参考文献¶
- Abadi et al., 2016
Abadi, M., Chu, A., Goodfellow, I., McMahan, H. B., Mironov, I., Talwar, K., & Zhang, L. (2016). Deep learning with differential privacy. ACM SIGSAC Conference on Computer and Communications Security (pp. 308–318).
- Adi et al., 2018
Adi, Y., Baum, C., Cisse, M., Pinkas, B., & Keshet, J. (2018). Turning your weakness into a strength: watermarking deep neural networks by backdooring. USENIX Security Symposium (pp. 1615–1631).
- Agarwal et al., 2020
Agarwal, S., Farid, H., Fried, O., & Agrawala, M. (2020). Detecting deep-fake videos from phoneme-viseme mismatches. IEEE/CVF Computer Vision and Pattern Recognition Conference Workshop.
- Alayrac et al., 2019
Alayrac, J.-B., Uesato, J., Huang, P.-S., Fawzi, A., Stanforth, R., & Kohli, P. (2019). Are labels required for improving adversarial robustness? Advances in Neural Information Processing Systems, 32.
- Amerini et al., 2019
Amerini, I., Galteri, L., Caldelli, R., & Del Bimbo, A. (2019). Deepfake video detection through optical flow based cnn. International Conference on Computer Vision Workshop.
- Amsaleg et al., 2015
Amsaleg, L., Chelly, O., Furon, T., Girard, S., Houle, M. E., Kawarabayashi, K.-i., & Nett, M. (2015). Estimating local intrinsic dimensionality. ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (pp. 29–38).
- Andriushchenko et al., 2020
Andriushchenko, M., Croce, F., Flammarion, N., & Hein, M. (2020). Square attack: a query-efficient black-box adversarial attack via random search. European Conference on Computer Vision (pp. 484–501).
- Aono et al., 2017
Aono, Y., Hayashi, T., Wang, L., Moriai, S., & others. (2017). Privacy-preserving deep learning via additively homomorphic encryption. IEEE Transactions on Information Forensics and Security, 13(5), 1333–1345.
- Ateniese et al., 2015
Ateniese, G., Mancini, L. V., Spognardi, A., Villani, A., Vitali, D., & Felici, G. (2015). Hacking smart machines with smarter ones: how to extract meaningful data from machine learning classifiers. International Journal of Security and Networks, 10(3), 137–150.
- Athalye et al., 2018a
Athalye, A., Carlini, N., & Wagner, D. (2018). Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples. International Conference on Machine Learning (pp. 274–283).
- Athalye et al., 2018b
Athalye, A., Engstrom, L., Ilyas, A., & Kwok, K. (2018). Synthesizing robust adversarial examples. International Conference on Machine Learning (pp. 284–293).
- Bagdasaryan et al., 2020
Bagdasaryan, E., Veit, A., Hua, Y., Estrin, D., & Shmatikov, V. (2020). How to backdoor federated learning. International Conference on Artificial Intelligence and Statistics (pp. 2938–2948).
- Bai et al., 2020a
Bai, Y., Zeng, Y., Jiang, Y., Xia, S.-T., Ma, X., & Wang, Y. (2020). Improving adversarial robustness via channel-wise activation suppressing. International Conference on Learning Representations.
- Bai et al., 2020b
Bai, Y., Guo, Y., Wei, J., Lu, L., Wang, R., & Wang, Y. (2020). Fake generated painting detection via frequency analysis. ICIP.
- Bai et al., 2021
Bai, Y., Mei, J., Yuille, A. L., & Xie, C. (2021). Are transformers more robust than cnns? Advances in Neural Information Processing Systems, 34, 26831–26843.
- Barreno et al., 2006
Barreno, M., Nelson, B., Sears, R., Joseph, A. D., & Tygar, J. D. (2006). Can machine learning be secure? ACM Symposium on Information, Computer and Communications Security (pp. 16–25).
- Basu et al., 2021
Basu, S., Pope, P., & Feizi, S. (2021). Influence functions in deep learning are fragile. International Conference on Learning Representations.
- Belghazi et al., 2018
Belghazi, M. I., Baratin, A., Rajeswar, S., Ozair, S., Bengio, Y., Courville, A., & Hjelm, R. D. (2018). Mine: mutual information neural estimation. arXiv preprint arXiv:1801.04062.
- Bendale & Boult, 2016
Bendale, A., & Boult, T. E. (2016). Towards open set deep networks. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 1563–1572).
- Bender et al., 2018
Bender, G., Kindermans, P.-J., Zoph, B., Vasudevan, V., & Le, Q. (2018). Understanding and simplifying one-shot architecture search. International Conference on Machine Learning (pp. 550–559).
- Bengio & others, 2009
Bengio, Y., & others. (2009). Learning deep architectures for ai. Foundations and trends® in Machine Learning, 2(1), 1–127.
- Bhagoji et al., 2017
Bhagoji, A. N., Cullina, D., & Mittal, P. (2017). Dimensionality reduction as a defense against evasion attacks on machine learning classifiers. arXiv preprint arXiv:1704.02654, 2(1).
- Bhojanapalli et al., 2021
Bhojanapalli, S., Chakrabarti, A., Glasner, D., Li, D., Unterthiner, T., & Veit, A. (2021). Understanding robustness of transformers for image classification. IEEE/CVF International Conference on Computer Vision (pp. 10231–10241).
- Biggio et al., 2013
Biggio, B., Corona, I., Maiorca, D., Nelson, B., Šrndić, N., Laskov, P., … Roli, F. (2013). Evasion attacks against machine learning at test time. Joint European Conference on Machine Learning and Knowledge Discovery in Databases (pp. 387–402).
- Biggio et al., 2012
Biggio, B., Nelson, B., & Laskov, P. (2012). Poisoning attacks against support vector machines. International Conference on International Conference on Machine Learning (pp. 1467–1474). Madison, WI, USA: Omnipress.
- Blanchard et al., 2017
Blanchard, P., Mhamdi, E., Guerraoui, R., & Stainer, J. (2017). Machine learning with adversaries: byzantine tolerant gradient descent. Neural Information Processing Systems.
- Bone et al., 2014
Bone, D., Li, M., Black, M. P., & Narayanan, S. S. (2014). Intoxicated speech detection: a fusion framework with speaker-normalized hierarchical functionals and gmm supervectors. Computer Speech & Language, 28(2), 375–391.
- Boneh et al., 2005
Boneh, D., Goh, E.-J., & Nissim, K. (2005). Evaluating 2-dnf formulas on ciphertexts. Theory of Cryptography Conference (pp. 325–341).
- Borgnia et al., 2021
Borgnia, E., Cherepanova, V., Fowl, L., Ghiasi, A., Geiping, J., Goldblum, M., … Gupta, A. (2021). Strong data augmentation sanitizes poisoning and backdoor attacks without an accuracy tradeoff. IEEE International Conference on Acoustics, Speech and Signal Processing (pp. 3855–3859).
- Botoeva et al., 2020
Botoeva, E., Kouvaros, P., Kronqvist, J., Lomuscio, A., & Misener, R. (2020). Efficient verification of relu-based neural networks via dependency analysis. AAAI Conference on Artificial Intelligence (pp. 3291–3299).
- Brakerski et al., 2014
Brakerski, Z., Gentry, C., & Vaikuntanathan, V. (2014). (leveled) fully homomorphic encryption without bootstrapping. ACM Transactions on Computation Theory, 6(3), 1–36.
- Brendel et al., 2018
Brendel, W., Rauber, J., & Bethge, M. (2018). Decision-based adversarial attacks: reliable attacks against black-box machine learning models. International Conference on Learning Representations.
- Brown et al., 2017
Brown, T. B., Mané, D., Roy, A., Abadi, M., & Gilmer, J. (2017). Adversarial patch. arXiv preprint arXiv:1712.09665.
- Buades et al., 2005
Buades, A., Coll, B., & Morel, J.-M. (2005). A non-local algorithm for image denoising. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 60–65).
- Bunel et al., 2020
Bunel, R., Mudigonda, P., Turkaslan, I., Torr, P., Lu, J., & Kohli, P. (2020). Branch and bound for piecewise linear neural network verification. Journal of Machine Learning Research, 21(2020).
- Cai et al., 2018
Cai, Q.-Z., Liu, C., & Song, D. (2018). Curriculum adversarial training. International Joint Conference on Artificial Intelligence (pp. 3740–3747).
- Cao et al., 2022
Cao, J., Ma, C., Yao, T., Chen, S., Ding, S., & Yang, X. (2022). End-to-end reconstruction-classification learning for face forgery detection. IEEE/CVF Computer Vision and Pattern Recognition Conference.
- Cao et al., 2021a
Cao, S., Zou, Q., Mao, X., Ye, D., & Wang, Z. (2021). Metric learning for anti-compression facial forgery detection. ACM MM.
- Cao et al., 2021b
Cao, X., Jia, J., & Gong, N. Z. (2021). Ipguard: protecting intellectual property of deep neural networks via fingerprinting the classification boundary. ACM Asia Conference on Computer and Communications Security (pp. 14–25).
- Cao et al., 2021c
Cao, Y., Wang, N., Xiao, C., Yang, D., Fang, J., Yang, R., … Li, B. (2021). Invisible for both camera and lidar: security of multi-sensor fusion based perception in autonomous driving under physical-world attacks. IEEE Symposium on Security and Privacy (pp. 176–194).
- Carlini et al., 2020
Carlini, N., Jagielski, M., & Mironov, I. (2020). Cryptanalytic extraction of neural network models. Annual International Cryptology Conference (pp. 189–218).
- Carlini et al., 2019
Carlini, N., Liu, C., Erlingsson, Ú., Kos, J., & Song, D. (2019). The secret sharer: evaluating and testing unintended memorization in neural networks. USENIX Security Symposium (pp. 267–284).
- Carlini et al., 2021
Carlini, N., Tramer, F., Wallace, E., Jagielski, M., Herbert-Voss, A., Lee, K., … others. (2021). Extracting training data from large language models. USENIX Security Symposium (pp. 2633–2650).
- Carlini & Wagner, 2016
Carlini, N., & Wagner, D. (2016). Defensive distillation is not robust to adversarial examples. arXiv preprint arXiv:1607.04311.
- Carlini & Wagner, 2017a
Carlini, N., & Wagner, D. (2017). Adversarial examples are not easily detected: bypassing ten detection methods. ACM Workshop on Artificial Intelligence and Security (pp. 3–14).
- Carlini & Wagner, 2017b
Carlini, N., & Wagner, D. (2017). Magnet and" efficient defenses against adversarial attacks" are not robust to adversarial examples. arXiv preprint arXiv:1711.08478.
- Carlini & Wagner, 2017c
Carlini, N., & Wagner, D. (2017). Towards evaluating the robustness of neural networks. IEEE Symposium on Security and Privacy (pp. 39–57).
- Carmon et al., 2019
Carmon, Y., Raghunathan, A., Schmidt, L., Duchi, J. C., & Liang, P. S. (2019). Unlabeled data improves adversarial robustness. Advances in Neural Information Processing Systems, 32.
- Caron et al., 2018
Caron, M., Bojanowski, P., Joulin, A., & Douze, M. (2018). Deep clustering for unsupervised learning of visual features. European Conference on Computer Vision (pp. 132–149).
- Cazenavette et al., 2021
Cazenavette, G., Murdock, C., & Lucey, S. (2021). Architectural adversarial robustness: the case for deep pursuit. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 7150–7158).
- Chan et al., 2022
Chan, S.-H., Dong, Y., Zhu, J., Zhang, X., & Zhou, J. (2022). Baddet: backdoor attacks on object detection. arXiv preprint arXiv:2205.14497.
- Chang et al., 2000
Chang, S. G., Yu, B., & Vetterli, M. (2000). Adaptive wavelet thresholding for image denoising and compression. IEEE Transactions on Image Processing, 9(9), 1532–1546.
- Chaudhuri & Monteleoni, 2008
Chaudhuri, K., & Monteleoni, C. (2008). Privacy-preserving logistic regression. Advances in Neural Information Processing Systems, 21.
- Chen et al., 2018a
Chen, B., Carvalho, W., Baracaldo, N., Ludwig, H., Edwards, B., Lee, T., … Srivastava, B. (2018). Detecting backdoor attacks on deep neural networks by activation clustering. arXiv preprint arXiv:1811.03728.
- Chen et al., 2018b
Chen, F., Luo, M., Dong, Z., Li, Z., & He, X. (2018). Federated meta-learning with fast convergence and efficient communication. arXiv preprint arXiv:1802.07876.
- Chen et al., 2020a
Chen, H., Zhang, B., Xue, S., Gong, X., Liu, H., Ji, R., & Doermann, D. (2020). Anti-bandit neural architecture search for model defense. European Conference on Computer Vision (pp. 70–85).
- Chen et al., 2019
Chen, H., Fu, C., Zhao, J., & Koushanfar, F. (2019). Deepinspect: a black-box trojan detection and mitigation framework for deep neural networks. International Joint Conference on Artificial Intelligence (pp. 4658–4664).
- Chen et al., 2022
Chen, J., Wang, J., Peng, T., Sun, Y., Cheng, P., Ji, S., … Song, D. (2022). Copy, right? a testing framework for copyright protection of deep learning models. IEEE Symposium on Security and Privacy (pp. 824–841).
- Chen et al., 2015
Chen, J., Kang, X., Liu, Y., & Wang, Z. J. (2015). Median filtering forensics based on convolutional neural networks. IEEE Signal Processing Letters, 22(11), 1849–1853.
- Chen et al., 2021a
Chen, K., Meng, Y., Sun, X., Guo, S., Zhang, T., Li, J., & Fan, C. (2021). Badpre: task-agnostic backdoor attacks to pre-trained nlp foundation models. arXiv preprint arXiv:2110.02467.
- Chen et al., 2017a
Chen, P.-Y., Zhang, H., Sharma, Y., Yi, J., & Hsieh, C.-J. (2017). Zoo: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. ACM Workshop on Artificial Intelligence and Security (pp. 15–26).
- Chen et al., 2020b
Chen, R., Chen, X., Ni, B., & Ge, Y. (2020). Simswap: an efficient framework for high fidelity face swapping. ACM International Conference on Multimedia (pp. 2003–2011).
- Chen et al., 2021b
Chen, S., Yao, T., Chen, Y., Ding, S., Li, J., & Ji, R. (2021). Local relation learning for face forgery detection. AAAI.
- Chen et al., 2021c
Chen, T., Zhang, Z., Liu, S., Chang, S., & Wang, Z. (2021). Robust overfitting may be mitigated by properly learned smoothening. International Conference on Learning Representations.
- Chen et al., 2021d
Chen, X., Salem, A., Chen, D., Backes, M., Ma, S., Shen, Q., … Zhang, Y. (2021). Badnl: backdoor attacks against nlp models with semantic-preserving improvements. Annual Computer Security Applications Conference (pp. 554–569).
- Chen et al., 2017b
Chen, X., Liu, C., Li, B., Lu, K., & Song, D. (2017). Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526.
- Chen & Yang, 2021
Chen, Z., & Yang, H. (2021). Attentive semantic exploring for manipulated face detection. ICASSP.
- Cheng et al., 2021
Cheng, K., Fan, T., Jin, Y., Liu, Y., Chen, T., Papadopoulos, D., & Yang, Q. (2021). Secureboost: a lossless federated learning framework. IEEE Intelligent Systems, 36(6), 87–98.
- Cheng et al., 2019a
Cheng, M., Le, T., Chen, P.-Y., Zhang, H., Yi, J., & Hsieh, C.-J. (2019). Query-efficient hard-label black-box attack: an optimization-based approach. International Conference on Learning Representation.
- Cheng et al., 2019b
Cheng, S., Dong, Y., Pang, T., Su, H., & Zhu, J. (2019). Improving black-box adversarial attacks with a transfer-based prior. Advances in Neural Information Processing Systems, 32.
- Cho et al., 2014
Cho, K., Van Merriënboer, B., Bahdanau, D., & Bengio, Y. (2014). On the properties of neural machine translation: encoder-decoder approaches. arXiv preprint arXiv:1409.1259.
- Ciftci et al., 2020
Ciftci, U. A., Demir, I., & Yin, L. (2020). Fakecatcher: detection of synthetic portrait videos using biological signals. IEEE Transactions on Pattern Analysis and Machine Intelligence.
- Clevert et al., 2016
Clevert, D.-A., Unterthiner, T., & Hochreiter, S. (2016). Fast and accurate deep network learning by exponential linear units (elus). International Conference on Learning Representations.
- Cohen et al., 2019
Cohen, J., Rosenfeld, E., & Kolter, Z. (2019). Certified adversarial robustness via randomized smoothing. International Conference on Machine Learning (pp. 1310–1320).
- Cortes & Vapnik, 2004
Cortes, C., & Vapnik, V. N. (2004). Support-vector networks. Machine Learning, 20, 273-297.
- Croce & Hein, 2020a
Croce, F., & Hein, M. (2020). Minimally distorted adversarial examples with a fast adaptive boundary attack. International Conference on Machine Learning (pp. 2196–2205).
- Croce & Hein, 2020b
Croce, F., & Hein, M. (2020). Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. International Conference on Machine Learning (pp. 2206–2216).
- Cubuk et al., 2019
Cubuk, E. D., Zoph, B., Mane, D., Vasudevan, V., & Le, Q. V. (2019). Autoaugment: learning augmentation strategies from data. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 113–123).
- Cummins et al., 2017
Cummins, N., Schmitt, M., Amiriparian, S., Krajewski, J., & Schuller, B. (2017). “you sound ill, take the day off”: automatic recognition of speech affected by upper respiratory tract infection. IEEE Engineering in Medicine and Biology Society (pp. 3806–3809).
- DAlonzo & Tegmark, 2022
D'Alonzo, S., & Tegmark, M. (2022). Machine-learning media bias. Plos one, 17(8), e0271947.
- DarvishRouhani et al., 2019
Darvish Rouhani, B., Chen, H., & Koushanfar, F. (2019). Deepsigns: an end-to-end watermarking framework for ownership protection of deep neural networks. International Conference on Architectural Support for Programming Languages and Operating Systems (pp. 485–497).
- Das et al., 2017
Das, N., Shanbhogue, M., Chen, S.-T., Hohman, F., Chen, L., Kounavis, M. E., & Chau, D. H. (2017). Keeping the bad guys out: protecting and vaccinating deep learning with jpeg compression. arXiv preprint arXiv:1705.02900.
- Dathathri et al., 2018
Dathathri, S., Zheng, S., Yin, T., Murray, R. M., & Yue, Y. (2018). Detecting adversarial examples via neural fingerprinting. arXiv preprint arXiv:1803.03870.
- Davis, 1976
Davis, R. (1976). Use of meta level knowledge in the construction and maintenance of large knowledge bases. Stanford University.
- DePalma et al., 2021
De Palma, A., Bunel, R., Desmaison, A., Dvijotham, K., Kohli, P., Torr, P. H., & Kumar, M. P. (2021). Improved branch and bound for neural network verification via lagrangian decomposition. arXiv preprint arXiv:2104.06718.
- DeGrave et al., 2021
DeGrave, A. J., Janizek, J. D., & Lee, S.-I. (2021). Ai for radiographic covid-19 detection selects shortcuts over signal. Nature Machine Intelligence, 3(7), 610–619.
- Deng et al., 2009
Deng, J., Dong, W., Socher, R., Li, L.-J., Li, K., & Fei-Fei, L. (2009). Imagenet: a large-scale hierarchical image database. IEEE Conference on Computer Vision and Pattern Recognition (pp. 248–255).
- Deng et al., 2019
Deng, J., Guo, J., Xue, N., & Zafeiriou, S. (2019). Arcface: additive angular margin loss for deep face recognition. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 4690–4699).
- Deng et al., 2020
Deng, Y., Kamani, M. M., & Mahdavi, M. (2020). Adaptive personalized federated learning. arXiv preprint arXiv:2003.13461.
- Devaguptapu et al., 2021
Devaguptapu, C., Agarwal, D., Mittal, G., Gopalani, P., & Balasubramanian, V. N. (2021). On adversarial robustness: a neural architecture search perspective. IEEE/CVF International Conference on Computer Vision (pp. 152–161).
- DeVries & Taylor, 2017
DeVries, T., & Taylor, G. W. (2017). Improved regularization of convolutional neural networks with cutout. arXiv preprint arXiv:1708.04552.
- Ding et al., 2019
Ding, G. W., Sharma, Y., Lui, K. Y. C., & Huang, R. (2019). Mma training: direct input space margin maximization through adversarial training. International Conference on Learning Representations.
- Ding et al., 2021
Ding, Y., Thakur, N., & Li, B. (2021). Does a gan leave distinct model-specific fingerprints? BMVC.
- Dolhansky et al., 2019
Dolhansky, B., Howes, R., Pflaum, B., Baram, N., & Ferrer, C. C. (2019). The deepfake detection challenge (dfdc) preview dataset. arXiv preprint arXiv:1910.08854.
- Dong et al., 2020
Dong, Y., Deng, Z., Pang, T., Zhu, J., & Su, H. (2020). Adversarial distributional training for robust deep learning. Advances in Neural Information Processing Systems, 33, 8270–8283.
- Dong et al., 2018
Dong, Y., Liao, F., Pang, T., Su, H., Zhu, J., Hu, X., & Li, J. (2018). Boosting adversarial attacks with momentum. IEEE Conference on Computer Vision and Pattern Recognition (pp. 9185–9193).
- Dong et al., 2019
Dong, Y., Pang, T., Su, H., & Zhu, J. (2019). Evading defenses to transferable adversarial examples by translation-invariant attacks. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 4312–4321).
- Dosovitskiy et al., 2021
Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., … others. (2021). An image is worth 16x16 words: transformers for image recognition at scale. International Conference on Learning Representations.
- Duan et al., 2020
Duan, R., Ma, X., Wang, Y., Bailey, J., Qin, A. K., & Yang, Y. (2020). Adversarial camouflage: hiding physical-world attacks with natural styles. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 1000–1008).
- Duchi et al., 2011
Duchi, J., Hazan, E., & Singer, Y. (2011). Adaptive subgradient methods for online learning and stochastic optimization. Journal of Machine Learning Research, 12(7).
- Duddu et al., 2020
Duddu, V., Boutet, A., & Shejwalkar, V. (2020). Quantifying privacy leakage in graph embedding. EAI International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services (pp. 76–85).
- Durall et al., 2019
Durall, R., Keuper, M., Pfreundt, F.-J., & Keuper, J. (2019). Unmasking deepfakes with simple features. arXiv preprint arXiv:1911.00686.
- Dvijotham et al., 2018a
Dvijotham, K., Gowal, S., Stanforth, R., Arandjelovic, R., O'Donoghue, B., Uesato, J., & Kohli, P. (2018). Training verified learners with learned verifiers. arXiv preprint arXiv:1805.10265.
- Dvijotham et al., 2018b
Dvijotham, K., Stanforth, R., Gowal, S., Mann, T. A., & Kohli, P. (2018). A dual approach to scalable verification of deep networks. UAI (p. 3).
- Dwork, 2006
Dwork, C. (2006). Differential privacy. International Conference on Automata, Languages and Programming.
- Dwork, 2011
Dwork, C. (2011). A firm foundation for private data analysis. Communications of the ACM, 54(1), 86–95.
- Dwork et al., 2006a
Dwork, C., Kenthapadi, K., McSherry, F., Mironov, I., & Naor, M. (2006). Our data, ourselves: privacy via distributed noise generation. International Conference on the Theory and Applications of Cryptographic Techniques (pp. 486–503).
- Dwork et al., 2006b
Dwork, C., McSherry, F., Nissim, K., & Smith, A. (2006). Calibrating noise to sensitivity in private data analysis. Theory of Cryptography Conference (pp. 265–284).
- Dwork et al., 2014
Dwork, C., Roth, A., & others. (2014). The algorithmic foundations of differential privacy. Foundations and Trends® in Theoretical Computer Science, 9(3–4), 211–407.
- Dwork et al., 2010
Dwork, C., Rothblum, G. N., & Vadhan, S. (2010). Boosting and differential privacy. IEEE Annual Symposium on Foundations of Computer Science (pp. 51–60).
- Engstrom et al., 2018a
Engstrom, L., Ilyas, A., & Athalye, A. (2018). Evaluating and understanding the robustness of adversarial logit pairing. arXiv preprint arXiv:1807.10272.
- Engstrom et al., 2018b
Engstrom, L., Tran, B., Tsipras, D., Schmidt, L., & Madry, A. (2018). A rotation and a translation suffice: fooling cnns with simple transformations.
- Ester et al., 1996
Ester, M., Kriegel, H.-P., Sander, J., Xu, X., & others. (1996). A density-based algorithm for discovering clusters in large spatial databases with noise. ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (pp. 226–231).
- Eykholt et al., 2018
Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., … Song, D. (2018). Robust physical-world attacks on deep learning visual classification. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 1625–1634).
- Fallah et al., 2020
Fallah, A., Mokhtari, A., & Ozdaglar, A. (2020). Personalized federated learning: a meta-learning approach. arXiv preprint arXiv:2002.07948.
- Fan & Vercauteren, 2012
Fan, J., & Vercauteren, F. (2012). Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive.
- Fang et al., 2020
Fang, M., Gong, N. Z., & Liu, J. (2020). Influence function based data poisoning attacks to top-n recommender systems. The Web Conference 2020 (pp. 3019–3025).
- Fawzi et al., 2016
Fawzi, A., Moosavi-Dezfooli, S.-M., & Frossard, P. (2016). Robustness of classifiers: from adversarial to random noise. Advances in Neural Information Processing Systems, 29.
- Feinman et al., 2017
Feinman, R., Curtin, R. R., Shintre, S., & Gardner, A. B. (2017). Detecting adversarial samples from artifacts. arXiv preprint arXiv:1703.00410.
- Feng et al., 2019
Feng, J., Cai, Q.-Z., & Zhou, Z.-H. (2019). Learning to confuse: generating training time adversarial data with auto-encoder. Advances in Neural Information Processing Systems, 32.
- Fernandes et al., 2019
Fernandes, S., Raj, S., Ortiz, E., Vintila, I., Salter, M., Urosevic, G., & Jha, S. (2019). Predicting heart rate variations of deepfake videos using neural ode. International Conference on Computer Vision Workshop.
- Fredrikson et al., 2015
Fredrikson, M., Jha, S., & Ristenpart, T. (2015). Model inversion attacks that exploit confidence information and basic countermeasures. ACM SIGSAC Conference on Computer and Communications Security (pp. 1322–1333).
- Fredrikson et al., 2014
Fredrikson, M., Lantz, E., Jha, S., Lin, S., Page, D., & Ristenpart, T. (2014). Privacy in pharmacogenetics: an $\$End-to-End$\$ case study of personalized warfarin dosing. USENIX Security Symposium (pp. 17–32).
- Fridrich & Kodovsky, 2012
Fridrich, J., & Kodovsky, J. (2012). Rich models for steganalysis of digital images. IEEE Transactions on Information Forensics and Security, 7(3), 868–882.
- Frosst et al., 2019
Frosst, N., Papernot, N., & Hinton, G. (2019). Analyzing and improving representations with the soft nearest neighbor loss. International Conference on Machine Learning (pp. 2012–2020).
- Gal et al., 2022
Gal, R., Patashnik, O., Maron, H., Bermano, A. H., Chechik, G., & Cohen-Or, D. (2022). Stylegan-nada: clip-guided domain adaptation of image generators. ACM Transactions on Graphics, 41(4), 1–13.
- Gal & Ghahramani, 2016
Gal, Y., & Ghahramani, Z. (2016). A theoretically grounded application of dropout in recurrent neural networks. Advances in Neural Information Processing Systems, 29.
- Garrido et al., 2014
Garrido, P., Valgaerts, L., Rehmsen, O., Thormahlen, T., Perez, P., & Theobalt, C. (2014). Automatic face reenactment. IEEE Conference on Computer Vision and Pattern Recognition (pp. 4217–4224).
- Gaschnig, 1979
Gaschnig, J. (1979). Preliminary performance analysis of the prospector consultant system for mineral exploration. International Joint Conference on Artificial Intelligence (pp. 308–310).
- Geiping et al., 2020
Geiping, J., Bauermeister, H., Dröge, H., & Moeller, M. (2020). Inverting gradients-how easy is it to break privacy in federated learning? Advances in Neural Information Processing Systems, 33, 16937–16947.
- Geiping et al., 2021
Geiping, J., Fowl, L. H., Huang, W. R., Czaja, W., Taylor, G., Moeller, M., & Goldstein, T. (2021). Witches' brew: industrial scale data poisoning via gradient matching. International Conference on Learning Representations.
- Gentry, 2009
Gentry, C. (2009). A fully homomorphic encryption scheme. Stanford university.
- Ghosh et al., 2017
Ghosh, A., Kumar, H., & Sastry, P. S. (2017). Robust loss functions under label noise for deep neural networks. AAAI Conference on Artificial Intelligence.
- Gilmer et al., 2019
Gilmer, J., Ford, N., Carlini, N., & Cubuk, E. (2019). Adversarial examples are a natural consequence of test error in noise. International Conference on Machine Learning (pp. 2280–2289).
- Glorot et al., 2011
Glorot, X., Bordes, A., & Bengio, Y. (2011). Deep sparse rectifier neural networks. International Conference on Artificial Intelligence and Statistics (pp. 315–323).
- Goldblum et al., 2020
Goldblum, M., Fowl, L., Feizi, S., & Goldstein, T. (2020). Adversarially robust distillation. AAAI Conference on Artificial Intelligence (pp. 3996–4003).
- Golub & Vorst, 2000
Golub, G. H., & Van der Vorst, H. A. (2000). Eigenvalue computation in the 20th century. Journal of Computational and Applied Mathematics, 123(1-2), 35–65.
- Gong et al., 2020
Gong, C., Ren, T., Ye, M., & Liu, Q. (2020). Maxup: a simple way to improve generalization of neural network training. arXiv preprint arXiv:2002.09024.
- Gong et al., 2017
Gong, Z., Wang, W., & Ku, W.-S. (2017). Adversarial and clean data are not twins. arXiv preprint arXiv:1704.04960.
- Goodfellow, 2019
Goodfellow, I. (2019). A research agenda: dynamic models to defend against correlated attacks. International Conference on Learning Representations.
- Goodfellow et al., 2014
Goodfellow, I., Pouget-Abadie, J., Mirza, M., Xu, B., Warde-Farley, D., Ozair, S., … Bengio, Y. (2014). Generative adversarial nets. Advances in Neural Information Processing Systems, 27.
- Goodfellow et al., 2013
Goodfellow, I., Warde-Farley, D., Mirza, M., Courville, A., & Bengio, Y. (2013). Maxout networks. International Conference on Machine Learning (pp. 1319–1327).
- Goodfellow et al., 2015
Goodfellow, I. J., Shlens, J., & Szegedy, C. (2015). Explaining and harnessing adversarial examples. International Conference on Learning Representations.
- Gowal et al., 2019
Gowal, S., Dvijotham, K. D., Stanforth, R., Bunel, R., Qin, C., Uesato, J., … Kohli, P. (2019). Scalable verified training for provably robust image classification. International Conference on Computer Vision (pp. 4842–4851).
- Gowal et al., 2021
Gowal, S., Rebuffi, S.-A., Wiles, O., Stimberg, F., Calian, D. A., & Mann, T. A. (2021). Improving robustness using generated data. Advances in Neural Information Processing Systems, 34, 4218–4233.
- Gretton et al., 2012
Gretton, A., Borgwardt, K. M., Rasch, M. J., Schölkopf, B., & Smola, A. (2012). A kernel two-sample test. The Journal of Machine Learning Research, 13(1), 723–773.
- Grosse et al., 2017
Grosse, K., Manoharan, P., Papernot, N., Backes, M., & McDaniel, P. (2017). On the (statistical) detection of adversarial examples. arXiv preprint arXiv:1702.06280.
- Gu et al., 2017
Gu, T., Dolan-Gavitt, B., & Garg, S. (2017). Badnets: identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733.
- Guarnera et al., 2020
Guarnera, L., Giudice, O., & Battiato, S. (2020). Deepfake detection by analyzing convolutional traces. IEEE/CVF Computer Vision and Pattern Recognition Conference Workshop.
- Guerraoui et al., 2018
Guerraoui, R., Rouault, S., & others. (2018). The hidden vulnerability of distributed learning in byzantium. International Conference on Machine Learning (pp. 3521–3530).
- Guo et al., 2020
Guo, M., Yang, Y., Xu, R., Liu, Z., & Lin, D. (2020). When nas meets robustness: in search of robust architectures against adversarial attacks. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 631–640).
- Guo et al., 2019
Guo, W., Wang, L., Xing, X., Du, M., & Song, D. (2019). Tabor: a highly accurate approach to inspecting and restoring trojan backdoors in ai systems. arXiv preprint arXiv:1908.01763.
- Guo et al., 2021
Guo, Z., Yang, G., Chen, J., & Sun, X. (2021). Fake face detection via adaptive manipulation traces extraction network. CVIU.
- Gupta & Rahtu, 2019
Gupta, P., & Rahtu, E. (2019). Ciidefence: defeating adversarial attacks by fusing class-specific image inpainting and image denoising. IEEE/CVF International Conference on Computer Vision (pp. 6708–6717).
- Gupta et al., 2021
Gupta, U., Stripelis, D., Lam, P. K., Thompson, P., Ambite, J. L., & Ver Steeg, G. (2021). Membership inference attacks on deep regression models for neuroimaging. Medical Imaging with Deep Learning (pp. 228–251).
- Gurobi, 2020
Gurobi, L. (2020). “Gurobi - the fastest solver - gurobi,” Gurobi Optimization.
- Hampel, 1974
Hampel, F. R. (1974). The influence curve and its role in robust estimation. Journal of the American Statistical Association, 69(346), 383–393.
- Hartigan & Wong, 1979
Hartigan, J. A., & Wong, M. A. (1979). Algorithm as 136: a k-means clustering algorithm. Journal of the Royal Statistical Society: Series C (Applied Statistics), 28(1), 100–108.
- Hayes et al., 2019
Hayes, J., Melis, L., Danezis, G., & De Cristofaro, E. (2019). Logan: membership inference attacks against generative models. Privacy Enhancing Technologies, 2019(1), 133–152.
- He et al., 2021a
He, J., Erfani, S., Ma, X., Bailey, J., Chi, Y., & Hua, X.-S. (2021). Alpha-iou: a family of power intersection over union losses for bounding box regression. Advances in Neural Information Processing Systems, 34, 20230–20242.
- He et al., 2022
He, K., Chen, X., Xie, S., Li, Y., Dollár, P., & Girshick, R. (2022). Masked autoencoders are scalable vision learners. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 16000–16009).
- He et al., 2020
He, K., Fan, H., Wu, Y., Xie, S., & Girshick, R. (2020). Momentum contrast for unsupervised visual representation learning. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 9729–9738).
- He et al., 2015
He, K., Zhang, X., Ren, S., & Sun, J. (2015). Delving deep into rectifiers: surpassing human-level performance on imagenet classification. International Conference on Computer Vision (pp. 1026–1034).
- He et al., 2016
He, K., Zhang, X., Ren, S., & Sun, J. (2016). Deep residual learning for image recognition. IEEE Conference on Computer Vision and Pattern Recognition (pp. 770–778).
- He et al., 2019
He, P., Li, H., & Wang, H. (2019). Detection of fake images via the ensemble of deep representations from multi color spaces. ICIP.
- He et al., 2021b
He, X., Jia, J., Backes, M., Gong, N. Z., & Zhang, Y. (2021). Stealing links from graph neural networks. USENIX Security Symposium (pp. 2669–2686).
- Hein & Andriushchenko, 2017
Hein, M., & Andriushchenko, M. (2017). Formal guarantees on the robustness of a classifier against adversarial manipulation. Advances in Neural Information Processing Systems, 30.
- Hendrycks & Gimpel, 2016a
Hendrycks, D., & Gimpel, K. (2016). Early methods for detecting adversarial images. arXiv preprint arXiv:1608.00530.
- Hendrycks & Gimpel, 2016b
Hendrycks, D., & Gimpel, K. (2016). Gaussian error linear units (gelus). arXiv preprint arXiv:1606.08415.
- Hinton et al., 2015
Hinton, G., Vinyals, O., Dean, J., & others. (2015). Distilling the knowledge in a neural network. arXiv preprint arXiv:1503.02531, 2(7).
- Hinton & Salakhutdinov, 2006
Hinton, G. E., & Salakhutdinov, R. R. (2006). Reducing the dimensionality of data with neural networks. Science, 313(5786), 504–507.
- Hitaj et al., 2017
Hitaj, B., Ateniese, G., & Perez-Cruz, F. (2017). Deep models under the gan: information leakage from collaborative deep learning. ACM SIGSAC Conference on Computer and Communications Security (pp. 603–618).
- Ho et al., 2020
Ho, J., Jain, A., & Abbeel, P. (2020). Denoising diffusion probabilistic models. Advances in Neural Information Processing Systems, 33, 6840–6851.
- Hochreiter & Schmidhuber, 1997
Hochreiter, S., & Schmidhuber, J. (1997). Long short-term memory. Neural Computation, 9(8), 1735–1780.
- Homer et al., 2008
Homer, N., Szelinger, S., Redman, M., Duggan, D., Tembe, W., Muehling, J., … Craig, D. W. (2008). Resolving individuals contributing trace amounts of dna to highly complex mixtures using high-density snp genotyping microarrays. PLOS Genetics, 4(8), e1000167.
- Hong et al., 2018
Hong, S., Yan, X., Huang, T. S., & Lee, H. (2018). Learning hierarchical semantic image manipulation through structured representations. Advances in Neural Information Processing Systems, 31.
- Hosseini et al., 2021
Hosseini, R., Yang, X., & Xie, P. (2021). Dsrna: differentiable search of robust neural architectures. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 6196–6205).
- Hu et al., 2019
Hu, S., Yu, T., Guo, C., Chao, W.-L., & Weinberger, K. Q. (2019). A new defense against adversarial images: turning a weakness into a strength. Advances in Neural Information Processing Systems, 32.
- Hu et al., 2020
Hu, X., Zhang, Z., Jiang, Z., Chaudhuri, S., Yang, Z., & Nevatia, R. (2020). Span: spatial pyramid attention network for image manipulation localization. European Conference on Computer Vision (pp. 312–328).
- Huang et al., 2023
Huang, H., Ma, X., Erfani, S. M., & Bailey, J. (2023). Distilling cognitive backdoor patterns within an image. The Eleventh International Conference on Learning Representations. URL: https://openreview.net/forum?id=S3D9NLzjnQ5
- Huang et al., 2020a
Huang, H., Ma, X., Erfani, S. M., Bailey, J., & Wang, Y. (2020). Unlearnable examples: making personal data unexploitable. International Conference on Learning Representations.
- Huang et al., 2021
Huang, H., Wang, Y., Erfani, S., Gu, Q., Bailey, J., & Ma, X. (2021). Exploring architectural ingredients of adversarially robust deep neural networks. Advances in Neural Information Processing Systems, 34, 5545–5559.
- Huang et al., 2016
Huang, R., Xu, B., Schuurmans, D., & Szepesvári, C. (2016). Learning with a strong adversary. International Conference on Learning Representations.
- Huang et al., 2020b
Huang, W. R., Geiping, J., Fowl, L., Taylor, G., & Goldstein, T. (2020). Metapoison: practical general-purpose clean-label data poisoning. Advances in Neural Information Processing Systems, 33, 12080–12091.
- Ilyas et al., 2018
Ilyas, A., Engstrom, L., Athalye, A., & Lin, J. (2018). Black-box adversarial attacks with limited queries and information. International Conference on Machine Learning (pp. 2137–2146).
- Ilyas et al., 2019
Ilyas, A., Santurkar, S., Tsipras, D., Engstrom, L., Tran, B., & Madry, A. (2019). Adversarial examples are not bugs, they are features. Advances in Neural Information Processing Systems, 32.
- Izmailov et al., 2018
Izmailov, P., Podoprikhin, D., Garipov, T., Vetrov, D., & Wilson, A. G. (2018). Averaging weights leads to wider optima and better generalization. Conference on Uncertainty in Artificial Intelligence (pp. 876–885).
- Jagielski et al., 2020
Jagielski, M., Carlini, N., Berthelot, D., Kurakin, A., & Papernot, N. (2020). High accuracy and high fidelity extraction of neural networks. USENIX Security Symposium (pp. 1345–1362).
- Jagielski et al., 2018
Jagielski, M., Oprea, A., Biggio, B., Liu, C., Nita-Rotaru, C., & Li, B. (2018). Manipulating machine learning: poisoning attacks and countermeasures for regression learning. IEEE Symposium on Security and Privacy (pp. 19–35).
- Jarrett et al., 2009
Jarrett, K., Kavukcuoglu, K., Ranzato, Marc'Aurelio, & LeCun, Y. (2009). What is the best multi-stage architecture for object recognition? International Conference on Computer Vision (pp. 2146–2153).
- Jeong & Shin, 2020
Jeong, J., & Shin, J. (2020). Consistency regularization for certified robustness of smoothed classifiers. Advances in Neural Information Processing Systems, 33, 10558–10570.
- Jeong et al., 2022
Jeong, Y., Kim, D., Min, S., Joe, S., Gwon, Y., & Choi, J. (2022). Bihpf: bilateral high-pass filters for robust deepfake detection. IEEE/CVF Winter Conference on Applications of Computer Vision (pp. 48–57).
- Jia et al., 2021
Jia, H., Choquette-Choo, C. A., Chandrasekaran, V., & Papernot, N. (2021). Entangled watermarks as a defense against model extraction. USENIX Security Symposium (pp. 1937–1954).
- Jia & Rinard, 2021
Jia, K., & Rinard, M. (2021). Exploiting verified neural networks via floating point numerical error. International Static Analysis Symposium (pp. 191–205).
- Jia et al., 2019a
Jia, R., Raghunathan, A., Göksel, K., & Liang, P. (2019). Certified robustness to adversarial word substitutions. arXiv preprint arXiv:1909.00986.
- Jia et al., 2019b
Jia, X., Wei, X., Cao, X., & Foroosh, H. (2019). Comdefend: an efficient image compression model to defend adversarial examples. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 6084–6092).
- Jiang et al., 2019
Jiang, Y., Konečn\`y, J., Rush, K., & Kannan, S. (2019). Improving federated learning personalization via model agnostic meta learning. arXiv preprint arXiv:1909.12488.
- Jin et al., 2019
Jin, G., Shen, S., Zhang, D., Dai, F., & Zhang, Y. (2019). Ape-gan: adversarial perturbation elimination with gan. IEEE International Conference on Acoustics, Speech and Signal Processing (pp. 3842–3846).
- Jin & Wang, 2018
Jin, H., & Wang, S. (2018 , October 9). Voice-based determination of physical and emotional characteristics of users. US Patent 10,096,319.
- Jin et al., 2021
Jin, X., Chen, P.-Y., Hsu, C.-Y., Yu, C.-M., & Chen, T. (2021). Cafe: catastrophic data leakage in vertical federated learning. Advances in Neural Information Processing Systems, 34, 994–1006.
- Jolliffe, 2002
Jolliffe, I. T. (2002). Principal component analysis for special types of data. Springer.
- Jovanovic et al., 2021
Jovanović, N., Balunović, M., Baader, M., & Vechev, M. (2021). Certified defenses: why tighter relaxations may hurt training. arXiv preprint arXiv:2102.06700.
- Jumper et al., 2021
Jumper, J., Evans, R., Pritzel, A., Green, T., Figurnov, M., Ronneberger, O., … others. (2021). Highly accurate protein structure prediction with alphafold. Nature, 596(7873), 583–589.
- Jung et al., 2020
Jung, T., Kim, S., & Kim, K. (2020). Deepvision: deepfakes detection using human eye blinking pattern. IEEE Access.
- Juuti et al., 2019
Juuti, M., Szyller, S., Marchal, S., & Asokan, N. (2019). Prada: protecting against dnn model stealing attacks. IEEE European Symposium on Security and Privacy (pp. 512–527).
- Kannan et al., 2018
Kannan, H., Kurakin, A., & Goodfellow, I. (2018). Adversarial logit pairing. arXiv preprint arXiv:1803.06373.
- Karimireddy et al., 2020
Karimireddy, S. P., Kale, S., Mohri, M., Reddi, S., Stich, S., & Suresh, A. T. (2020). Scaffold: stochastic controlled averaging for federated learning. International Conference on Machine Learning (pp. 5132–5143).
- Karras et al., 2020
Karras, T., Laine, S., Aittala, M., Hellsten, J., Lehtinen, J., & Aila, T. (2020). Analyzing and improving the image quality of stylegan. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 8110–8119).
- Kearns & Li, 1993
Kearns, M., & Li, M. (1993). Learning in the presence of malicious errors. SIAM Journal on Computing, 22(4), 807–837.
- Kesarwani et al., 2018
Kesarwani, M., Mukhoty, B., Arya, V., & Mehta, S. (2018). Model extraction warning in mlaas paradigm. Annual Computer Security Applications Conference (pp. 371–380).
- Kifer & Lin, 2010
Kifer, D., & Lin, B.-R. (2010). Towards an axiomatization of statistical privacy and utility. ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems (pp. 147–158).
- Kim et al., 2022
Kim, G., Kwon, T., & Ye, J. C. (2022). Diffusionclip: text-guided diffusion models for robust image manipulation. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 2426–2435).
- Kingma & Ba, 2015
Kingma, D. P., & Ba, J. (2015). Adam: a method for stochastic optimization. International Conference on Learning Representations.
- Kingma & Welling, 2013
Kingma, D. P., & Welling, M. (2013). Auto-encoding variational bayes. arXiv preprint arXiv:1312.6114.
- Koffas et al., 2021
Koffas, S., Xu, J., Conti, M., & Picek, S. (2021). Can you hear it? backdoor attacks via ultrasonic triggers. arXiv preprint arXiv:2107.14569.
- Koh & Liang, 2017
Koh, P. W., & Liang, P. (2017). Understanding black-box predictions via influence functions. International Conference on Machine Learning (pp. 1885–1894).
- Koh et al., 2022
Koh, P. W., Steinhardt, J., & Liang, P. (2022). Stronger data poisoning attacks break data sanitization defenses. Machine Learning, 111(1), 1–47.
- Korshunova et al., 2017
Korshunova, I., Shi, W., Dambre, J., & Theis, L. (2017). Fast face-swap using convolutional neural networks. International Conference on Computer Vision (pp. 3677–3685).
- Krizhevsky et al., 2017
Krizhevsky, A., Sutskever, I., & Hinton, G. E. (2017). Imagenet classification with deep convolutional neural networks. Communications of the ACM, 60(6), 84–90.
- Kumar et al., 2020
Kumar, R. S. S., Nyström, M., Lambert, J., Marshall, A., Goertzel, M., Comissoneru, A., … Xia, S. (2020). Adversarial machine learning-industry perspectives. IEEE Security and Privacy Workshops (pp. 69–75).
- Kurakin et al., 2016
Kurakin, A., Goodfellow, I., & Bengio, S. (2016). Adversarial machine learning at scale. arXiv preprint arXiv:1611.01236.
- Kurakin et al., 2018
Kurakin, A., Goodfellow, I. J., & Bengio, S. (2018). Adversarial examples in the physical world. Artificial Intelligence Safety and Security (pp. 99–112). Chapman and Hall/CRC.
- LeMerrer et al., 2020
Le Merrer, E., Perez, P., & Trédan, G. (2020). Adversarial frontier stitching for remote neural network watermarking. Neural Computing and Applications, 32(13), 9233–9244.
- Lee et al., 2018
Lee, K., Lee, K., Lee, H., & Shin, J. (2018). A simple unified framework for detecting out-of-distribution samples and adversarial attacks. Advances in Neural Information Processing Systems, 31.
- Lee et al., 2020
Lee, S., Lee, J., & Park, S. (2020). Lipschitz-certifiable training with a tight outer bound. Advances in Neural Information Processing Systems, 33, 16891–16902.
- Leino & Fredrikson, 2020
Leino, K., & Fredrikson, M. (2020). Stolen memories: leveraging model memorization for calibrated $\$White-Box$\$ membership inference. USENIX Security Symposium (pp. 1605–1622).
- Leino et al., 2021
Leino, K., Wang, Z., & Fredrikson, M. (2021). Globally-robust neural networks. International Conference on Machine Learning (pp. 6212–6222).
- Levine & Feizi, 2021
Levine, A., & Feizi, S. (2021). Deep partition aggregation: provable defense against general poisoning attacks. International Conference on Learning Representations.
- Li et al., 2021a
Li, A., Ke, Q., Ma, X., Weng, H., Zong, Z., Xue, F., & Zhang, R. (2021). Noise doesn't lie: towards universal detection of deep inpainting. International Joint Conference on Artificial Intelligence.
- Li et al., 2019a
Li, B., Chen, C., Wang, W., & Carin, L. (2019). Certified adversarial robustness with additive noise. Advances in Neural Information Processing Systems, 32.
- Li et al., 2020a
Li, H., Li, B., Tan, S., & Huang, J. (2020). Identification of deep network generated images using disparities in color components. Signal Processing.
- Li et al., 2004
Li, J., Wang, Y., Tan, T., & Jain, A. K. (2004). Live face detection based on the analysis of fourier spectra. BTHI.
- Li et al., 2020b
Li, L., Bao, J., Yang, H., Chen, D., & Wen, F. (2020). Advancing high fidelity identity swapping for forgery detection. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 5074–5083).
- Li et al., 2020c
Li, L., Bao, J., Zhang, T., Yang, H., Chen, D., Wen, F., & Guo, B. (2020). Face x-ray for more general face forgery detection. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 5001–5010).
- Li et al., 2023
Li, L., Qi, X., Xie, T., & Li, B. (2023). Sok: certified robustness for deep neural networks. IEEE Symposium on Security and Privacy.
- Li et al., 2019b
Li, Q., Haque, S., Anil, C., Lucas, J., Grosse, R. B., & Jacobsen, J.-H. (2019). Preventing gradient attenuation in lipschitz constrained convolutional networks. Advances in Neural Information Processing Systems, 32.
- Li et al., 2020d
Li, T., Sahu, A. K., Zaheer, M., Sanjabi, M., Talwalkar, A., & Smith, V. (2020). Federated optimization in heterogeneous networks. Proceedings of Machine Learning and Systems, 2, 429–450.
- Li et al., 2017
Li, T., Bolkart, T., Black, M. J., Li, H., & Romero, J. (2017). Learning a model of facial shape and expression from 4d scans. ACM Transactions on Graphics, 36(6).
- Li & Li, 2017
Li, X., & Li, F. (2017). Adversarial examples detection in deep networks with convolutional filter statistics. International Conference on Computer Vision (pp. 5764–5772).
- Li et al., 2021b
Li, Y., Yang, Z., Wang, Y., & Xu, C. (2021). Neural architecture dilation for adversarial robustness. Advances in Neural Information Processing Systems, 34, 29578–29589.
- Li et al., 2021c
Li, Y., Lyu, X., Koren, N., Lyu, L., Li, B., & Ma, X. (2021). Anti-backdoor learning: training clean models on poisoned data. Advances in Neural Information Processing Systems, 34, 14900–14912.
- Li et al., 2021d
Li, Y., Li, Y., Lv, Y., Jiang, Y., & Xia, S.-T. (2021). Hidden backdoor attack against semantic segmentation models. arXiv preprint arXiv:2103.04038.
- Li et al., 2022
Li, Y., Zhong, H., Ma, X., Jiang, Y., & Xia, S.-T. (2022). Few-shot backdoor attacks on visual object tracking. arXiv preprint arXiv:2201.13178.
- Li et al., 2018
Li, Y., Chang, M.-C., & Lyu, S. (2018). In ictu oculi: exposing ai created fake videos by detecting eye blinking. IEEE International Workshop on Information Forensics and Security (pp. 1–7).
- Li et al., 2021e
Li, Y., Li, Y., Wu, B., Li, L., He, R., & Lyu, S. (2021). Invisible backdoor attack with sample-specific triggers. IEEE/CVF International Conference on Computer Vision (pp. 16463–16472).
- Liao et al., 2018
Liao, F., Liang, M., Dong, Y., Pang, T., Hu, X., & Zhu, J. (2018). Defense against adversarial attacks using high-level representation guided denoiser. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 1778–1787).
- Lin et al., 2019
Lin, J., Song, C., He, K., Wang, L., & Hopcroft, J. E. (2019). Nesterov accelerated gradient and scale invariance for adversarial attacks. arXiv preprint arXiv:1908.06281.
- Lin et al., 2014
Lin, T.-Y., Maire, M., Belongie, S., Hays, J., Perona, P., Ramanan, D., … Zitnick, C. L. (2014). Microsoft coco: common objects in context. European Conference on Computer Vision (pp. 740–755).
- Liu et al., 2019a
Liu, G., Wang, C., Peng, K., Huang, H., Li, Y., & Cheng, W. (2019). Socinf: membership inference attacks on social media health data with machine learning. IEEE Transactions on Computational Social Systems, 6(5), 907–921.
- Liu et al., 2019b
Liu, H., Simonyan, K., & Yang, Y. (2019). Darts: differentiable architecture search. International Conference on Learning Representations.
- Liu et al., 2018a
Liu, K., Dolan-Gavitt, B., & Garg, S. (2018). Fine-pruning: defending against backdooring attacks on deep neural networks. International Symposium on Research in Attacks, Intrusions, and Defenses (pp. 273–294).
- Liu et al., 2017
Liu, W., Wen, Y., Yu, Z., Li, M., Raj, B., & Song, L. (2017). Sphereface: deep hypersphere embedding for face recognition. IEEE Conference on Computer Vision and Pattern Recognition (pp. 212–220).
- Liu et al., 2016a
Liu, W., Wen, Y., Yu, Z., & Yang, M. (2016). Large-margin softmax loss for convolutional neural networks. International Conference on Machine Learning (pp. 507–516).
- Liu et al., 2022
Liu, X., Liu, Y., Chen, J., & Liu, X. (2022). Pscc-net: progressive spatio-channel correlation network for image manipulation detection and localization. IEEE Transactions on Circuits and Systems for Video Technology.
- Liu et al., 2016b
Liu, Y., Chen, X., Liu, C., & Song, D. (2016). Delving into transferable adversarial examples and black-box attacks. arXiv preprint arXiv:1611.02770.
- Liu et al., 2018b
Liu, Y., Ma, S., Aafer, Y., Lee, W.-C., Zhai, J., Wang, W., & Zhang, X. (2018). Trojaning attack on neural networks. Network and Distributed Systems Security Symposium.
- Liu et al., 2020
Liu, Y., Ma, X., Bailey, J., & Lu, F. (2020). Reflection backdoor: a natural backdoor attack on deep neural networks. European Conference on Computer Vision (pp. 182–199).
- Liu et al., 2021
Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., … Guo, B. (2021). Swin transformer: hierarchical vision transformer using shifted windows. IEEE/CVF International Conference on Computer Vision (pp. 10012–10022).
- Long et al., 2020
Long, Y., Wang, L., Bu, D., Bindschaedler, V., Wang, X., Tang, H., … Chen, K. (2020). A pragmatic approach to membership inferences on machine learning models. IEEE European Symposium on Security and Privacy (pp. 521–534).
- Lorenz et al., 2022
Lorenz, P., Keuper, M., & Keuper, J. (2022). Unfolding local growth rate estimates for (almost) perfect adversarial detection. International Conference on Computer Vision Theory and Applications.
- Lukas et al., 2019
Lukas, N., Zhang, Y., & Kerschbaum, F. (2019). Deep neural network fingerprinting by conferrable adversarial examples. arXiv preprint arXiv:1912.00888.
- Lukavs et al., 2006
Lukáš, J., Fridrich, J., & Goljan, M. (2006). Detecting digital image forgeries using sensor pattern noise. SPIE.
- Lyu et al., 2015
Lyu, C., Huang, K., & Liang, H.-N. (2015). A unified gradient regularization family for adversarial examples. IEEE International Conference on Data Mining (pp. 301–309).
- Lyu et al., 2022
Lyu, L., Yu, H., Ma, X., Chen, C., Sun, L., Zhao, J., … Philip, S. Y. (2022). Privacy and robustness in federated learning: attacks and defenses. IEEE Transactions on Neural Networks and Learning Systems.
- Ma et al., 2018
Ma, X., Li, B., Wang, Y., Erfani, S. M., Wijewickrema, S., Schoenebeck, G., … Bailey, J. (2018). Characterizing adversarial subspaces using local intrinsic dimensionality. International Conference on Learning Representations.
- Madry et al., 2018
Madry, A., Makelov, A., Schmidt, L., Tsipras, D., & Vladu, A. (2018). Towards deep learning models resistant to adversarial attacks. International Conference on Learning Representations.
- Mahalanobis, 1936
Mahalanobis, P. C. (1936). On the generalized distance in statistics. Proceedings of the National Institute of Sciences, 2, 49–55.
- Mahloujifar & Mahmoody, 2017
Mahloujifar, S., & Mahmoody, M. (2017). Blockwise p-tampering attacks on cryptographic primitives, extractors, and learners. Theory of Cryptography Conference (pp. 245–279).
- Mahloujifar et al., 2019
Mahloujifar, S., Mahmoody, M., & Mohammed, A. (2019). Universal multi-party poisoning attacks. International Conference on Machine Learning (pp. 4274–4283).
- Mahmood et al., 2021
Mahmood, K., Mahmood, R., & Van Dijk, M. (2021). On the robustness of vision transformers to adversarial examples. IEEE/CVF International Conference on Computer Vision (pp. 7838–7847).
- Marfoq et al., 2021
Marfoq, O., Neglia, G., Bellet, A., Kameni, L., & Vidal, R. (2021). Federated multi-task learning under a mixture of distributions. Advances in Neural Information Processing Systems, 34, 15434–15447.
- McMahan et al., 2017
McMahan, B., Moore, E., Ramage, D., Hampson, S., & y Arcas, B. A. (2017). Communication-efficient learning of deep networks from decentralized data. Artificial intelligence and statistics (pp. 1273–1282).
- McMahan et al., 2016
McMahan, H. B., Moore, E., Ramage, D., & y Arcas, B. A. (2016). Federated learning of deep networks using model averaging. arXiv preprint arXiv:1602.05629, 2.
- McSherry & Talwar, 2007
McSherry, F., & Talwar, K. (2007). Mechanism design via differential privacy. IEEE Annual Symposium on Foundations of Computer Science (pp. 94–103).
- McSherry, 2009
McSherry, F. D. (2009). Privacy integrated queries: an extensible platform for privacy-preserving data analysis. ACM SIGMOD International Conference on Management of Data (pp. 19–30).
- Mei & Zhu, 2015
Mei, S., & Zhu, X. (2015). Using machine teaching to identify optimal training-set attacks on machine learners. AAAI Conference on Artificial Intelligence.
- Melis et al., 2019
Melis, L., Song, C., De Cristofaro, E., & Shmatikov, V. (2019). Exploiting unintended feature leakage in collaborative learning. IEEE Symposium on Security and Privacy (pp. 691–706).
- Meng & Chen, 2017
Meng, D., & Chen, H. (2017). Magnet: a two-pronged defense against adversarial examples. ACM SIGSAC Conference on Computer and Communications Security (pp. 135–147).
- Metzen et al., 2017
Metzen, J. H., Genewein, T., Fischer, V., & Bischoff, B. (2017). On detecting adversarial perturbations. International Conference on Learning Representations.
- Micikevicius et al., 2018
Micikevicius, P., Narang, S., Alben, J., Diamos, G., Elsen, E., Garcia, D., … others. (2018). Mixed precision training. International Conference on Learning Representations.
- Mikolov et al., 2013
Mikolov, T., Sutskever, I., Chen, K., Corrado, G. S., & Dean, J. (2013). Distributed representations of words and phrases and their compositionality. Advances in Neural Information Processing Systems, 26.
- Minsky, 1974
Minsky, M. (1974). A framework for representing knowledge.
- Mittal et al., 2020
Mittal, T., Bhattacharya, U., Chandra, R., Bera, A., & Manocha, D. (2020). Emotions don't lie: an audio-visual deepfake detection method using affective cues. ACM International Conference on Multimedia (pp. 2823–2832).
- Miyato et al., 2016
Miyato, T., Maeda, S.-i., Koyama, M., Nakae, K., & Ishii, S. (2016). Distributional smoothing with virtual adversarial training. International Conference on Learning Representations.
- Moosavi-Dezfooli et al., 2016
Moosavi-Dezfooli, S.-M., Fawzi, A., & Frossard, P. (2016). Deepfool: a simple and accurate method to fool deep neural networks. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 2574–2582).
- Moura & Bjorner, 2008
Moura, L. d., & Bjørner, N. (2008). Z3: an efficient smt solver. International Conference on Tools and Algorithms for the Construction and Analysis of Systems (pp. 337–340).
- Munoz-Gonzalez et al., 2017
Muñoz-González, L., Biggio, B., Demontis, A., Paudice, A., Wongrassamee, V., Lupu, E. C., & Roli, F. (2017). Towards poisoning of deep learning algorithms with back-gradient optimization. ACM Workshop on Artificial Intelligence and Security (pp. 27–38).
- Munoz-Gonzalez et al., 2019
Muñoz-González, L., Pfitzner, B., Russo, M., Carnerero-Cano, J., & Lupu, E. C. (2019). Poisoning attacks with generative adversarial nets. arXiv preprint arXiv:1906.07773.
- Nair & Hinton, 2010
Nair, V., & Hinton, G. E. (2010). Rectified linear units improve restricted boltzmann machines. International Conference on Machine Learning.
- Nakkiran, 2019
Nakkiran, P. (2019). Adversarial robustness may be at odds with simplicity. arXiv preprint arXiv:1901.00532.
- Nasr et al., 2019a
Nasr, M., Shokri, R., & Houmansadr, A. (2019). Comprehensive privacy analysis of deep learning: passive and active white-box inference attacks against centralized and federated learning. IEEE Symposium on Security and Privacy (SP).
- Nasr et al., 2019b
Nasr, M., Shokri, R., & Houmansadr, A. (2019). Comprehensive privacy analysis of deep learning: passive and active white-box inference attacks against centralized and federated learning. IEEE Symposium on Security and Privacy (pp. 739–753).
- Nelson et al., 2008
Nelson, B., Barreno, M., Chi, F. J., Joseph, A. D., Rubinstein, B. I., Saini, U., … Xia, K. (2008). Exploiting machine learning to subvert your spam filter. LEET, 8(1), 9.
- Nesterov, 1983
Nesterov, Y. (1983). A method for unconstrained convex minimization problem with the rate of convergence o (1/kˆ 2). Doklady ANSSSR (pp. 543–547).
- Newell & Simon, 1956
Newell, A., & Simon, H. (1956). The logic theory machine–a complex information processing system. IRE Transactions on Information Theory, 2(3), 61–79.
- Nguyen et al., 2019
Nguyen, H. H., Yamagishi, J., & Echizen, I. (2019). Capsule-forensics: using capsule networks to detect forged images and videos. IEEE International Conference on Acoustics, Speech and Signal Processing (pp. 2307–2311).
- Nguyen & Tran, 2020
Nguyen, T. A., & Tran, A. (2020). Input-aware dynamic backdoor attack. Advances in Neural Information Processing Systems, 33, 3454–3464.
- Ning et al., 2020
Ning, X., Zhao, J., Li, W., Zhao, T., Yang, H., & Wang, Y. (2020). Multi-shot nas for discovering adversarially robust convolutional neural architectures at targeted capacities. arXiv preprint arXiv:2012.11835.
- Nirkin et al., 2022
Nirkin, Y., Keller, Y., & Hassner, T. (2022). Fsganv2: improved subject agnostic face swapping and reenactment. IEEE Transactions on Pattern Analysis and Machine Intelligence.
- Nissim et al., 2007
Nissim, K., Raskhodnikova, S., & Smith, A. (2007). Smooth sensitivity and sampling in private data analysis. ACM Symposium on Theory of Computing (pp. 75–84).
- Novac et al., 2017
Novac, O. C., Novac, M., Gordan, C., Berczes, T., & Bujdosó, G. (2017). Comparative study of google android, apple ios and microsoft windows phone mobile operating systems. Engineering of Modern Electric Systems (pp. 154–159).
- Nokland, 2015
Nøkland, A. (2015). Improving back-propagation by adding an adversarial gradient. arXiv preprint arXiv:1510.04189.
- Oh et al., 2019
Oh, S. J., Schiele, B., & Fritz, M. (2019). Towards reverse-engineering black-box neural networks. Explainable AI: Interpreting, Explaining and Visualizing Deep Learning (pp. 121–144). Springer.
- Oord et al., 2018
Oord, A. v. d., Li, Y., & Vinyals, O. (2018). Representation learning with contrastive predictive coding. arXiv preprint arXiv:1807.03748.
- Orekondy et al., 2019
Orekondy, T., Schiele, B., & Fritz, M. (2019). Knockoff nets: stealing functionality of black-box models. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 4954–4963).
- Pan et al., 2020
Pan, X., Zhang, M., Ji, S., & Yang, M. (2020). Privacy risks of general-purpose language models. IEEE Symposium on Security and Privacy (pp. 1314–1331).
- Pan et al., 2012
Pan, X., Zhang, X., & Lyu, S. (2012). Exposing image splicing with inconsistent local noise variances. IEEE International Conference on Computational Photography (pp. 1–10).
- Pang et al., 2018
Pang, T., Du, C., Dong, Y., & Zhu, J. (2018). Towards robust detection of adversarial examples. Advances in Neural Information Processing Systems, 31.
- Papernot et al., 2017
Papernot, N., McDaniel, P., Goodfellow, I., Jha, S., Celik, Z. B., & Swami, A. (2017). Practical black-box attacks against machine learning. ACM on Asia Conference on Computer and Communications Security (pp. 506–519).
- Papernot et al., 2016a
Papernot, N., McDaniel, P., Jha, S., Fredrikson, M., Celik, Z. B., & Swami, A. (2016). The limitations of deep learning in adversarial settings. IEEE European Symposium on Security and Privacy (pp. 372–387).
- Papernot et al., 2016b
Papernot, N., McDaniel, P., Wu, X., Jha, S., & Swami, A. (2016). Distillation as a defense to adversarial perturbations against deep neural networks. IEEE Symposium on Security and Privacy (pp. 582–597).
- Patashnik et al., 2021
Patashnik, O., Wu, Z., Shechtman, E., Cohen-Or, D., & Lischinski, D. (2021). Styleclip: text-driven manipulation of stylegan imagery. IEEE/CVF International Conference on Computer Vision (pp. 2085–2094).
- Pathak et al., 2016
Pathak, D., Krahenbuhl, P., Donahue, J., Darrell, T., & Efros, A. A. (2016). Context encoders: feature learning by inpainting. IEEE Conference on Computer Vision and Pattern Recognition (pp. 2536–2544).
- Phan et al., 2016
Phan, N., Wang, Y., Wu, X., & Dou, D. (2016). Differential privacy preservation for deep auto-encoders: an application of human behavior prediction. AAAI Conference on Artificial Intelligence.
- Phan et al., 2017
Phan, N., Wu, X., & Dou, D. (2017). Preserving differential privacy in convolutional deep belief networks. Machine learning, 106(9), 1681–1704.
- Pillutla et al., 2019
Pillutla, K., Kakade, S. M., & Harchaoui, Z. (2019). Robust aggregation for federated learning. arXiv preprint arXiv:1912.13445.
- Prakash et al., 2018
Prakash, A., Moran, N., Garber, S., DiLillo, A., & Storer, J. (2018). Deflecting adversarial attacks with pixel deflection. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 8571–8580).
- Pyrgelis et al., 2018
Pyrgelis, A., Troncoso, C., & Cristofaro, E. D. (2018). Knock knock, who's there? membership inference on aggregate location data. Network and Distributed System Security Symposium. The Internet Society.
- Pyrgelis et al., 2020
Pyrgelis, A., Troncoso, C., & De Cristofaro, E. (2020). Measuring membership privacy on aggregate location time-series. ACM on Measurement and Analysis of Computing Systems, 4(2), 1–28.
- Qi et al., 2021
Qi, F., Li, M., Chen, Y., Zhang, Z., Liu, Z., Wang, Y., & Sun, M. (2021). Hidden killer: invisible textual backdoor attacks with syntactic trigger. arXiv preprint arXiv:2105.12400.
- Qian, 1999
Qian, N. (1999). On the momentum term in gradient descent learning algorithms. Neural Networks, 12(1), 145–151.
- Qian et al., 2020
Qian, Y., Yin, G., Sheng, L., Chen, Z., & Shao, J. (2020). Thinking in frequency: face forgery detection by mining frequency-aware clues. ECCV.
- Qiao et al., 2019
Qiao, X., Yang, Y., & Li, H. (2019). Defending neural backdoors via generative distribution modeling. Advances in Neural Information Processing Systems, 32.
- Qin et al., 2019
Qin, C., Martens, J., Gowal, S., Krishnan, D., Dvijotham, K., Fawzi, A., … Kohli, P. (2019). Adversarial robustness through local linearization. Advances in Neural Information Processing Systems, 32.
- Radford et al., 2021
Radford, A., Kim, J. W., Hallacy, C., Ramesh, A., Goh, G., Agarwal, S., … others. (2021). Learning transferable visual models from natural language supervision. International Conference on Machine Learning (pp. 8748–8763).
- Ramachandran et al., 2017
Ramachandran, P., Zoph, B., & Le, Q. V. (2017). Searching for activation functions. arXiv preprint arXiv:1710.05941.
- Rebuffi et al., 2021a
Rebuffi, S.-A., Gowal, S., Calian, D. A., Stimberg, F., Wiles, O., & Mann, T. (2021). Fixing data augmentation to improve adversarial robustness. arXiv preprint arXiv:2103.01946.
- Rebuffi et al., 2021b
Rebuffi, S.-A., Gowal, S., Calian, D. A., Stimberg, F., Wiles, O., & Mann, T. A. (2021). Data augmentation can improve robustness. Advances in Neural Information Processing Systems, 34, 29935–29948.
- Redmon & Farhadi, 2017
Redmon, J., & Farhadi, A. (2017). Yolo9000: better, faster, stronger. IEEE Conference on Computer Vision and Pattern Recognition (pp. 7263–7271).
- Rezatofighi et al., 2019
Rezatofighi, H., Tsoi, N., Gwak, J., Sadeghian, A., Reid, I., & Savarese, S. (2019). Generalized intersection over union: a metric and a loss for bounding box regression. IEEE/CVF Conference on Computer Vision and Pattern Recognition.
- Rice et al., 2020
Rice, L., Wong, E., & Kolter, Z. (2020). Overfitting in adversarially robust deep learning. International Conference on Machine Learning (pp. 8093–8104).
- Rivest et al., 1978
Rivest, R. L., Adleman, L., Dertouzos, M. L., & others. (1978). On data banks and privacy homomorphisms. Foundations of Secure Computation, 4(11), 169–180.
- Ronneberger et al., 2015
Ronneberger, O., Fischer, P., & Brox, T. (2015). U-net: convolutional networks for biomedical image segmentation. International Conference on Medical Image Computing and Computer Assisted Intervention (pp. 234–241).
- Roth et al., 2019
Roth, K., Kilcher, Y., & Hofmann, T. (2019). The odds are odd: a statistical test for detecting adversarial examples. International Conference on Machine Learning (pp. 5498–5507).
- Rubinstein et al., 2009
Rubinstein, B., Nelson, B., Ling, H., Joseph, A. D., & Tygar, J. D. (2009). Antidote: understanding and defending against poisoning of anomaly detectors. Acm Sigcomm Conference on Internet Measurement.
- Rudin & others, 1976
Rudin, W., & others. (1976). Principles of mathematical analysis. Vol. 3. McGraw-hill New York.
- Rumelhart et al., 1986
Rumelhart, D. E., Hinton, G. E., & Williams, R. J. (1986). Learning representations by back-propagating errors. Nature, 323(6088), 533–536.
- Russakovsky et al., 2015
Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., … others. (2015). Imagenet large scale visual recognition challenge. International journal of computer vision, 115(3), 211–252.
- Saha et al., 2020
Saha, A., Subramanya, A., & Pirsiavash, H. (2020). Hidden trigger backdoor attacks. AAAI Conference on Artificial Intelligence (pp. 11957–11965).
- Salem et al., 2019
Salem, A., Zhang, Y., Humbert, M., Fritz, M., & Backes, M. (2019). Ml-leaks: model and data independent membership inference attacks and defenses on machine learning models. Network and Distributed Systems Security Symposium.
- Salman et al., 2019
Salman, H., Yang, G., Zhang, H., Hsieh, C.-J., & Zhang, P. (2019). A convex relaxation barrier to tight robustness verification of neural networks. Advances in Neural Information Processing Systems, 32.
- Samangouei et al., 2018
Samangouei, P., Kabkab, M., & Chellappa, R. (2018). Defense-gan: protecting classifiers against adversarial attacks using generative models. International Conference on Learning Representations.
- Sattler et al., 2020
Sattler, F., Müller, K.-R., & Samek, W. (2020). Clustered federated learning: model-agnostic distributed multitask optimization under privacy constraints. IEEE Transactions on Neural Networks and Learning Systems, 32(8), 3710–3722.
- Schmidt et al., 2018
Schmidt, L., Santurkar, S., Tsipras, D., Talwar, K., & Madry, A. (2018). Adversarially robust generalization requires more data. Advances in Neural Information Processing Systems, 31.
- Schroff et al., 2015
Schroff, F., Kalenichenko, D., & Philbin, J. (2015). Facenet: a unified embedding for face recognition and clustering. IEEE Conference on Computer Vision and Pattern Recognition (pp. 815–823).
- Schuller et al., 2015
Schuller, B., Steidl, S., Batliner, A., Nöth, E., Vinciarelli, A., Burkhardt, F., … others. (2015). A survey on perceived speaker traits: personality, likability, pathology, and the first challenge. Computer Speech & Language, 29(1), 100–131.
- Schultz & Joachims, 2003
Schultz, M., & Joachims, T. (2003). Learning a distance metric from relative comparisons. Advances in Neural Information Processing Systems, 16.
- Segal et al., 2009
Segal, A., Haehnel, D., & Thrun, S. (2009). Generalized-icp. Robotics: science and systems (p. 435).
- Shafahi et al., 2018
Shafahi, A., Huang, W. R., Najibi, M., Suciu, O., Studer, C., Dumitras, T., & Goldstein, T. (2018). Poison frogs! targeted clean-label poisoning attacks on neural networks. Advances in Neural Information Processing Systems, 31.
- Shafahi et al., 2019
Shafahi, A., Najibi, M., Ghiasi, M. A., Xu, Z., Dickerson, J., Studer, C., … Goldstein, T. (2019). Adversarial training for free! Advances in Neural Information Processing Systems, 32.
- Shafi & Silvio, 1982
Shafi, G., & Silvio, M. (1982). Probabilistic encryption & how to play mental poker keeping secret all partial information. ACM Symposium on Theory of Computing (pp. 365–377).
- Shaham et al., 2015
Shaham, U., Yamada, Y., & Negahban, S. (2015). Understanding adversarial training: increasing local stability of neural nets through robust optimization. arXiv preprint arXiv:1511.05432.
- Shao et al., 2021
Shao, R., Shi, Z., Yi, J., Chen, P.-Y., & Hsieh, C.-J. (2021). On the adversarial robustness of vision transformers. arXiv preprint arXiv:2103.15670.
- Sharif et al., 2016
Sharif, M., Bhagavatula, S., Bauer, L., & Reiter, M. K. (2016). Accessorize to a crime: real and stealthy attacks on state-of-the-art face recognition. ACM SIGSAC Conference on Computer and Communications Security (pp. 1528–1540).
- Sharir et al., 2020
Sharir, O., Peleg, B., & Shoham, Y. (2020). The cost of training nlp models: a concise overview. arXiv preprint arXiv:2004.08900.
- Shen et al., 2016
Shen, S., Tople, S., & Saxena, P. (2016). Auror: defending against poisoning attacks in collaborative deep learning systems. Conference on Computer Security Applications.
- Shen & Sanghavi, 2019
Shen, Y., & Sanghavi, S. (2019). Learning with bad training data via iterative trimmed loss minimization. International Conference on Machine Learning (pp. 5739–5748).
- Shokri et al., 2017
Shokri, R., Stronati, M., Song, C., & Shmatikov, V. (2017). Membership inference attacks against machine learning models. IEEE Symposium on Security and Privacy (pp. 3–18).
- Siarohin et al., 2019
Siarohin, A., Lathuilière, S., Tulyakov, S., Ricci, E., & Sebe, N. (2019). First order motion model for image animation. Advances in Neural Information Processing Systems, 32.
- Silver et al., 2016
Silver, D., Huang, A., Maddison, C. J., Guez, A., Sifre, L., Van Den Driessche, G., … others. (2016). Mastering the game of go with deep neural networks and tree search. Nature, 529(7587), 484–489.
- Silver et al., 2017
Silver, D., Schrittwieser, J., Simonyan, K., Antonoglou, I., Huang, A., Guez, A., … others. (2017). Mastering the game of go without human knowledge. Nature, 550(7676), 354–359.
- Simon-Gabriel et al., 2019
Simon-Gabriel, C.-J., Ollivier, Y., Bottou, L., Schölkopf, B., & Lopez-Paz, D. (2019). First-order adversarial vulnerability of neural networks and input dimension. International Conference on Machine Learning (pp. 5809–5817).
- Simonyan & Zisserman, 2015
Simonyan, K., & Zisserman, A. (2015). Very deep convolutional networks for large-scale image recognition. International Conference on Learning Representations.
- Singh et al., 2019a
Singh, G., Ganvir, R., Püschel, M., & Vechev, M. (2019). Beyond the single neuron convex barrier for neural network certification. Advances in Neural Information Processing Systems, 32.
- Singh et al., 2019b
Singh, G., Gehr, T., Püschel, M., & Vechev, M. (2019). An abstract domain for certifying neural networks. ACM on Programming Languages, 3(POPL), 1–30.
- Smith & Topin, 2018
Smith, L. N., & Topin, N. (2018). Super-convergence: very fast training of residual networks using large learning rates.
- Smith et al., 2017
Smith, V., Chiang, C.-K., Sanjabi, M., & Talwalkar, A. S. (2017). Federated multi-task learning. Advances in Neural Information Processing Systems, 30.
- Song & Raghunathan, 2020
Song, C., & Raghunathan, A. (2020). Information leakage in embedding models. ACM SIGSAC Conference on Computer and Communications Security (pp. 377–390).
- Song et al., 2017
Song, C., Ristenpart, T., & Shmatikov, V. (2017). Machine learning models that remember too much. ACM SIGSAC Conference on Computer and Communications Security (pp. 587–601).
- Song et al., 2021a
Song, J., Meng, C., & Ermon, S. (2021). Denoising diffusion implicit models. International Conference on Learning Representations.
- Song et al., 2021b
Song, L., Wu, W., Fu, C., Qian, C., Loy, C. C., & He, R. (2021). Everything's talkin': pareidolia face reenactment. IEEE/CVF Conference on Computer Vision and Pattern Recognition.
- Song & Mittal, 2021
Song, L., & Mittal, P. (2021). Systematic evaluation of privacy risks of machine learning models. USENIX Security Symposium (pp. 2615–2632).
- Song et al., 2013
Song, S., Chaudhuri, K., & Sarwate, A. D. (2013). Stochastic gradient descent with differentially private updates. IEEE Global Conference on Signal and Information Processing (pp. 245–248).
- Srivastava et al., 2014
Srivastava, N., Hinton, G., Krizhevsky, A., Sutskever, I., & Salakhutdinov, R. (2014). Dropout: a simple way to prevent neural networks from overfitting. Journal of Machine Learning Research, 15(1), 1929–1958.
- Su et al., 2017
Su, D., Cao, J., Li, N., Bertino, E., Lyu, M., & Jin, H. (2017). Differentially private k-means clustering and a hybrid approach to private optimization. ACM Transactions on Privacy and Security, 20(4), 1–33.
- Su et al., 2018
Su, D., Zhang, H., Chen, H., Yi, J., Chen, P.-Y., & Gao, Y. (2018). Is robustness the cost of accuracy?–a comprehensive study on the robustness of 18 deep image classification models. European Conference on Computer Vision (pp. 631–648).
- Sun et al., 2022a
Sun, J., Wang, X., Zhang, Y., Li, X., Zhang, Q., Liu, Y., & Wang, J. (2022). Fenerf: face editing in neural radiance fields. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 7672–7682).
- Sun et al., 2022b
Sun, K., Yao, T., Chen, S., Ding, S., Li, J., & Ji, R. (2022). Dual contrastive learning for general face forgery detection. AAAI.
- Sun et al., 2022c
Sun, Y., Zhang, T., Ma, X., Zhou, P., Lou, J., Xu, Z., … Sun, L. (2022). Backdoor attacks on crowd counting. ACM International Conference on Multimedia (pp. 5351–5360).
- Sun et al., 2019
Sun, Z., Kairouz, P., Suresh, A. T., & McMahan, H. B. (2019). Can you really backdoor federated learning? arXiv preprint arXiv:1911.07963.
- Suwajanakorn et al., 2017
Suwajanakorn, S., Seitz, S. M., & Kemelmacher-Shlizerman, I. (2017). Synthesizing obama: learning lip sync from audio. ACM Transactions on Graphics, 36(4), 1–13.
- Szegedy et al., 2016
Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., & Wojna, Z. (2016). Rethinking the inception architecture for computer vision. IEEE Conference on Computer Vision and Pattern Recognition (pp. 2818–2826).
- Szegedy et al., 2014
Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., & Fergus, R. (2014). Intriguing properties of neural networks. International Conference on Learning Representations.
- Szyller et al., 2021
Szyller, S., Atli, B. G., Marchal, S., & Asokan, N. (2021). Dawn: dynamic adversarial watermarking of neural networks. ACM International Conference on Multimedia (pp. 4417–4425).
- TDinh et al., 2020
T Dinh, C., Tran, N., & Nguyen, J. (2020). Personalized federated learning with moreau envelopes. Advances in Neural Information Processing Systems, 33, 21394–21405.
- Tan & Le, 2019
Tan, M., & Le, Q. (2019). Efficientnet: rethinking model scaling for convolutional neural networks. International Conference on Machine Learning (pp. 6105–6114).
- Tanay & Griffin, 2016
Tanay, T., & Griffin, L. (2016). A boundary tilting perspective on the phenomenon of adversarial examples. arXiv preprint arXiv:1608.07690.
- Tang et al., 2020
Tang, R., Du, M., Liu, N., Yang, F., & Hu, X. (2020). An embarrassingly simple approach for trojan attack in deep neural networks. ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (pp. 218–228).
- Tang et al., 2021
Tang, S., Gong, R., Wang, Y., Liu, A., Wang, J., Chen, X., … others. (2021). Robustart: benchmarking robustness on architecture design and training techniques. arXiv preprint arXiv:2109.05211.
- Teng et al., 2020
Teng, J., Lee, G.-H., & Yuan, Y. (2020). \$\ell_1\$ Adversarial Robustness Certificates: a Randomized Smoothing Approach.
- Tian et al., 2018
Tian, S., Yang, G., & Cai, Y. (2018). Detecting adversarial examples through image transformation. AAAI Conference on Artificial Intelligence.
- Tian et al., 2020
Tian, Y., Sun, C., Poole, B., Krishnan, D., Schmid, C., & Isola, P. (2020). What makes for good views for contrastive learning? Advances in Neural Information Processing Systems, 33, 6827–6839.
- Tian et al., 2021
Tian, Y., Ren, J., Chai, M., Olszewski, K., Peng, X., Metaxas, D. N., & Tulyakov, S. (2021). A good image generator is what you need for high-resolution video synthesis. International Conference on Learning Representations.
- Tieleman et al., 2012
Tieleman, T., Hinton, G., & others. (2012). Lecture 6.5-rmsprop: divide the gradient by a running average of its recent magnitude. COURSERA: Neural networks for machine learning, 4(2), 26–31.
- Tramer et al., 2020
Tramer, F., Carlini, N., Brendel, W., & Madry, A. (2020). On adaptive attacks to adversarial example defenses. Advances in Neural Information Processing Systems, 33, 1633–1645.
- Tramer et al., 2018
Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I., Boneh, D., & McDaniel, P. (2018). Ensemble adversarial training: attacks and defenses. International Conference on Learning Representations.
- Tramer et al., 2016
Tramèr, F., Zhang, F., Juels, A., Reiter, M. K., & Ristenpart, T. (2016). Stealing machine learning models via prediction $\$APIs$\$. USENIX Security Symposium (pp. 601–618).
- Tran et al., 2018
Tran, B., Li, J., & Madry, A. (2018). Spectral signatures in backdoor attacks. Advances in Neural Information Processing Systems, 31.
- Trinh et al., 2021
Trinh, L., Tsang, M., Rambhatla, S., & Liu, Y. (2021). Interpretable and trustworthy deepfake detection via dynamic prototypes. IEEE/CVF Winter Conference on Applications of Computer Vision.
- Truex et al., 2019
Truex, S., Liu, L., Gursoy, M. E., Yu, L., & Wei, W. (2019). Demystifying membership inference attacks in machine learning as a service. IEEE Transactions on Services Computing.
- Tsuzuku et al., 2018
Tsuzuku, Y., Sato, I., & Sugiyama, M. (2018). Lipschitz-margin training: scalable certification of perturbation invariance for deep neural networks. Advances in Neural Information Processing Systems, 31.
- Tu et al., 2019
Tu, C.-C., Ting, P., Chen, P.-Y., Liu, S., Zhang, H., Yi, J., … Cheng, S.-M. (2019). Autozoom: autoencoder-based zeroth order optimization method for attacking black-box neural networks. AAAI Conference on Artificial Intelligence (pp. 742–749).
- Turner et al., 2018
Turner, A., Tsipras, D., & Madry, A. (2018). Clean-label backdoor attacks.
- Uchida et al., 2017
Uchida, Y., Nagai, Y., Sakazawa, S., & Satoh, Shin'ichi. (2017). Embedding watermarks into deep neural networks. ACM on International Conference on Multimedia Retrieval (pp. 269–277).
- Maaten & Hinton, 2008
Van der Maaten, L., & Hinton, G. (2008). Visualizing data using t-sne. Journal of Machine Learning Research, 9(11).
- Vanhaesebrouck et al., 2017
Vanhaesebrouck, P., Bellet, A., & Tommasi, M. (2017). Decentralized collaborative learning of personalized models over networks. Artificial Intelligence and Statistics (pp. 509–517).
- Vaswani et al., 2017
Vaswani, A., Shazeer, N., Parmar, N., Uszkoreit, J., Jones, L., Gomez, A. N., … Polosukhin, I. (2017). Attention is all you need. Advances in Neural Information Processing Systems, 30.
- Wald, 1939
Wald, A. (1939). Contributions to the theory of statistical estimation and testing hypotheses. The Annals of Mathematical Statistics, 10(4), 299–326.
- Wald, 1945
Wald, A. (1945). Statistical decision functions which minimize the maximum risk. Annals of Mathematics, pp. 265–280.
- Wald, 1992
Wald, A. (1992). Statistical decision functions. Breakthroughs in Statistics (pp. 342–357). Springer.
- Wang & Gong, 2018
Wang, B., & Gong, N. Z. (2018). Stealing hyperparameters in machine learning. IEEE Symposium on Security and Privacy (pp. 36–52).
- Wang et al., 2019a
Wang, B., Yao, Y., Shan, S., Li, H., Viswanath, B., Zheng, H., & Zhao, B. Y. (2019). Neural cleanse: identifying and mitigating backdoor attacks in neural networks. IEEE Symposium on Security and Privacy (pp. 707–723).
- Wang & Deng, 2021
Wang, C., & Deng, W. (2021). Representative forgery mining for fake face detection. IEEE/CVF Computer Vision and Pattern Recognition Conference.
- Wang et al., 2017
Wang, D., Ye, M., & Xu, J. (2017). Differentially private empirical risk minimization revisited: faster and more general. Advances in Neural Information Processing Systems, 30.
- Wang et al., 2018a
Wang, H., Wang, Y., Zhou, Z., Ji, X., Gong, D., Zhou, J., … Liu, W. (2018). Cosface: large margin cosine loss for deep face recognition. IEEE Conference on Computer Vision and Pattern Recognition (pp. 5265–5274).
- Wang et al., 2020a
Wang, H., Sreenivasan, K., Rajput, S., Vishwakarma, H., Agarwal, S., Sohn, J.-y., … Papailiopoulos, D. (2020). Attack of the tails: yes, you really can backdoor federated learning. Advances in Neural Information Processing Systems, 33, 16070–16084.
- Wang et al., 2020b
Wang, R., Zhang, G., Liu, S., Chen, P.-Y., Xiong, J., & Wang, M. (2020). Practical detection of trojan neural networks: data-limited and data-free cases. European Conference on Computer Vision (pp. 222–238).
- Wang et al., 2021a
Wang, S., Zhang, H., Xu, K., Lin, X., Jana, S., Hsieh, C.-J., & Kolter, J. Z. (2021). Beta-crown: efficient bound propagation with per-neuron split constraints for neural network robustness verification. Advances in Neural Information Processing Systems, 34, 29909–29921.
- Wang et al., 2022
Wang, S., Nepal, S., Abuadbba, A., Rudolph, C., & Grobler, M. (2022). Adversarial detection by latent style transformations. IEEE Transactions on Information Forensics and Security, 17, 1099–1114.
- Wang et al., 2020c
Wang, S., Nepal, S., Rudolph, C., Grobler, M., Chen, S., & Chen, T. (2020). Backdoor attacks against transfer learning with pre-trained deep learning models. IEEE Transactions on Services Computing.
- Wang et al., 2018b
Wang, T.-C., Liu, M.-Y., Zhu, J.-Y., Tao, A., Kautz, J., & Catanzaro, B. (2018). High-resolution image synthesis and semantic manipulation with conditional gans. IEEE Conference on Computer Vision and Pattern Recognition (pp. 8798–8807).
- Wang et al., 2014
Wang, W., Dong, J., & Tan, T. (2014). Exploring dct coefficient quantization effects for local tampering detection. IEEE Transactions on Information Forensics and Security, 9(10), 1653–1666.
- Wang et al., 2019b
Wang, Y., Ma, X., Bailey, J., Yi, J., Zhou, B., & Gu, Q. (2019). On the convergence and robustness of adversarial training. International Conference on Machine Learning (pp. 6586–6595).
- Wang et al., 2019c
Wang, Y., Zou, D., Yi, J., Bailey, J., Ma, X., & Gu, Q. (2019). Improving adversarial robustness requires revisiting misclassified examples. International Conference on Learning Representations.
- Wang et al., 2021b
Wang, Z., Liu, C., & Cui, X. (2021). Evilmodel: hiding malware inside of neural network models. IEEE Symposium on Computers and Communications (pp. 1–7).
- Wen et al., 2016
Wen, Y., Zhang, K., Li, Z., & Qiao, Y. (2016). A discriminative feature learning approach for deep face recognition. European Conference on Computer Vision (pp. 499–515).
- Weng et al., 2018
Weng, L., Zhang, H., Chen, H., Song, Z., Hsieh, C.-J., Daniel, L., … Dhillon, I. (2018). Towards fast computation of certified robustness for relu networks. International Conference on Machine Learning (pp. 5276–5285).
- Wenger et al., 2021
Wenger, E., Passananti, J., Bhagoji, A. N., Yao, Y., Zheng, H., & Zhao, B. Y. (2021). Backdoor attacks against deep learning systems in the physical world. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 6206–6215).
- Wierstra et al., 2014
Wierstra, D., Schaul, T., Glasmachers, T., Sun, Y., Peters, J., & Schmidhuber, J. (2014). Natural evolution strategies. Journal of Machine Learning Research, 15(1), 949–980.
- Wold et al., 1987
Wold, S., Esbensen, K., & Geladi, P. (1987). Principal component analysis. Chemometrics and Intelligent Laboratory Systems, 2(1-3), 37–52.
- Wong et al., 2020
Wong, E., Rice, L., & Kolter, J. Z. (2020). Fast is better than free: revisiting adversarial training. International Conference on Learning Representations.
- Wu et al., 2021
Wu, B., Chen, J., Cai, D., He, X., & Gu, Q. (2021). Do wider neural networks really help adversarial robustness? Advances in Neural Information Processing Systems, 34, 7054–7067.
- Wu et al., 2020a
Wu, C., Yang, X., Zhu, S., & Mitra, P. (2020). Mitigating backdoor attacks in federated learning. arXiv preprint arXiv:2011.01767.
- Wu & Wang, 2021
Wu, D., & Wang, Y. (2021). Adversarial neuron pruning purifies backdoored deep models. Advances in Neural Information Processing Systems, 34, 16913–16925.
- Wu et al., 2020b
Wu, D., Wang, Y., Xia, S.-T., Bailey, J., & Ma, X. (2020). Skip connections matter: on the transferability of adversarial examples generated with resnets. arXiv preprint arXiv:2002.05990.
- Wu et al., 2020c
Wu, D., Xia, S.-T., & Wang, Y. (2020). Adversarial weight perturbation helps robust generalization. Advances in Neural Information Processing Systems, 33, 2958–2969.
- Wu et al., 2019
Wu, Y., AbdAlmageed, W., & Natarajan, P. (2019). Mantra-net: manipulation tracing network for detection and localization of image forgeries with anomalous features. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 9543–9552).
- Wu et al., 2020d
Wu, Z., Pan, S., Chen, F., Long, G., Zhang, C., & Philip, S. Y. (2020). A comprehensive survey on graph neural networks. IEEE Transactions on Neural Networks and Learning Systems, 32(1), 4–24.
- Xi et al., 2021
Xi, Z., Pang, R., Ji, S., & Wang, T. (2021). Graph backdoor. USENIX Security Symposium (pp. 1523–1540).
- Xia et al., 2021
Xia, W., Yang, Y., Xue, J.-H., & Wu, B. (2021). Tedigan: text-guided diverse face image generation and manipulation. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 2256–2265).
- Xiao et al., 2018a
Xiao, C., Li, B., Zhu, J. Y., He, W., Liu, M., & Song, D. (2018). Generating adversarial examples with adversarial networks. International Joint Conference on Artificial Intelligence (pp. 3905–3911).
- Xiao et al., 2018b
Xiao, K. Y., Tjeng, V., Shafiullah, N. M., & Madry, A. (2018). Training for faster adversarial robustness verification via inducing relu stability. arXiv preprint arXiv:1809.03008.
- Xie et al., 2021
Xie, C., Chen, M., Chen, P.-Y., & Li, B. (2021). Crfl: certifiably robust federated learning against backdoor attacks. International Conference on Machine Learning (pp. 11372–11382).
- Xie et al., 2019a
Xie, C., Huang, K., Chen, P.-Y., & Li, B. (2019). Dba: distributed backdoor attacks against federated learning. International Conference on Learning Representations.
- Xie et al., 2020
Xie, C., Tan, M., Gong, B., Yuille, A., & Le, Q. V. (2020). Smooth adversarial training. arXiv preprint arXiv:2006.14536.
- Xie et al., 2018
Xie, C., Wang, J., Zhang, Z., Ren, Z., & Yuille, A. (2018). Mitigating adversarial effects through randomization. International Conference on Learning Representations.
- Xie et al., 2019b
Xie, C., Wu, Y., Maaten, L. v. d., Yuille, A. L., & He, K. (2019). Feature denoising for improving adversarial robustness. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 501–509).
- Xie et al., 2019c
Xie, C., Zhang, Z., Zhou, Y., Bai, S., Wang, J., Ren, Z., & Yuille, A. L. (2019). Improving transferability of adversarial examples with input diversity. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 2730–2739).
- Xu et al., 2021
Xu, J., Xue, M., & Picek, S. (2021). Explainability-based backdoor attacks against graph neural networks. ACM Workshop on Wireless Security and Machine Learning (pp. 31–36).
- Xu et al., 2020
Xu, K., Zhang, G., Liu, S., Fan, Q., Sun, M., Chen, H., … Lin, X. (2020). Adversarial t-shirt! evading person detectors in a physical world. European Conference on Computer Vision (pp. 665–681).
- Xu et al., 2018
Xu, W., Evans, D., & Qi, Y. (2018). Feature squeezing: detecting adversarial examples in deep neural networks. Network and Distributed Systems Security Symposium.
- Xu et al., 2022
Xu, Y., Yin, Y., Jiang, L., Wu, Q., Zheng, C., Loy, C. C., … Wu, W. (2022). Transeditor: transformer-based dual-space gan for highly controllable facial editing. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 7683–7692).
- Yang et al., 2017
Yang, C., Wu, Q., Li, H., & Chen, Y. (2017). Generative poisoning attack method against neural networks. arXiv preprint arXiv:1703.01340.
- Yang et al., 2020a
Yang, C.-Z., Ma, J., Wang, S., & Liew, A. W.-C. (2020). Preventing deepfake attacks on speaker authentication by dynamic lip movement analysis. TIFS.
- Yang et al., 2020b
Yang, G., Duan, T., Hu, J. E., Salman, H., Razenshteyn, I., & Li, J. (2020). Randomized smoothing of all shapes and sizes. International Conference on Machine Learning (pp. 10693–10705).
- Yang et al., 2020c
Yang, H., Zhang, J., Dong, H., Inkawhich, N., Gardner, A., Touchet, A., … Li, H. (2020). Dverge: diversifying vulnerabilities for enhanced robust generation of ensembles. Advances in Neural Information Processing Systems, 33, 5505–5515.
- Yang et al., 2019a
Yang, Q., Liu, Y., Chen, T., & Tong, Y. (2019). Federated machine learning: concept and applications. ACM Transactions on Intelligent Systems and Technology, 10(2), 1–19.
- Yang et al., 2019b
Yang, S., Ren, B., Zhou, X., & Liu, L. (2019). Parallel distributed logistic regression for vertical federated learning without third-party coordinator. arXiv preprint arXiv:1911.09824.
- Yang et al., 2019c
Yang, X., Li, Y., & Lyu, S. (2019). Exposing deep fakes using inconsistent head poses. ICASSP.
- Yang et al., 2022
Yang, Y., Liu, T. Y., & Mirzasoleiman, B. (2022). Not all poisons are created equal: robust training against data poisoning. International Conference on Machine Learning (pp. 25154–25165).
- Yao, 1982
Yao, A. C. (1982). Protocols for secure computations. IEEE Annual Symposium on Foundations of Computer Science (pp. 160–164).
- Yao et al., 2019
Yao, Y., Li, H., Zheng, H., & Zhao, B. Y. (2019). Latent backdoor attacks on deep neural networks. ACM SIGSAC Conference on Computer and Communications Security (pp. 2041–2055).
- Ye et al., 2022
Ye, J., Liu, X., You, Z., Li, G., & Liu, B. (2022). Drinet: dynamic backdoor attack against automatic speech recognization models. Applied Sciences, 12(12), 5786.
- Yeom et al., 2018
Yeom, S., Giacomelli, I., Fredrikson, M., & Jha, S. (2018). Privacy risk in machine learning: analyzing the connection to overfitting. IEEE Computer Security Foundations Symposium (pp. 268–282).
- Yin et al., 2018
Yin, D., Chen, Y., Kannan, R., & Bartlett, P. (2018). Byzantine-robust distributed learning: towards optimal statistical rates. International Conference on Machine Learning (pp. 5650–5659).
- Yin et al., 2021
Yin, H., Mallya, A., Vahdat, A., Alvarez, J. M., Kautz, J., & Molchanov, P. (2021). See through gradients: image batch recovery via gradinversion. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 16337–16346).
- Yu et al., 2020
Yu, H., Yang, K., Zhang, T., Tsai, Y.-Y., Ho, T.-Y., & Jin, Y. (2020). Cloudleak: large-scale deep learning models stealing through adversarial examples. Network and Distributed System Security Symposium.
- Yu et al., 2022
Yu, S., Tack, J., Mo, S., Kim, H., Kim, J., Ha, J.-W., & Shin, J. (2022). Generating videos with dynamics-aware implicit generative adversarial networks. arXiv preprint arXiv:2202.10571.
- Yuan et al., 2022
Yuan, X., Ding, L., Zhang, L., Li, X., & Wu, D. O. (2022). Es attack: model stealing against deep neural networks without data hurdles. IEEE Transactions on Emerging Topics in Computational Intelligence.
- Yun et al., 2019
Yun, S., Han, D., Oh, S. J., Chun, S., Choe, J., & Yoo, Y. (2019). Cutmix: regularization strategy to train strong classifiers with localizable features. International Conference on Computer Vision (pp. 6023–6032).
- Zeiler, 2012
Zeiler, M. D. (2012). Adadelta: an adaptive learning rate method. arXiv preprint arXiv:1212.5701.
- Zhai et al., 2021
Zhai, T., Li, Y., Zhang, Z., Wu, B., Jiang, Y., & Xia, S.-T. (2021). Backdoor attack against speaker verification. IEEE International Conference on Acoustics, Speech and Signal Processing (pp. 2560–2564).
- Zhang et al., 2021a
Zhang, B., Lu, Z., Cai, T., He, D., & Wang, L. (2021). Towards certifying \$\ell_\infty\$ robustness using Neural networks with \$\ell_\infty\$-dist Neurons.
- Zhang et al., 2019a
Zhang, D., Zhang, T., Lu, Y., Zhu, Z., & Dong, B. (2019). You only propagate once: accelerating adversarial training via maximal principle. Advances in Neural Information Processing Systems, 32.
- Zhang et al., 2019b
Zhang, H., Yu, Y., Jiao, J., Xing, E., El Ghaoui, L., & Jordan, M. (2019). Theoretically principled trade-off between robustness and accuracy. International Conference on Machine Learning (pp. 7472–7482).
- Zhang et al., 2018a
Zhang, H., Cisse, M., Dauphin, Y. N., & Lopez-Paz, D. (2018). Mixup: beyond empirical risk minimization. International Conference on Learning Representations.
- Zhang et al., 2018b
Zhang, J., Gu, Z., Jang, J., Wu, H., Stoecklin, M. P., Huang, H., & Molloy, I. (2018). Protecting intellectual property of deep neural networks with watermarking. ACM Asia Conference on Computer and Communications Security (pp. 159–172).
- Zhang et al., 2017
Zhang, J., Zheng, K., Mou, W., & Wang, L. (2017). Efficient private erm for smooth objectives. arXiv preprint arXiv:1703.09947.
- Zhang et al., 2020a
Zhang, J., Chen, D., Liao, J., Fang, H., Zhang, W., Zhou, W., … Yu, N. (2020). Model watermarking for image processing networks. AAAI Conference on Artificial Intelligence (pp. 12805–12812).
- Zhang et al., 2021b
Zhang, J., Chen, D., Liao, J., Zhang, W., Feng, H., Hua, G., & Yu, N. (2021). Deep model intellectual property protection via deep watermarking. IEEE Transactions on Pattern Analysis and Machine Intelligence.
- Zhang et al., 2020b
Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., & Kankanhalli, M. (2020). Attacks which do not kill training make adversarial learning stronger. International Conference on Machine Learning (pp. 11278–11287).
- Zhang et al., 2020c
Zhang, J., Zhu, J., Niu, G., Han, B., Sugiyama, M., & Kankanhalli, M. (2020). Geometry-aware instance-reweighted adversarial training. International Conference on Learning Representations.
- Zhang et al., 2012
Zhang, J., Zhang, Z., Xiao, X., Yang, Y., & Winslett, M. (2012). Functional mechanism: regression analysis under differential privacy. arXiv preprint arXiv:1208.0219.
- Zhang et al., 2022
Zhang, R., Guo, S., Wang, J., Xie, X., & Tao, D. (2022). A survey on gradient inversion: attacks, defenses and future directions. International Joint Conference on Artificial Intelligence.
- Zhang & Zhu, 2017
Zhang, R., & Zhu, Q. (2017). A game-theoretic analysis of label flipping attacks on distributed support vector machines. Conference on Information Sciences and Systems (pp. 1–6).
- Zhang et al., 2018c
Zhang, X., Ji, S., & Wang, T. (2018). Differentially private releasing via deep generative model (technical report). arXiv preprint arXiv:1801.01594.
- Zhang et al., 2021c
Zhang, Z., Jia, J., Wang, B., & Gong, N. Z. (2021). Backdoor attacks to graph neural networks. ACM Symposium on Access Control Models and Technologies (pp. 15–26).
- Zhang & Sabuncu, 2018
Zhang, Z., & Sabuncu, M. (2018). Generalized cross entropy loss for training deep neural networks with noisy labels. Advances in Neural Information Processing Systems, 31.
- Zhao et al., 2020a
Zhao, B., Mopuri, K. R., & Bilen, H. (2020). Idlg: improved deep leakage from gradients. arXiv preprint arXiv:2001.02610.
- Zhao et al., 2021a
Zhao, H., Zhou, W., Chen, D., Wei, T., Zhang, W., & Yu, N. (2021). Multi-attentional deepfake detection. IEEE/CVF Computer Vision and Pattern Recognition Conference.
- Zhao et al., 2020b
Zhao, P., Chen, P.-Y., Das, P., Ramamurthy, K. N., & Lin, X. (2020). Bridging mode connectivity in loss landscapes and adversarial robustness. International Conference on Learning Representations.
- Zhao et al., 2020c
Zhao, S., Ma, X., Zheng, X., Bailey, J., Chen, J., & Jiang, Y.-G. (2020). Clean-label backdoor attacks on video recognition models. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 14443–14452).
- Zhao et al., 2021b
Zhao, T., Xu, X., Xu, M., Ding, H., Xiong, Y., & Xia, W. (2021). Learning self-consistency for deepfake detection. International Conference on Computer Vision.
- Zheng et al., 2020a
Zheng, H., Zhang, Z., Gu, J., Lee, H., & Prakash, A. (2020). Efficient adversarial training with transferable adversarial examples. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 1181–1190).
- Zheng et al., 2021
Zheng, Y., Bao, J., Chen, D., Zeng, M., & Wen, F. (2021). Exploring temporal coherence for more general video face forgery detection. International Conference on Computer Vision.
- Zheng et al., 2020b
Zheng, Z., Wang, P., Liu, W., Li, J., Ye, R., & Ren, D. (2020). Distance-iou loss: faster and better learning for bounding box regression. AAAI Conference on Artificial Intelligence (pp. 12993–13000).
- Zhou et al., 2016
Zhou, B., Khosla, A., Lapedriza, A., Oliva, A., & Torralba, A. (2016). Learning deep features for discriminative localization. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 2921–2929).
- Zhou et al., 2017
Zhou, P., Han, X., Morariu, V. I., & Davis, L. S. (2017). Two-stream neural networks for tampered face detection. IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops (pp. 1831–1839).
- Zhou et al., 2018a
Zhou, P., Han, X., Morariu, V. I., & Davis, L. S. (2018). Learning rich features for image manipulation detection. IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 1053–1061).
- Zhou et al., 2018b
Zhou, Y., Song, Y., & Berg, T. L. (2018). Image2gif: generating cinemagraphs using recurrent deep q-networks. IEEE Winter Conference on Applications of Computer Vision (pp. 170–178).
- Zhu et al., 2019a
Zhu, C., Huang, W. R., Li, H., Taylor, G., Studer, C., & Goldstein, T. (2019). Transferable clean-label poisoning attacks on deep neural nets. International Conference on Machine Learning (pp. 7614–7623).
- Zhu et al., 2021
Zhu, J., Yao, J., Han, B., Zhang, J., Liu, T., Niu, G., … Yang, H. (2021). Reliable adversarial distillation with unreliable teachers. International Conference on Learning Representations.
- Zhu & Blaschko, 2021
Zhu, J., & Blaschko, M. B. (2021). R-gap: recursive gradient attack on privacy. International Conference on Learning Representations.
- Zhu et al., 2019b
Zhu, L., Liu, Z., & Han, S. (2019). Deep leakage from gradients. Advances in Neural Information Processing Systems, 32.
- Zi et al., 2021
Zi, B., Zhao, S., Ma, X., & Jiang, Y.-G. (2021). Revisiting adversarial robustness distillation: robust soft labels make student better. IEEE/CVF International Conference on Computer Vision (pp. 16443–16452).
- Zombori et al., 2021
Zombori, D., Bánhelyi, B., Csendes, T., Megyeri, I., & Jelasity, M. (2021). Fooling a complete neural network verifier.
- Zou et al., 2022
Zou, Z., Zhao, R., Shi, T., Qiu, S., & Shi, Z. (2022). Castle in the sky: dynamic sky replacement and harmonization in videos. IEEE Transactions on Image Processing.
- , 2020
方滨兴. (2020). 人工智能安全. BEIJING BOOK CO. INC.
- et al., 2020
梁瑞刚, 吕培卓, 赵月, 陈鹏, 邢豪, 张颖君, … others. (2020). 视听觉深度伪造检测技术研究综述. 信息安全学报, 5(2), 1–17.
- et al., 2006
王珏, 周志华, & 周傲英. (2006). 机器学习及其应用. Vol. 4. 清华大学出版社有限公司.
- et al., 2021
谢宸琪, 张保稳, & 易平. (2021). 人工智能模型水印研究综述. 计算机科学, 48(7), 9–16.