{"id":"https://openalex.org/W2971308801","doi":"https://doi.org/10.1109/icassp40776.2020.9054581","title":"Revealing Backdoors, Post-Training, in DNN Classifiers via Novel Inference on Optimized Perturbations Inducing Group Misclassification","display_name":"Revealing Backdoors, Post-Training, in DNN Classifiers via Novel Inference on Optimized Perturbations Inducing Group Misclassification","publication_year":2020,"publication_date":"2020-04-09","ids":{"openalex":"https://openalex.org/W2971308801","doi":"https://doi.org/10.1109/icassp40776.2020.9054581","mag":"2971308801"},"language":"en","primary_location":{"id":"doi:10.1109/icassp40776.2020.9054581","is_oa":false,"landing_page_url":"https://doi.org/10.1109/icassp40776.2020.9054581","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ICASSP 2020 - 2020 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)","raw_type":"proceedings-article"},"type":"preprint","indexed_in":["crossref","datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://arxiv.org/pdf/1908.10498","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5085283385","display_name":"Zhen Xiang","orcid":"https://orcid.org/0000-0002-4284-2041"},"institutions":[{"id":"https://openalex.org/I130769515","display_name":"Pennsylvania State University","ror":"https://ror.org/04p491231","country_code":"US","type":"education","lineage":["https://openalex.org/I130769515"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Zhen Xiang","raw_affiliation_strings":["School of EECS, Pennsylvania State University","Pennsylvania State University,School of EECS"],"affiliations":[{"raw_affiliation_string":"School of EECS, Pennsylvania State University","institution_ids":["https://openalex.org/I130769515"]},{"raw_affiliation_string":"Pennsylvania State University,School of EECS","institution_ids":["https://openalex.org/I130769515"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101739086","display_name":"David J. Miller","orcid":"https://orcid.org/0000-0001-8848-1643"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"David J. Miller","raw_affiliation_strings":["Anomalee Inc"],"affiliations":[{"raw_affiliation_string":"Anomalee Inc","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5063903486","display_name":"George Kesidis","orcid":"https://orcid.org/0000-0001-7947-8127"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"George Kesidis","raw_affiliation_strings":["Anomalee Inc"],"affiliations":[{"raw_affiliation_string":"Anomalee Inc","institution_ids":[]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5085283385"],"corresponding_institution_ids":["https://openalex.org/I130769515"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.00670847,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"3827","last_page":"3831"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9994000196456909,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9994000196456909,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9945999979972839,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.951200008392334,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/backdoor","display_name":"Backdoor","score":0.998510479927063},{"id":"https://openalex.org/keywords/classifier","display_name":"Classifier (UML)","score":0.7202057242393494},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6771394610404968},{"id":"https://openalex.org/keywords/training-set","display_name":"Training set","score":0.589222252368927},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.5713228583335876},{"id":"https://openalex.org/keywords/inference","display_name":"Inference","score":0.5057048797607422},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.47939276695251465},{"id":"https://openalex.org/keywords/pattern-recognition","display_name":"Pattern recognition (psychology)","score":0.4518935978412628},{"id":"https://openalex.org/keywords/artificial-neural-network","display_name":"Artificial neural network","score":0.4285159707069397},{"id":"https://openalex.org/keywords/test-set","display_name":"Test set","score":0.4193943738937378},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.22938111424446106}],"concepts":[{"id":"https://openalex.org/C2781045450","wikidata":"https://www.wikidata.org/wiki/Q254569","display_name":"Backdoor","level":2,"score":0.998510479927063},{"id":"https://openalex.org/C95623464","wikidata":"https://www.wikidata.org/wiki/Q1096149","display_name":"Classifier (UML)","level":2,"score":0.7202057242393494},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6771394610404968},{"id":"https://openalex.org/C51632099","wikidata":"https://www.wikidata.org/wiki/Q3985153","display_name":"Training set","level":2,"score":0.589222252368927},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5713228583335876},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.5057048797607422},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.47939276695251465},{"id":"https://openalex.org/C153180895","wikidata":"https://www.wikidata.org/wiki/Q7148389","display_name":"Pattern recognition (psychology)","level":2,"score":0.4518935978412628},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.4285159707069397},{"id":"https://openalex.org/C169903167","wikidata":"https://www.wikidata.org/wiki/Q3985153","display_name":"Test set","level":2,"score":0.4193943738937378},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.22938111424446106}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.1109/icassp40776.2020.9054581","is_oa":false,"landing_page_url":"https://doi.org/10.1109/icassp40776.2020.9054581","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ICASSP 2020 - 2020 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)","raw_type":"proceedings-article"},{"id":"mag:2971308801","is_oa":true,"landing_page_url":"https://arxiv.org/pdf/1908.10498","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"arXiv (Cornell University)","raw_type":null},{"id":"doi:10.17023/mzsg-a077","is_oa":true,"landing_page_url":"https://doi.org/10.17023/mzsg-a077","pdf_url":null,"source":{"id":"https://openalex.org/S7407051697","display_name":"IEEE RESOURCE CENTERS","issn_l":null,"issn":[],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"mag:2971308801","is_oa":true,"landing_page_url":"https://arxiv.org/pdf/1908.10498","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"arXiv (Cornell University)","raw_type":null},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":16,"referenced_works":["https://openalex.org/W2095577883","https://openalex.org/W2180612164","https://openalex.org/W2194775991","https://openalex.org/W2243397390","https://openalex.org/W2753783305","https://openalex.org/W2807363941","https://openalex.org/W2934843808","https://openalex.org/W2963196925","https://openalex.org/W6637162671","https://openalex.org/W6640425456","https://openalex.org/W6743581629","https://openalex.org/W6746897123","https://openalex.org/W6756074407","https://openalex.org/W6756333562","https://openalex.org/W6761341598","https://openalex.org/W6767031719"],"related_works":["https://openalex.org/W3113332968","https://openalex.org/W3015716673","https://openalex.org/W2980257194","https://openalex.org/W3116171232","https://openalex.org/W3206645831","https://openalex.org/W3009216305","https://openalex.org/W3093748630","https://openalex.org/W3210951978","https://openalex.org/W3083185154","https://openalex.org/W3154022904","https://openalex.org/W3037511928","https://openalex.org/W3136316983","https://openalex.org/W3165705900","https://openalex.org/W3213133223","https://openalex.org/W3133575190","https://openalex.org/W2988471847","https://openalex.org/W2963196925","https://openalex.org/W3011583396","https://openalex.org/W3206667797","https://openalex.org/W2950184605"],"abstract_inverted_index":{"Recently,":[0],"a":[1,17,40,50,85,147,156,172,177,207,251],"special":[2],"type":[3],"of":[4,60,100,154],"data":[5,237],"poisoning":[6],"(DP)":[7],"attack":[8,240],"targeting":[9],"Deep":[10],"Neural":[11],"Network":[12],"(DNN)":[13],"classifiers,":[14,106],"known":[15],"as":[16,131,133],"backdoor,":[18],"was":[19],"proposed.":[20],"These":[21],"attacks":[22,55,102,187],"do":[23],"not":[24,57,116],"seek":[25],"to":[26,32,37,39,73,119,126,134,217,262],"degrade":[27],"classification":[28,139],"accuracy,":[29],"but":[30,124],"rather":[31],"have":[33,117],"the":[34,44,61,71,75,92,113,120,127,138,152,192,200,220,264],"classifier":[35,62,129,149],"learn":[36],"classify":[38],"target":[41,93,203],"class":[42],"whenever":[43],"backdoor":[45,54,88,101,186,221,235],"pattern":[46,89],"is":[47,142,215],"present":[48],"in":[49,103,109,206,228],"test":[51,224],"example.":[52],"Launching":[53],"does":[56,115],"require":[58],"knowledge":[59],"or":[63],"its":[64,244],"training":[65,76,122],"process":[66],"-":[67],"it":[68,214],"only":[69,125],"needs":[70],"ability":[72],"poison":[74],"set":[77],"with":[78,91,163,230],"(a":[79],"sufficient":[80],"number":[81],"of)":[82],"exemplars":[83],"containing":[84],"sufficiently":[86],"strong":[87],"(labeled":[90],"class).":[94],"Here":[95],"we":[96,211],"address":[97],"post-training":[98,168],"detection":[99,181,255],"DNN":[104,194],"image":[105],"seldom":[107],"considered":[108],"existing":[110],"works,":[111],"wherein":[112],"defender":[114],"access":[118],"poisoned":[121],"set,":[123],"trained":[128,148,193],"itself,":[130],"well":[132],"clean":[135],"examples":[136],"from":[137],"domain.":[140],"This":[141],"an":[143],"important":[144],"scenario":[145],"because":[146],"may":[150,169],"be":[151,161,260],"basis":[153],"e.g.":[155,259],"phone":[157],"app":[158],"that":[159],"will":[160],"shared":[162],"many":[164],"users.":[165],"Detecting":[166],"backdoors":[167],"thus":[170],"reveal":[171],"widespread":[173],"attack.":[174],"We":[175,223],"propose":[176],"purely":[178],"unsupervised":[179],"anomaly":[180],"(AD)":[182],"defense":[183,247],"against":[184],"imperceptible":[185],"that:":[188],"i)":[189],"detects":[190],"whether":[191],"has":[195],"been":[196],"backdoor-attacked;":[197],"ii)":[198],"infers":[199],"source":[201],"and":[202,239,242],"classes":[204],"involved":[205],"detected":[208],"attack;":[209],"iii)":[210],"even":[212],"demonstrate":[213,243],"possible":[216],"accurately":[218],"estimate":[219],"pattern.":[222],"our":[225],"AD":[226],"approach,":[227],"comparison":[229],"alternative":[231],"defenses,":[232],"for":[233],"several":[234],"patterns,":[236],"sets,":[238],"settings":[241],"favorability.":[245],"Our":[246],"essentially":[248],"requires":[249],"setting":[250],"single":[252],"hyperparameter":[253],"(the":[254],"threshold),":[256],"which":[257],"can":[258],"chosen":[261],"fix":[263],"system's":[265],"false":[266],"positive":[267],"rate.":[268]},"counts_by_year":[],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}