desai","year":"2021","journal-title":"Proceedings of the IEEE\/CVF International Conference on Computer Vision"},{"key":"2025121807031415900_ref095","article-title":"Bert: Pre-training of deep bidirectional transformers for language understanding","author":"Devlin","year":"2018","journal-title":"arXiv preprint arXiv:1810.04805"},{"key":"2025121807031415900_ref096","article-title":"BERT: Pre-training of Deep Bidirectional Transformers for Language Un- derstanding","author":"Devlin","year":"2019","journal-title":"NAACL"},{"key":"2025121807031415900_ref097","article-title":"End-To-End Causal Effect Estimation from Unstructured Natural Language Data","author":"Dhawan","year":"2024","journal-title":"The Thirty-eighth Annual Conference on Neural Information Processing 
Systems"},{"key":"2025121807031415900_ref098","doi-asserted-by":"crossref","first-page":"1218","DOI":"10.1609\/aaai.v35i2.16209","article-title":"Similarity reasoning and filtration for image-text matching","author":"Diao","year":"2021","journal-title":"Proceedings of the AAAI conference on artificial intelligence"},{"key":"2025121807031415900_ref099","article-title":"MMA Training: Direct Input Space Margin Maximization through Adver- sarial Training","author":"Ding","year":"2020","journal-title":"ICLR"},{"key":"2025121807031415900_ref100","article-title":"A Wolf in Sheep\u2019s Clothing: Generalized Nested Jailbreak Prompts can Fool Large Language Models Easily","author":"Ding","year":"2023","journal-title":"NAACL"},{"key":"2025121807031415900_ref101","article-title":"Extremely simple activation shaping for out-of-distribution detection","author":"Djurisic","year":"2023"},{"key":"2025121807031415900_ref102","article-title":"Towards understanding and reducing graph structural noise for GNNs","author":"Dong","year":"2023","journal-title":"ICML"},{"key":"2025121807031415900_ref103","doi-asserted-by":"crossref","first-page":"0210","DOI":"10.23919\/MIPRO.2018.8400040","article-title":"Explainable artificial intelligence: A survey","author":"Do\u0161ilovi\u0107","year":"2018","journal-title":"2018 41st International convention on information and communication technology, electronics and micro- electronics (MIPRO)"},{"key":"2025121807031415900_ref104","article-title":"Noise-robust graph learning by estimating and leveraging pairwise interactions","author":"Du","year":"2021","journal-title":"TMLR"},{"key":"2025121807031415900_ref105","article-title":"Are diffusion models vulnerable to membership inference attacks?","author":"Duan","year":"2023","journal-title":"ICML"},{"key":"2025121807031415900_ref106","article-title":"The llama 3 herd of models","author":"Dubey","year":"2024","journal-title":"arXiv"},{"key":"2025121807031415900_ref107","article-title":"Our data, 
ourselves: Privacy via distributed noise genera- tion","author":"Dwork","year":"2006","journal-title":"Advances in Cryptology \u2013 EUROCRYPT"},{"key":"2025121807031415900_ref108","article-title":"The algorithmic foundations of differ- ential privacy","author":"Dwork","year":"2014","journal-title":"Foundations and Trends\u00ae in Theoretical Computer Science"},{"key":"2025121807031415900_ref109","article-title":"On the origin of hallucinations in conversational models: Is it the datasets or the models?","author":"Dziri","year":"2022","journal-title":"arXiv preprint arXiv:2204.07931"},{"key":"2025121807031415900_ref110","article-title":"Secure aggregation with heterogeneous quantization in federated learning","author":"ElKordy","year":"2020","journal-title":"arXiv preprint arxiv:2009.14388"},{"key":"2025121807031415900_ref111","doi-asserted-by":"crossref","DOI":"10.1609\/aaai.v36i6.20610","article-title":"Zero-shot out-of-distribution detection based on the pre-trained model clip","author":"Esmaeilpour","year":"2022","journal-title":"AAAI"},{"key":"2025121807031415900_ref112","article-title":"SalUn: Empowering Machine Unlearning via Gradient-based Weight Saliency in Both Image Classification and Generation","author":"Fan","year":"2024","journal-title":"ICLR"},{"key":"2025121807031415900_ref113","article-title":"A survey on data poisoning attacks and defenses","author":"Fan","year":"2022","journal-title":"DSC"},{"key":"2025121807031415900_ref114","article-title":"Data Determines Distributional Robustness in Contrastive Language Image Pre-training (CLIP)","author":"Fang","year":"2022","journal-title":"ICML"},{"key":"2025121807031415900_ref115","article-title":"Is out-of-distribution detection learnable?","author":"Fang","year":"2022"},{"key":"2025121807031415900_ref116","article-title":"Causal- structure driven augmentations for text ood generalization","author":"Feder","year":"2024","journal-title":"Advances in Neural Information Processing 
Systems"},{"key":"2025121807031415900_ref117","doi-asserted-by":"crossref","DOI":"10.1609\/aies.v7i1.31647","article-title":"Red-Teaming for Generative AI: Silver Bullet or Security Theater?","author":"Feffer","year":"2024","journal-title":"AIES"},{"key":"2025121807031415900_ref118","doi-asserted-by":"crossref","DOI":"10.7551\/mitpress\/7287.001.0001","volume-title":"WordNet: An Electronic Lexical Database","author":"Fellbaum","year":"1998"},{"key":"2025121807031415900_ref119","first-page":"3417","article-title":"Exploring classification equilibrium in long-tailed object detection","author":"Feng","year":"2021","journal-title":"Proceedings of the IEEE\/CVF International conference on computer vision"},{"key":"2025121807031415900_ref120","article-title":"Provably Consistent Partial-Label Learning","author":"Feng","year":"2020","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref121","doi-asserted-by":"crossref","DOI":"10.1609\/aaai.v38i11.29084","article-title":"BaCon: Boosting Imbal- anced Semi-supervised Learning via Balanced Feature-Level Con- trastive Learning","author":"Feng","year":"2024","journal-title":"AAAI"},{"key":"2025121807031415900_ref122","article-title":"Learning from noisy correspondence with tri-partition for cross-modal matching","author":"Feng","year":"2023","journal-title":"IEEE Transactions on Multimedia"},{"key":"2025121807031415900_ref123","article-title":"The stable signature: Rooting watermarks in latent diffusion mod- els","author":"Fernandez","year":"2023","journal-title":"ICCV"},{"key":"2025121807031415900_ref124","article-title":"Exploring the Limits of Out-of-Distribution Detection","author":"Fort","year":"2021","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref125","article-title":"The Lottery Ticket Hypothesis: Training Pruned Neural Networks","author":"Frankle","year":"2018","journal-title":"CoRR"},{"key":"2025121807031415900_ref126","article-title":"Privacy in pharmacogenetics: An {End-to-End} case study of 
personalized warfarin dosing","author":"Fredrikson","year":"2014","journal-title":"USENIX Security"},{"key":"2025121807031415900_ref127","article-title":"Model inversion attacks that exploit confidence information and basic countermea- sures","author":"Fredrikson","year":"2015","journal-title":"CCS"},{"key":"2025121807031415900_ref128","article-title":"A Probabilistic Fluctuation based Membership Inference Attack for Diffusion Models","author":"Fu","year":"2023","journal-title":"arXiv e-prints"},{"key":"2025121807031415900_ref129","article-title":"Model Will Tell: Training Membership Inference for Diffusion Models","author":"Fu","year":"2024","journal-title":"arXiv preprint arXiv:2403.08487"},{"key":"2025121807031415900_ref130","article-title":"Differentially private empirical risk minimization with input perturbation","author":"Fukuchi","year":"2017","journal-title":"Discovery Science"},{"key":"2025121807031415900_ref131","article-title":"WOODS: Benchmarks for Out-of-Distribution Generalization in Time Series","author":"Gagnon-Audet","year":"2023","journal-title":"TMLR"},{"key":"2025121807031415900_ref132","article-title":"Erasing the Bias: Fine-Tuning Foundation Models for Semi-Supervised Learning","author":"Gan","year":"2024","journal-title":"ICML"},{"key":"2025121807031415900_ref133","article-title":"Erasing concepts from diffusion models","author":"Gandikota","year":"2023","journal-title":"ICCV"},{"key":"2025121807031415900_ref134","article-title":"Domain- Adversarial Training of Neural Networks","author":"Ganin","year":"2016","journal-title":"Journal of Mache Learning Research"},{"key":"2025121807031415900_ref135","article-title":"A survey on heterogeneous federated learning","author":"Gao","year":"2022","journal-title":"arXiv preprint arXiv:2210.04505"},{"key":"2025121807031415900_ref136","article-title":"Rarr: Researching and revising what language models say, using language models","author":"Gao","year":"2022","journal-title":"arXiv preprint 
arXiv:2210.08726"},{"key":"2025121807031415900_ref137","article-title":"Maximum Mean Discrepancy Test is Aware of Adversarial Attacks","author":"Gao","year":"2021","journal-title":"ICML"},{"key":"2025121807031415900_ref138","article-title":"An efficient framework for clustered federated learning","author":"Ghosh","year":"2020","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2025121807031415900_ref139","article-title":"Eternal sunshine of the spotless net: Selective forgetting in deep networks","author":"Golatkar","year":"2020","journal-title":"CVPR"},{"key":"2025121807031415900_ref140","article-title":"Generative adversarial nets","author":"Goodfellow","year":"2014","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref141","article-title":"Explaining and Harnessing Adversarial Examples","author":"Goodfellow","year":"2015","journal-title":"ICLR"},{"key":"2025121807031415900_ref142","article-title":"A Kernel Two-Sample Test","author":"Gretton","year":"2012","journal-title":"J. Mach. Learn. 
Res."},{"key":"2025121807031415900_ref143","article-title":"Bootstrap your own latent-a new approach to self-supervised learning","author":"Grill","year":"2020","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref144","article-title":"On the learnability of watermarks for language models","author":"Gu","year":"2023","journal-title":"arXiv preprint arXiv:2312.04469"},{"key":"2025121807031415900_ref145","article-title":"Agent smith: A single image can jailbreak one million multimodal llm agents exponentially fast","author":"Gu","year":"2024","journal-title":"ICML"},{"key":"2025121807031415900_ref146","doi-asserted-by":"crossref","first-page":"1500","DOI":"10.1162\/tacl_a_00615","article-title":"Hallucinations in large multilingual translation models","volume":"11","author":"Guerreiro","year":"2023","journal-title":"Transactions of the Association for Computational Linguistics"},{"key":"2025121807031415900_ref147","article-title":"One-shot federated learning","author":"Guha","year":"2019","journal-title":"arXiv preprint arXiv:1902.11175"},{"key":"2025121807031415900_ref148","article-title":"GOOD: A Graph Out-of-Distribution Benchmark","author":"Gui","year":"2022","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref149","article-title":"In Search of Lost Domain Generalization","author":"Gulrajani","year":"2021","journal-title":"ICLR"},{"key":"2025121807031415900_ref150","article-title":"On calibration of modern neural networks","author":"Guo","year":"2017","journal-title":"ICML"},{"key":"2025121807031415900_ref151","article-title":"Domain watermark: Effective and harmless dataset copyright protection is closed at hand","author":"Guo","year":"2024","journal-title":"NeurIPS"},{"issue":"3","key":"2025121807031415900_ref152","doi-asserted-by":"crossref","first-page":"736","DOI":"10.1162\/qss_a_00310","article-title":"A critical review of large language models: Sensitivity, bias, and the path toward specialized 
ai","volume":"5","author":"Hajikhani","year":"2024","journal-title":"Quantitative Science Studies"},{"key":"2025121807031415900_ref153","first-page":"31","article-title":"Masking: A new perspective of noisy supervision","author":"Han","year":"2018","journal-title":"Advances in neural information processing systems"},{"key":"2025121807031415900_ref154","first-page":"31","article-title":"Co-teaching: Robust training of deep neural networks with extremely noisy labels","author":"Han","year":"2018","journal-title":"Advances in neural information processing systems"},{"key":"2025121807031415900_ref155","article-title":"Reinforcement learning-based black-box model inversion attacks","author":"Han","year":"2023","journal-title":"CVPR"},{"key":"2025121807031415900_ref156","first-page":"7517","article-title":"Noisy correspondence learning with meta similarity correction","author":"Han","year":"2023","journal-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition"},{"key":"2025121807031415900_ref157","first-page":"26679","article-title":"Learning to Rematch Mismatched Pairs for Robust Cross-Modal Retrieval","author":"Han","year":"2024","journal-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition"},{"key":"2025121807031415900_ref158","article-title":"Frequency Domain Adversarial Training for Robust Volumetric Medical Segmentation","author":"Hanif","year":"2023","journal-title":"MICCAI"},{"key":"2025121807031415900_ref159","article-title":"Logan: Membership inference attacks against generative models","author":"Hayes","year":"2017","journal-title":"arXiv preprint arXiv:1705.07663"},{"key":"2025121807031415900_ref160","article-title":"Momentum contrast for unsupervised visual representation learning","author":"He","year":"2020","journal-title":"CVPR"},{"key":"2025121807031415900_ref161","article-title":"Data-efficient image recognition with contrastive predictive 
coding","author":"Henaff","year":"2020","journal-title":"ICML"},{"key":"2025121807031415900_ref162","article-title":"A Baseline for Detecting Misclassified and Out-of-Distribution Examples in Neural Networks","author":"Hendrycks","year":"2017","journal-title":"ICLR"},{"key":"2025121807031415900_ref163","article-title":"Deep anomaly detection with outlier exposure","author":"Hendrycks","year":"2018","journal-title":"ICLR"},{"key":"2025121807031415900_ref164","article-title":"Clipscore: A reference-free evaluation metric for image captioning","author":"Hessel","year":"2021","journal-title":"arXiv preprint arXiv:2104.08718"},{"key":"2025121807031415900_ref165","doi-asserted-by":"crossref","DOI":"10.1007\/s40593-021-00239-1","article-title":"Ethics of AI in education: Towards a community-wide framework","author":"Holmes","year":"2022","journal-title":"International Journal of Artificial Intelligence in Education"},{"key":"2025121807031415900_ref166","article-title":"On Harmonizing Implicit Subpopulations","author":"Hong","year":"2024","journal-title":"ICLR"},{"key":"2025121807031415900_ref167","article-title":"Long-Tailed Partial Label Learning via Dynamic Rebalancing","author":"Hong","year":"2023","journal-title":"ICLR"},{"key":"2025121807031415900_ref168","first-page":"6626","article-title":"Disentangling label distribution for long-tailed visual recognition","author":"Hong","year":"2021","journal-title":"Proceedings of the IEEE\/CVF conference on computer vision and pattern recognition"},{"key":"2025121807031415900_ref169","article-title":"Curiosity-driven Red-teaming for Large Language Models","author":"Hong","year":"2024","journal-title":"ICLR"},{"key":"2025121807031415900_ref170","article-title":"Your Transferability Barrier is Fragile: Free-Lunch for Transferring the Non-Transferable Learning","author":"Hong","year":"2024","journal-title":"CVPR"},{"key":"2025121807031415900_ref171","article-title":"Improving Non-Transferable Representation Learning by 
Harnessing Content and Style","author":"Hong","year":"2024","journal-title":"ICLR"},{"issue":"9","key":"2025121807031415900_ref172","first-page":"5149","article-title":"Meta-learning in neural networks: A survey","volume":"44","author":"Hospedales","year":"2021","journal-title":"IEEE transactions on pattern analysis and machine intelligence"},{"key":"2025121807031415900_ref173","article-title":"Semstamp: A semantic watermark with paraphrastic robustness for text generation","author":"Hou","year":"2023","journal-title":"arXiv preprint arXiv:2310.03991"},{"key":"2025121807031415900_ref174","article-title":"Scheduling and Aggregation Design for Asynchronous Federated Learning Over Wireless Networks","author":"Hu","year":"2022","journal-title":"IEEE Journal on Selected Areas in Communications"},{"key":"2025121807031415900_ref175","doi-asserted-by":"crossref","DOI":"10.1145\/3523273","article-title":"Membership inference attacks on machine learning: A survey","author":"Hu","year":"2022","journal-title":"ACM CSUR"},{"issue":"8","key":"2025121807031415900_ref176","doi-asserted-by":"crossref","first-page":"9595","DOI":"10.1109\/TPAMI.2023.3247939","article-title":"Cross-modal retrieval with partially mismatched pairs","volume":"45","author":"Hu","year":"2023","journal-title":"IEEE Transactions on Pattern Analysis and Machine Intelligence"},{"key":"2025121807031415900_ref177","article-title":"Does Distributionally Robust Supervised Learning Give Robust Classifiers?","author":"Hu","year":"2018","journal-title":"ICML"},{"key":"2025121807031415900_ref178","article-title":"Demystifying verbatim memorization in large language models","author":"Huang","year":"2024","journal-title":"arXiv preprint arXiv:2407.17817"},{"key":"2025121807031415900_ref179","article-title":"Opera: Alleviating hallucination in multi-modal large language models via over-trust penalty and 
retrospection-allocation","author":"Huang","year":"2024","journal-title":"CVPR"},{"key":"2025121807031415900_ref180","article-title":"On the importance of gradients for detecting distributional shifts in the wild","author":"Huang","year":"2021","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref181","doi-asserted-by":"crossref","first-page":"926","DOI":"10.1609\/aaai.v37i1.25172","article-title":"Nlip: Noise-robust language-image pre-training","volume":"37","author":"Huang","year":"2023","journal-title":"Proceedings of the AAAI Conference on Artificial Intelligence"},{"key":"2025121807031415900_ref182","article-title":"Harmful fine-tuning attacks and defenses for large language models: A survey","author":"Huang","year":"2024","journal-title":"arXiv preprint arXiv:2409.18169"},{"key":"2025121807031415900_ref183","article-title":"Metapoison: Practical general-purpose clean-label data poisoning","author":"Huang","year":"2020","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref184","article-title":"On the Comparison between Multi-modal and Single-modal Contrastive Learning","author":"Huang","year":"2024","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref185","doi-asserted-by":"crossref","DOI":"10.1609\/aaai.v36i6.20654","article-title":"Uncertainty-Aware Learning against Label Noise on Imbalanced Datasets","author":"Huang","year":"2022","journal-title":"AAAI"},{"key":"2025121807031415900_ref186","first-page":"29406","article-title":"Learning with noisy correspondence for cross-modal matching","volume":"34","author":"Huang","year":"2021","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2025121807031415900_ref187","article-title":"Noise-robust Vision-language Pre-training with Positive-negative Learning","author":"Huang","year":"2024","journal-title":"IEEE Transactions on Pattern Analysis and Machine 
Intelligence"},{"key":"2025121807031415900_ref188","doi-asserted-by":"crossref","DOI":"10.1109\/TIP.2023.3326398","article-title":"Fast adversarial training with adaptive step size","author":"Huang","year":"2023","journal-title":"IEEE Transactions on Image Processing"},{"issue":"5","key":"2025121807031415900_ref189","doi-asserted-by":"crossref","first-page":"419","DOI":"10.3233\/IDA-2006-10503","article-title":"Learning from ambiguously labeled examples","volume":"10","author":"H\u00fcllermeier","year":"2006","journal-title":"Intell. Data Anal."},{"key":"2025121807031415900_ref190","doi-asserted-by":"crossref","DOI":"10.1017\/CBO9781139025751","volume-title":"Causal inference in statistics, social, and biomedical sciences","author":"Imbens","year":"2015"},{"key":"2025121807031415900_ref191","article-title":"Towards practical differentially private convex optimization","author":"Iyengar","year":"2019","journal-title":"SP"},{"key":"2025121807031415900_ref192","article-title":"Manipulating machine learning: Poisoning attacks and countermeasures for regression learning","author":"Jagielski","year":"2018","journal-title":"IEEE symposium on security and privacy (SP)"},{"key":"2025121807031415900_ref193","doi-asserted-by":"crossref","DOI":"10.1145\/3571730","article-title":"Survey of hallucination in natural language generation","author":"Ji","year":"2023","journal-title":"ACM Computing Surveys"},{"key":"2025121807031415900_ref194","article-title":"Model Sparsity Can Simplify Machine Unlearning","author":"Jia","year":"2023","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref195","article-title":"Prior-Guided Adversarial Initialization for Fast Adversarial Training","author":"Jia","year":"2022","journal-title":"ECCV"},{"key":"2025121807031415900_ref196","article-title":"LAS-AT: Adversarial Training with Learnable Attack 
Strategy","author":"Jia","year":"2022","journal-title":"CVPR"},{"key":"2025121807031415900_ref197","volume-title":"AAAI","author":"Jia","year":"2024"},{"key":"2025121807031415900_ref198","article-title":"LLM4Causal: Democratized Causal Tools for Everyone via Large Language Model","author":"Jiang","year":"2024","journal-title":"First Conference on Language Modeling"},{"key":"2025121807031415900_ref199","article-title":"Test-Time Robust Personalization for Federated Learning","author":"Jiang","year":"2023"},{"key":"2025121807031415900_ref200","article-title":"Negative Label Guided OOD Detection with Pretrained Vision-Language Models","author":"Jiang","year":"2024","journal-title":"ICLR"},{"key":"2025121807031415900_ref201","article-title":"Self-damaging contrastive learning","author":"Jiang","year":"2021","journal-title":"ICML"},{"key":"2025121807031415900_ref202","article-title":"Cladder: Assessing causal reasoning in language models","author":"Jin","year":"2023","journal-title":"Thirty-seventh conference on neural information processing systems"},{"key":"2025121807031415900_ref203","article-title":"Can Large Language Models Infer Causation from Correlation?","author":"Jin","year":"2024","journal-title":"The Twelfth International Conference on Learning Representations"},{"key":"2025121807031415900_ref204","article-title":"Efficient causal graph discovery using large language models","author":"Jiralerspong","year":"2024","journal-title":"arXiv preprint arXiv:2402.01207"},{"key":"2025121807031415900_ref205","doi-asserted-by":"crossref","DOI":"10.1126\/science.aaa8415","article-title":"Machine learning: Trends, perspectives, and prospects","author":"Jordan","year":"2015","journal-title":"Science"},{"key":"2025121807031415900_ref206","article-title":"Make some noise: Reliable and efficient single-step adversarial training","author":"Jorge Aranda","year":"2022","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref207","article-title":"Language models (mostly) know 
what they know","author":"Kadavath","year":"2022","journal-title":"arXiv preprint arXiv:2207.05221"},{"key":"2025121807031415900_ref208","article-title":"Label-only model inversion attacks via boundary repulsion","author":"Kahla","year":"2022","journal-title":"CVPR"},{"key":"2025121807031415900_ref209","doi-asserted-by":"crossref","DOI":"10.1561\/2200000083","article-title":"Advances and open problems in federated learning","author":"Kairouz","year":"2021","journal-title":"Foundations and Trends\u00ae in Machine Learning"},{"key":"2025121807031415900_ref210","article-title":"Decoupling Representation and Classifier for Long-Tailed Recognition","author":"Kang","year":"2020","journal-title":"ICLR"},{"key":"2025121807031415900_ref211","article-title":"A style-based generator architecture for generative adversarial networks","author":"Karras","year":"2019","journal-title":"CVPR"},{"key":"2025121807031415900_ref212","article-title":"Training ood detectors in their natural habitats","author":"Katz-Samuels","year":"2022","journal-title":"ICML"},{"key":"2025121807031415900_ref213","first-page":"103","article-title":"Striking the right balance with uncertainty","author":"Khan","year":"2019","journal-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition"},{"key":"2025121807031415900_ref214","article-title":"Adaptive Gradient-Based Meta-Learning Methods","author":"Khodak","year":"2019","journal-title":"CoRR"},{"key":"2025121807031415900_ref215","article-title":"Private convex empirical risk minimization and high-dimensional regression","author":"Kifer","year":"2012","journal-title":"COLT"},{"key":"2025121807031415900_ref216","doi-asserted-by":"crossref","DOI":"10.1609\/aaai.v35i9.16989","article-title":"Understanding catastrophic overfitting in single-step adversarial training","author":"Kim","year":"2021","journal-title":"AAAI"},{"key":"2025121807031415900_ref217","article-title":"Distribution Aligning Refinery of Pseudo-label for 
Imbalanced Semi-supervised Learning","author":"Kim","year":"2020","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref218","article-title":"Auto-encoding variational bayes","author":"Kingma","year":"2013","journal-title":"arXiv preprint arXiv:1312.6114"},{"key":"2025121807031415900_ref219","article-title":"A watermark for large language models","author":"Kirchenbauer","year":"2023","journal-title":"ICML"},{"issue":"4","key":"2025121807031415900_ref220","doi-asserted-by":"crossref","first-page":"383","DOI":"10.1038\/s42256-024-00820-y","article-title":"The benefits, risks and bounds of personalizing the alignment of large language models to individuals","volume":"6","author":"Kirk","year":"2024","journal-title":"Nature Machine Intelligence"},{"key":"2025121807031415900_ref221","article-title":"Causal reasoning and large language models: Opening a new frontier for causality","author":"K\u0131c\u0131man","year":"2023","journal-title":"arXiv preprint arXiv:2305.00050"},{"key":"2025121807031415900_ref222","article-title":"WILDS: A Benchmark of in-the-Wild Distribution Shifts","author":"Koh","year":"2021","journal-title":"ICML"},{"key":"2025121807031415900_ref223","article-title":"From group to individual labels using deep features","author":"Kotzias","year":"2015","journal-title":"SIGKDD"},{"key":"2025121807031415900_ref224","article-title":"Out-of-Distribution Generalization via Risk Extrapolation (REx)","author":"Krueger","year":"2021","journal-title":"ICML"},{"key":"2025121807031415900_ref225","article-title":"Temperature Schedules for self-supervised contrastive methods on long-tail data","author":"Kukleva","year":"2023","journal-title":"ICLR"},{"key":"2025121807031415900_ref226","first-page":"133","article-title":"A literature survey on open source large language models","author":"Kukreja","year":"2024","journal-title":"Proceedings of the 2024 7th International Conference on Computers in Management and 
Business"},{"key":"2025121807031415900_ref227","article-title":"Multi-Agent Causal Discovery Using Large Language Models","author":"Le","year":"2024","journal-title":"arXiv preprint arXiv:2407.15073"},{"key":"2025121807031415900_ref228","doi-asserted-by":"crossref","DOI":"10.1038\/nature14539","article-title":"Deep learning","author":"LeCun","year":"2015","journal-title":"Nature"},{"key":"2025121807031415900_ref229","article-title":"Certified robustness to adversarial examples with differential privacy","author":"Lecuyer","year":"2019","journal-title":"SP"},{"key":"2025121807031415900_ref230","article-title":"Identifying appropriate intellectual property protection mechanisms for machine learning models: A systematization of watermarking, fingerprinting, model access, and attacks","author":"Lederer","year":"2023","journal-title":"IEEE Transactions on Neural Networks and Learning Systems"},{"key":"2025121807031415900_ref231","article-title":"ABC: Auxiliary Balanced Classifier for Class-imbalanced Semi-supervised Learning","author":"Lee","year":"2021","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref232","article-title":"Concentrated differentially private gradient descent with adaptive per-iteration privacy budget","author":"Lee","year":"2018","journal-title":"KDD"},{"key":"2025121807031415900_ref233","article-title":"A Simple Unified Framework for Detecting Out-of-Distribution Samples and Adversarial Attacks","author":"Lee","year":"2018","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref234","article-title":"Robust Evaluation of Diffusion-Based Adversarial Purification","author":"Lee","year":"2023","journal-title":"ICCV"},{"key":"2025121807031415900_ref235","first-page":"34586","article-title":"Factuality enhanced language models for open-ended text generation","volume":"35","author":"Lee","year":"2022","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2025121807031415900_ref236","article-title":"Mitigating object 
hallucinations in large vision-language models through visual contrastive decoding","author":"Leng","year":"2024","journal-title":"CVPR"},{"key":"2025121807031415900_ref237","article-title":"Still no lie detector for language models: Probing empirical and conceptual roadblocks","author":"Levinstein","year":"2024","journal-title":"Philosophical Studies"},{"key":"2025121807031415900_ref238","article-title":"LotteryFL: Personalized and Communication-Efficient Federated Learning with Lottery Ticket Hypothesis on Non-IID Datasets","author":"Li","year":"2020"},{"key":"2025121807031415900_ref239","article-title":"Towards Understanding Clean Generalization and Robust Overfitting in Adversarial Training","author":"Li","year":"2023","journal-title":"arXiv preprint arXiv:2306.01271"},{"key":"2025121807031415900_ref240","article-title":"Rethinking the impact of noisy labels in graph classification: A utility and privacy perspective","author":"Li","year":"2024","journal-title":"Neural Networks"},{"key":"2025121807031415900_ref241","article-title":"Sentence Embedding Leaks More Information than You Expect: Generative Embedding Inversion Attack to Recover the Whole Sentence","author":"Li","year":"2023","journal-title":"ACL"},{"key":"2025121807031415900_ref242","first-page":"12888","article-title":"Blip: Bootstrapping language-image pre-training for unified vision-language understanding and generation","author":"Li","year":"2022","journal-title":"International conference on machine learning"},{"key":"2025121807031415900_ref243","article-title":"DivideMix: Learning with Noisy Labels as Semi-supervised Learning","author":"Li","year":"2020","journal-title":"ICLR"},{"key":"2025121807031415900_ref244","article-title":"Inference-time intervention: Eliciting truthful answers from a language model","author":"Li","year":"2024","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2025121807031415900_ref245","article-title":"Data augmentation alone can improve 
adversarial training","author":"Li","year":"2023","journal-title":"ICLR"},{"key":"2025121807031415900_ref246","article-title":"RealTCD: Temporal Causal Discovery from Interventional Data with Large Language Model","author":"Li","year":"2024","journal-title":"arXiv preprint arXiv:2404.14786v2"},{"key":"2025121807031415900_ref247","article-title":"Practical One-Shot Federated Learning for Cross-Silo Setting","author":"Li","year":"2020","journal-title":"arXiv preprint arXiv:2010.01017"},{"key":"2025121807031415900_ref248","doi-asserted-by":"crossref","DOI":"10.1109\/CVPR46437.2021.01057","article-title":"Model-Contrastive Federated Learning","author":"Li","year":"2021"},{"key":"2025121807031415900_ref249","article-title":"Hidden backdoors in human-centric language models","author":"Li","year":"2021","journal-title":"ACM SIGSAC"},{"key":"2025121807031415900_ref250","article-title":"Federated Optimization in Heterogeneous Networks","author":"Li","year":"2020"},{"key":"2025121807031415900_ref251","article-title":"Fair Resource Allocation in Federated Learning","author":"Li","year":"2020","journal-title":"International Conference on Learning Representations"},{"key":"2025121807031415900_ref252","article-title":"Contrastive learning of graphs under label noise","author":"Li","year":"2024","journal-title":"Neural Networks"},{"key":"2025121807031415900_ref253","article-title":"Deep Domain Generalization via Conditional Invariant Adversarial Networks","author":"Li","year":"2018","journal-title":"ECCV"},{"key":"2025121807031415900_ref254","article-title":"Unified robust training for graph neural networks against label noise","author":"Li","year":"2021","journal-title":"PAKDD"},{"key":"2025121807031415900_ref255","article-title":"Backdoor learning: A survey","author":"Li","year":"2022","journal-title":"IEEE TNNLS"},{"key":"2025121807031415900_ref256","article-title":"Textbooks are all you need ii: phi-1.5 technical report","author":"Li","year":"2023","journal-title":"arXiv 
preprint arXiv:2309.05463"},{"key":"2025121807031415900_ref257","article-title":"Think Locally, Act Globally: Federated Learning with Local and Global Representations","author":"Liang","year":"2020","journal-title":"CoRR"},{"key":"2025121807031415900_ref258","article-title":"Defense against adversarial attacks using high-level representation guided denoiser","author":"Liao","year":"2018","journal-title":"CVPR"},{"key":"2025121807031415900_ref259","doi-asserted-by":"crossref","DOI":"10.1109\/COMST.2020.2986024","article-title":"Federated Learning in Mobile Edge Networks: A Comprehensive Survey","author":"Lim","year":"2020","journal-title":"IEEE Communications Surveys Tutorials"},{"key":"2025121807031415900_ref260","article-title":"On the Over-Memorization During Natural, Robust and Catastrophic Overfitting","author":"Lin","year":"2024","journal-title":"ICLR"},{"key":"2025121807031415900_ref261","article-title":"Layer-Aware Analysis of Catastrophic Overfitting: Revealing the Pseudo-Robust Shortcut Dependency","author":"Lin","year":"2024","journal-title":"ICML"},{"key":"2025121807031415900_ref262","article-title":"Eliminating catastrophic overfitting via abnormal adversarial examples regularization","author":"Lin","year":"2023","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref263","article-title":"Focal loss for dense object detection","author":"Lin","year":"2017","journal-title":"ICCV"},{"key":"2025121807031415900_ref264","doi-asserted-by":"crossref","DOI":"10.18653\/v1\/2023.emnlp-main.82","article-title":"Text-Transport: Toward Learning Causal Effects of Natural Language","author":"Lin","year":"2023","journal-title":"The 2023 Conference on Empirical Methods in Natural Language Processing"},{"key":"2025121807031415900_ref265","article-title":"Multi-granularity correspondence learning from long-term noisy videos","author":"Lin","year":"2024","journal-title":"arXiv preprint arXiv:2401.16702"},{"key":"2025121807031415900_ref266","article-title":"Spurious 
Feature Diversification Improves Out-of-distribution Generalization","author":"Lin","year":"2024","journal-title":"ICLR"},{"key":"2025121807031415900_ref267","article-title":"ZIN: When and How to Learn Invariance Without Environment Partition?","author":"Lin","year":"2022","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref268","doi-asserted-by":"crossref","DOI":"10.1145\/3649449","article-title":"A survey of text watermarking in the era of large language models","author":"Liu","year":"2024","journal-title":"ACM Computing Surveys"},{"key":"2025121807031415900_ref269","article-title":"When machine learning meets privacy: A survey and outlook","author":"Liu","year":"2021","journal-title":"ACM CSUR"},{"key":"2025121807031415900_ref270","article-title":"On the Loss Landscape of Adversarial Training: Identifying Challenges and How to Overcome Them","author":"Liu","year":"2020","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref271","article-title":"Discovery of the Hidden World with Large Language Models","author":"Liu","year":"2024","journal-title":"Proceedings of the Thirty-eighth Annual Conference on Neural Information Processing Systems"},{"key":"2025121807031415900_ref272","article-title":"Just Train Twice: Improving Group Robustness without Training Group Information","author":"Liu","year":"2021","journal-title":"ICML"},{"key":"2025121807031415900_ref273","article-title":"Adversarial tuning: Defending against jailbreak attacks for llms","author":"Liu","year":"2024","journal-title":"arXiv preprint arXiv:2406.06622"},{"key":"2025121807031415900_ref274","article-title":"Mitigating hallucination in large multi-modal models via robust instruction tuning","author":"Liu","year":"2024","journal-title":"ICLR"},{"key":"2025121807031415900_ref275","article-title":"Gradient-leaks: Enabling black-box membership inference attacks against machine learning models","author":"Liu","year":"2023","journal-title":"IEEE 
TIFS"},{"key":"2025121807031415900_ref276","article-title":"Key instance detection in multi-instance learning","author":"Liu","year":"2012","journal-title":"ACML"},{"key":"2025121807031415900_ref277","article-title":"A survey on hallucination in large vision-language models","author":"Liu","year":"2024","journal-title":"arXiv preprint arXiv:2402.00253"},{"key":"2025121807031415900_ref278","article-title":"Visual instruction tuning","author":"Liu","year":"2024","journal-title":"Advances in neural information processing systems"},{"key":"2025121807031415900_ref279","article-title":"Self-supervised Learning is More Robust to Dataset Imbalance","author":"Liu","year":"2021","journal-title":"ICLR"},{"key":"2025121807031415900_ref280","article-title":"Heterogeneous Risk Minimization","author":"Liu","year":"2021","journal-title":"ICML"},{"key":"2025121807031415900_ref281","article-title":"Fine-pruning: Defending against backdooring attacks on deep neural networks","author":"Liu","year":"2018","journal-title":"RAID"},{"key":"2025121807031415900_ref282","article-title":"Membership inference attacks against machine learning models via prediction sensitivity","author":"Liu","year":"2022","journal-title":"IEEE TDSC"},{"key":"2025121807031415900_ref283","article-title":"Client-Edge-Cloud Hierarchical Federated Learning","author":"Liu","year":"2020","journal-title":"2020 IEEE International Conference on Communications, ICC 2020, Dublin, Ireland, June 7-11, 2020"},{"key":"2025121807031415900_ref284","article-title":"Model Inversion Attacks on Homogeneous and Heterogeneous Graph Neural Networks","author":"Liu","year":"2023","journal-title":"SecureComm"},{"key":"2025121807031415900_ref285","first-page":"20331","article-title":"Early-learning regularization prevents memorization of noisy labels","volume":"33","author":"Liu","year":"2020","journal-title":"Advances in neural information processing 
systems"},{"key":"2025121807031415900_ref286","first-page":"14153","article-title":"Robust training under label noise by over-parameterization","author":"Liu","year":"2022","journal-title":"International Conference on Machine Learning"},{"key":"2025121807031415900_ref287","article-title":"Energy-based Out-of-distribution Detection","author":"Liu","year":"2020","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref288","article-title":"AutoDAN: Generating Stealthy Jailbreak Prompts on Aligned Large Language Models","author":"Liu","year":"2024","journal-title":"ICLR"},{"key":"2025121807031415900_ref289","article-title":"Protecting your llms with information bottleneck","author":"Liu","year":"2024","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref290","article-title":"Large-scale long-tailed recognition in an open world","author":"Liu","year":"2019","journal-title":"CVPR"},{"key":"2025121807031415900_ref291","article-title":"Challenging common assumptions in the unsupervised learning of disentangled representations","author":"Locatello","year":"2019","journal-title":"international conference on machine learning"},{"key":"2025121807031415900_ref292","article-title":"Label-Noise Learning with Intrinsically Long-Tailed Data","author":"Lu","year":"2023","journal-title":"ICCV"},{"key":"2025121807031415900_ref293","article-title":"Revive Re-weighting in Imbalanced Learning by Density Ratio Estimation","author":"Luo","year":"2024","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref294","article-title":"Causality inspired representation learning for domain generalization","author":"Lv","year":"2022","journal-title":"CVPR"},{"key":"2025121807031415900_ref295","article-title":"Characterizing Adversarial Subspaces Using Local Intrinsic Dimensionality","author":"Ma","year":"2018","journal-title":"ICLR"},{"key":"2025121807031415900_ref296","doi-asserted-by":"crossref","DOI":"10.1109\/TIP.2024.3374221","article-title":"Cross-modal Retrieval with Noisy 
Correspondence via Consistency Refining and Mining","author":"Ma","year":"2024","journal-title":"IEEE Transactions on Image Processing"},{"key":"2025121807031415900_ref297","article-title":"Video-chatgpt: Towards detailed video understanding via large vision and language models","author":"Maaz","year":"2023","journal-title":"arXiv preprint arXiv:2306.05424"},{"key":"2025121807031415900_ref298","article-title":"Towards Deep Learning Models Resistant to Adversarial Attacks","author":"Madry","year":"2018","journal-title":"ICLR"},{"key":"2025121807031415900_ref299","article-title":"Domain Generalization using Causal Matching","author":"Mahajan","year":"2021","journal-title":"ICML"},{"key":"2025121807031415900_ref300","article-title":"Does CLIP\u2019s generalization performance mainly stem from high train-test similarity?","author":"Mayilvahanan","year":"2024","journal-title":"ICLR"},{"issue":"6","key":"2025121807031415900_ref301","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3457607","article-title":"A survey on bias and fairness in machine learning","volume":"54","author":"Mehrabi","year":"2021","journal-title":"ACM Computing Surveys (CSUR)"},{"key":"2025121807031415900_ref302","article-title":"Magnet: a two-pronged defense against adversarial examples","author":"Meng","year":"2017","journal-title":"ACM SIGSAC"},{"key":"2025121807031415900_ref303","article-title":"Long-tail learning via logit adjustment","author":"Menon","year":"2020","journal-title":"arXiv preprint arXiv:2007.07314"},{"key":"2025121807031415900_ref304","article-title":"Interpretable and Generalizable Graph Learning via Stochastic Attention Mechanism","author":"Miao","year":"2022","journal-title":"ICML"},{"key":"2025121807031415900_ref305","article-title":"A watermark-conditioned diffusion model for ip protection","author":"Min","year":"2024","journal-title":"arXiv preprint arXiv:2403.10893"},{"key":"2025121807031415900_ref306","article-title":"Delving into Out-of-Distribution 
Detection with Vision-Language Representations","author":"Ming","year":"2022","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref307","article-title":"Poem: Out-of-distribution detection with posterior sampling","author":"Ming","year":"2022","journal-title":"ICML"},{"key":"2025121807031415900_ref308","doi-asserted-by":"crossref","DOI":"10.1093\/bib\/bbx044","article-title":"Deep learning for healthcare: review, opportunities and challenges","author":"Miotto","year":"2018","journal-title":"Briefings in bioinformatics"},{"key":"2025121807031415900_ref309","article-title":"Conditional generative adversarial nets","author":"Mirza","year":"2014","journal-title":"arXiv preprint arXiv:1411.1784"},{"issue":"8","key":"2025121807031415900_ref310","doi-asserted-by":"crossref","first-page":"1979","DOI":"10.1109\/TPAMI.2018.2858821","article-title":"Virtual Adversarial Training: A Regularization Method for Supervised and Semi-Supervised Learning","volume":"41","author":"Miyato","year":"2019","journal-title":"IEEE Trans. Pattern Anal. Mach. 
Intell."},{"key":"2025121807031415900_ref311","article-title":"Text embeddings reveal (almost) as much as text","author":"Morris","year":"2023","journal-title":"EMNLP"},{"key":"2025121807031415900_ref312","doi-asserted-by":"crossref","DOI":"10.1145\/3128572.3140451","article-title":"Towards poisoning of deep learning algorithms with back-gradient optimization","author":"Mu\u00f1oz-Gonz\u00e1lez","year":"2017","journal-title":"AISec"},{"issue":"44","key":"2025121807031415900_ref313","doi-asserted-by":"crossref","first-page":"22071","DOI":"10.1073\/pnas.1900654116","article-title":"Definitions, methods, and applications in interpretable machine learning","volume":"116","author":"Murdoch","year":"2019","journal-title":"Proceedings of the National Academy of Sciences"},{"key":"2025121807031415900_ref314","article-title":"Stochastic Gradient Methods for Distributionally Robust Optimization with f-divergences","author":"Namkoong","year":"2016","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref315","article-title":"Learning with Noisy Labels","author":"Natarajan","year":"2013","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref316","article-title":"Oracle efficient private non-convex optimization","author":"Neel","year":"2020","journal-title":"ICML"},{"key":"2025121807031415900_ref317","article-title":"Exploiting machine learning to subvert your spam filter.","author":"Nelson","year":"2008","journal-title":"LEET"},{"key":"2025121807031415900_ref318","article-title":"Label-Only Model Inversion Attacks via Knowledge Transfer","author":"Nguyen","year":"2024","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref319","article-title":"Re-thinking model inversion attacks against deep neural networks","author":"Nguyen","year":"2023","journal-title":"CVPR"},{"key":"2025121807031415900_ref320","article-title":"A survey of machine unlearning","author":"Nguyen","year":"2022","journal-title":"arXiv preprint 
arXiv:2209.02299"},{"key":"2025121807031415900_ref321","article-title":"Out- of-Distribution Detection with Negative Prompts","author":"Nie","year":"2024","journal-title":"ICLR"},{"key":"2025121807031415900_ref322","article-title":"Diffusion Models for Adversarial Purification","author":"Nie","year":"2022","journal-title":"ICML"},{"key":"2025121807031415900_ref323","doi-asserted-by":"crossref","DOI":"10.1109\/ICC.2019.8761315","article-title":"Client Selection for Federated Learning with Heterogeneous Resources in Mobile Edge","author":"Nishio","year":"2019","journal-title":"ICC 2019 - 2019 IEEE International Conference on Communications (ICC)"},{"key":"2025121807031415900_ref324","doi-asserted-by":"crossref","DOI":"10.1016\/j.jiixd.2024.02.001","article-title":"A survey on membership inference attacks and defenses in Machine Learning","author":"Niu","year":"2024","journal-title":"Journal of Information and Intelligence"},{"key":"2025121807031415900_ref325","article-title":".","author":"Niu","year":"2020","journal-title":"IEEE Transactions on Artificial Intelligence"},{"key":"2025121807031415900_ref326","article-title":"Learning graph neural networks with noisy labels","author":"NT","year":"2019","journal-title":"ICLR Learning from Limited Labeled Data Workshop"},{"key":"2025121807031415900_ref327","article-title":"Private graph extraction via feature explanations","author":"Olatunji","year":"2023","journal-title":"PETS"},{"key":"2025121807031415900_ref328","doi-asserted-by":"crossref","DOI":"10.1145\/3595292","article-title":"I know what you trained last summer: A survey on stealing machine learning models and defences","author":"Oliynyk","year":"2023","journal-title":"ACM Computing Surveys"},{"key":"2025121807031415900_ref329","article-title":"Representa- tion learning with contrastive predictive coding","author":"Oord","year":"2018","journal-title":"arXiv preprint 
arXiv:1807.03748"},{"key":"2025121807031415900_ref330","doi-asserted-by":"crossref","DOI":"10.1016\/j.asoc.2020.106384","article-title":"Deep learning for financial applications: A survey","author":"Ozbayoglu","year":"2020","journal-title":"Applied soft computing"},{"key":"2025121807031415900_ref331","article-title":"Two Coupled Rejection Metrics Can Tell Adversarial Examples Apart","author":"Pang","year":"2022","journal-title":"CVPR"},{"key":"2025121807031415900_ref332","doi-asserted-by":"crossref","DOI":"10.1073\/pnas.2015509117","article-title":"Prevalence of neu- ral collapse during the terminal phase of deep learning training","author":"Papyan","year":"2020","journal-title":"Proceedings of the National Academy of Sciences"},{"key":"2025121807031415900_ref333","article-title":"Learning explanations that are hard to vary","author":"Parascandolo","year":"2021","journal-title":"ICLR"},{"key":"2025121807031415900_ref334","article-title":"The Neglected Tails in Vision-Language Models","author":"Parashar","year":"2024","journal-title":"CVPR"},{"key":"2025121807031415900_ref335","article-title":"Canary extrac- tion in natural language understanding models","author":"Parikh","year":"2022","journal-title":"arXiv preprint arXiv:2203.13920"},{"key":"2025121807031415900_ref336","article-title":"Few-round learning for federated learning","author":"Park","year":"2021","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2025121807031415900_ref337","first-page":"79155","article-title":"The RefinedWeb dataset for Falcon LLM: Outperforming curated corpora with web data only","volume":"36","author":"Penedo","year":"2023","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2025121807031415900_ref338","article-title":"MAP: MAsk-Pruning for Source-Free Model Intellectual Property Protection","author":"Peng","year":"2024","journal-title":"CVPR"},{"key":"2025121807031415900_ref339","article-title":"Address instance-level label 
prediction in multiple instance learning","author":"Peng","year":"2019","journal-title":"arXiv preprint arXiv:1905.12226"},{"key":"2025121807031415900_ref340","article-title":"Pseudo-Private Data Guided Model Inversion Attacks","author":"Peng","year":"2024","journal-title":"NeurIPS"},{"issue":"3","key":"2025121807031415900_ref341","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3494672","article-title":"A review on fairness in machine learning","volume":"55","author":"Pessach","year":"2022","journal-title":"ACM Computing Surveys (CSUR)"},{"key":"2025121807031415900_ref342","doi-asserted-by":"crossref","DOI":"10.1111\/rssb.12167","article-title":"Causal inference by using invariant prediction: identification and confidence inter- vals","author":"Peters","year":"2016","journal-title":"Journal of the Royal Statistical Society: Series B (Statistical Methodology)"},{"key":"2025121807031415900_ref343","volume-title":"Elements of Causal Inference: Foundations and Learning Algorithms","author":"Peters","year":"2017"},{"key":"2025121807031415900_ref344","volume-title":"Elements of causal inference: foundations and learning algorithms","author":"Peters","year":"2017"},{"key":"2025121807031415900_ref345","article-title":"Discovering environments with XRM","author":"Pezeshki","year":"2024","journal-title":"ICML"},{"key":"2025121807031415900_ref346","article-title":"Heterogeneous gaussian mechanism: Preserving differential privacy in deep learning with provable robustness","author":"Phan","year":"2019","journal-title":"IJCAI"},{"key":"2025121807031415900_ref347","doi-asserted-by":"crossref","DOI":"10.1609\/aaai.v30i1.10165","article-title":"Differential pri- vacy preservation for deep auto-encoders: an application of human behavior prediction","author":"Phan","year":"2016","journal-title":"AAAI"},{"key":"2025121807031415900_ref348","article-title":"Vi- sual adversarial examples jailbreak large language models","author":"Qi","year":"2023","journal-title":"arXiv 
preprint arXiv:2306.13213"},{"key":"2025121807031415900_ref349","article-title":"Fine-tuning Aligned Language Models Compromises Safety, Even When Users Do Not Intend To!","author":"Qi","year":"2024","journal-title":"ICLR"},{"key":"2025121807031415900_ref350","article-title":"Learning to poison large language models during instruction tuning","author":"Qiang","year":"2024","journal-title":"arXiv preprint arXiv:2402.13459"},{"key":"2025121807031415900_ref351","doi-asserted-by":"crossref","first-page":"4948","DOI":"10.1145\/3503161.3547922","article-title":"Deep eviden- tial learning with noisy correspondence for cross-modal retrieval","author":"Qin","year":"2022","journal-title":"Proceedings of the 30th ACM International Conference on Mul- timedia"},{"key":"2025121807031415900_ref352","first-page":"24829","article-title":"Cross-modal active complementary learning with self-refining cor- respondence","volume":"36","author":"Qin","year":"2023","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2025121807031415900_ref353","article-title":"Gen- eralized federated learning via sharpness aware minimization","author":"Qu","year":"2022","journal-title":"International conference on machine learning"},{"key":"2025121807031415900_ref354","article-title":"Learning transferable visual models from natural language supervision","author":"Radford","year":"2021","journal-title":"International conference on machine learning"},{"key":"2025121807031415900_ref355","article-title":"Learning transferable visual models from natural language supervision","author":"Radford","year":"2021","journal-title":"ICML"},{"issue":"8","key":"2025121807031415900_ref356","first-page":"9","article-title":"Language models are unsupervised multitask learners","volume":"1","author":"Radford","year":"2019","journal-title":"OpenAI blog"},{"key":"2025121807031415900_ref357","article-title":"A General Framework For Detecting Anomalous Inputs to DNN 
Classifiers","author":"Raghuram","year":"2021","journal-title":"ICML"},{"key":"2025121807031415900_ref358","article-title":"Fishr: Invariant Gradient Variances for Out-of-distribution Generalization","author":"Rame","year":"2022","journal-title":"ICML"},{"key":"2025121807031415900_ref359","article-title":"Diverse Weight Averaging for Out-of-Distribution Generalization","author":"Rame","year":"2022","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref360","article-title":"A survey of hallucination in large foundation models","author":"Rawte","year":"2023","journal-title":"arXiv preprint arXiv:2309.05922"},{"key":"2025121807031415900_ref361","article-title":"Adaptive Federated Opti- mization","author":"Reddi","year":"2020","journal-title":"arXiv preprint arXiv:2003.00295"},{"key":"2025121807031415900_ref362","doi-asserted-by":"crossref","DOI":"10.1016\/S0165-1765(01)00524-9","article-title":"The Pareto, Zipf and other power laws","author":"Reed","year":"2001","journal-title":"Economics letters"},{"key":"2025121807031415900_ref363","doi-asserted-by":"crossref","DOI":"10.1109\/JSAC.2020.3036971","article-title":"Accelerating DNN Training in Wireless Federated Edge Learning Systems","author":"Ren","year":"2021","journal-title":"IEEE Journal on Selected Areas in Communications"},{"key":"2025121807031415900_ref364","article-title":"Investigating the factual knowledge boundary of large language models with retrieval augmentation","author":"Ren","year":"2023","journal-title":"arXiv preprint arXiv:2307.11019"},{"key":"2025121807031415900_ref365","article-title":"Overfitting in adversarially robust deep learning","author":"Rice","year":"2020","journal-title":"ICML"},{"key":"2025121807031415900_ref366","article-title":"Smoothllm: Defending large language models against jailbreaking attacks","author":"Robey","year":"2023","journal-title":"arXiv preprint arXiv:2310.03684"},{"key":"2025121807031415900_ref367","article-title":"Invariant Models for Causal Transfer 
Learning","author":"Rojas-Carulla","year":"2018","journal-title":"Journal of Machine Learning Research"},{"key":"2025121807031415900_ref368","article-title":"High-resolution image synthesis with latent diffusion models","author":"Rombach","year":"2022","journal-title":"CVPR"},{"key":"2025121807031415900_ref369","article-title":"Domain-Adjusted Regression or: ERM May Already Learn Features Sufficient for Out- of-Distribution Generalization","author":"Rosenfeld","year":"2022","journal-title":"arXiv preprint arXiv:2202.06856"},{"key":"2025121807031415900_ref370","article-title":"On Characterizing the Trade-off in Invariant Representation Learning","author":"Sadeghi","year":"2022","journal-title":"TMLR"},{"key":"2025121807031415900_ref371","article-title":"Distri- butionally Robust Neural Networks","author":"Sagawa","year":"2020","journal-title":"ICLR"},{"key":"2025121807031415900_ref372","doi-asserted-by":"crossref","DOI":"10.1609\/aaai.v34i07.6871","article-title":"Hidden trigger backdoor attacks","author":"Saha","year":"2020","journal-title":"AAAI"},{"key":"2025121807031415900_ref373","article-title":"Defense-GAN: Protecting Classifiers Against Adversarial Attacks Using Generative Models","author":"Samangouei","year":"2018","journal-title":"ICLR"},{"key":"2025121807031415900_ref374","article-title":"Is a Caption Worth a Thousand Images? 
A Study on Representation Learning","author":"Santurkar","year":"2023","journal-title":"ICLR"},{"key":"2025121807031415900_ref375","article-title":"Adversarially robust generalization requires more data","author":"Schmidt","year":"2018","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref376","article-title":"wav2vec: Unsupervised pre-training for speech recognition","author":"Schneider","year":"2019","journal-title":"arXiv preprint arXiv:1904.05862"},{"key":"2025121807031415900_ref377","doi-asserted-by":"crossref","DOI":"10.1109\/JPROC.2021.3058954","article-title":"Toward causal representation learning","author":"Sch\u00f6lkopf","year":"2021","journal-title":"Proceedings of the IEEE"},{"key":"2025121807031415900_ref378","doi-asserted-by":"crossref","first-page":"2016","DOI":"10.1145\/1529282.1529731","article-title":"Open source vs. closed source software: towards measuring security","author":"Schryen","year":"2009","journal-title":"Proceedings of the 2009 ACM symposium on Applied Computing"},{"key":"2025121807031415900_ref379","article-title":"Reinforcement learning from human feedback: Progress and challenges","author":"Schulman","year":"2023","journal-title":"Berkeley EECS Colloquium. YouTube www. youtube. 
com\/watch"},{"issue":"4","key":"2025121807031415900_ref380","doi-asserted-by":"crossref","first-page":"860","DOI":"10.1093\/cid\/ciad633","article-title":"Black box warning: large language models and the future of infectious diseases consultation","volume":"78","author":"Schwartz","year":"2024","journal-title":"Clinical infectious diseases"},{"key":"2025121807031415900_ref381","article-title":"SSD: A Unified Frame- work for Self-Supervised Outlier Detection","author":"Sehwag","year":"2021","journal-title":"ICLR"},{"key":"2025121807031415900_ref382","article-title":".","author":"Shafahi","year":"2019","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref383","article-title":"Exploring the Landscape of Machine Unlearning: A Survey and Taxonomy","author":"Shaik","year":"2023","journal-title":"arXiv preprint arXiv:2305.06360"},{"key":"2025121807031415900_ref384","doi-asserted-by":"crossref","first-page":"2556","DOI":"10.18653\/v1\/P18-1238","article-title":"Concep- tual captions: A cleaned, hypernymed, image alt-text dataset for automatic image captioning","author":"Sharma","year":"2018","journal-title":"Proceedings of the 56th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers)"},{"key":"2025121807031415900_ref385","article-title":"Hot Pluggable Federated Learning","author":"Shen","year":"2024","journal-title":"International Workshop on Federated Foundation Models in Conjunction with NeurIPS 2024"},{"key":"2025121807031415900_ref386","article-title":"Finding mnemon: Reviving memories of node embeddings","author":"Shen","year":"2022","journal-title":"CCS"},{"key":"2025121807031415900_ref387","article-title":"Online Adversarial Purifica- tion based on Self-supervised Learning","author":"Shi","year":"2021","journal-title":"ICLR"},{"key":"2025121807031415900_ref388","article-title":"Replug: Retrieval-augmented black- box language models","author":"Shi","year":"2023","journal-title":"arXiv preprint 
arXiv:2301.12652"},{"key":"2025121807031415900_ref389","article-title":"Gradient Matching for Domain Generalization","author":"Shi","year":"2022","journal-title":"ICLR"},{"key":"2025121807031415900_ref390","doi-asserted-by":"crossref","DOI":"10.1080\/08839514.2023.2193461","article-title":"Towards Autonomous Driving Model Resistant to Adver- sarial Attack","author":"Shibly","year":"2023","journal-title":"Appl. Artif. Intell."},{"key":"2025121807031415900_ref391","article-title":"Member- ship inference attacks against machine learning models","author":"Shokri","year":"2017","journal-title":"SP"},{"key":"2025121807031415900_ref392","article-title":"Eclipse Attacks on Overlay Networks: Threats and Defenses","author":"Singh","year":"2006","journal-title":"IEEE INFOCOM"},{"key":"2025121807031415900_ref393","article-title":"Feder- ated Multi-Task Learning","author":"Smith","year":"2018"},{"key":"2025121807031415900_ref394","article-title":"Fixmatch: Simpli- fying semi-supervised learning with consistency and confidence","author":"Sohn","year":"2020","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref395","article-title":"Information leakage in embed- ding models","author":"Song","year":"2020","journal-title":"CCS"},{"key":"2025121807031415900_ref396","article-title":"Learning from noisy labels with deep neural networks: A survey","author":"Song","year":"2022","journal-title":"IEEE TNNLS"},{"key":"2025121807031415900_ref397","article-title":"A survey of the implementations of model inversion attacks","author":"Song","year":"2022","journal-title":"DCCN"},{"key":"2025121807031415900_ref398","article-title":"Stochastic gradient descent with differentially private updates","author":"Song","year":"2013","journal-title":"GlobalSIP"},{"key":"2025121807031415900_ref399","article-title":"Generative Modeling by Estimating Gradients of the Data Distribution","author":"Song","year":"2019","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref400","article-title":"Rankfeat: 
Rank-1 feature removal for out-of-distribution detection","author":"Song","year":"2022"},{"key":"2025121807031415900_ref401","doi-asserted-by":"crossref","DOI":"10.7551\/mitpress\/1754.001.0001","volume-title":"Causation, prediction, and search","author":"Spirtes","year":"2001"},{"key":"2025121807031415900_ref402","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-030-14880-5_2","article-title":"Asynchronous Federated Learning for Geospatial Applications","author":"Sprague","year":"2019","journal-title":"ECML PKDD 2018 Workshops"},{"issue":"3","key":"2025121807031415900_ref403","doi-asserted-by":"crossref","first-page":"257","DOI":"10.1016\/S1063-5203(03)00023-X","article-title":"Grassmannian frames with applications to coding and communication","volume":"14","author":"Strohmer","year":"2003","journal-title":"Applied and computa- tional harmonic analysis"},{"key":"2025121807031415900_ref404","article-title":"Plug and Play Attacks: Towards Robust and Flexible Model Inversion Attacks","author":"Struppek","year":"2022","journal-title":"ICML"},{"key":"2025121807031415900_ref405","article-title":"Confidence-Calibrated Adversarial Training: Generalizing to Unseen Attacks","author":"Stutz","year":"2020","journal-title":"ICML"},{"key":"2025121807031415900_ref406","article-title":"Deep CORAL: Correlation Alignment for Deep Domain Adaptation","author":"Sun","year":"2016","journal-title":"ECCV"},{"key":"2025121807031415900_ref407","first-page":"1","article-title":"MOSS: An Open Conversational Large Language Model","author":"Sun","year":"2024","journal-title":"Machine Intelligence Research"},{"key":"2025121807031415900_ref408","article-title":"Adaptive Federated Learning and Digital Twin for Industrial Internet of Things","author":"Sun","year":"2020","journal-title":"IEEE Transactions on Industrial Informatics"},{"key":"2025121807031415900_ref409","article-title":"ReAct: Out-of-distribution Detec- tion With Rectified 
Activations","author":"Sun","year":"2021","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref410","article-title":"DICE: Leveraging Sparsification for Out-of- Distribution Detection","author":"Sun","year":"2022","journal-title":"ECCV"},{"key":"2025121807031415900_ref411","article-title":"Out-of-distribution Detection with Deep Nearest Neighbors","author":"Sun","year":"2022","journal-title":"ICML"},{"key":"2025121807031415900_ref412","article-title":"Coprotector: Protect open-source code against unauthorized training usage with data poisoning","author":"Sun","year":"2022","journal-title":"WWW"},{"key":"2025121807031415900_ref413","article-title":"Intriguing properties of neural net- works","author":"Szegedy","year":"2014","journal-title":"ICLR"},{"key":"2025121807031415900_ref414","article-title":"CSI: Novelty Detection via Contrastive Learning on Distributionally Shifted Instances","author":"Tack","year":"2020","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref415","article-title":"Provably Invariant Learning without Domain Information","author":"Tan","year":"2023","journal-title":"ICML"},{"key":"2025121807031415900_ref416","article-title":"FedML Parrot: A Scalable Federated Learning System via Heterogeneity-aware Scheduling on Sequential and Hierarchical Training","author":"Tang","year":"2023","journal-title":"arXiv preprint arXiv:2303.01778"},{"key":"2025121807031415900_ref417","article-title":"FusionLLM: A Decentralized LLM Training System on Geo-distributed GPUs with Adaptive Compression","author":"Tang","year":"2024"},{"key":"2025121807031415900_ref418","article-title":"Communication-efficient decen- tralized learning with sparsification and adaptive peer selection","author":"Tang","year":"2020","journal-title":"2020 IEEE 40th International Conference on Distributed Computing Systems (ICDCS)"},{"key":"2025121807031415900_ref419","article-title":"Communication- efficient distributed deep learning: A comprehensive 
survey","author":"Tang","year":"2020","journal-title":"arXiv preprint arXiv:2003.06307"},{"key":"2025121807031415900_ref420","article-title":"GossipFL: A Decentral- ized Federated Learning Framework with Sparsified and Adaptive Communication","author":"Tang","year":"2022","journal-title":"IEEE Transactions on Parallel and Distributed Systems"},{"key":"2025121807031415900_ref421","article-title":"FuseFL: One-Shot Federated Learning through the Lens of Causality with Progressive Model Fusion","author":"Tang","year":"2024","journal-title":"The Thirty-eighth Annual Conference on Neural Information Processing Systems"},{"key":"2025121807031415900_ref422","doi-asserted-by":"crossref","DOI":"10.1145\/3673038.3673142","article-title":"Bandwidth-Aware and Overlap-Weighted Compression for Communication-Efficient Federated Learning","author":"Tang","year":"2024","journal-title":"53rd International Conference on Parallel Processing"},{"key":"2025121807031415900_ref423","article-title":"eSGD: Communication Efficient Distributed Deep Learning on the Edge","author":"Tao","year":"2018","journal-title":"USENIX Workshop on Hot Topics in Edge Computing (HotEdge 18)"},{"key":"2025121807031415900_ref424","article-title":"Gemini 1.5: Unlocking multimodal understanding across millions of tokens of context","author":"Team","year":"2024","journal-title":"arXiv preprint arXiv:2403.05530"},{"key":"2025121807031415900_ref425","article-title":"ID and OOD Performance Are Sometimes Inversely Correlated on Real-world Datasets","author":"Teney","year":"2023","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref426","article-title":"Un- rolling sgd: Understanding factors influencing machine unlearning","author":"Thudi","year":"2022","journal-title":"IEEE EuroS&P"},{"key":"2025121807031415900_ref427","article-title":"On the necessity of auditable algorithmic definitions for machine unlearning","author":"Thudi","year":"2022","journal-title":"USENIX 
Security"},{"key":"2025121807031415900_ref428","article-title":"Divide and contrast: Self-supervised learning from uncurated data","author":"Tian","year":"2021","journal-title":"ICCV"},{"key":"2025121807031415900_ref429","article-title":"Data poisoning attacks against federated learning systems","author":"Tolpegin","year":"2020","journal-title":"ESORICs"},{"key":"2025121807031415900_ref430","article-title":"Llama: Open and efficient foundation language models","author":"Touvron","year":"2023","journal-title":"arXiv preprint arXiv:2302.13971"},{"key":"2025121807031415900_ref431","article-title":"Embedding watermarks into deep neural networks","author":"Uchida","year":"2017","journal-title":"ICMR"},{"key":"2025121807031415900_ref432","article-title":"The inaturalist species classification and detection dataset","author":"Van","year":"2018","journal-title":"CVPR"},{"key":"2025121807031415900_ref433","article-title":"Principles of Risk Minimization for Learning Theory","author":"Vapnik","year":"1991","journal-title":"NIPS"},{"key":"2025121807031415900_ref434","article-title":"Causal inference using llm-guided discovery","author":"Vashishtha","year":"2023","journal-title":"arXiv preprint arXiv:2310.15117"},{"key":"2025121807031415900_ref435","article-title":"Operationalizing a threat model for red-teaming large language models (llms)","author":"Verma","year":"2024","journal-title":"arXiv preprint arXiv:2407.14937"},{"key":"2025121807031415900_ref436","article-title":"On Calibration and Out-of-Domain Generalization","author":"Wald","year":"2021","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref437","article-title":"SoLar: Sinkhorn Label Refinery for Imbalanced Partial-Label Learning","author":"Wang","year":"2022","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref438","article-title":"ViM: Out-Of-Distribution with Virtual-logit Matching","author":"Wang","year":"2022","journal-title":"CVPR"},{"key":"2025121807031415900_ref439","article-title":"Domain 
Specified Optimization for Deployment Authorization","author":"Wang","year":"2023","journal-title":"CVPR"},{"key":"2025121807031415900_ref440","article-title":"CLIPN for Zero-Shot OOD Detection: Teaching CLIP to Say No","author":"Wang","year":"2023","journal-title":"ICCV"},{"key":"2025121807031415900_ref441","article-title":"An llm-free multi-dimensional benchmark for mllms hallucination evaluation","author":"Wang","year":"2023","journal-title":"arXiv preprint arXiv:2311.07397"},{"key":"2025121807031415900_ref442","article-title":"Variational model inversion attacks","author":"Wang","year":"2021","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref443","article-title":"Generative adversarial networks: introduction and outlook","author":"Wang","year":"2017","journal-title":"IEEE\/CAA JAS"},{"key":"2025121807031415900_ref444","article-title":"Model Barrier: A Compact Un-Transferable Isolation Domain for Model Intellectual Property Protection","author":"Wang","year":"2023","journal-title":"CVPR"},{"key":"2025121807031415900_ref445","article-title":"Non- transferable learning: A new approach for model ownership ver- ification and applicability authorization","author":"Wang","year":"2022","journal-title":"ICLR"},{"key":"2025121807031415900_ref446","article-title":"Learning to augment distributions for out-of-distribution detection","author":"Wang","year":"2023","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref447","article-title":"Unlearning with Control: Assessing Real-world Utility for Large Language Model Unlearning","author":"Wang","year":"2024","journal-title":"arXiv preprint arXiv:2406.09179"},{"key":"2025121807031415900_ref448","article-title":"A Sober Look at the Robustness of CLIPs to Spurious Features","author":"Wang","year":"2024","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref449","article-title":"Probabilistic Margins for Instance Reweighting in Adversarial 
Training","author":"Wang","year":"2021","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref450","article-title":"Learning with group noise","author":"Wang","year":"2021","journal-title":"AAAI"},{"key":"2025121807031415900_ref451","article-title":"A Unified Analysis of Federated Learning with Arbitrary Client Participation","author":"Wang","year":"2022","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2025121807031415900_ref452","article-title":"Dataset Distillation","author":"Wang","year":"2020"},{"key":"2025121807031415900_ref453","doi-asserted-by":"crossref","DOI":"10.1016\/j.jpdc.2019.03.003","article-title":"The security of machine learning in an adversarial setting: A survey","author":"Wang","year":"2019","journal-title":"Journal of Parallel and Distributed Computing"},{"key":"2025121807031415900_ref454","article-title":"Balance, imbalance, and rebalance: Understanding robust overfitting from a minimax game perspective","author":"Wang","year":"2023","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref455","article-title":"Improving Adversarial Robustness Requires Revisiting Misclassified Examples","author":"Wang","year":"2020","journal-title":"ICLR"},{"key":"2025121807031415900_ref456","article-title":"Tackling the Data Heterogeneity in Asynchronous Federated Learning with Cached Update Calibration","author":"Wang","year":"2024","journal-title":"International Conference on Learning Representations"},{"key":"2025121807031415900_ref457","article-title":"Defending against Data-Free Model Extraction by Distributionally Robust Defensive Training","author":"Wang","year":"2024","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref458","article-title":"NoisyGL: A Comprehensive Benchmark for Graph Neural Networks under Label Noise","author":"Wang","year":"2024","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref459","article-title":"A unified generalization analysis of re-weighting and logit-adjustment for imbalanced learning","author":"Wang","year":"2024","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2025121807031415900_ref460","article-title":"Machine unlearning of features and labels","author":"Warnecke","year":"2023","journal-title":"NDSS"},{"key":"2025121807031415900_ref461","article-title":"Mitigating neural network overconfidence with logit normalization","author":"Wei","year":"2022","journal-title":"ICML"},{"key":"2025121807031415900_ref462","article-title":"Fairness Improves Learning from Noisily Labeled Long-Tailed Data","author":"Wei","year":"2023"},{"key":"2025121807031415900_ref463","article-title":"Robust Long-Tailed Learning under Label Noise","author":"Wei","year":"2021"},{"key":"2025121807031415900_ref464","article-title":"Clnode: Curriculum learning for node classification","author":"Wei","year":"2023","journal-title":"WSDM"},{"key":"2025121807031415900_ref465","article-title":"Jailbreak and guard aligned language models with only few in-context demonstrations","author":"Wei","year":"2023","journal-title":"arXiv preprint arXiv:2310.06387"},{"key":"2025121807031415900_ref466","article-title":"Treering watermarks: Fingerprints for diffusion images that are invisible and robust","author":"Wen","year":"2023","journal-title":"arXiv preprint arXiv:2305.20030"},{"key":"2025121807031415900_ref467","article-title":"Fast is better than free: Revisiting adversarial training","author":"Wong","year":"2020","journal-title":"ICLR"},{"key":"2025121807031415900_ref468","article-title":"Adversarial Weight Perturbation Helps Robust Generalization","author":"Wu","year":"2020","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref469","first-page":"1","article-title":"On decoder-only architecture for speech-to-text and large language model integration","author":"Wu","year":"2023","journal-title":"2023 IEEE Automatic Speech Recognition and Understanding Workshop (ASRU)"},{"key":"2025121807031415900_ref470","article-title":"Robust Heterophilic Graph Learning against Label Noise for Anomaly Detection","author":"Wu","year":"2024","journal-title":"IJCAI"},{"key":"2025121807031415900_ref471","first-page":"8659","article-title":"Adversarial robustness under long-tailed distribution","author":"Wu","year":"2021","journal-title":"Proceedings of the IEEE\/CVF conference on computer vision and pattern recognition"},{"key":"2025121807031415900_ref472","article-title":"Adversarial label flips attack on support vector machines","author":"Xiao","year":"2012","journal-title":"ECAI"},{"key":"2025121807031415900_ref473","doi-asserted-by":"crossref","DOI":"10.1609\/aaai.v38i14.29536","article-title":"Enhancing Evolving Domain Generalization through Dynamic Latent Representations","author":"Xie","year":"2024","journal-title":"AAAI"},{"key":"2025121807031415900_ref474","article-title":"Dba: Distributed backdoor attacks against federated learning","author":"Xie","year":"2019","journal-title":"ICLR"},{"key":"2025121807031415900_ref475","doi-asserted-by":"crossref","DOI":"10.1038\/s42256-023-00765-8","article-title":"Defending ChatGPT against jailbreak attack via self-reminders","author":"Xie","year":"2023","journal-title":"Nature Machine Intelligence"},{"key":"2025121807031415900_ref476","article-title":"Differential privacy stochastic gradient descent with adaptive privacy budget allocation","author":"Xie","year":"2021","journal-title":"ICCECE"},{"key":"2025121807031415900_ref477","article-title":"Asynchronous Federated Learning on Heterogeneous Devices: A Survey","author":"Xu","year":"2021","journal-title":"Computer Science Review"},{"key":"2025121807031415900_ref478","article-title":"Machine unlearning: A survey","author":"Xu","year":"2023","journal-title":"ACM Computing Surveys"},{"key":"2025121807031415900_ref479","article-title":"Hufu: A Modality-Agnostic Watermarking System for Pre-Trained Transformers via Permutation Equivariance","author":"Xu","year":"2024","journal-title":"arXiv preprint arXiv:2403.05842"},{"key":"2025121807031415900_ref480","article-title":"Instructional fingerprinting of large language models","author":"Xu","year":"2024","journal-title":"arXiv preprint arXiv:2401.12255"},{"key":"2025121807031415900_ref481","article-title":"Bandwidth Allocation for Multiple Federated Learning Services in Wireless Edge Networks","author":"Xu","year":"2021","journal-title":"CoRR"},{"key":"2025121807031415900_ref482","article-title":"An LLM can Fool Itself: A Prompt-Based Adversarial Attack","author":"Xu","year":"2024","journal-title":"ICLR"},{"key":"2025121807031415900_ref483","article-title":"Intellectual property protection for deep learning models: Taxonomy, methods, attacks, and evaluations","author":"Xue","year":"2021","journal-title":"IEEE Transactions on Artificial Intelligence"},{"key":"2025121807031415900_ref484","article-title":"Toward understanding the influence of individual clients in federated learning","author":"Xue","year":"2021","journal-title":"AAAI"},{"key":"2025121807031415900_ref485","article-title":"Membership inference attacks against deep learning models via logits distribution","author":"Yan","year":"2022","journal-title":"IEEE TDSC"},{"key":"2025121807031415900_ref486","article-title":"Generative poisoning attack method against neural networks","author":"Yang","year":"2017","journal-title":"arXiv preprint arXiv:1703.01340"},{"key":"2025121807031415900_ref487","article-title":"Anarchic Federated Learning","author":"Yang","year":"2022","journal-title":"Proceedings of the 39th International Conference on Machine Learning"},{"key":"2025121807031415900_ref488","doi-asserted-by":"crossref","DOI":"10.1007\/s11263-024-02117-4","article-title":"Generalized out-of-distribution detection: A survey","author":"Yang","year":"2024","journal-title":"IJCV"},{"key":"2025121807031415900_ref489","article-title":"Bicro: Noisy correspondence rectification for multi-modality data via bi-directional cross-modal similarity consistency","author":"Yang","year":"2023","journal-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition"},{"key":"2025121807031415900_ref490","first-page":"37991","article-title":"Inducing neural collapse in imbalanced learning: Do we really need a learnable classifier at the end of deep neural network?","volume":"35","author":"Yang","year":"2022","journal-title":"Advances in neural information processing systems"},{"key":"2025121807031415900_ref491","article-title":"Change is Hard: A Closer Look at Subpopulation Shift","author":"Yang","year":"2023","journal-title":"ICML"},{"key":"2025121807031415900_ref492","article-title":"Adversarial neural network inversion via auxiliary knowledge alignment","author":"Yang","year":"2019","journal-title":"arXiv preprint arXiv:1902.08552"},{"key":"2025121807031415900_ref493","article-title":"Empowering Graph Invariance Learning with Deep Spurious Infomax","author":"Yao","year":"2024","journal-title":"ICML"},{"key":"2025121807031415900_ref494","doi-asserted-by":"crossref","DOI":"10.1609\/aaai.v34i07.6959","article-title":"Deep discriminative CNN with temporal ensembling for ambiguously-labeled image classification","author":"Yao","year":"2020","journal-title":"AAAI"},{"key":"2025121807031415900_ref495","article-title":".","author":"Yao","year":"2024","journal-title":"High-Confidence Computing"},{"key":"2025121807031415900_ref496","article-title":"Leave-one-out distinguishability in machine learning","author":"Ye","year":"2023","journal-title":"arXiv preprint arXiv:2309.17310"},{"key":"2025121807031415900_ref497","article-title":"Enhanced membership inference attacks against machine learning models","author":"Ye","year":"2022","journal-title":"ACM SIGSAC"},{"key":"2025121807031415900_ref498","article-title":"Privacy risk in machine learning: Analyzing the connection to overfitting","author":"Yeom","year":"2018","journal-title":"IEEE CSF"},{"key":"2025121807031415900_ref499","article-title":"Jailbreak attacks and defenses against large language models: A survey","author":"Yi","year":"2024","journal-title":"arXiv preprint arXiv:2407.04295"},{"key":"2025121807031415900_ref500","first-page":"5704","article-title":"Feature transfer learning for face recognition with under-represented data","author":"Yin","year":"2019","journal-title":"Proceedings of the IEEE\/CVF conference on computer vision and pattern recognition"},{"key":"2025121807031415900_ref501","article-title":"Federated Continual Learning with Weighted Inter-client Transfer","author":"Yoon","year":"2021","journal-title":"Proceedings of the 38th International Conference on Machine Learning"},{"key":"2025121807031415900_ref502","article-title":"Adversarial Purification with Score-based Generative Models","author":"Yoon","year":"2021","journal-title":"ICML"},{"key":"2025121807031415900_ref503","article-title":"Understanding robust overfitting of adversarial training and beyond","author":"Yu","year":"2022","journal-title":"ICML"},{"key":"2025121807031415900_ref504","article-title":"Large scale private learning via low-rank reparametrization","author":"Yu","year":"2021","journal-title":"ICML"},{"key":"2025121807031415900_ref505","article-title":"Maximum margin partial label learning","author":"Yu","year":"2016","journal-title":"ACML"},{"key":"2025121807031415900_ref506","article-title":"Hallucidoctor: Mitigating hallucinatory toxicity in visual instruction data","author":"Yu","year":"2024","journal-title":"CVPR"},{"key":"2025121807031415900_ref507","article-title":"Salvaging federated learning by local adaptation","author":"Yu","year":"2020","journal-title":"arXiv preprint arXiv:2002.04758"},{"key":"2025121807031415900_ref508","article-title":"Learning on graphs under label noise","author":"Yuan","year":"2023","journal-title":"ICASSP"},{"key":"2025121807031415900_ref509","article-title":"Pseudo label-guided model inversion attack via conditional generative adversarial network","author":"Yuan","year":"2023","journal-title":"AAAI"},{"key":"2025121807031415900_ref510","article-title":"Gpt-4 is too smart to be safe: Stealthy chat with llms via cipher","author":"Yuan","year":"2024","journal-title":"ICLR"},{"key":"2025121807031415900_ref511","article-title":"Less is more: Mitigating multi-modal hallucination from an eos decision perspective","author":"Yue","year":"2024","journal-title":"arXiv preprint arXiv:2402.14545"},{"key":"2025121807031415900_ref512","article-title":"Low-Cost High-Power Membership Inference Attacks","author":"Zarifzadeh","year":"2024","journal-title":"ICML"},{"key":"2025121807031415900_ref513","article-title":"Barlow twins: Self-supervised learning via redundancy reduction","author":"Zbontar","year":"2021","journal-title":"ICML"},{"key":"2025121807031415900_ref514","article-title":"Causal parrots: Large language models may talk causality but are not causal","author":"Ze\u010devi\u0107","year":"2023","journal-title":"arXiv preprint arXiv:2308.13067"},{"key":"2025121807031415900_ref515","article-title":"Huref: Human-readable fingerprint for large language models","author":"Zeng","year":"2023","journal-title":"NeurIPS"},{"key":"2025121807031415900_ref516","article-title":"Unsupervised Non-transferable Text Classification","author":"Zeng","year":"2022","journal-title":"EMNLP"},{"key":"2025121807031415900_ref517","article-title":"How johnny can persuade llms to jailbreak them: Rethinking persuasion to challenge ai safety by humanizing llms","author":"Zeng","year":"2024","journal-title":"ACL"},{"key":"2025121807031415900_ref518","article-title":"Autodefense: Multi-agent llm defense against jailbreak attacks","author":"Zeng","year":"2024","journal-title":"arXiv preprint arXiv:2403.04783"},{"key":"2025121807031415900_ref519","article-title":"Understanding Why Generalized Reweighting Does Not Improve Over ERM","author":"Zhai","year":"2023","journal-title":"ICLR"},{"key":"2025121807031415900_ref520","article-title":"A survey on federated learning","author":"Zhang","year":"2021","journal-title":"Knowledge-Based Systems"},{"key":"2025121807031415900_ref521","doi-asserted-by":"crossref","DOI":"10.1145\/3446776","article-title":"Understanding deep learning (still) requires rethinking generalization","author":"Zhang","year":"2021","journal-title":"Communications of the ACM"},{"key":"2025121807031415900_ref522","article-title":"Forget-Me-Not: Learning to Forget in Text-to-Image Diffusion Models","author":"Zhang","year":"2023","journal-title":"arXiv preprint arXiv:2211.08332"},{"key":"2025121807031415900_ref523","article-title":"Theoretically Principled Trade-off between Robustness and Accuracy","author":"Zhang","year":"2019","journal-title":"ICML"},{"key":"2025121807031415900_ref524","article-title":"Improving Accuracy-robustness Trade-off via Pixel Reweighted Adversarial Training","author":"Zhang","year":"2024","journal-title":"ICML"},{"key":"2025121807031415900_ref525","article-title":"PoisonGAN: Generative poisoning attacks against federated learning in edge computing systems","author":"Zhang","year":"2020","journal-title":"IEEE Internet of Things Journal"},{"key":"2025121807031415900_ref526","article-title":"Rich Feature Construction for the Optimization-Generalization Dilemma","author":"Zhang","year":"2022"},{"key":"2025121807031415900_ref527","article-title":"Dense: Data-free one-shot federated learning","author":"Zhang","year":"2022","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2025121807031415900_ref528","doi-asserted-by":"crossref","DOI":"10.1109\/TPAMI.2021.3064850","article-title":"Deep model intellectual property protection via deep watermarking","author":"Zhang","year":"2021","journal-title":"IEEE Transactions on Pattern Analysis and Machine Intelligence"},{"key":"2025121807031415900_ref529","article-title":"Geometry-aware Instance-reweighted Adversarial Training","author":"Zhang","year":"2021","journal-title":"ICLR"},{"key":"2025121807031415900_ref530","article-title":"Out-of-distribution detection based on in-distribution data patterns memorization with modern hopfield energy","author":"Zhang","year":"2023","journal-title":"ICLR"},{"key":"2025121807031415900_ref531","article-title":"Correct-N-Contrast: a Contrastive Approach for Improving Robustness to Spurious Correlations","author":"Zhang","year":"2022","journal-title":"ICML"},{"key":"2025121807031415900_ref532","article-title":"Partial label learning via feature-aware disambiguation","author":"Zhang","year":"2016","journal-title":"SIGKDD"},{"key":"2025121807031415900_ref533","article-title":"How language model hallucinations can snowball","author":"Zhang","year":"2023","journal-title":"arXiv preprint arXiv:2305.13534"},{"key":"2025121807031415900_ref534","article-title":"Text Revealer: Private Text Reconstruction via Model Inversion Attacks against Transformers","author":"Zhang","year":"2022","journal-title":"arXiv preprint arXiv:2209.10505"},{"key":"2025121807031415900_ref535","article-title":"Detecting Adversarial Data by Probing Multiple Perturbations Using Expected Perturbation Score","author":"Zhang","year":"2023","journal-title":"ICML"},{"key":"2025121807031415900_ref536","first-page":"2361","article-title":"Distribution alignment: A unified framework for long-tail visual recognition","author":"Zhang","year":"2021","journal-title":"Proceedings of the IEEE\/CVF conference on computer vision and pattern recognition"},{"key":"2025121807031415900_ref537","article-title":"Long-tailed diffusion models with oriented calibration","author":"Zhang","year":"2024","journal-title":"ICLR"},{"key":"2025121807031415900_ref538","article-title":"The secret revealer: Generative model-inversion attacks against deep neural networks","author":"Zhang","year":"2020","journal-title":"CVPR"},{"key":"2025121807031415900_ref539","article-title":"Deep long-tailed learning: A survey","author":"Zhang","year":"2023","journal-title":"IEEE TPAMI"},{"key":"2025121807031415900_ref540","article-title":"Deep long-tailed learning: A survey","author":"Zhang","year":"2023","journal-title":"TPAMI"},{"key":"2025121807031415900_ref541","article-title":"CausalAdv: Adversarial Robustness through the Lens of Causality","author":"Zhang","year":"2022","journal-title":"ICLR"},{"key":"2025121807031415900_ref542","article-title":"Siren\u2019s song in the AI ocean: a survey on hallucination in large language models","author":"Zhang","year":"2023","journal-title":"arXiv preprint arXiv:2309.01219"},{"key":"2025121807031415900_ref543","article-title":"Inference attacks against graph neural networks","author":"Zhang","year":"2022","journal-title":"USENIX Security"},{"key":"2025121807031415900_ref544","article-title":"Graphmi: Extracting private graph data from graph neural networks","author":"Zhang","year":"2021","journal-title":"IJCAI"},{"issue":"5","key":"2025121807031415900_ref545","first-page":"5091","article-title":"Modality-invariant asymmetric networks for cross-modal hashing","volume":"35","author":"Zhang","year":"2022","journal-title":"IEEE Transactions on Knowledge and Data Engineering"},{"key":"2025121807031415900_ref546","article-title":"PARDEN, Can You Repeat That? Defending against Jailbreaks via Repetition","author":"Zhang","year":"2024","journal-title":"arXiv preprint arXiv:2405.07932"},{"key":"2025121807031415900_ref547","article-title":"On Learning Invariant Representations for Domain Adaptation","author":"Zhao","year":"2019","journal-title":"ICML"},{"key":"2025121807031415900_ref548","article-title":"Fundamental Limits and Tradeoffs in Invariant Representation Learning","author":"Zhao","year":"2022","journal-title":"Journal of Machine Learning Research"},{"key":"2025121807031415900_ref549","article-title":"Efficient label contamination attacks against black-box learning models.","author":"Zhao","year":"2017","journal-title":"IJCAI"},{"key":"2025121807031415900_ref550","doi-asserted-by":"crossref","first-page":"5823","DOI":"10.18653\/v1\/2023.acl-long.320","article-title":"Verify-and-Edit: A Knowledge-Enhanced Chain-of-Thought Framework","author":"Zhao","year":"2023","journal-title":"Proceedings of the 61st Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers)"},{"key":"2025121807031415900_ref551","article-title":"Provable robust watermarking for ai-generated text","author":"Zhao","year":"2023","journal-title":"arXiv preprint arXiv:2306.17439"},{"key":"2025121807031415900_ref552","article-title":"Protecting language generation models via invisible watermarking","author":"Zhao","year":"2023","journal-title":"ICML"},{"key":"2025121807031415900_ref553","article-title":"Watermarking for Large Language Model","author":"Zhao","year":"2024","journal-title":"Tutorials of ACL"},{"key":"2025121807031415900_ref554","article-title":"Weak-to-strong jailbreaking on large language models","author":"Zhao","year":"2024","journal-title":"arXiv preprint arXiv:2401.17256"},{"key":"2025121807031415900_ref555","article-title":"Knowing what llms do not know: A simple yet effective self-detection method","author":"Zhao","year":"2023","journal-title":"arXiv preprint arXiv:2310.17918"},{"key":"2025121807031415900_ref556","article-title":"A recipe for watermarking diffusion models","author":"Zhao","year":"2023","journal-title":"arXiv preprint arXiv:2303.10137"},{"key":"2025121807031415900_ref557","first-page":"27381","article-title":"Mitigating Noisy Correspondence by Geometrical Structure Consistency Learning","author":"Zhao","year":"2024","journal-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition"},{"key":"2025121807031415900_ref558","first-page":"10394","article-title":"Deep supervised cross-modal retrieval","author":"Zhen","year":"2019","journal-title":"Proceedings of the IEEE\/CVF conference on computer vision and pattern recognition"},{"key":"2025121807031415900_ref559","article-title":"BEM: Balanced and Entropy-Based Mix for Long-Tailed Semi-Supervised Learning","author":"Zheng","year":"2024","journal-title":"CVPR"},{"key":"2025121807031415900_ref560","article-title":"Towards Efficient Training and Evaluation of Robust Models against l_0 Bounded Adversarial Perturbations","author":"Zhong","year":"2023","journal-title":"ICML"},{"key":"2025121807031415900_ref561","article-title":"A comprehensive survey on pretrained foundation models: A history from bert to chatgpt","author":"Zhou","year":"2024","journal-title":"International Journal of Machine Learning and Cybernetics"},{"key":"2025121807031415900_ref562","article-title":"Distilled one-shot federated learning","author":"Zhou","year":"2020","journal-title":"arXiv preprint arXiv:2009.07999"},{"key":"2025121807031415900_ref563","article-title":"CausalBench: A Comprehensive Benchmark for Causal Learning Capability of Large Language Models","author":"Zhou","year":"2024","journal-title":"arXiv preprint arXiv:2404.06349"},{"key":"2025121807031415900_ref564","article-title":"On Strengthening and Defending Graph Reconstruction Attack with Markov Chain Approximation","author":"Zhou","year":"2023","journal-title":"ICML"},{"issue":"1","key":"2025121807031415900_ref565","doi-asserted-by":"crossref","first-page":"44","DOI":"10.1093\/nsr\/nwx106","article-title":"A brief introduction to weakly supervised learning","volume":"5","author":"Zhou","year":"2017","journal-title":"National Science Review"},{"key":"2025121807031415900_ref566","article-title":".","author":"Zhou","year":"2023"},{"key":"2025121807031415900_ref567","article-title":"Contrastive Learning with Boosted Memorization","author":"Zhou","year":"2022","journal-title":"ICML"},{"key":"2025121807031415900_ref568","article-title":"Transferable clean-label poisoning attacks on deep neural nets","author":"Zhu","year":"2019","journal-title":"ICML"},{"key":"2025121807031415900_ref569","doi-asserted-by":"crossref","DOI":"10.1016\/j.patrec.2022.10.017","article-title":"Adversarial training of LSTM-ED based anomaly detection for complex time-series in cyber-physical-social systems","author":"Zhu","year":"2022","journal-title":"Pattern Recognit. Lett."},{"key":"2025121807031415900_ref570","article-title":"Decoupling the Class Label and the Target Concept in Machine Unlearning","author":"Zhu","year":"2024","journal-title":"arXiv preprint arXiv:2406.08288"},{"key":"2025121807031415900_ref571","volume-title":"Introduction to semi-supervised learning","author":"Zhu","year":"2022"},{"key":"2025121807031415900_ref572","article-title":"Semi-supervised learning literature survey","author":"Zhu","year":"2005"},{"key":"2025121807031415900_ref573","article-title":"Robust Node Classification on Graph Data with Graph and Label Noise","author":"Zhu","year":"2024","journal-title":"AAAI"},{"key":"2025121807031415900_ref574","article-title":"A comprehensive survey on transfer learning","author":"Zhuang","year":"2020","journal-title":"Proceedings of the IEEE"},{"key":"2025121807031415900_ref575","article-title":"Universal and transferable adversarial attacks on aligned language models","author":"Zou","year":"2023","journal-title":"arXiv preprint arXiv:2307.15043"}],"container-title":["Foundations and Trends\u00ae in Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/ftsec\/article-pdf\/7\/2-3\/74\/11046591\/3300000043en.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/www.emerald.com\/ftsec\/article-pdf\/7\/2-3\/74\/11046591\/3300000043en.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,18]],"date-time":"2025-12-18T12:04:15Z","timestamp":1766059455000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.emerald.com\/ftsec\/article\/7\/2-3\/74\/1328590\/Trustworthy-Machine-Learning-From-Data-to-Models"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4,29]]},"references-count":575,"journal-issue":{"issue":"2-3","published-print":{"date-parts":[[2025,4,29]]}},"URL":"https:\/\/doi.org\/10.1561\/3300000043","relation":{},"ISSN":["2474-1558","2474-1566"],"issn-type":[{"value":"2474-1558","type":"print"},{"value":"2474-1566","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,4,29]]}}}