{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2024,7,9]],"date-time":"2024-07-09T02:33:33Z","timestamp":1720492413386},"reference-count":51,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2022,9,1]],"date-time":"2022-09-01T00:00:00Z","timestamp":1661990400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2022,9,1]],"date-time":"2022-09-01T00:00:00Z","timestamp":1661990400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-017"},{"start":{"date-parts":[[2022,9,1]],"date-time":"2022-09-01T00:00:00Z","timestamp":1661990400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"},{"start":{"date-parts":[[2022,9,1]],"date-time":"2022-09-01T00:00:00Z","timestamp":1661990400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-012"},{"start":{"date-parts":[[2022,9,1]],"date-time":"2022-09-01T00:00:00Z","timestamp":1661990400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2022,9,1]],"date-time":"2022-09-01T00:00:00Z","timestamp":1661990400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-004"}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Computers & Security"],"published-print":{"date-parts":[[2022,9]]},"DOI":"10.1016\/j.cose.2022.102814","type":"journal-article","created":{"date-parts":[[2022,6,28]],"date-time":"2022-06-28T18:31:47Z","timestamp":1656441107000},"page":"102814","update-policy":"http:\/\/dx.doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":2,"special_numbering":"C","title":["Backdoor smoothing: Demystifying backdoor attacks on deep neural networks"],"prefix":"10.1016","volume":"120","author":[{"ORCID":"http:\/\/orcid.org\/0000-0002-5401-4171","authenticated-orcid":false,"given":"Kathrin","family":"Grosse","sequence":"first","affiliation":[]},{"given":"Taesung","family":"Lee","sequence":"additional","affiliation":[]},{"ORCID":"http:\/\/orcid.org\/0000-0001-7752-509X","authenticated-orcid":false,"given":"Battista","family":"Biggio","sequence":"additional","affiliation":[]},{"given":"Youngja","family":"Park","sequence":"additional","affiliation":[]},{"given":"Michael","family":"Backes","sequence":"additional","affiliation":[]},{"given":"Ian","family":"Molloy","sequence":"additional","affiliation":[]}],"member":"78","reference":[{"key":"10.1016\/j.cose.2022.102814_bib0001","doi-asserted-by":"crossref","first-page":"102277","DOI":"10.1016\/j.cose.2021.102277","article-title":"Neural network laundering: removing black-box backdoor watermarks from deep neural networks","volume":"106","author":"Aiken","year":"2021","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2022.102814_bib0002","series-title":"ICML","first-page":"274","article-title":"Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples","volume":"vol.\u00a080","author":"Athalye","year":"2018"},{"key":"10.1016\/j.cose.2022.102814_bib0003","series-title":"CCS","article-title":"Quantitative verification of neural networks and its security applications","author":"Baluta","year":"2019"},{"key":"10.1016\/j.cose.2022.102814_bib0004","series-title":"Machine Learning and Knowledge Discovery in Databases (ECML PKDD)","article-title":"Evasion attacks against machine learning at test time","volume":"vol. 8190","author":"Biggio","year":"2013"},{"issue":"4","key":"10.1016\/j.cose.2022.102814_bib0005","doi-asserted-by":"crossref","first-page":"984","DOI":"10.1109\/TKDE.2013.57","article-title":"Security evaluation of pattern classifiers under attack","volume":"26","author":"Biggio","year":"2014","journal-title":"IEEE Trans. Knowl. Data Eng."},{"key":"10.1016\/j.cose.2022.102814_bib0006","doi-asserted-by":"crossref","first-page":"317","DOI":"10.1016\/j.patcog.2018.07.023","article-title":"Wild patterns: ten years after the rise of adversarial machine learning","volume":"84","author":"Biggio","year":"2018","journal-title":"Pattern Recognit."},{"key":"10.1016\/j.cose.2022.102814_bib0007","series-title":"Workshop on Artificial Intelligence Safety at AAAI","article-title":"Detecting backdoor attacks on deep neural networks by activation clustering","author":"Chen","year":"2019"},{"key":"10.1016\/j.cose.2022.102814_bib0008","unstructured":"Chen, X., Liu, C., Li, B., Lu, K., Song, D., 2017. Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526."},{"key":"10.1016\/j.cose.2022.102814_bib0009","unstructured":"Cin\u00e0, A. E., Grosse, K., Vascon, S., Demontis, A., Biggio, B., Roli, F., Pelillo, M., 2021. Backdoor learning curves: explaining backdoor poisoning beyond influence functions. arXiv preprint arXiv:2106.07214."},{"key":"10.1016\/j.cose.2022.102814_bib0010","series-title":"ICML","article-title":"Certified adversarial robustness via randomized smoothing","author":"Cohen","year":"2019"},{"key":"10.1016\/j.cose.2022.102814_bib0011","series-title":"KDD","first-page":"99","article-title":"Adversarial classification","author":"Dalvi","year":"2004"},{"key":"10.1016\/j.cose.2022.102814_bib0012","series-title":"2020 25th International Conference on Pattern Recognition (ICPR)","first-page":"7411","article-title":"Generalization comparison of deep neural networks via output sensitivity","author":"Forouzesh","year":"2021"},{"key":"10.1016\/j.cose.2022.102814_bib0013","series-title":"2018 International Joint Conference on Neural Networks (IJCNN)","first-page":"1","article-title":"Attack strength vs. detectability dilemma in adversarial machine learning","author":"Frederickson","year":"2018"},{"issue":"1","key":"10.1016\/j.cose.2022.102814_bib0014","doi-asserted-by":"crossref","first-page":"50","DOI":"10.1080\/00031305.1989.10475612","article-title":"Some implementations of the boxplot","volume":"43","author":"Frigge","year":"1989","journal-title":"Am. Stat."},{"key":"10.1016\/j.cose.2022.102814_bib0015","series-title":"Proceedings of the 35th Annual Computer Security Applications Conference","first-page":"113","article-title":"Strip: a defence against trojan attacks on deep neural networks","author":"Gao","year":"2019"},{"key":"10.1016\/j.cose.2022.102814_bib0016","unstructured":"Gilmer, J., Adams, R. P., Goodfellow, I. J., Andersen, D., Dahl, G. E., 2018. Motivating the rules of the game for adversarial example research. CoRR abs\/1807.06732"},{"key":"10.1016\/j.cose.2022.102814_bib0017","doi-asserted-by":"crossref","first-page":"47230","DOI":"10.1109\/ACCESS.2019.2909068","article-title":"Badnets: evaluating backdooring attacks on deep neural networks","volume":"7","author":"Gu","year":"2019","journal-title":"IEEE Access"},{"key":"10.1016\/j.cose.2022.102814_bib0018","unstructured":"Guo, W., Wang, L., Xing, X., Du, M., Song, D., 2019. Tabor: a highly accurate approach to inspecting and restoring trojan backdoors in ai systems. arXiv preprint arXiv:1908.01763."},{"key":"10.1016\/j.cose.2022.102814_bib0019","series-title":"CVPR","article-title":"Deep residual learning for image recognition","author":"He","year":"2016"},{"key":"10.1016\/j.cose.2022.102814_bib0020","series-title":"WWW","article-title":"Certified robustness of community detection against adversarial structural perturbation via randomized smoothing","author":"Jia","year":"2020"},{"key":"10.1016\/j.cose.2022.102814_bib0021","series-title":"ICLR","article-title":"Fantastic generalization measures and where to find them","author":"Jiang","year":"2020"},{"issue":"1\/2","key":"10.1016\/j.cose.2022.102814_bib0022","doi-asserted-by":"crossref","first-page":"81","DOI":"10.2307\/2332226","article-title":"A new measure of rank correlation","volume":"30","author":"Kendall","year":"1938","journal-title":"Biometrika"},{"key":"10.1016\/j.cose.2022.102814_bib0023","series-title":"Technical Report","article-title":"Learning Multiple Layers of Features from Tiny Images","author":"Krizhevsky","year":"2009"},{"key":"10.1016\/j.cose.2022.102814_bib0024","series-title":"NeurIPS","article-title":"Tight certificates of adversarial robustness for randomly smoothed classifiers","author":"Lee","year":"2019"},{"key":"10.1016\/j.cose.2022.102814_bib0025","series-title":"International Conference on Artificial Intelligence and Statistics","first-page":"3938","article-title":"Wasserstein smoothing: certified robustness against Wasserstein adversarial attacks","author":"Levine","year":"2020"},{"key":"10.1016\/j.cose.2022.102814_bib0026","series-title":"ICLR","article-title":"Neural attention distillation: erasing backdoor triggers from deep neural networks","author":"Li","year":"2021"},{"key":"10.1016\/j.cose.2022.102814_bib0027","series-title":"International Symposium on Research in Attacks, Intrusions, and Defenses","first-page":"273","article-title":"Fine-pruning: defending against backdooring attacks on deep neural networks","author":"Liu","year":"2018"},{"key":"10.1016\/j.cose.2022.102814_bib0028","series-title":"CCS","article-title":"Abs: scanning neural networks for back-doors by artificial brain stimulation","author":"Liu","year":"2019"},{"key":"10.1016\/j.cose.2022.102814_bib0029","series-title":"NDSS","article-title":"Trojaning attack on neural networks","author":"Liu","year":"2018"},{"key":"10.1016\/j.cose.2022.102814_bib0030","series-title":"CVPR","first-page":"1765","article-title":"Universal adversarial perturbations","author":"Moosavi-Dezfooli","year":"2017"},{"key":"10.1016\/j.cose.2022.102814_bib0031","series-title":"ICLR","article-title":"Wanet\u2013imperceptible warping-based backdoor attack","author":"Nguyen","year":"2021"},{"key":"10.1016\/j.cose.2022.102814_bib0032","series-title":"ICLR","article-title":"Sensitivity and generalization in neural networks: an empirical study","author":"Novak","year":"2018"},{"key":"10.1016\/j.cose.2022.102814_bib0033","series-title":"Contributions to Probability and Statistics: Essays in Honor of Harold Hotelling","author":"Olkin","year":"1960"},{"key":"10.1016\/j.cose.2022.102814_bib0034","doi-asserted-by":"crossref","unstructured":"Pearson, K., 1895. Notes on regression and inheritance in the case of two parents proceedings of the royal society of London, 58, 240\u2013242.","DOI":"10.1098\/rspl.1895.0041"},{"key":"10.1016\/j.cose.2022.102814_bib0035","series-title":"International Conference on Machine Learning","first-page":"8230","article-title":"Certified robustness to label-flipping attacks via randomized smoothing","author":"Rosenfeld","year":"2020"},{"key":"10.1016\/j.cose.2022.102814_bib0036","series-title":"NeurIPS","article-title":"Provably robust deep learning via adversarially trained smoothed classifiers","author":"Salman","year":"2019"},{"key":"10.1016\/j.cose.2022.102814_bib0037","series-title":"NeurIPS","article-title":"Poison frogs! targeted clean-label poisoning attacks on neural networks","author":"Shafahi","year":"2018"},{"key":"10.1016\/j.cose.2022.102814_bib0038","series-title":"AAAI","article-title":"Sensitivity analysis of deep neural networks","author":"Shu","year":"2019"},{"key":"10.1016\/j.cose.2022.102814_bib0039","series-title":"Proceedings of the 2014 International Conference on Learning Representations","article-title":"Intriguing properties of neural networks","author":"Szegedy","year":"2014"},{"key":"10.1016\/j.cose.2022.102814_bib0040","series-title":"European Symposium of Security and Privacy","article-title":"Bypassing backdoor detection algorithms in deep learning","author":"Tan","year":"2020"},{"key":"10.1016\/j.cose.2022.102814_bib0041","series-title":"NeurIPS","article-title":"Spectral signatures in backdoor attacks","author":"Tran","year":"2018"},{"key":"10.1016\/j.cose.2022.102814_bib0042","series-title":"Power Analysis, Sample Size, and Assessment of Statistical Assumptions-Improving the Evidential Value of Lighting research","author":"Uttley","year":"2019"},{"key":"10.1016\/j.cose.2022.102814_bib0043","series-title":"IEEE Symposium on Security and Privacy","article-title":"Neural cleanse: identifying and mitigating backdoor attacks in neural networks","author":"Wang","year":"2019"},{"issue":"3","key":"10.1016\/j.cose.2022.102814_bib0044","doi-asserted-by":"crossref","first-page":"1177","DOI":"10.1109\/TNNLS.2020.3041202","article-title":"Detection of backdoors in trained classifiers without access to the training set","volume":"33","author":"Xiang","year":"2020","journal-title":"IEEE Trans. Neural Netw. Learn. Syst."},{"key":"10.1016\/j.cose.2022.102814_bib0045","doi-asserted-by":"crossref","first-page":"102280","DOI":"10.1016\/j.cose.2021.102280","article-title":"Reverse engineering imperceptible backdoor attacks on deep neural networks for detection and training set cleansing","volume":"106","author":"Xiang","year":"2021","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2022.102814_bib0046","unstructured":"Xiao, H., Rasul, K., Vollgraf, R., 2017. Fashion-mnist: a novel image dataset for benchmarking machine learning algorithms. arXiv preprint arXiv:1708.07747."},{"key":"10.1016\/j.cose.2022.102814_bib0047","series-title":"ICLR","article-title":"Understanding deep learning requires rethinking generalization","author":"Zhang","year":"2017"},{"key":"10.1016\/j.cose.2022.102814_bib0048","series-title":"ICLR","article-title":"Bridging mode connectivity in loss landscapes and adversarial robustness","author":"Zhao","year":"2020"},{"key":"10.1016\/j.cose.2022.102814_bib0049","series-title":"ICML","article-title":"Transferable clean-label poisoning attacks on deep neural nets","author":"Zhu","year":"2019"},{"key":"10.1016\/j.cose.2022.102814_bib0050","series-title":"Proceedings of the 28th ACM International Conference on Multimedia","first-page":"3173","article-title":"Gangsweep: Sweep out neural backdoors by GAN","author":"Zhu","year":"2020"},{"key":"10.1016\/j.cose.2022.102814_bib0051","series-title":"Proceedings of the IEEE\/CVF International Conference on Computer Vision","first-page":"16453","article-title":"Clear: clean-up sample-targeted backdoor in neural networks","author":"Zhu","year":"2021"}],"container-title":["Computers & Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404822002085?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404822002085?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2024,3,29]],"date-time":"2024-03-29T00:43:35Z","timestamp":1711673015000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0167404822002085"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,9]]},"references-count":51,"alternative-id":["S0167404822002085"],"URL":"https:\/\/doi.org\/10.1016\/j.cose.2022.102814","relation":{},"ISSN":["0167-4048"],"issn-type":[{"value":"0167-4048","type":"print"}],"subject":[],"published":{"date-parts":[[2022,9]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"Backdoor smoothing: Demystifying backdoor attacks on deep neural networks","name":"articletitle","label":"Article Title"},{"value":"Computers & Security","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.cose.2022.102814","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2022 Elsevier Ltd. All rights reserved.","name":"copyright","label":"Copyright"}],"article-number":"102814"}}