References

Abadi et al., 2016

Abadi, M., Chu, A., Goodfellow, I., McMahan, H. B., Mironov, I., Talwar, K., & Zhang, L. (2016). Deep learning with differential privacy. ACM SIGSAC Conference on Computer and Communications Security (pp. 308–318).

Adi et al., 2018

Adi, Y., Baum, C., Cisse, M., Pinkas, B., & Keshet, J. (2018). Turning your weakness into a strength: watermarking deep neural networks by backdooring. USENIX Security Symposium (pp. 1615–1631).

Agarwal et al., 2020

Agarwal, S., Farid, H., Fried, O., & Agrawala, M. (2020). Detecting deep-fake videos from phoneme-viseme mismatches. IEEE/CVF Computer Vision and Pattern Recognition Conference Workshop.

Alayrac et al., 2019

Alayrac, J.-B., Uesato, J., Huang, P.-S., Fawzi, A., Stanforth, R., & Kohli, P. (2019). Are labels required for improving adversarial robustness? Advances in Neural Information Processing Systems, 32.

Amerini et al., 2019

Amerini, I., Galteri, L., Caldelli, R., & Del Bimbo, A. (2019). Deepfake video detection through optical flow based cnn. International Conference on Computer Vision Workshop.

Amsaleg et al., 2015

Amsaleg, L., Chelly, O., Furon, T., Girard, S., Houle, M. E., Kawarabayashi, K.-i., & Nett, M. (2015). Estimating local intrinsic dimensionality. ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (pp. 29–38).

Andriushchenko et al., 2020

Andriushchenko, M., Croce, F., Flammarion, N., & Hein, M. (2020). Square attack: a query-efficient black-box adversarial attack via random search. European Conference on Computer Vision (pp. 484–501).

Aono et al., 2017

Aono, Y., Hayashi, T., Wang, L., Moriai, S., & others. (2017). Privacy-preserving deep learning via additively homomorphic encryption. IEEE Transactions on Information Forensics and Security, 13(5), 1333–1345.

Ateniese et al., 2015

Ateniese, G., Mancini, L. V., Spognardi, A., Villani, A., Vitali, D., & Felici, G. (2015). Hacking smart machines with smarter ones: how to extract meaningful data from machine learning classifiers. International Journal of Security and Networks, 10(3), 137–150.

Athalye et al., 2018a

Athalye, A., Carlini, N., & Wagner, D. (2018). Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples. International Conference on Machine Learning (pp. 274–283).

Athalye et al., 2018b

Athalye, A., Engstrom, L., Ilyas, A., & Kwok, K. (2018). Synthesizing robust adversarial examples. International Conference on Machine Learning (pp. 284–293).

Bagdasaryan et al., 2020

Bagdasaryan, E., Veit, A., Hua, Y., Estrin, D., & Shmatikov, V. (2020). How to backdoor federated learning. International Conference on Artificial Intelligence and Statistics (pp. 2938–2948).

Bai et al., 2020a

Bai, Y., Zeng, Y., Jiang, Y., Xia, S.-T., Ma, X., & Wang, Y. (2020). Improving adversarial robustness via channel-wise activation suppressing. International Conference on Learning Representations.

Bai et al., 2020b

Bai, Y., Guo, Y., Wei, J., Lu, L., Wang, R., & Wang, Y. (2020). Fake generated painting detection via frequency analysis. IEEE International Conference on Image Processing.

Bai et al., 2021

Bai, Y., Mei, J., Yuille, A. L., & Xie, C. (2021). Are transformers more robust than cnns? Advances in Neural Information Processing Systems, 34, 26831–26843.

Barreno et al., 2006

Barreno, M., Nelson, B., Sears, R., Joseph, A. D., & Tygar, J. D. (2006). Can machine learning be secure? ACM Symposium on Information, Computer and Communications Security (pp. 16–25).

Basu et al., 2021

Basu, S., Pope, P., & Feizi, S. (2021). Influence functions in deep learning are fragile. International Conference on Learning Representations.

Belghazi et al., 2018

Belghazi, M. I., Baratin, A., Rajeswar, S., Ozair, S., Bengio, Y., Courville, A., & Hjelm, R. D. (2018). Mine: mutual information neural estimation. arXiv preprint arXiv:1801.04062.

Bendale & Boult, 2016

Bendale, A., & Boult, T. E. (2016). Towards open set deep networks. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 1563–1572).

Bender et al., 2018

Bender, G., Kindermans, P.-J., Zoph, B., Vasudevan, V., & Le, Q. (2018). Understanding and simplifying one-shot architecture search. International Conference on Machine Learning (pp. 550–559).

Bengio & others, 2009

Bengio, Y., & others. (2009). Learning deep architectures for ai. Foundations and Trends® in Machine Learning, 2(1), 1–127.

Bhagoji et al., 2017

Bhagoji, A. N., Cullina, D., & Mittal, P. (2017). Dimensionality reduction as a defense against evasion attacks on machine learning classifiers. arXiv preprint arXiv:1704.02654, 2(1).

Bhojanapalli et al., 2021

Bhojanapalli, S., Chakrabarti, A., Glasner, D., Li, D., Unterthiner, T., & Veit, A. (2021). Understanding robustness of transformers for image classification. IEEE/CVF International Conference on Computer Vision (pp. 10231–10241).

Biggio et al., 2013

Biggio, B., Corona, I., Maiorca, D., Nelson, B., Šrndić, N., Laskov, P., … Roli, F. (2013). Evasion attacks against machine learning at test time. Joint European Conference on Machine Learning and Knowledge Discovery in Databases (pp. 387–402).

Biggio et al., 2012

Biggio, B., Nelson, B., & Laskov, P. (2012). Poisoning attacks against support vector machines. International Conference on International Conference on Machine Learning (pp. 1467–1474). Madison, WI, USA: Omnipress.

Blanchard et al., 2017

Blanchard, P., Mhamdi, E., Guerraoui, R., & Stainer, J. (2017). Machine learning with adversaries: byzantine tolerant gradient descent. Advances in Neural Information Processing Systems, 30.

Bone et al., 2014

Bone, D., Li, M., Black, M. P., & Narayanan, S. S. (2014). Intoxicated speech detection: a fusion framework with speaker-normalized hierarchical functionals and gmm supervectors. Computer Speech & Language, 28(2), 375–391.

Boneh et al., 2005

Boneh, D., Goh, E.-J., & Nissim, K. (2005). Evaluating 2-dnf formulas on ciphertexts. Theory of Cryptography Conference (pp. 325–341).

Borgnia et al., 2021

Borgnia, E., Cherepanova, V., Fowl, L., Ghiasi, A., Geiping, J., Goldblum, M., … Gupta, A. (2021). Strong data augmentation sanitizes poisoning and backdoor attacks without an accuracy tradeoff. IEEE International Conference on Acoustics, Speech and Signal Processing (pp. 3855–3859).

Botoeva et al., 2020

Botoeva, E., Kouvaros, P., Kronqvist, J., Lomuscio, A., & Misener, R. (2020). Efficient verification of relu-based neural networks via dependency analysis. AAAI Conference on Artificial Intelligence (pp. 3291–3299).

Brakerski et al., 2014

Brakerski, Z., Gentry, C., & Vaikuntanathan, V. (2014). (leveled) fully homomorphic encryption without bootstrapping. ACM Transactions on Computation Theory, 6(3), 1–36.

Brendel et al., 2018

Brendel, W., Rauber, J., & Bethge, M. (2018). Decision-based adversarial attacks: reliable attacks against black-box machine learning models. International Conference on Learning Representations.

Brown et al., 2017

Brown, T. B., Mané, D., Roy, A., Abadi, M., & Gilmer, J. (2017). Adversarial patch. arXiv preprint arXiv:1712.09665.

Buades et al., 2005

Buades, A., Coll, B., & Morel, J.-M. (2005). A non-local algorithm for image denoising. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 60–65).

Bunel et al., 2020

Bunel, R., Mudigonda, P., Turkaslan, I., Torr, P., Lu, J., & Kohli, P. (2020). Branch and bound for piecewise linear neural network verification. Journal of Machine Learning Research, 21(2020).

Cai et al., 2018

Cai, Q.-Z., Liu, C., & Song, D. (2018). Curriculum adversarial training. International Joint Conference on Artificial Intelligence (pp. 3740–3747).

Cao et al., 2022

Cao, J., Ma, C., Yao, T., Chen, S., Ding, S., & Yang, X. (2022). End-to-end reconstruction-classification learning for face forgery detection. IEEE/CVF Computer Vision and Pattern Recognition Conference.

Cao et al., 2021a

Cao, S., Zou, Q., Mao, X., Ye, D., & Wang, Z. (2021). Metric learning for anti-compression facial forgery detection. ACM International Conference on Multimedia.

Cao et al., 2021b

Cao, X., Jia, J., & Gong, N. Z. (2021). Ipguard: protecting intellectual property of deep neural networks via fingerprinting the classification boundary. ACM Asia Conference on Computer and Communications Security (pp. 14–25).

Cao et al., 2021c

Cao, Y., Wang, N., Xiao, C., Yang, D., Fang, J., Yang, R., … Li, B. (2021). Invisible for both camera and lidar: security of multi-sensor fusion based perception in autonomous driving under physical-world attacks. IEEE Symposium on Security and Privacy (pp. 176–194).

Carlini et al., 2020

Carlini, N., Jagielski, M., & Mironov, I. (2020). Cryptanalytic extraction of neural network models. Annual International Cryptology Conference (pp. 189–218).

Carlini et al., 2019

Carlini, N., Liu, C., Erlingsson, Ú., Kos, J., & Song, D. (2019). The secret sharer: evaluating and testing unintended memorization in neural networks. USENIX Security Symposium (pp. 267–284).

Carlini et al., 2021

Carlini, N., Tramer, F., Wallace, E., Jagielski, M., Herbert-Voss, A., Lee, K., … others. (2021). Extracting training data from large language models. USENIX Security Symposium (pp. 2633–2650).

Carlini & Wagner, 2016

Carlini, N., & Wagner, D. (2016). Defensive distillation is not robust to adversarial examples. arXiv preprint arXiv:1607.04311.

Carlini & Wagner, 2017a

Carlini, N., & Wagner, D. (2017). Adversarial examples are not easily detected: bypassing ten detection methods. ACM Workshop on Artificial Intelligence and Security (pp. 3–14).

Carlini & Wagner, 2017b

Carlini, N., & Wagner, D. (2017). Magnet and "efficient defenses against adversarial attacks" are not robust to adversarial examples. arXiv preprint arXiv:1711.08478.

Carlini & Wagner, 2017c

Carlini, N., & Wagner, D. (2017). Towards evaluating the robustness of neural networks. IEEE Symposium on Security and Privacy (pp. 39–57).

Carmon et al., 2019

Carmon, Y., Raghunathan, A., Schmidt, L., Duchi, J. C., & Liang, P. S. (2019). Unlabeled data improves adversarial robustness. Advances in Neural Information Processing Systems, 32.

Caron et al., 2018

Caron, M., Bojanowski, P., Joulin, A., & Douze, M. (2018). Deep clustering for unsupervised learning of visual features. European Conference on Computer Vision (pp. 132–149).

Cazenavette et al., 2021

Cazenavette, G., Murdock, C., & Lucey, S. (2021). Architectural adversarial robustness: the case for deep pursuit. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 7150–7158).

Chan et al., 2022

Chan, S.-H., Dong, Y., Zhu, J., Zhang, X., & Zhou, J. (2022). Baddet: backdoor attacks on object detection. arXiv preprint arXiv:2205.14497.

Chang et al., 2000

Chang, S. G., Yu, B., & Vetterli, M. (2000). Adaptive wavelet thresholding for image denoising and compression. IEEE Transactions on Image Processing, 9(9), 1532–1546.

Chaudhuri & Monteleoni, 2008

Chaudhuri, K., & Monteleoni, C. (2008). Privacy-preserving logistic regression. Advances in Neural Information Processing Systems, 21.

Chen et al., 2018a

Chen, B., Carvalho, W., Baracaldo, N., Ludwig, H., Edwards, B., Lee, T., … Srivastava, B. (2018). Detecting backdoor attacks on deep neural networks by activation clustering. arXiv preprint arXiv:1811.03728.

Chen et al., 2018b

Chen, F., Luo, M., Dong, Z., Li, Z., & He, X. (2018). Federated meta-learning with fast convergence and efficient communication. arXiv preprint arXiv:1802.07876.

Chen et al., 2020a

Chen, H., Zhang, B., Xue, S., Gong, X., Liu, H., Ji, R., & Doermann, D. (2020). Anti-bandit neural architecture search for model defense. European Conference on Computer Vision (pp. 70–85).

Chen et al., 2019

Chen, H., Fu, C., Zhao, J., & Koushanfar, F. (2019). Deepinspect: a black-box trojan detection and mitigation framework for deep neural networks. International Joint Conference on Artificial Intelligence (pp. 4658–4664).

Chen et al., 2022

Chen, J., Wang, J., Peng, T., Sun, Y., Cheng, P., Ji, S., … Song, D. (2022). Copy, right? a testing framework for copyright protection of deep learning models. IEEE Symposium on Security and Privacy (pp. 824–841).

Chen et al., 2015

Chen, J., Kang, X., Liu, Y., & Wang, Z. J. (2015). Median filtering forensics based on convolutional neural networks. IEEE Signal Processing Letters, 22(11), 1849–1853.

Chen et al., 2021a

Chen, K., Meng, Y., Sun, X., Guo, S., Zhang, T., Li, J., & Fan, C. (2021). Badpre: task-agnostic backdoor attacks to pre-trained nlp foundation models. arXiv preprint arXiv:2110.02467.

Chen et al., 2017a

Chen, P.-Y., Zhang, H., Sharma, Y., Yi, J., & Hsieh, C.-J. (2017). Zoo: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. ACM Workshop on Artificial Intelligence and Security (pp. 15–26).

Chen et al., 2020b

Chen, R., Chen, X., Ni, B., & Ge, Y. (2020). Simswap: an efficient framework for high fidelity face swapping. ACM International Conference on Multimedia (pp. 2003–2011).

Chen et al., 2021b

Chen, S., Yao, T., Chen, Y., Ding, S., Li, J., & Ji, R. (2021). Local relation learning for face forgery detection. AAAI Conference on Artificial Intelligence.

Chen et al., 2021c

Chen, T., Zhang, Z., Liu, S., Chang, S., & Wang, Z. (2021). Robust overfitting may be mitigated by properly learned smoothening. International Conference on Learning Representations.

Chen et al., 2021d

Chen, X., Salem, A., Chen, D., Backes, M., Ma, S., Shen, Q., … Zhang, Y. (2021). Badnl: backdoor attacks against nlp models with semantic-preserving improvements. Annual Computer Security Applications Conference (pp. 554–569).

Chen et al., 2017b

Chen, X., Liu, C., Li, B., Lu, K., & Song, D. (2017). Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526.

Chen & Yang, 2021

Chen, Z., & Yang, H. (2021). Attentive semantic exploring for manipulated face detection. IEEE International Conference on Acoustics, Speech and Signal Processing.

Cheng et al., 2021

Cheng, K., Fan, T., Jin, Y., Liu, Y., Chen, T., Papadopoulos, D., & Yang, Q. (2021). Secureboost: a lossless federated learning framework. IEEE Intelligent Systems, 36(6), 87–98.

Cheng et al., 2019a

Cheng, M., Le, T., Chen, P.-Y., Zhang, H., Yi, J., & Hsieh, C.-J. (2019). Query-efficient hard-label black-box attack: an optimization-based approach. International Conference on Learning Representation.

Cheng et al., 2019b

Cheng, S., Dong, Y., Pang, T., Su, H., & Zhu, J. (2019). Improving black-box adversarial attacks with a transfer-based prior. Advances in Neural Information Processing Systems, 32.

Cho et al., 2014

Cho, K., Van Merriënboer, B., Bahdanau, D., & Bengio, Y. (2014). On the properties of neural machine translation: encoder-decoder approaches. arXiv preprint arXiv:1409.1259.

Ciftci et al., 2020

Ciftci, U. A., Demir, I., & Yin, L. (2020). Fakecatcher: detection of synthetic portrait videos using biological signals. IEEE Transactions on Pattern Analysis and Machine Intelligence.

Clevert et al., 2016

Clevert, D.-A., Unterthiner, T., & Hochreiter, S. (2016). Fast and accurate deep network learning by exponential linear units (elus). International Conference on Learning Representations.

Cohen et al., 2019

Cohen, J., Rosenfeld, E., & Kolter, Z. (2019). Certified adversarial robustness via randomized smoothing. International Conference on Machine Learning (pp. 1310–1320).

Cortes & Vapnik, 2004

Cortes, C., & Vapnik, V. N. (2004). Support-vector networks. Machine Learning, 20, 273–297.

Croce & Hein, 2020a

Croce, F., & Hein, M. (2020). Minimally distorted adversarial examples with a fast adaptive boundary attack. International Conference on Machine Learning (pp. 2196–2205).

Croce & Hein, 2020b

Croce, F., & Hein, M. (2020). Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. International Conference on Machine Learning (pp. 2206–2216).

Cubuk et al., 2019

Cubuk, E. D., Zoph, B., Mane, D., Vasudevan, V., & Le, Q. V. (2019). Autoaugment: learning augmentation strategies from data. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 113–123).

Cummins et al., 2017

Cummins, N., Schmitt, M., Amiriparian, S., Krajewski, J., & Schuller, B. (2017). “you sound ill, take the day off”: automatic recognition of speech affected by upper respiratory tract infection. IEEE Engineering in Medicine and Biology Society (pp. 3806–3809).

DAlonzo & Tegmark, 2022

D'Alonzo, S., & Tegmark, M. (2022). Machine-learning media bias. PLOS ONE, 17(8), e0271947.

DarvishRouhani et al., 2019

Darvish Rouhani, B., Chen, H., & Koushanfar, F. (2019). Deepsigns: an end-to-end watermarking framework for ownership protection of deep neural networks. International Conference on Architectural Support for Programming Languages and Operating Systems (pp. 485–497).

Das et al., 2017

Das, N., Shanbhogue, M., Chen, S.-T., Hohman, F., Chen, L., Kounavis, M. E., & Chau, D. H. (2017). Keeping the bad guys out: protecting and vaccinating deep learning with jpeg compression. arXiv preprint arXiv:1705.02900.

Dathathri et al., 2018

Dathathri, S., Zheng, S., Yin, T., Murray, R. M., & Yue, Y. (2018). Detecting adversarial examples via neural fingerprinting. arXiv preprint arXiv:1803.03870.

Davis, 1976

Davis, R. (1976). Use of meta level knowledge in the construction and maintenance of large knowledge bases. Stanford University.

DePalma et al., 2021

De Palma, A., Bunel, R., Desmaison, A., Dvijotham, K., Kohli, P., Torr, P. H., & Kumar, M. P. (2021). Improved branch and bound for neural network verification via lagrangian decomposition. arXiv preprint arXiv:2104.06718.

DeGrave et al., 2021

DeGrave, A. J., Janizek, J. D., & Lee, S.-I. (2021). Ai for radiographic covid-19 detection selects shortcuts over signal. Nature Machine Intelligence, 3(7), 610–619.

Deng et al., 2009

Deng, J., Dong, W., Socher, R., Li, L.-J., Li, K., & Fei-Fei, L. (2009). Imagenet: a large-scale hierarchical image database. IEEE Conference on Computer Vision and Pattern Recognition (pp. 248–255).

Deng et al., 2019

Deng, J., Guo, J., Xue, N., & Zafeiriou, S. (2019). Arcface: additive angular margin loss for deep face recognition. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 4690–4699).

Deng et al., 2020

Deng, Y., Kamani, M. M., & Mahdavi, M. (2020). Adaptive personalized federated learning. arXiv preprint arXiv:2003.13461.

Devaguptapu et al., 2021

Devaguptapu, C., Agarwal, D., Mittal, G., Gopalani, P., & Balasubramanian, V. N. (2021). On adversarial robustness: a neural architecture search perspective. IEEE/CVF International Conference on Computer Vision (pp. 152–161).

DeVries & Taylor, 2017

DeVries, T., & Taylor, G. W. (2017). Improved regularization of convolutional neural networks with cutout. arXiv preprint arXiv:1708.04552.

Ding et al., 2019

Ding, G. W., Sharma, Y., Lui, K. Y. C., & Huang, R. (2019). Mma training: direct input space margin maximization through adversarial training. International Conference on Learning Representations.

Ding et al., 2021

Ding, Y., Thakur, N., & Li, B. (2021). Does a gan leave distinct model-specific fingerprints? British Machine Vision Conference.

Dolhansky et al., 2019

Dolhansky, B., Howes, R., Pflaum, B., Baram, N., & Ferrer, C. C. (2019). The deepfake detection challenge (dfdc) preview dataset. arXiv preprint arXiv:1910.08854.

Dong et al., 2020

Dong, Y., Deng, Z., Pang, T., Zhu, J., & Su, H. (2020). Adversarial distributional training for robust deep learning. Advances in Neural Information Processing Systems, 33, 8270–8283.

Dong et al., 2018

Dong, Y., Liao, F., Pang, T., Su, H., Zhu, J., Hu, X., & Li, J. (2018). Boosting adversarial attacks with momentum. IEEE Conference on Computer Vision and Pattern Recognition (pp. 9185–9193).

Dong et al., 2019

Dong, Y., Pang, T., Su, H., & Zhu, J. (2019). Evading defenses to transferable adversarial examples by translation-invariant attacks. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 4312–4321).

Dosovitskiy et al., 2021

Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., … others. (2021). An image is worth 16x16 words: transformers for image recognition at scale. International Conference on Learning Representations.

Duan et al., 2020

Duan, R., Ma, X., Wang, Y., Bailey, J., Qin, A. K., & Yang, Y. (2020). Adversarial camouflage: hiding physical-world attacks with natural styles. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 1000–1008).

Duchi et al., 2011

Duchi, J., Hazan, E., & Singer, Y. (2011). Adaptive subgradient methods for online learning and stochastic optimization. Journal of Machine Learning Research, 12(7).

Duddu et al., 2020

Duddu, V., Boutet, A., & Shejwalkar, V. (2020). Quantifying privacy leakage in graph embedding. EAI International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services (pp. 76–85).

Durall et al., 2019

Durall, R., Keuper, M., Pfreundt, F.-J., & Keuper, J. (2019). Unmasking deepfakes with simple features. arXiv preprint arXiv:1911.00686.

Dvijotham et al., 2018a

Dvijotham, K., Gowal, S., Stanforth, R., Arandjelovic, R., O'Donoghue, B., Uesato, J., & Kohli, P. (2018). Training verified learners with learned verifiers. arXiv preprint arXiv:1805.10265.

Dvijotham et al., 2018b

Dvijotham, K., Stanforth, R., Gowal, S., Mann, T. A., & Kohli, P. (2018). A dual approach to scalable verification of deep networks. Conference on Uncertainty in Artificial Intelligence (p. 3).

Dwork, 2006

Dwork, C. (2006). Differential privacy. International Conference on Automata, Languages and Programming.

Dwork, 2011

Dwork, C. (2011). A firm foundation for private data analysis. Communications of the ACM, 54(1), 86–95.

Dwork et al., 2006a

Dwork, C., Kenthapadi, K., McSherry, F., Mironov, I., & Naor, M. (2006). Our data, ourselves: privacy via distributed noise generation. International Conference on the Theory and Applications of Cryptographic Techniques (pp. 486–503).

Dwork et al., 2006b

Dwork, C., McSherry, F., Nissim, K., & Smith, A. (2006). Calibrating noise to sensitivity in private data analysis. Theory of Cryptography Conference (pp. 265–284).

Dwork et al., 2014

Dwork, C., Roth, A., & others. (2014). The algorithmic foundations of differential privacy. Foundations and Trends® in Theoretical Computer Science, 9(3–4), 211–407.

Dwork et al., 2010

Dwork, C., Rothblum, G. N., & Vadhan, S. (2010). Boosting and differential privacy. IEEE Annual Symposium on Foundations of Computer Science (pp. 51–60).

Engstrom et al., 2018a

Engstrom, L., Ilyas, A., & Athalye, A. (2018). Evaluating and understanding the robustness of adversarial logit pairing. arXiv preprint arXiv:1807.10272.

Engstrom et al., 2018b

Engstrom, L., Tran, B., Tsipras, D., Schmidt, L., & Madry, A. (2018). A rotation and a translation suffice: fooling cnns with simple transformations.

Ester et al., 1996

Ester, M., Kriegel, H.-P., Sander, J., Xu, X., & others. (1996). A density-based algorithm for discovering clusters in large spatial databases with noise. ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (pp. 226–231).

Eykholt et al., 2018

Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., … Song, D. (2018). Robust physical-world attacks on deep learning visual classification. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 1625–1634).

Fallah et al., 2020

Fallah, A., Mokhtari, A., & Ozdaglar, A. (2020). Personalized federated learning: a meta-learning approach. arXiv preprint arXiv:2002.07948.

Fan & Vercauteren, 2012

Fan, J., & Vercauteren, F. (2012). Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive.

Fang et al., 2020

Fang, M., Gong, N. Z., & Liu, J. (2020). Influence function based data poisoning attacks to top-n recommender systems. The Web Conference 2020 (pp. 3019–3025).

Fawzi et al., 2016

Fawzi, A., Moosavi-Dezfooli, S.-M., & Frossard, P. (2016). Robustness of classifiers: from adversarial to random noise. Advances in Neural Information Processing Systems, 29.

Feinman et al., 2017

Feinman, R., Curtin, R. R., Shintre, S., & Gardner, A. B. (2017). Detecting adversarial samples from artifacts. arXiv preprint arXiv:1703.00410.

Feng et al., 2019

Feng, J., Cai, Q.-Z., & Zhou, Z.-H. (2019). Learning to confuse: generating training time adversarial data with auto-encoder. Advances in Neural Information Processing Systems, 32.

Fernandes et al., 2019

Fernandes, S., Raj, S., Ortiz, E., Vintila, I., Salter, M., Urosevic, G., & Jha, S. (2019). Predicting heart rate variations of deepfake videos using neural ode. International Conference on Computer Vision Workshop.

Fredrikson et al., 2015

Fredrikson, M., Jha, S., & Ristenpart, T. (2015). Model inversion attacks that exploit confidence information and basic countermeasures. ACM SIGSAC Conference on Computer and Communications Security (pp. 1322–1333).

Fredrikson et al., 2014

Fredrikson, M., Lantz, E., Jha, S., Lin, S., Page, D., & Ristenpart, T. (2014). Privacy in pharmacogenetics: an end-to-end case study of personalized warfarin dosing. USENIX Security Symposium (pp. 17–32).

Fridrich & Kodovsky, 2012

Fridrich, J., & Kodovsky, J. (2012). Rich models for steganalysis of digital images. IEEE Transactions on Information Forensics and Security, 7(3), 868–882.

Frosst et al., 2019

Frosst, N., Papernot, N., & Hinton, G. (2019). Analyzing and improving representations with the soft nearest neighbor loss. International Conference on Machine Learning (pp. 2012–2020).

Gal et al., 2022

Gal, R., Patashnik, O., Maron, H., Bermano, A. H., Chechik, G., & Cohen-Or, D. (2022). Stylegan-nada: clip-guided domain adaptation of image generators. ACM Transactions on Graphics, 41(4), 1–13.

Gal & Ghahramani, 2016

Gal, Y., & Ghahramani, Z. (2016). A theoretically grounded application of dropout in recurrent neural networks. Advances in Neural Information Processing Systems, 29.

Garrido et al., 2014

Garrido, P., Valgaerts, L., Rehmsen, O., Thormahlen, T., Perez, P., & Theobalt, C. (2014). Automatic face reenactment. IEEE Conference on Computer Vision and Pattern Recognition (pp. 4217–4224).

Gaschnig, 1979

Gaschnig, J. (1979). Preliminary performance analysis of the prospector consultant system for mineral exploration. International Joint Conference on Artificial Intelligence (pp. 308–310).

Geiping et al., 2020

Geiping, J., Bauermeister, H., Dröge, H., & Moeller, M. (2020). Inverting gradients-how easy is it to break privacy in federated learning? Advances in Neural Information Processing Systems, 33, 16937–16947.

Geiping et al., 2021

Geiping, J., Fowl, L. H., Huang, W. R., Czaja, W., Taylor, G., Moeller, M., & Goldstein, T. (2021). Witches' brew: industrial scale data poisoning via gradient matching. International Conference on Learning Representations.

Gentry, 2009

Gentry, C. (2009). A fully homomorphic encryption scheme. Stanford University.

Ghosh et al., 2017

Ghosh, A., Kumar, H., & Sastry, P. S. (2017). Robust loss functions under label noise for deep neural networks. AAAI Conference on Artificial Intelligence.

Gilmer et al., 2019

Gilmer, J., Ford, N., Carlini, N., & Cubuk, E. (2019). Adversarial examples are a natural consequence of test error in noise. International Conference on Machine Learning (pp. 2280–2289).

Glorot et al., 2011

Glorot, X., Bordes, A., & Bengio, Y. (2011). Deep sparse rectifier neural networks. International Conference on Artificial Intelligence and Statistics (pp. 315–323).

Goldblum et al., 2020

Goldblum, M., Fowl, L., Feizi, S., & Goldstein, T. (2020). Adversarially robust distillation. AAAI Conference on Artificial Intelligence (pp. 3996–4003).

Golub & Vorst, 2000

Golub, G. H., & Van der Vorst, H. A. (2000). Eigenvalue computation in the 20th century. Journal of Computational and Applied Mathematics, 123(1–2), 35–65.

Gong et al., 2020

Gong, C., Ren, T., Ye, M., & Liu, Q. (2020). Maxup: a simple way to improve generalization of neural network training. arXiv preprint arXiv:2002.09024.

Gong et al., 2017

Gong, Z., Wang, W., & Ku, W.-S. (2017). Adversarial and clean data are not twins. arXiv preprint arXiv:1704.04960.

Goodfellow, 2019

Goodfellow, I. (2019). A research agenda: dynamic models to defend against correlated attacks. International Conference on Learning Representations.

Goodfellow et al., 2014

Goodfellow, I., Pouget-Abadie, J., Mirza, M., Xu, B., Warde-Farley, D., Ozair, S., … Bengio, Y. (2014). Generative adversarial nets. Advances in Neural Information Processing Systems, 27.

Goodfellow et al., 2013

Goodfellow, I., Warde-Farley, D., Mirza, M., Courville, A., & Bengio, Y. (2013). Maxout networks. International Conference on Machine Learning (pp. 1319–1327).

Goodfellow et al., 2015

Goodfellow, I. J., Shlens, J., & Szegedy, C. (2015). Explaining and harnessing adversarial examples. International Conference on Learning Representations.

Gowal et al., 2019

Gowal, S., Dvijotham, K. D., Stanforth, R., Bunel, R., Qin, C., Uesato, J., … Kohli, P. (2019). Scalable verified training for provably robust image classification. International Conference on Computer Vision (pp. 4842–4851).

Gowal et al., 2021

Gowal, S., Rebuffi, S.-A., Wiles, O., Stimberg, F., Calian, D. A., & Mann, T. A. (2021). Improving robustness using generated data. Advances in Neural Information Processing Systems, 34, 4218–4233.

Gretton et al., 2012

Gretton, A., Borgwardt, K. M., Rasch, M. J., Schölkopf, B., & Smola, A. (2012). A kernel two-sample test. The Journal of Machine Learning Research, 13(1), 723–773.

Grosse et al., 2017

Grosse, K., Manoharan, P., Papernot, N., Backes, M., & McDaniel, P. (2017). On the (statistical) detection of adversarial examples. arXiv preprint arXiv:1702.06280.

Gu et al., 2017

Gu, T., Dolan-Gavitt, B., & Garg, S. (2017). Badnets: identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733.

Guarnera et al., 2020

Guarnera, L., Giudice, O., & Battiato, S. (2020). Deepfake detection by analyzing convolutional traces. IEEE/CVF Computer Vision and Pattern Recognition Conference Workshop.

Guerraoui et al., 2018

Guerraoui, R., Rouault, S., & others. (2018). The hidden vulnerability of distributed learning in byzantium. International Conference on Machine Learning (pp. 3521–3530).

Guo et al., 2020

Guo, M., Yang, Y., Xu, R., Liu, Z., & Lin, D. (2020). When nas meets robustness: in search of robust architectures against adversarial attacks. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 631–640).

Guo et al., 2019

Guo, W., Wang, L., Xing, X., Du, M., & Song, D. (2019). Tabor: a highly accurate approach to inspecting and restoring trojan backdoors in ai systems. arXiv preprint arXiv:1908.01763.

Guo et al., 2021

Guo, Z., Yang, G., Chen, J., & Sun, X. (2021). Fake face detection via adaptive manipulation traces extraction network. Computer Vision and Image Understanding.

Gupta & Rahtu, 2019

Gupta, P., & Rahtu, E. (2019). Ciidefence: defeating adversarial attacks by fusing class-specific image inpainting and image denoising. IEEE/CVF International Conference on Computer Vision (pp. 6708–6717).

Gupta et al., 2021

Gupta, U., Stripelis, D., Lam, P. K., Thompson, P., Ambite, J. L., & Ver Steeg, G. (2021). Membership inference attacks on deep regression models for neuroimaging. Medical Imaging with Deep Learning (pp. 228–251).

Gurobi, 2020

Gurobi, L. (2020). Gurobi - the fastest solver. Gurobi Optimization.

Hampel, 1974

Hampel, F. R. (1974). The influence curve and its role in robust estimation. Journal of the American Statistical Association, 69(346), 383–393.

Hartigan & Wong, 1979

Hartigan, J. A., & Wong, M. A. (1979). Algorithm as 136: a k-means clustering algorithm. Journal of the Royal Statistical Society: Series C (Applied Statistics), 28(1), 100–108.

Hayes et al., 2019

Hayes, J., Melis, L., Danezis, G., & De Cristofaro, E. (2019). Logan: membership inference attacks against generative models. Privacy Enhancing Technologies, 2019(1), 133–152.

He et al., 2021a

He, J., Erfani, S., Ma, X., Bailey, J., Chi, Y., & Hua, X.-S. (2021). Alpha-iou: a family of power intersection over union losses for bounding box regression. Advances in Neural Information Processing Systems, 34, 20230–20242.

He et al., 2022

He, K., Chen, X., Xie, S., Li, Y., Dollár, P., & Girshick, R. (2022). Masked autoencoders are scalable vision learners. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 16000–16009).

He et al., 2020

He, K., Fan, H., Wu, Y., Xie, S., & Girshick, R. (2020). Momentum contrast for unsupervised visual representation learning. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 9729–9738).

He et al., 2015

He, K., Zhang, X., Ren, S., & Sun, J. (2015). Delving deep into rectifiers: surpassing human-level performance on imagenet classification. International Conference on Computer Vision (pp. 1026–1034).

He et al., 2016

He, K., Zhang, X., Ren, S., & Sun, J. (2016). Deep residual learning for image recognition. IEEE Conference on Computer Vision and Pattern Recognition (pp. 770–778).

He et al., 2019

He, P., Li, H., & Wang, H. (2019). Detection of fake images via the ensemble of deep representations from multi color spaces. IEEE International Conference on Image Processing.

He et al., 2021b

He, X., Jia, J., Backes, M., Gong, N. Z., & Zhang, Y. (2021). Stealing links from graph neural networks. USENIX Security Symposium (pp. 2669–2686).

Hein & Andriushchenko, 2017

Hein, M., & Andriushchenko, M. (2017). Formal guarantees on the robustness of a classifier against adversarial manipulation. Advances in Neural Information Processing Systems, 30.

Hendrycks & Gimpel, 2016a

Hendrycks, D., & Gimpel, K. (2016). Early methods for detecting adversarial images. arXiv preprint arXiv:1608.00530.

Hendrycks & Gimpel, 2016b

Hendrycks, D., & Gimpel, K. (2016). Gaussian error linear units (gelus). arXiv preprint arXiv:1606.08415.

Hinton et al., 2015

Hinton, G., Vinyals, O., Dean, J., & others. (2015). Distilling the knowledge in a neural network. arXiv preprint arXiv:1503.02531, 2(7).

Hinton & Salakhutdinov, 2006

Hinton, G. E., & Salakhutdinov, R. R. (2006). Reducing the dimensionality of data with neural networks. Science, 313(5786), 504–507.

Hitaj et al., 2017

Hitaj, B., Ateniese, G., & Perez-Cruz, F. (2017). Deep models under the gan: information leakage from collaborative deep learning. ACM SIGSAC Conference on Computer and Communications Security (pp. 603–618).

Ho et al., 2020

Ho, J., Jain, A., & Abbeel, P. (2020). Denoising diffusion probabilistic models. Advances in Neural Information Processing Systems, 33, 6840–6851.

Hochreiter & Schmidhuber, 1997

Hochreiter, S., & Schmidhuber, J. (1997). Long short-term memory. Neural Computation, 9(8), 1735–1780.

Homer et al., 2008

Homer, N., Szelinger, S., Redman, M., Duggan, D., Tembe, W., Muehling, J., … Craig, D. W. (2008). Resolving individuals contributing trace amounts of dna to highly complex mixtures using high-density snp genotyping microarrays. PLOS Genetics, 4(8), e1000167.

Hong et al., 2018

Hong, S., Yan, X., Huang, T. S., & Lee, H. (2018). Learning hierarchical semantic image manipulation through structured representations. Advances in Neural Information Processing Systems, 31.

Hosseini et al., 2021

Hosseini, R., Yang, X., & Xie, P. (2021). Dsrna: differentiable search of robust neural architectures. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 6196–6205).

Hu et al., 2019

Hu, S., Yu, T., Guo, C., Chao, W.-L., & Weinberger, K. Q. (2019). A new defense against adversarial images: turning a weakness into a strength. Advances in Neural Information Processing Systems, 32.

Hu et al., 2020

Hu, X., Zhang, Z., Jiang, Z., Chaudhuri, S., Yang, Z., & Nevatia, R. (2020). Span: spatial pyramid attention network for image manipulation localization. European Conference on Computer Vision (pp. 312–328).

Huang et al., 2023

Huang, H., Ma, X., Erfani, S. M., & Bailey, J. (2023). Distilling cognitive backdoor patterns within an image. The Eleventh International Conference on Learning Representations. URL: https://openreview.net/forum?id=S3D9NLzjnQ5

Huang et al., 2020a

Huang, H., Ma, X., Erfani, S. M., Bailey, J., & Wang, Y. (2020). Unlearnable examples: making personal data unexploitable. International Conference on Learning Representations.

Huang et al., 2021

Huang, H., Wang, Y., Erfani, S., Gu, Q., Bailey, J., & Ma, X. (2021). Exploring architectural ingredients of adversarially robust deep neural networks. Advances in Neural Information Processing Systems, 34, 5545–5559.

Huang et al., 2016

Huang, R., Xu, B., Schuurmans, D., & Szepesvári, C. (2016). Learning with a strong adversary. International Conference on Learning Representations.

Huang et al., 2020b

Huang, W. R., Geiping, J., Fowl, L., Taylor, G., & Goldstein, T. (2020). Metapoison: practical general-purpose clean-label data poisoning. Advances in Neural Information Processing Systems, 33, 12080–12091.

Ilyas et al., 2018

Ilyas, A., Engstrom, L., Athalye, A., & Lin, J. (2018). Black-box adversarial attacks with limited queries and information. International Conference on Machine Learning (pp. 2137–2146).

Ilyas et al., 2019

Ilyas, A., Santurkar, S., Tsipras, D., Engstrom, L., Tran, B., & Madry, A. (2019). Adversarial examples are not bugs, they are features. Advances in Neural Information Processing Systems, 32.

Izmailov et al., 2018

Izmailov, P., Podoprikhin, D., Garipov, T., Vetrov, D., & Wilson, A. G. (2018). Averaging weights leads to wider optima and better generalization. Conference on Uncertainty in Artificial Intelligence (pp. 876–885).

Jagielski et al., 2020

Jagielski, M., Carlini, N., Berthelot, D., Kurakin, A., & Papernot, N. (2020). High accuracy and high fidelity extraction of neural networks. USENIX Security Symposium (pp. 1345–1362).

Jagielski et al., 2018

Jagielski, M., Oprea, A., Biggio, B., Liu, C., Nita-Rotaru, C., & Li, B. (2018). Manipulating machine learning: poisoning attacks and countermeasures for regression learning. IEEE Symposium on Security and Privacy (pp. 19–35).

Jarrett et al., 2009

Jarrett, K., Kavukcuoglu, K., Ranzato, M., & LeCun, Y. (2009). What is the best multi-stage architecture for object recognition? International Conference on Computer Vision (pp. 2146–2153).

Jeong & Shin, 2020

Jeong, J., & Shin, J. (2020). Consistency regularization for certified robustness of smoothed classifiers. Advances in Neural Information Processing Systems, 33, 10558–10570.

Jeong et al., 2022

Jeong, Y., Kim, D., Min, S., Joe, S., Gwon, Y., & Choi, J. (2022). Bihpf: bilateral high-pass filters for robust deepfake detection. IEEE/CVF Winter Conference on Applications of Computer Vision (pp. 48–57).

Jia et al., 2021

Jia, H., Choquette-Choo, C. A., Chandrasekaran, V., & Papernot, N. (2021). Entangled watermarks as a defense against model extraction. USENIX Security Symposium (pp. 1937–1954).

Jia & Rinard, 2021

Jia, K., & Rinard, M. (2021). Exploiting verified neural networks via floating point numerical error. International Static Analysis Symposium (pp. 191–205).

Jia et al., 2019a

Jia, R., Raghunathan, A., Göksel, K., & Liang, P. (2019). Certified robustness to adversarial word substitutions. arXiv preprint arXiv:1909.00986.

Jia et al., 2019b

Jia, X., Wei, X., Cao, X., & Foroosh, H. (2019). Comdefend: an efficient image compression model to defend adversarial examples. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 6084–6092).

Jiang et al., 2019

Jiang, Y., Konečný, J., Rush, K., & Kannan, S. (2019). Improving federated learning personalization via model agnostic meta learning. arXiv preprint arXiv:1909.12488.

Jin et al., 2019

Jin, G., Shen, S., Zhang, D., Dai, F., & Zhang, Y. (2019). Ape-gan: adversarial perturbation elimination with gan. IEEE International Conference on Acoustics, Speech and Signal Processing (pp. 3842–3846).

Jin & Wang, 2018

Jin, H., & Wang, S. (2018, October 9). Voice-based determination of physical and emotional characteristics of users. US Patent 10,096,319.

Jin et al., 2021

Jin, X., Chen, P.-Y., Hsu, C.-Y., Yu, C.-M., & Chen, T. (2021). Cafe: catastrophic data leakage in vertical federated learning. Advances in Neural Information Processing Systems, 34, 994–1006.

Jolliffe, 2002

Jolliffe, I. T. (2002). Principal component analysis for special types of data. Springer.

Jovanovic et al., 2021

Jovanović, N., Balunović, M., Baader, M., & Vechev, M. (2021). Certified defenses: why tighter relaxations may hurt training. arXiv preprint arXiv:2102.06700.

Jumper et al., 2021

Jumper, J., Evans, R., Pritzel, A., Green, T., Figurnov, M., Ronneberger, O., … others. (2021). Highly accurate protein structure prediction with alphafold. Nature, 596(7873), 583–589.

Jung et al., 2020

Jung, T., Kim, S., & Kim, K. (2020). Deepvision: deepfakes detection using human eye blinking pattern. IEEE Access.

Juuti et al., 2019

Juuti, M., Szyller, S., Marchal, S., & Asokan, N. (2019). Prada: protecting against dnn model stealing attacks. IEEE European Symposium on Security and Privacy (pp. 512–527).

Kannan et al., 2018

Kannan, H., Kurakin, A., & Goodfellow, I. (2018). Adversarial logit pairing. arXiv preprint arXiv:1803.06373.

Karimireddy et al., 2020

Karimireddy, S. P., Kale, S., Mohri, M., Reddi, S., Stich, S., & Suresh, A. T. (2020). Scaffold: stochastic controlled averaging for federated learning. International Conference on Machine Learning (pp. 5132–5143).

Karras et al., 2020

Karras, T., Laine, S., Aittala, M., Hellsten, J., Lehtinen, J., & Aila, T. (2020). Analyzing and improving the image quality of stylegan. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 8110–8119).

Kearns & Li, 1993

Kearns, M., & Li, M. (1993). Learning in the presence of malicious errors. SIAM Journal on Computing, 22(4), 807–837.

Kesarwani et al., 2018

Kesarwani, M., Mukhoty, B., Arya, V., & Mehta, S. (2018). Model extraction warning in mlaas paradigm. Annual Computer Security Applications Conference (pp. 371–380).

Kifer & Lin, 2010

Kifer, D., & Lin, B.-R. (2010). Towards an axiomatization of statistical privacy and utility. ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems (pp. 147–158).

Kim et al., 2022

Kim, G., Kwon, T., & Ye, J. C. (2022). Diffusionclip: text-guided diffusion models for robust image manipulation. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 2426–2435).

Kingma & Ba, 2015

Kingma, D. P., & Ba, J. (2015). Adam: a method for stochastic optimization. International Conference on Learning Representations.

Kingma & Welling, 2013

Kingma, D. P., & Welling, M. (2013). Auto-encoding variational bayes. arXiv preprint arXiv:1312.6114.

Koffas et al., 2021

Koffas, S., Xu, J., Conti, M., & Picek, S. (2021). Can you hear it? backdoor attacks via ultrasonic triggers. arXiv preprint arXiv:2107.14569.

Koh & Liang, 2017

Koh, P. W., & Liang, P. (2017). Understanding black-box predictions via influence functions. International Conference on Machine Learning (pp. 1885–1894).

Koh et al., 2022

Koh, P. W., Steinhardt, J., & Liang, P. (2022). Stronger data poisoning attacks break data sanitization defenses. Machine Learning, 111(1), 1–47.

Korshunova et al., 2017

Korshunova, I., Shi, W., Dambre, J., & Theis, L. (2017). Fast face-swap using convolutional neural networks. International Conference on Computer Vision (pp. 3677–3685).

Krizhevsky et al., 2017

Krizhevsky, A., Sutskever, I., & Hinton, G. E. (2017). Imagenet classification with deep convolutional neural networks. Communications of the ACM, 60(6), 84–90.

Kumar et al., 2020

Kumar, R. S. S., Nyström, M., Lambert, J., Marshall, A., Goertzel, M., Comissoneru, A., … Xia, S. (2020). Adversarial machine learning-industry perspectives. IEEE Security and Privacy Workshops (pp. 69–75).

Kurakin et al., 2016

Kurakin, A., Goodfellow, I., & Bengio, S. (2016). Adversarial machine learning at scale. arXiv preprint arXiv:1611.01236.

Kurakin et al., 2018

Kurakin, A., Goodfellow, I. J., & Bengio, S. (2018). Adversarial examples in the physical world. Artificial Intelligence Safety and Security (pp. 99–112). Chapman and Hall/CRC.

LeMerrer et al., 2020

Le Merrer, E., Perez, P., & Trédan, G. (2020). Adversarial frontier stitching for remote neural network watermarking. Neural Computing and Applications, 32(13), 9233–9244.

Lee et al., 2018

Lee, K., Lee, K., Lee, H., & Shin, J. (2018). A simple unified framework for detecting out-of-distribution samples and adversarial attacks. Advances in Neural Information Processing Systems, 31.

Lee et al., 2020

Lee, S., Lee, J., & Park, S. (2020). Lipschitz-certifiable training with a tight outer bound. Advances in Neural Information Processing Systems, 33, 16891–16902.

Leino & Fredrikson, 2020

Leino, K., & Fredrikson, M. (2020). Stolen memories: leveraging model memorization for calibrated white-box membership inference. USENIX Security Symposium (pp. 1605–1622).

Leino et al., 2021

Leino, K., Wang, Z., & Fredrikson, M. (2021). Globally-robust neural networks. International Conference on Machine Learning (pp. 6212–6222).

Levine & Feizi, 2021

Levine, A., & Feizi, S. (2021). Deep partition aggregation: provable defense against general poisoning attacks. International Conference on Learning Representations.

Li et al., 2021a

Li, A., Ke, Q., Ma, X., Weng, H., Zong, Z., Xue, F., & Zhang, R. (2021). Noise doesn't lie: towards universal detection of deep inpainting. International Joint Conference on Artificial Intelligence.

Li et al., 2019a

Li, B., Chen, C., Wang, W., & Carin, L. (2019). Certified adversarial robustness with additive noise. Advances in Neural Information Processing Systems, 32.

Li et al., 2020a

Li, H., Li, B., Tan, S., & Huang, J. (2020). Identification of deep network generated images using disparities in color components. Signal Processing.

Li et al., 2004

Li, J., Wang, Y., Tan, T., & Jain, A. K. (2004). Live face detection based on the analysis of fourier spectra. BTHI.

Li et al., 2020b

Li, L., Bao, J., Yang, H., Chen, D., & Wen, F. (2020). Advancing high fidelity identity swapping for forgery detection. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 5074–5083).

Li et al., 2020c

Li, L., Bao, J., Zhang, T., Yang, H., Chen, D., Wen, F., & Guo, B. (2020). Face x-ray for more general face forgery detection. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 5001–5010).

Li et al., 2023

Li, L., Qi, X., Xie, T., & Li, B. (2023). Sok: certified robustness for deep neural networks. IEEE Symposium on Security and Privacy.

Li et al., 2019b

Li, Q., Haque, S., Anil, C., Lucas, J., Grosse, R. B., & Jacobsen, J.-H. (2019). Preventing gradient attenuation in lipschitz constrained convolutional networks. Advances in Neural Information Processing Systems, 32.

Li et al., 2020d

Li, T., Sahu, A. K., Zaheer, M., Sanjabi, M., Talwalkar, A., & Smith, V. (2020). Federated optimization in heterogeneous networks. Proceedings of Machine Learning and Systems, 2, 429–450.

Li et al., 2017

Li, T., Bolkart, T., Black, M. J., Li, H., & Romero, J. (2017). Learning a model of facial shape and expression from 4d scans. ACM Transactions on Graphics, 36(6).

Li & Li, 2017

Li, X., & Li, F. (2017). Adversarial examples detection in deep networks with convolutional filter statistics. International Conference on Computer Vision (pp. 5764–5772).

Li et al., 2021b

Li, Y., Yang, Z., Wang, Y., & Xu, C. (2021). Neural architecture dilation for adversarial robustness. Advances in Neural Information Processing Systems, 34, 29578–29589.

Li et al., 2021c

Li, Y., Lyu, X., Koren, N., Lyu, L., Li, B., & Ma, X. (2021). Anti-backdoor learning: training clean models on poisoned data. Advances in Neural Information Processing Systems, 34, 14900–14912.

Li et al., 2021d

Li, Y., Li, Y., Lv, Y., Jiang, Y., & Xia, S.-T. (2021). Hidden backdoor attack against semantic segmentation models. arXiv preprint arXiv:2103.04038.

Li et al., 2022

Li, Y., Zhong, H., Ma, X., Jiang, Y., & Xia, S.-T. (2022). Few-shot backdoor attacks on visual object tracking. arXiv preprint arXiv:2201.13178.

Li et al., 2018

Li, Y., Chang, M.-C., & Lyu, S. (2018). In ictu oculi: exposing ai created fake videos by detecting eye blinking. IEEE International Workshop on Information Forensics and Security (pp. 1–7).

Li et al., 2021e

Li, Y., Li, Y., Wu, B., Li, L., He, R., & Lyu, S. (2021). Invisible backdoor attack with sample-specific triggers. IEEE/CVF International Conference on Computer Vision (pp. 16463–16472).

Liao et al., 2018

Liao, F., Liang, M., Dong, Y., Pang, T., Hu, X., & Zhu, J. (2018). Defense against adversarial attacks using high-level representation guided denoiser. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 1778–1787).

Lin et al., 2019

Lin, J., Song, C., He, K., Wang, L., & Hopcroft, J. E. (2019). Nesterov accelerated gradient and scale invariance for adversarial attacks. arXiv preprint arXiv:1908.06281.

Lin et al., 2014

Lin, T.-Y., Maire, M., Belongie, S., Hays, J., Perona, P., Ramanan, D., … Zitnick, C. L. (2014). Microsoft coco: common objects in context. European Conference on Computer Vision (pp. 740–755).

Liu et al., 2019a

Liu, G., Wang, C., Peng, K., Huang, H., Li, Y., & Cheng, W. (2019). Socinf: membership inference attacks on social media health data with machine learning. IEEE Transactions on Computational Social Systems, 6(5), 907–921.

Liu et al., 2019b

Liu, H., Simonyan, K., & Yang, Y. (2019). Darts: differentiable architecture search. International Conference on Learning Representations.

Liu et al., 2018a

Liu, K., Dolan-Gavitt, B., & Garg, S. (2018). Fine-pruning: defending against backdooring attacks on deep neural networks. International Symposium on Research in Attacks, Intrusions, and Defenses (pp. 273–294).

Liu et al., 2017

Liu, W., Wen, Y., Yu, Z., Li, M., Raj, B., & Song, L. (2017). Sphereface: deep hypersphere embedding for face recognition. IEEE Conference on Computer Vision and Pattern Recognition (pp. 212–220).

Liu et al., 2016a

Liu, W., Wen, Y., Yu, Z., & Yang, M. (2016). Large-margin softmax loss for convolutional neural networks. International Conference on Machine Learning (pp. 507–516).

Liu et al., 2022

Liu, X., Liu, Y., Chen, J., & Liu, X. (2022). Pscc-net: progressive spatio-channel correlation network for image manipulation detection and localization. IEEE Transactions on Circuits and Systems for Video Technology.

Liu et al., 2016b

Liu, Y., Chen, X., Liu, C., & Song, D. (2016). Delving into transferable adversarial examples and black-box attacks. arXiv preprint arXiv:1611.02770.

Liu et al., 2018b

Liu, Y., Ma, S., Aafer, Y., Lee, W.-C., Zhai, J., Wang, W., & Zhang, X. (2018). Trojaning attack on neural networks. Network and Distributed Systems Security Symposium.

Liu et al., 2020

Liu, Y., Ma, X., Bailey, J., & Lu, F. (2020). Reflection backdoor: a natural backdoor attack on deep neural networks. European Conference on Computer Vision (pp. 182–199).

Liu et al., 2021

Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., … Guo, B. (2021). Swin transformer: hierarchical vision transformer using shifted windows. IEEE/CVF International Conference on Computer Vision (pp. 10012–10022).

Long et al., 2020

Long, Y., Wang, L., Bu, D., Bindschaedler, V., Wang, X., Tang, H., … Chen, K. (2020). A pragmatic approach to membership inferences on machine learning models. IEEE European Symposium on Security and Privacy (pp. 521–534).

Lorenz et al., 2022

Lorenz, P., Keuper, M., & Keuper, J. (2022). Unfolding local growth rate estimates for (almost) perfect adversarial detection. International Conference on Computer Vision Theory and Applications.

Lukas et al., 2019

Lukas, N., Zhang, Y., & Kerschbaum, F. (2019). Deep neural network fingerprinting by conferrable adversarial examples. arXiv preprint arXiv:1912.00888.

Lukas et al., 2006

Lukáš, J., Fridrich, J., & Goljan, M. (2006). Detecting digital image forgeries using sensor pattern noise. SPIE.

Lyu et al., 2015

Lyu, C., Huang, K., & Liang, H.-N. (2015). A unified gradient regularization family for adversarial examples. IEEE International Conference on Data Mining (pp. 301–309).

Lyu et al., 2022

Lyu, L., Yu, H., Ma, X., Chen, C., Sun, L., Zhao, J., … Philip, S. Y. (2022). Privacy and robustness in federated learning: attacks and defenses. IEEE Transactions on Neural Networks and Learning Systems.

Ma et al., 2018

Ma, X., Li, B., Wang, Y., Erfani, S. M., Wijewickrema, S., Schoenebeck, G., … Bailey, J. (2018). Characterizing adversarial subspaces using local intrinsic dimensionality. International Conference on Learning Representations.

Madry et al., 2018

Madry, A., Makelov, A., Schmidt, L., Tsipras, D., & Vladu, A. (2018). Towards deep learning models resistant to adversarial attacks. International Conference on Learning Representations.

Mahalanobis, 1936

Mahalanobis, P. C. (1936). On the generalized distance in statistics. Proceedings of the National Institute of Sciences, 2, 49–55.

Mahloujifar & Mahmoody, 2017

Mahloujifar, S., & Mahmoody, M. (2017). Blockwise p-tampering attacks on cryptographic primitives, extractors, and learners. Theory of Cryptography Conference (pp. 245–279).

Mahloujifar et al., 2019

Mahloujifar, S., Mahmoody, M., & Mohammed, A. (2019). Universal multi-party poisoning attacks. International Conference on Machine Learning (pp. 4274–4283).

Mahmood et al., 2021

Mahmood, K., Mahmood, R., & Van Dijk, M. (2021). On the robustness of vision transformers to adversarial examples. IEEE/CVF International Conference on Computer Vision (pp. 7838–7847).

Marfoq et al., 2021

Marfoq, O., Neglia, G., Bellet, A., Kameni, L., & Vidal, R. (2021). Federated multi-task learning under a mixture of distributions. Advances in Neural Information Processing Systems, 34, 15434–15447.

McMahan et al., 2017

McMahan, B., Moore, E., Ramage, D., Hampson, S., & y Arcas, B. A. (2017). Communication-efficient learning of deep networks from decentralized data. International Conference on Artificial Intelligence and Statistics (pp. 1273–1282).

McMahan et al., 2016

McMahan, H. B., Moore, E., Ramage, D., & y Arcas, B. A. (2016). Federated learning of deep networks using model averaging. arXiv preprint arXiv:1602.05629, 2.

McSherry & Talwar, 2007

McSherry, F., & Talwar, K. (2007). Mechanism design via differential privacy. IEEE Annual Symposium on Foundations of Computer Science (pp. 94–103).

McSherry, 2009

McSherry, F. D. (2009). Privacy integrated queries: an extensible platform for privacy-preserving data analysis. ACM SIGMOD International Conference on Management of Data (pp. 19–30).

Mei & Zhu, 2015

Mei, S., & Zhu, X. (2015). Using machine teaching to identify optimal training-set attacks on machine learners. AAAI Conference on Artificial Intelligence.

Melis et al., 2019

Melis, L., Song, C., De Cristofaro, E., & Shmatikov, V. (2019). Exploiting unintended feature leakage in collaborative learning. IEEE Symposium on Security and Privacy (pp. 691–706).

Meng & Chen, 2017

Meng, D., & Chen, H. (2017). Magnet: a two-pronged defense against adversarial examples. ACM SIGSAC Conference on Computer and Communications Security (pp. 135–147).

Metzen et al., 2017

Metzen, J. H., Genewein, T., Fischer, V., & Bischoff, B. (2017). On detecting adversarial perturbations. International Conference on Learning Representations.

Micikevicius et al., 2018

Micikevicius, P., Narang, S., Alben, J., Diamos, G., Elsen, E., Garcia, D., … others. (2018). Mixed precision training. International Conference on Learning Representations.

Mikolov et al., 2013

Mikolov, T., Sutskever, I., Chen, K., Corrado, G. S., & Dean, J. (2013). Distributed representations of words and phrases and their compositionality. Advances in Neural Information Processing Systems, 26.

Minsky, 1974

Minsky, M. (1974). A framework for representing knowledge.

Mittal et al., 2020

Mittal, T., Bhattacharya, U., Chandra, R., Bera, A., & Manocha, D. (2020). Emotions don't lie: an audio-visual deepfake detection method using affective cues. ACM International Conference on Multimedia (pp. 2823–2832).

Miyato et al., 2016

Miyato, T., Maeda, S.-i., Koyama, M., Nakae, K., & Ishii, S. (2016). Distributional smoothing with virtual adversarial training. International Conference on Learning Representations.

Moosavi-Dezfooli et al., 2016

Moosavi-Dezfooli, S.-M., Fawzi, A., & Frossard, P. (2016). Deepfool: a simple and accurate method to fool deep neural networks. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 2574–2582).

Moura & Bjorner, 2008

Moura, L. d., & Bjørner, N. (2008). Z3: an efficient smt solver. International Conference on Tools and Algorithms for the Construction and Analysis of Systems (pp. 337–340).

Munoz-Gonzalez et al., 2017

Muñoz-González, L., Biggio, B., Demontis, A., Paudice, A., Wongrassamee, V., Lupu, E. C., & Roli, F. (2017). Towards poisoning of deep learning algorithms with back-gradient optimization. ACM Workshop on Artificial Intelligence and Security (pp. 27–38).

Munoz-Gonzalez et al., 2019

Muñoz-González, L., Pfitzner, B., Russo, M., Carnerero-Cano, J., & Lupu, E. C. (2019). Poisoning attacks with generative adversarial nets. arXiv preprint arXiv:1906.07773.

Nair & Hinton, 2010

Nair, V., & Hinton, G. E. (2010). Rectified linear units improve restricted boltzmann machines. International Conference on Machine Learning.

Nakkiran, 2019

Nakkiran, P. (2019). Adversarial robustness may be at odds with simplicity. arXiv preprint arXiv:1901.00532.

Nasr et al., 2019a

Nasr, M., Shokri, R., & Houmansadr, A. (2019). Comprehensive privacy analysis of deep learning: passive and active white-box inference attacks against centralized and federated learning. IEEE Symposium on Security and Privacy (SP).

Nasr et al., 2019b

Nasr, M., Shokri, R., & Houmansadr, A. (2019). Comprehensive privacy analysis of deep learning: passive and active white-box inference attacks against centralized and federated learning. IEEE Symposium on Security and Privacy (pp. 739–753).

Nelson et al., 2008

Nelson, B., Barreno, M., Chi, F. J., Joseph, A. D., Rubinstein, B. I., Saini, U., … Xia, K. (2008). Exploiting machine learning to subvert your spam filter. LEET, 8(1), 9.

Nesterov, 1983

Nesterov, Y. (1983). A method for unconstrained convex minimization problem with the rate of convergence O(1/k^2). Doklady ANSSSR (pp. 543–547).

Newell & Simon, 1956

Newell, A., & Simon, H. (1956). The logic theory machine–a complex information processing system. IRE Transactions on Information Theory, 2(3), 61–79.

Nguyen et al., 2019

Nguyen, H. H., Yamagishi, J., & Echizen, I. (2019). Capsule-forensics: using capsule networks to detect forged images and videos. IEEE International Conference on Acoustics, Speech and Signal Processing (pp. 2307–2311).

Nguyen & Tran, 2020

Nguyen, T. A., & Tran, A. (2020). Input-aware dynamic backdoor attack. Advances in Neural Information Processing Systems, 33, 3454–3464.

Ning et al., 2020

Ning, X., Zhao, J., Li, W., Zhao, T., Yang, H., & Wang, Y. (2020). Multi-shot nas for discovering adversarially robust convolutional neural architectures at targeted capacities. arXiv preprint arXiv:2012.11835.

Nirkin et al., 2022

Nirkin, Y., Keller, Y., & Hassner, T. (2022). Fsganv2: improved subject agnostic face swapping and reenactment. IEEE Transactions on Pattern Analysis and Machine Intelligence.

Nissim et al., 2007

Nissim, K., Raskhodnikova, S., & Smith, A. (2007). Smooth sensitivity and sampling in private data analysis. ACM Symposium on Theory of Computing (pp. 75–84).

Novac et al., 2017

Novac, O. C., Novac, M., Gordan, C., Berczes, T., & Bujdosó, G. (2017). Comparative study of google android, apple ios and microsoft windows phone mobile operating systems. Engineering of Modern Electric Systems (pp. 154–159).

Nokland, 2015

Nøkland, A. (2015). Improving back-propagation by adding an adversarial gradient. arXiv preprint arXiv:1510.04189.

Oh et al., 2019

Oh, S. J., Schiele, B., & Fritz, M. (2019). Towards reverse-engineering black-box neural networks. Explainable AI: Interpreting, Explaining and Visualizing Deep Learning (pp. 121–144). Springer.

Oord et al., 2018

Oord, A. v. d., Li, Y., & Vinyals, O. (2018). Representation learning with contrastive predictive coding. arXiv preprint arXiv:1807.03748.

Orekondy et al., 2019

Orekondy, T., Schiele, B., & Fritz, M. (2019). Knockoff nets: stealing functionality of black-box models. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 4954–4963).

Pan et al., 2020

Pan, X., Zhang, M., Ji, S., & Yang, M. (2020). Privacy risks of general-purpose language models. IEEE Symposium on Security and Privacy (pp. 1314–1331).

Pan et al., 2012

Pan, X., Zhang, X., & Lyu, S. (2012). Exposing image splicing with inconsistent local noise variances. IEEE International Conference on Computational Photography (pp. 1–10).

Pang et al., 2018

Pang, T., Du, C., Dong, Y., & Zhu, J. (2018). Towards robust detection of adversarial examples. Advances in Neural Information Processing Systems, 31.

Papernot et al., 2017

Papernot, N., McDaniel, P., Goodfellow, I., Jha, S., Celik, Z. B., & Swami, A. (2017). Practical black-box attacks against machine learning. ACM on Asia Conference on Computer and Communications Security (pp. 506–519).

Papernot et al., 2016a

Papernot, N., McDaniel, P., Jha, S., Fredrikson, M., Celik, Z. B., & Swami, A. (2016). The limitations of deep learning in adversarial settings. IEEE European Symposium on Security and Privacy (pp. 372–387).

Papernot et al., 2016b

Papernot, N., McDaniel, P., Wu, X., Jha, S., & Swami, A. (2016). Distillation as a defense to adversarial perturbations against deep neural networks. IEEE Symposium on Security and Privacy (pp. 582–597).

Patashnik et al., 2021

Patashnik, O., Wu, Z., Shechtman, E., Cohen-Or, D., & Lischinski, D. (2021). Styleclip: text-driven manipulation of stylegan imagery. IEEE/CVF International Conference on Computer Vision (pp. 2085–2094).

Pathak et al., 2016

Pathak, D., Krahenbuhl, P., Donahue, J., Darrell, T., & Efros, A. A. (2016). Context encoders: feature learning by inpainting. IEEE Conference on Computer Vision and Pattern Recognition (pp. 2536–2544).

Phan et al., 2016

Phan, N., Wang, Y., Wu, X., & Dou, D. (2016). Differential privacy preservation for deep auto-encoders: an application of human behavior prediction. AAAI Conference on Artificial Intelligence.

Phan et al., 2017

Phan, N., Wu, X., & Dou, D. (2017). Preserving differential privacy in convolutional deep belief networks. Machine Learning, 106(9), 1681–1704.

Pillutla et al., 2019

Pillutla, K., Kakade, S. M., & Harchaoui, Z. (2019). Robust aggregation for federated learning. arXiv preprint arXiv:1912.13445.

Prakash et al., 2018

Prakash, A., Moran, N., Garber, S., DiLillo, A., & Storer, J. (2018). Deflecting adversarial attacks with pixel deflection. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 8571–8580).

Pyrgelis et al., 2018

Pyrgelis, A., Troncoso, C., & Cristofaro, E. D. (2018). Knock knock, who's there? membership inference on aggregate location data. Network and Distributed System Security Symposium. The Internet Society.

Pyrgelis et al., 2020

Pyrgelis, A., Troncoso, C., & De Cristofaro, E. (2020). Measuring membership privacy on aggregate location time-series. ACM on Measurement and Analysis of Computing Systems, 4(2), 1–28.

Qi et al., 2021

Qi, F., Li, M., Chen, Y., Zhang, Z., Liu, Z., Wang, Y., & Sun, M. (2021). Hidden killer: invisible textual backdoor attacks with syntactic trigger. arXiv preprint arXiv:2105.12400.

Qian, 1999

Qian, N. (1999). On the momentum term in gradient descent learning algorithms. Neural Networks, 12(1), 145–151.

Qian et al., 2020

Qian, Y., Yin, G., Sheng, L., Chen, Z., & Shao, J. (2020). Thinking in frequency: face forgery detection by mining frequency-aware clues. European Conference on Computer Vision.

Qiao et al., 2019

Qiao, X., Yang, Y., & Li, H. (2019). Defending neural backdoors via generative distribution modeling. Advances in Neural Information Processing Systems, 32.

Qin et al., 2019

Qin, C., Martens, J., Gowal, S., Krishnan, D., Dvijotham, K., Fawzi, A., … Kohli, P. (2019). Adversarial robustness through local linearization. Advances in Neural Information Processing Systems, 32.

Radford et al., 2021

Radford, A., Kim, J. W., Hallacy, C., Ramesh, A., Goh, G., Agarwal, S., … others. (2021). Learning transferable visual models from natural language supervision. International Conference on Machine Learning (pp. 8748–8763).

Ramachandran et al., 2017

Ramachandran, P., Zoph, B., & Le, Q. V. (2017). Searching for activation functions. arXiv preprint arXiv:1710.05941.

Rebuffi et al., 2021a

Rebuffi, S.-A., Gowal, S., Calian, D. A., Stimberg, F., Wiles, O., & Mann, T. (2021). Fixing data augmentation to improve adversarial robustness. arXiv preprint arXiv:2103.01946.

Rebuffi et al., 2021b

Rebuffi, S.-A., Gowal, S., Calian, D. A., Stimberg, F., Wiles, O., & Mann, T. A. (2021). Data augmentation can improve robustness. Advances in Neural Information Processing Systems, 34, 29935–29948.

Redmon & Farhadi, 2017

Redmon, J., & Farhadi, A. (2017). Yolo9000: better, faster, stronger. IEEE Conference on Computer Vision and Pattern Recognition (pp. 7263–7271).

Rezatofighi et al., 2019

Rezatofighi, H., Tsoi, N., Gwak, J., Sadeghian, A., Reid, I., & Savarese, S. (2019). Generalized intersection over union: a metric and a loss for bounding box regression. IEEE/CVF Conference on Computer Vision and Pattern Recognition.

Rice et al., 2020

Rice, L., Wong, E., & Kolter, Z. (2020). Overfitting in adversarially robust deep learning. International Conference on Machine Learning (pp. 8093–8104).

Rivest et al., 1978

Rivest, R. L., Adleman, L., Dertouzos, M. L., & others. (1978). On data banks and privacy homomorphisms. Foundations of Secure Computation, 4(11), 169–180.

Ronneberger et al., 2015

Ronneberger, O., Fischer, P., & Brox, T. (2015). U-net: convolutional networks for biomedical image segmentation. International Conference on Medical Image Computing and Computer Assisted Intervention (pp. 234–241).

Roth et al., 2019

Roth, K., Kilcher, Y., & Hofmann, T. (2019). The odds are odd: a statistical test for detecting adversarial examples. International Conference on Machine Learning (pp. 5498–5507).

Rubinstein et al., 2009

Rubinstein, B., Nelson, B., Ling, H., Joseph, A. D., & Tygar, J. D. (2009). Antidote: understanding and defending against poisoning of anomaly detectors. ACM SIGCOMM Conference on Internet Measurement.

Rudin & others, 1976

Rudin, W., & others. (1976). Principles of mathematical analysis. Vol. 3. McGraw-Hill, New York.

Rumelhart et al., 1986

Rumelhart, D. E., Hinton, G. E., & Williams, R. J. (1986). Learning representations by back-propagating errors. Nature, 323(6088), 533–536.

Russakovsky et al., 2015

Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., … others. (2015). Imagenet large scale visual recognition challenge. International Journal of Computer Vision, 115(3), 211–252.

Saha et al., 2020

Saha, A., Subramanya, A., & Pirsiavash, H. (2020). Hidden trigger backdoor attacks. AAAI Conference on Artificial Intelligence (pp. 11957–11965).

Salem et al., 2019

Salem, A., Zhang, Y., Humbert, M., Fritz, M., & Backes, M. (2019). Ml-leaks: model and data independent membership inference attacks and defenses on machine learning models. Network and Distributed Systems Security Symposium.

Salman et al., 2019

Salman, H., Yang, G., Zhang, H., Hsieh, C.-J., & Zhang, P. (2019). A convex relaxation barrier to tight robustness verification of neural networks. Advances in Neural Information Processing Systems, 32.

Samangouei et al., 2018

Samangouei, P., Kabkab, M., & Chellappa, R. (2018). Defense-gan: protecting classifiers against adversarial attacks using generative models. International Conference on Learning Representations.

Sattler et al., 2020

Sattler, F., Müller, K.-R., & Samek, W. (2020). Clustered federated learning: model-agnostic distributed multitask optimization under privacy constraints. IEEE Transactions on Neural Networks and Learning Systems, 32(8), 3710–3722.

Schmidt et al., 2018

Schmidt, L., Santurkar, S., Tsipras, D., Talwar, K., & Madry, A. (2018). Adversarially robust generalization requires more data. Advances in Neural Information Processing Systems, 31.

Schroff et al., 2015

Schroff, F., Kalenichenko, D., & Philbin, J. (2015). Facenet: a unified embedding for face recognition and clustering. IEEE Conference on Computer Vision and Pattern Recognition (pp. 815–823).

Schuller et al., 2015

Schuller, B., Steidl, S., Batliner, A., Nöth, E., Vinciarelli, A., Burkhardt, F., … others. (2015). A survey on perceived speaker traits: personality, likability, pathology, and the first challenge. Computer Speech & Language, 29(1), 100–131.

Schultz & Joachims, 2003

Schultz, M., & Joachims, T. (2003). Learning a distance metric from relative comparisons. Advances in Neural Information Processing Systems, 16.

Segal et al., 2009

Segal, A., Haehnel, D., & Thrun, S. (2009). Generalized-icp. Robotics: Science and Systems (p. 435).

Shafahi et al., 2018

Shafahi, A., Huang, W. R., Najibi, M., Suciu, O., Studer, C., Dumitras, T., & Goldstein, T. (2018). Poison frogs! targeted clean-label poisoning attacks on neural networks. Advances in Neural Information Processing Systems, 31.

Shafahi et al., 2019

Shafahi, A., Najibi, M., Ghiasi, M. A., Xu, Z., Dickerson, J., Studer, C., … Goldstein, T. (2019). Adversarial training for free! Advances in Neural Information Processing Systems, 32.

Shafi & Silvio, 1982

Goldwasser, S., & Micali, S. (1982). Probabilistic encryption & how to play mental poker keeping secret all partial information. ACM Symposium on Theory of Computing (pp. 365–377).

Shaham et al., 2015

Shaham, U., Yamada, Y., & Negahban, S. (2015). Understanding adversarial training: increasing local stability of neural nets through robust optimization. arXiv preprint arXiv:1511.05432.

Shao et al., 2021

Shao, R., Shi, Z., Yi, J., Chen, P.-Y., & Hsieh, C.-J. (2021). On the adversarial robustness of vision transformers. arXiv preprint arXiv:2103.15670.

Sharif et al., 2016

Sharif, M., Bhagavatula, S., Bauer, L., & Reiter, M. K. (2016). Accessorize to a crime: real and stealthy attacks on state-of-the-art face recognition. ACM SIGSAC Conference on Computer and Communications Security (pp. 1528–1540).

Sharir et al., 2020

Sharir, O., Peleg, B., & Shoham, Y. (2020). The cost of training nlp models: a concise overview. arXiv preprint arXiv:2004.08900.

Shen et al., 2016

Shen, S., Tople, S., & Saxena, P. (2016). Auror: defending against poisoning attacks in collaborative deep learning systems. Conference on Computer Security Applications.

Shen & Sanghavi, 2019

Shen, Y., & Sanghavi, S. (2019). Learning with bad training data via iterative trimmed loss minimization. International Conference on Machine Learning (pp. 5739–5748).

Shokri et al., 2017

Shokri, R., Stronati, M., Song, C., & Shmatikov, V. (2017). Membership inference attacks against machine learning models. IEEE Symposium on Security and Privacy (pp. 3–18).

Siarohin et al., 2019

Siarohin, A., Lathuilière, S., Tulyakov, S., Ricci, E., & Sebe, N. (2019). First order motion model for image animation. Advances in Neural Information Processing Systems, 32.

Silver et al., 2016

Silver, D., Huang, A., Maddison, C. J., Guez, A., Sifre, L., Van Den Driessche, G., … others. (2016). Mastering the game of go with deep neural networks and tree search. Nature, 529(7587), 484–489.

Silver et al., 2017

Silver, D., Schrittwieser, J., Simonyan, K., Antonoglou, I., Huang, A., Guez, A., … others. (2017). Mastering the game of go without human knowledge. Nature, 550(7676), 354–359.

Simon-Gabriel et al., 2019

Simon-Gabriel, C.-J., Ollivier, Y., Bottou, L., Schölkopf, B., & Lopez-Paz, D. (2019). First-order adversarial vulnerability of neural networks and input dimension. International Conference on Machine Learning (pp. 5809–5817).

Simonyan & Zisserman, 2015

Simonyan, K., & Zisserman, A. (2015). Very deep convolutional networks for large-scale image recognition. International Conference on Learning Representations.

Singh et al., 2019a

Singh, G., Ganvir, R., Püschel, M., & Vechev, M. (2019). Beyond the single neuron convex barrier for neural network certification. Advances in Neural Information Processing Systems, 32.

Singh et al., 2019b

Singh, G., Gehr, T., Püschel, M., & Vechev, M. (2019). An abstract domain for certifying neural networks. ACM on Programming Languages, 3(POPL), 1–30.

Smith & Topin, 2018

Smith, L. N., & Topin, N. (2018). Super-convergence: very fast training of residual networks using large learning rates.

Smith et al., 2017

Smith, V., Chiang, C.-K., Sanjabi, M., & Talwalkar, A. S. (2017). Federated multi-task learning. Advances in Neural Information Processing Systems, 30.

Song & Raghunathan, 2020

Song, C., & Raghunathan, A. (2020). Information leakage in embedding models. ACM SIGSAC Conference on Computer and Communications Security (pp. 377–390).

Song et al., 2017

Song, C., Ristenpart, T., & Shmatikov, V. (2017). Machine learning models that remember too much. ACM SIGSAC Conference on Computer and Communications Security (pp. 587–601).

Song et al., 2021a

Song, J., Meng, C., & Ermon, S. (2021). Denoising diffusion implicit models. International Conference on Learning Representations.

Song et al., 2021b

Song, L., Wu, W., Fu, C., Qian, C., Loy, C. C., & He, R. (2021). Everything's talkin': pareidolia face reenactment. IEEE/CVF Conference on Computer Vision and Pattern Recognition.

Song & Mittal, 2021

Song, L., & Mittal, P. (2021). Systematic evaluation of privacy risks of machine learning models. USENIX Security Symposium (pp. 2615–2632).

Song et al., 2013

Song, S., Chaudhuri, K., & Sarwate, A. D. (2013). Stochastic gradient descent with differentially private updates. IEEE Global Conference on Signal and Information Processing (pp. 245–248).

Srivastava et al., 2014

Srivastava, N., Hinton, G., Krizhevsky, A., Sutskever, I., & Salakhutdinov, R. (2014). Dropout: a simple way to prevent neural networks from overfitting. Journal of Machine Learning Research, 15(1), 1929–1958.

Su et al., 2017

Su, D., Cao, J., Li, N., Bertino, E., Lyu, M., & Jin, H. (2017). Differentially private k-means clustering and a hybrid approach to private optimization. ACM Transactions on Privacy and Security, 20(4), 1–33.

Su et al., 2018

Su, D., Zhang, H., Chen, H., Yi, J., Chen, P.-Y., & Gao, Y. (2018). Is robustness the cost of accuracy?–a comprehensive study on the robustness of 18 deep image classification models. European Conference on Computer Vision (pp. 631–648).

Sun et al., 2022a

Sun, J., Wang, X., Zhang, Y., Li, X., Zhang, Q., Liu, Y., & Wang, J. (2022). Fenerf: face editing in neural radiance fields. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 7672–7682).

Sun et al., 2022b

Sun, K., Yao, T., Chen, S., Ding, S., Li, J., & Ji, R. (2022). Dual contrastive learning for general face forgery detection. AAAI Conference on Artificial Intelligence.

Sun et al., 2022c

Sun, Y., Zhang, T., Ma, X., Zhou, P., Lou, J., Xu, Z., … Sun, L. (2022). Backdoor attacks on crowd counting. ACM International Conference on Multimedia (pp. 5351–5360).

Sun et al., 2019

Sun, Z., Kairouz, P., Suresh, A. T., & McMahan, H. B. (2019). Can you really backdoor federated learning? arXiv preprint arXiv:1911.07963.

Suwajanakorn et al., 2017

Suwajanakorn, S., Seitz, S. M., & Kemelmacher-Shlizerman, I. (2017). Synthesizing obama: learning lip sync from audio. ACM Transactions on Graphics, 36(4), 1–13.

Szegedy et al., 2016

Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., & Wojna, Z. (2016). Rethinking the inception architecture for computer vision. IEEE Conference on Computer Vision and Pattern Recognition (pp. 2818–2826).

Szegedy et al., 2014

Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., & Fergus, R. (2014). Intriguing properties of neural networks. International Conference on Learning Representations.

Szyller et al., 2021

Szyller, S., Atli, B. G., Marchal, S., & Asokan, N. (2021). Dawn: dynamic adversarial watermarking of neural networks. ACM International Conference on Multimedia (pp. 4417–4425).

TDinh et al., 2020

Dinh, C. T., Tran, N., & Nguyen, J. (2020). Personalized federated learning with moreau envelopes. Advances in Neural Information Processing Systems, 33, 21394–21405.

Tan & Le, 2019

Tan, M., & Le, Q. (2019). Efficientnet: rethinking model scaling for convolutional neural networks. International Conference on Machine Learning (pp. 6105–6114).

Tanay & Griffin, 2016

Tanay, T., & Griffin, L. (2016). A boundary tilting perspective on the phenomenon of adversarial examples. arXiv preprint arXiv:1608.07690.

Tang et al., 2020

Tang, R., Du, M., Liu, N., Yang, F., & Hu, X. (2020). An embarrassingly simple approach for trojan attack in deep neural networks. ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (pp. 218–228).

Tang et al., 2021

Tang, S., Gong, R., Wang, Y., Liu, A., Wang, J., Chen, X., … others. (2021). Robustart: benchmarking robustness on architecture design and training techniques. arXiv preprint arXiv:2109.05211.

Teng et al., 2020

Teng, J., Lee, G.-H., & Yuan, Y. (2020). $\ell_1$ adversarial robustness certificates: a randomized smoothing approach.

Tian et al., 2018

Tian, S., Yang, G., & Cai, Y. (2018). Detecting adversarial examples through image transformation. AAAI Conference on Artificial Intelligence.

Tian et al., 2020

Tian, Y., Sun, C., Poole, B., Krishnan, D., Schmid, C., & Isola, P. (2020). What makes for good views for contrastive learning? Advances in Neural Information Processing Systems, 33, 6827–6839.

Tian et al., 2021

Tian, Y., Ren, J., Chai, M., Olszewski, K., Peng, X., Metaxas, D. N., & Tulyakov, S. (2021). A good image generator is what you need for high-resolution video synthesis. International Conference on Learning Representations.

Tieleman et al., 2012

Tieleman, T., Hinton, G., & others. (2012). Lecture 6.5-rmsprop: divide the gradient by a running average of its recent magnitude. COURSERA: Neural networks for machine learning, 4(2), 26–31.

Tramer et al., 2020

Tramer, F., Carlini, N., Brendel, W., & Madry, A. (2020). On adaptive attacks to adversarial example defenses. Advances in Neural Information Processing Systems, 33, 1633–1645.

Tramer et al., 2018

Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I., Boneh, D., & McDaniel, P. (2018). Ensemble adversarial training: attacks and defenses. International Conference on Learning Representations.

Tramer et al., 2016

Tramèr, F., Zhang, F., Juels, A., Reiter, M. K., & Ristenpart, T. (2016). Stealing machine learning models via prediction APIs. USENIX Security Symposium (pp. 601–618).

Tran et al., 2018

Tran, B., Li, J., & Madry, A. (2018). Spectral signatures in backdoor attacks. Advances in Neural Information Processing Systems, 31.

Trinh et al., 2021

Trinh, L., Tsang, M., Rambhatla, S., & Liu, Y. (2021). Interpretable and trustworthy deepfake detection via dynamic prototypes. IEEE/CVF Winter Conference on Applications of Computer Vision.

Truex et al., 2019

Truex, S., Liu, L., Gursoy, M. E., Yu, L., & Wei, W. (2019). Demystifying membership inference attacks in machine learning as a service. IEEE Transactions on Services Computing.

Tsuzuku et al., 2018

Tsuzuku, Y., Sato, I., & Sugiyama, M. (2018). Lipschitz-margin training: scalable certification of perturbation invariance for deep neural networks. Advances in Neural Information Processing Systems, 31.

Tu et al., 2019

Tu, C.-C., Ting, P., Chen, P.-Y., Liu, S., Zhang, H., Yi, J., … Cheng, S.-M. (2019). Autozoom: autoencoder-based zeroth order optimization method for attacking black-box neural networks. AAAI Conference on Artificial Intelligence (pp. 742–749).

Turner et al., 2018

Turner, A., Tsipras, D., & Madry, A. (2018). Clean-label backdoor attacks.

Uchida et al., 2017

Uchida, Y., Nagai, Y., Sakazawa, S., & Satoh, S. (2017). Embedding watermarks into deep neural networks. ACM on International Conference on Multimedia Retrieval (pp. 269–277).

Maaten & Hinton, 2008

Van der Maaten, L., & Hinton, G. (2008). Visualizing data using t-sne. Journal of Machine Learning Research, 9(11).

Vanhaesebrouck et al., 2017

Vanhaesebrouck, P., Bellet, A., & Tommasi, M. (2017). Decentralized collaborative learning of personalized models over networks. Artificial Intelligence and Statistics (pp. 509–517).

Vaswani et al., 2017

Vaswani, A., Shazeer, N., Parmar, N., Uszkoreit, J., Jones, L., Gomez, A. N., … Polosukhin, I. (2017). Attention is all you need. Advances in Neural Information Processing Systems, 30.

Wald, 1939

Wald, A. (1939). Contributions to the theory of statistical estimation and testing hypotheses. The Annals of Mathematical Statistics, 10(4), 299–326.

Wald, 1945

Wald, A. (1945). Statistical decision functions which minimize the maximum risk. Annals of Mathematics, pp. 265–280.

Wald, 1992

Wald, A. (1992). Statistical decision functions. Breakthroughs in Statistics (pp. 342–357). Springer.

Wang & Gong, 2018

Wang, B., & Gong, N. Z. (2018). Stealing hyperparameters in machine learning. IEEE Symposium on Security and Privacy (pp. 36–52).

Wang et al., 2019a

Wang, B., Yao, Y., Shan, S., Li, H., Viswanath, B., Zheng, H., & Zhao, B. Y. (2019). Neural cleanse: identifying and mitigating backdoor attacks in neural networks. IEEE Symposium on Security and Privacy (pp. 707–723).

Wang & Deng, 2021

Wang, C., & Deng, W. (2021). Representative forgery mining for fake face detection. IEEE/CVF Computer Vision and Pattern Recognition Conference.

Wang et al., 2017

Wang, D., Ye, M., & Xu, J. (2017). Differentially private empirical risk minimization revisited: faster and more general. Advances in Neural Information Processing Systems, 30.

Wang et al., 2018a

Wang, H., Wang, Y., Zhou, Z., Ji, X., Gong, D., Zhou, J., … Liu, W. (2018). Cosface: large margin cosine loss for deep face recognition. IEEE Conference on Computer Vision and Pattern Recognition (pp. 5265–5274).

Wang et al., 2020a

Wang, H., Sreenivasan, K., Rajput, S., Vishwakarma, H., Agarwal, S., Sohn, J.-y., … Papailiopoulos, D. (2020). Attack of the tails: yes, you really can backdoor federated learning. Advances in Neural Information Processing Systems, 33, 16070–16084.

Wang et al., 2020b

Wang, R., Zhang, G., Liu, S., Chen, P.-Y., Xiong, J., & Wang, M. (2020). Practical detection of trojan neural networks: data-limited and data-free cases. European Conference on Computer Vision (pp. 222–238).

Wang et al., 2021a

Wang, S., Zhang, H., Xu, K., Lin, X., Jana, S., Hsieh, C.-J., & Kolter, J. Z. (2021). Beta-crown: efficient bound propagation with per-neuron split constraints for neural network robustness verification. Advances in Neural Information Processing Systems, 34, 29909–29921.

Wang et al., 2022

Wang, S., Nepal, S., Abuadbba, A., Rudolph, C., & Grobler, M. (2022). Adversarial detection by latent style transformations. IEEE Transactions on Information Forensics and Security, 17, 1099–1114.

Wang et al., 2020c

Wang, S., Nepal, S., Rudolph, C., Grobler, M., Chen, S., & Chen, T. (2020). Backdoor attacks against transfer learning with pre-trained deep learning models. IEEE Transactions on Services Computing.

Wang et al., 2018b

Wang, T.-C., Liu, M.-Y., Zhu, J.-Y., Tao, A., Kautz, J., & Catanzaro, B. (2018). High-resolution image synthesis and semantic manipulation with conditional gans. IEEE Conference on Computer Vision and Pattern Recognition (pp. 8798–8807).

Wang et al., 2014

Wang, W., Dong, J., & Tan, T. (2014). Exploring dct coefficient quantization effects for local tampering detection. IEEE Transactions on Information Forensics and Security, 9(10), 1653–1666.

Wang et al., 2019b

Wang, Y., Ma, X., Bailey, J., Yi, J., Zhou, B., & Gu, Q. (2019). On the convergence and robustness of adversarial training. International Conference on Machine Learning (pp. 6586–6595).

Wang et al., 2019c

Wang, Y., Zou, D., Yi, J., Bailey, J., Ma, X., & Gu, Q. (2019). Improving adversarial robustness requires revisiting misclassified examples. International Conference on Learning Representations.

Wang et al., 2021b

Wang, Z., Liu, C., & Cui, X. (2021). Evilmodel: hiding malware inside of neural network models. IEEE Symposium on Computers and Communications (pp. 1–7).

Wen et al., 2016

Wen, Y., Zhang, K., Li, Z., & Qiao, Y. (2016). A discriminative feature learning approach for deep face recognition. European Conference on Computer Vision (pp. 499–515).

Weng et al., 2018

Weng, L., Zhang, H., Chen, H., Song, Z., Hsieh, C.-J., Daniel, L., … Dhillon, I. (2018). Towards fast computation of certified robustness for relu networks. International Conference on Machine Learning (pp. 5276–5285).

Wenger et al., 2021

Wenger, E., Passananti, J., Bhagoji, A. N., Yao, Y., Zheng, H., & Zhao, B. Y. (2021). Backdoor attacks against deep learning systems in the physical world. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 6206–6215).

Wierstra et al., 2014

Wierstra, D., Schaul, T., Glasmachers, T., Sun, Y., Peters, J., & Schmidhuber, J. (2014). Natural evolution strategies. Journal of Machine Learning Research, 15(1), 949–980.

Wold et al., 1987

Wold, S., Esbensen, K., & Geladi, P. (1987). Principal component analysis. Chemometrics and Intelligent Laboratory Systems, 2(1-3), 37–52.

Wong et al., 2020

Wong, E., Rice, L., & Kolter, J. Z. (2020). Fast is better than free: revisiting adversarial training. International Conference on Learning Representations.

Wu et al., 2021

Wu, B., Chen, J., Cai, D., He, X., & Gu, Q. (2021). Do wider neural networks really help adversarial robustness? Advances in Neural Information Processing Systems, 34, 7054–7067.

Wu et al., 2020a

Wu, C., Yang, X., Zhu, S., & Mitra, P. (2020). Mitigating backdoor attacks in federated learning. arXiv preprint arXiv:2011.01767.

Wu & Wang, 2021

Wu, D., & Wang, Y. (2021). Adversarial neuron pruning purifies backdoored deep models. Advances in Neural Information Processing Systems, 34, 16913–16925.

Wu et al., 2020b

Wu, D., Wang, Y., Xia, S.-T., Bailey, J., & Ma, X. (2020). Skip connections matter: on the transferability of adversarial examples generated with resnets. arXiv preprint arXiv:2002.05990.

Wu et al., 2020c

Wu, D., Xia, S.-T., & Wang, Y. (2020). Adversarial weight perturbation helps robust generalization. Advances in Neural Information Processing Systems, 33, 2958–2969.

Wu et al., 2019

Wu, Y., AbdAlmageed, W., & Natarajan, P. (2019). Mantra-net: manipulation tracing network for detection and localization of image forgeries with anomalous features. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 9543–9552).

Wu et al., 2020d

Wu, Z., Pan, S., Chen, F., Long, G., Zhang, C., & Yu, P. S. (2020). A comprehensive survey on graph neural networks. IEEE Transactions on Neural Networks and Learning Systems, 32(1), 4–24.

Xi et al., 2021

Xi, Z., Pang, R., Ji, S., & Wang, T. (2021). Graph backdoor. USENIX Security Symposium (pp. 1523–1540).

Xia et al., 2021

Xia, W., Yang, Y., Xue, J.-H., & Wu, B. (2021). Tedigan: text-guided diverse face image generation and manipulation. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 2256–2265).

Xiao et al., 2018a

Xiao, C., Li, B., Zhu, J. Y., He, W., Liu, M., & Song, D. (2018). Generating adversarial examples with adversarial networks. International Joint Conference on Artificial Intelligence (pp. 3905–3911).

Xiao et al., 2018b

Xiao, K. Y., Tjeng, V., Shafiullah, N. M., & Madry, A. (2018). Training for faster adversarial robustness verification via inducing relu stability. arXiv preprint arXiv:1809.03008.

Xie et al., 2021

Xie, C., Chen, M., Chen, P.-Y., & Li, B. (2021). Crfl: certifiably robust federated learning against backdoor attacks. International Conference on Machine Learning (pp. 11372–11382).

Xie et al., 2019a

Xie, C., Huang, K., Chen, P.-Y., & Li, B. (2019). Dba: distributed backdoor attacks against federated learning. International Conference on Learning Representations.

Xie et al., 2020

Xie, C., Tan, M., Gong, B., Yuille, A., & Le, Q. V. (2020). Smooth adversarial training. arXiv preprint arXiv:2006.14536.

Xie et al., 2018

Xie, C., Wang, J., Zhang, Z., Ren, Z., & Yuille, A. (2018). Mitigating adversarial effects through randomization. International Conference on Learning Representations.

Xie et al., 2019b

Xie, C., Wu, Y., Maaten, L. v. d., Yuille, A. L., & He, K. (2019). Feature denoising for improving adversarial robustness. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 501–509).

Xie et al., 2019c

Xie, C., Zhang, Z., Zhou, Y., Bai, S., Wang, J., Ren, Z., & Yuille, A. L. (2019). Improving transferability of adversarial examples with input diversity. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 2730–2739).

Xu et al., 2021

Xu, J., Xue, M., & Picek, S. (2021). Explainability-based backdoor attacks against graph neural networks. ACM Workshop on Wireless Security and Machine Learning (pp. 31–36).

Xu et al., 2020

Xu, K., Zhang, G., Liu, S., Fan, Q., Sun, M., Chen, H., … Lin, X. (2020). Adversarial t-shirt! evading person detectors in a physical world. European Conference on Computer Vision (pp. 665–681).

Xu et al., 2018

Xu, W., Evans, D., & Qi, Y. (2018). Feature squeezing: detecting adversarial examples in deep neural networks. Network and Distributed Systems Security Symposium.

Xu et al., 2022

Xu, Y., Yin, Y., Jiang, L., Wu, Q., Zheng, C., Loy, C. C., … Wu, W. (2022). Transeditor: transformer-based dual-space gan for highly controllable facial editing. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 7683–7692).

Yang et al., 2017

Yang, C., Wu, Q., Li, H., & Chen, Y. (2017). Generative poisoning attack method against neural networks. arXiv preprint arXiv:1703.01340.

Yang et al., 2020a

Yang, C.-Z., Ma, J., Wang, S., & Liew, A. W.-C. (2020). Preventing deepfake attacks on speaker authentication by dynamic lip movement analysis. IEEE Transactions on Information Forensics and Security.

Yang et al., 2020b

Yang, G., Duan, T., Hu, J. E., Salman, H., Razenshteyn, I., & Li, J. (2020). Randomized smoothing of all shapes and sizes. International Conference on Machine Learning (pp. 10693–10705).

Yang et al., 2020c

Yang, H., Zhang, J., Dong, H., Inkawhich, N., Gardner, A., Touchet, A., … Li, H. (2020). Dverge: diversifying vulnerabilities for enhanced robust generation of ensembles. Advances in Neural Information Processing Systems, 33, 5505–5515.

Yang et al., 2019a

Yang, Q., Liu, Y., Chen, T., & Tong, Y. (2019). Federated machine learning: concept and applications. ACM Transactions on Intelligent Systems and Technology, 10(2), 1–19.

Yang et al., 2019b

Yang, S., Ren, B., Zhou, X., & Liu, L. (2019). Parallel distributed logistic regression for vertical federated learning without third-party coordinator. arXiv preprint arXiv:1911.09824.

Yang et al., 2019c

Yang, X., Li, Y., & Lyu, S. (2019). Exposing deep fakes using inconsistent head poses. IEEE International Conference on Acoustics, Speech and Signal Processing.

Yang et al., 2022

Yang, Y., Liu, T. Y., & Mirzasoleiman, B. (2022). Not all poisons are created equal: robust training against data poisoning. International Conference on Machine Learning (pp. 25154–25165).

Yao, 1982

Yao, A. C. (1982). Protocols for secure computations. IEEE Annual Symposium on Foundations of Computer Science (pp. 160–164).

Yao et al., 2019

Yao, Y., Li, H., Zheng, H., & Zhao, B. Y. (2019). Latent backdoor attacks on deep neural networks. ACM SIGSAC Conference on Computer and Communications Security (pp. 2041–2055).

Ye et al., 2022

Ye, J., Liu, X., You, Z., Li, G., & Liu, B. (2022). Drinet: dynamic backdoor attack against automatic speech recognization models. Applied Sciences, 12(12), 5786.

Yeom et al., 2018

Yeom, S., Giacomelli, I., Fredrikson, M., & Jha, S. (2018). Privacy risk in machine learning: analyzing the connection to overfitting. IEEE Computer Security Foundations Symposium (pp. 268–282).

Yin et al., 2018

Yin, D., Chen, Y., Kannan, R., & Bartlett, P. (2018). Byzantine-robust distributed learning: towards optimal statistical rates. International Conference on Machine Learning (pp. 5650–5659).

Yin et al., 2021

Yin, H., Mallya, A., Vahdat, A., Alvarez, J. M., Kautz, J., & Molchanov, P. (2021). See through gradients: image batch recovery via gradinversion. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 16337–16346).

Yu et al., 2020

Yu, H., Yang, K., Zhang, T., Tsai, Y.-Y., Ho, T.-Y., & Jin, Y. (2020). Cloudleak: large-scale deep learning models stealing through adversarial examples. Network and Distributed System Security Symposium.

Yu et al., 2022

Yu, S., Tack, J., Mo, S., Kim, H., Kim, J., Ha, J.-W., & Shin, J. (2022). Generating videos with dynamics-aware implicit generative adversarial networks. arXiv preprint arXiv:2202.10571.

Yuan et al., 2022

Yuan, X., Ding, L., Zhang, L., Li, X., & Wu, D. O. (2022). Es attack: model stealing against deep neural networks without data hurdles. IEEE Transactions on Emerging Topics in Computational Intelligence.

Yun et al., 2019

Yun, S., Han, D., Oh, S. J., Chun, S., Choe, J., & Yoo, Y. (2019). Cutmix: regularization strategy to train strong classifiers with localizable features. International Conference on Computer Vision (pp. 6023–6032).

Zeiler, 2012

Zeiler, M. D. (2012). Adadelta: an adaptive learning rate method. arXiv preprint arXiv:1212.5701.

Zhai et al., 2021

Zhai, T., Li, Y., Zhang, Z., Wu, B., Jiang, Y., & Xia, S.-T. (2021). Backdoor attack against speaker verification. IEEE International Conference on Acoustics, Speech and Signal Processing (pp. 2560–2564).

Zhang et al., 2021a

Zhang, B., Lu, Z., Cai, T., He, D., & Wang, L. (2021). Towards certifying $\ell_\infty$ robustness using neural networks with $\ell_\infty$-dist neurons.

Zhang et al., 2019a

Zhang, D., Zhang, T., Lu, Y., Zhu, Z., & Dong, B. (2019). You only propagate once: accelerating adversarial training via maximal principle. Advances in Neural Information Processing Systems, 32.

Zhang et al., 2019b

Zhang, H., Yu, Y., Jiao, J., Xing, E., El Ghaoui, L., & Jordan, M. (2019). Theoretically principled trade-off between robustness and accuracy. International Conference on Machine Learning (pp. 7472–7482).

Zhang et al., 2018a

Zhang, H., Cisse, M., Dauphin, Y. N., & Lopez-Paz, D. (2018). Mixup: beyond empirical risk minimization. International Conference on Learning Representations.

Zhang et al., 2018b

Zhang, J., Gu, Z., Jang, J., Wu, H., Stoecklin, M. P., Huang, H., & Molloy, I. (2018). Protecting intellectual property of deep neural networks with watermarking. ACM Asia Conference on Computer and Communications Security (pp. 159–172).

Zhang et al., 2017

Zhang, J., Zheng, K., Mou, W., & Wang, L. (2017). Efficient private erm for smooth objectives. arXiv preprint arXiv:1703.09947.

Zhang et al., 2020a

Zhang, J., Chen, D., Liao, J., Fang, H., Zhang, W., Zhou, W., … Yu, N. (2020). Model watermarking for image processing networks. AAAI Conference on Artificial Intelligence (pp. 12805–12812).

Zhang et al., 2021b

Zhang, J., Chen, D., Liao, J., Zhang, W., Feng, H., Hua, G., & Yu, N. (2021). Deep model intellectual property protection via deep watermarking. IEEE Transactions on Pattern Analysis and Machine Intelligence.

Zhang et al., 2020b

Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., & Kankanhalli, M. (2020). Attacks which do not kill training make adversarial learning stronger. International Conference on Machine Learning (pp. 11278–11287).

Zhang et al., 2020c

Zhang, J., Zhu, J., Niu, G., Han, B., Sugiyama, M., & Kankanhalli, M. (2020). Geometry-aware instance-reweighted adversarial training. International Conference on Learning Representations.

Zhang et al., 2012

Zhang, J., Zhang, Z., Xiao, X., Yang, Y., & Winslett, M. (2012). Functional mechanism: regression analysis under differential privacy. arXiv preprint arXiv:1208.0219.

Zhang et al., 2022

Zhang, R., Guo, S., Wang, J., Xie, X., & Tao, D. (2022). A survey on gradient inversion: attacks, defenses and future directions. International Joint Conference on Artificial Intelligence.

Zhang & Zhu, 2017

Zhang, R., & Zhu, Q. (2017). A game-theoretic analysis of label flipping attacks on distributed support vector machines. Conference on Information Sciences and Systems (pp. 1–6).

Zhang et al., 2018c

Zhang, X., Ji, S., & Wang, T. (2018). Differentially private releasing via deep generative model (technical report). arXiv preprint arXiv:1801.01594.

Zhang et al., 2021c

Zhang, Z., Jia, J., Wang, B., & Gong, N. Z. (2021). Backdoor attacks to graph neural networks. ACM Symposium on Access Control Models and Technologies (pp. 15–26).

Zhang & Sabuncu, 2018

Zhang, Z., & Sabuncu, M. (2018). Generalized cross entropy loss for training deep neural networks with noisy labels. Advances in Neural Information Processing Systems, 31.

Zhao et al., 2020a

Zhao, B., Mopuri, K. R., & Bilen, H. (2020). Idlg: improved deep leakage from gradients. arXiv preprint arXiv:2001.02610.

Zhao et al., 2021a

Zhao, H., Zhou, W., Chen, D., Wei, T., Zhang, W., & Yu, N. (2021). Multi-attentional deepfake detection. IEEE/CVF Computer Vision and Pattern Recognition Conference.

Zhao et al., 2020b

Zhao, P., Chen, P.-Y., Das, P., Ramamurthy, K. N., & Lin, X. (2020). Bridging mode connectivity in loss landscapes and adversarial robustness. International Conference on Learning Representations.

Zhao et al., 2020c

Zhao, S., Ma, X., Zheng, X., Bailey, J., Chen, J., & Jiang, Y.-G. (2020). Clean-label backdoor attacks on video recognition models. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 14443–14452).

Zhao et al., 2021b

Zhao, T., Xu, X., Xu, M., Ding, H., Xiong, Y., & Xia, W. (2021). Learning self-consistency for deepfake detection. International Conference on Computer Vision.

Zheng et al., 2020a

Zheng, H., Zhang, Z., Gu, J., Lee, H., & Prakash, A. (2020). Efficient adversarial training with transferable adversarial examples. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 1181–1190).

Zheng et al., 2021

Zheng, Y., Bao, J., Chen, D., Zeng, M., & Wen, F. (2021). Exploring temporal coherence for more general video face forgery detection. International Conference on Computer Vision.

Zheng et al., 2020b

Zheng, Z., Wang, P., Liu, W., Li, J., Ye, R., & Ren, D. (2020). Distance-iou loss: faster and better learning for bounding box regression. AAAI Conference on Artificial Intelligence (pp. 12993–13000).

Zhou et al., 2016

Zhou, B., Khosla, A., Lapedriza, A., Oliva, A., & Torralba, A. (2016). Learning deep features for discriminative localization. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 2921–2929).

Zhou et al., 2017

Zhou, P., Han, X., Morariu, V. I., & Davis, L. S. (2017). Two-stream neural networks for tampered face detection. IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops (pp. 1831–1839).

Zhou et al., 2018a

Zhou, P., Han, X., Morariu, V. I., & Davis, L. S. (2018). Learning rich features for image manipulation detection. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 1053–1061).

Zhou et al., 2018b

Zhou, Y., Song, Y., & Berg, T. L. (2018). Image2gif: generating cinemagraphs using recurrent deep q-networks. IEEE Winter Conference on Applications of Computer Vision (pp. 170–178).

Zhu et al., 2019a

Zhu, C., Huang, W. R., Li, H., Taylor, G., Studer, C., & Goldstein, T. (2019). Transferable clean-label poisoning attacks on deep neural nets. International Conference on Machine Learning (pp. 7614–7623).

Zhu et al., 2021

Zhu, J., Yao, J., Han, B., Zhang, J., Liu, T., Niu, G., … Yang, H. (2021). Reliable adversarial distillation with unreliable teachers. International Conference on Learning Representations.

Zhu & Blaschko, 2021

Zhu, J., & Blaschko, M. B. (2021). R-gap: recursive gradient attack on privacy. International Conference on Learning Representations.

Zhu et al., 2019b

Zhu, L., Liu, Z., & Han, S. (2019). Deep leakage from gradients. Advances in Neural Information Processing Systems, 32.

Zi et al., 2021

Zi, B., Zhao, S., Ma, X., & Jiang, Y.-G. (2021). Revisiting adversarial robustness distillation: robust soft labels make student better. IEEE/CVF International Conference on Computer Vision (pp. 16443–16452).

Zombori et al., 2021

Zombori, D., Bánhelyi, B., Csendes, T., Megyeri, I., & Jelasity, M. (2021). Fooling a complete neural network verifier.

Zou et al., 2022

Zou, Z., Zhao, R., Shi, T., Qiu, S., & Shi, Z. (2022). Castle in the sky: dynamic sky replacement and harmonization in videos. IEEE Transactions on Image Processing.

方滨兴, 2020

方滨兴. (2020). Artificial intelligence security [人工智能安全]. Beijing Book Co., Inc.

梁瑞刚 et al., 2020

梁瑞刚, 吕培卓, 赵月, 陈鹏, 邢豪, 张颖君, … others. (2020). A survey of audio-visual deepfake detection techniques [视听觉深度伪造检测技术研究综述]. Journal of Cyber Security (信息安全学报), 5(2), 1–17.

王珏 et al., 2006

王珏, 周志华, & 周傲英. (2006). Machine learning and its applications [机器学习及其应用]. Vol. 4. Tsinghua University Press.

谢宸琪 et al., 2021

谢宸琪, 张保稳, & 易平. (2021). A survey of watermarking for artificial intelligence models [人工智能模型水印研究综述]. Computer Science (计算机科学), 48(7), 9–16.