{"id":"https://openalex.org/W3074128044","doi":"https://doi.org/10.1109/tnnls.2020.3041202","title":"Detection of Backdoors in Trained Classifiers Without Access to the Training Set","display_name":"Detection of Backdoors in Trained Classifiers Without Access to the Training Set","publication_year":2020,"publication_date":"2020-12-17","ids":{"openalex":"https://openalex.org/W3074128044","doi":"https://doi.org/10.1109/tnnls.2020.3041202","mag":"3074128044","pmid":"https://pubmed.ncbi.nlm.nih.gov/33326384"},"language":"en","primary_location":{"id":"doi:10.1109/tnnls.2020.3041202","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tnnls.2020.3041202","pdf_url":null,"source":{"id":"https://openalex.org/S4210175523","display_name":"IEEE Transactions on Neural Networks and Learning Systems","issn_l":"2162-237X","issn":["2162-237X","2162-2388"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Neural Networks and Learning Systems","raw_type":"journal-article"},"type":"article","indexed_in":["crossref","pubmed"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Zhen Xiang","orcid":"https://orcid.org/0000-0002-4284-2041"},"institutions":[{"id":"https://openalex.org/I130769515","display_name":"Pennsylvania State University","ror":"https://ror.org/04p491231","country_code":"US","type":"education","lineage":["https://openalex.org/I130769515"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Zhen Xiang","raw_affiliation_strings":["School of Electrical Engineering and Computer Science, The Pennsylvania State University, University Park, PA, USA"],"affiliations":[{"raw_affiliation_string":"School of Electrical Engineering and Computer Science, The Pennsylvania State University, University Park, PA, USA","institution_ids":["https://openalex.org/I130769515"]}]},{"author_position":"middle","author":{"id":null,"display_name":"David J. Miller","orcid":"https://orcid.org/0000-0001-8848-1643"},"institutions":[{"id":"https://openalex.org/I130769515","display_name":"Pennsylvania State University","ror":"https://ror.org/04p491231","country_code":"US","type":"education","lineage":["https://openalex.org/I130769515"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"David J. Miller","raw_affiliation_strings":["School of Electrical Engineering and Computer Science, The Pennsylvania State University, University Park, PA, USA"],"affiliations":[{"raw_affiliation_string":"School of Electrical Engineering and Computer Science, The Pennsylvania State University, University Park, PA, USA","institution_ids":["https://openalex.org/I130769515"]}]},{"author_position":"last","author":{"id":null,"display_name":"George Kesidis","orcid":null},"institutions":[{"id":"https://openalex.org/I130769515","display_name":"Pennsylvania State University","ror":"https://ror.org/04p491231","country_code":"US","type":"education","lineage":["https://openalex.org/I130769515"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"George Kesidis","raw_affiliation_strings":["School of Electrical Engineering and Computer Science, The Pennsylvania State University, University Park, PA, USA"],"affiliations":[{"raw_affiliation_string":"School of Electrical Engineering and Computer Science, The Pennsylvania State University, University Park, PA, USA","institution_ids":["https://openalex.org/I130769515"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I130769515"],"apc_list":null,"apc_paid":null,"fwci":1.7672,"has_fulltext":false,"cited_by_count":29,"citation_normalized_percentile":{"value":0.88198173,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":99},"biblio":{"volume":"33","issue":"3","first_page":"1177","last_page":"1191"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9976000189781189,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9976000189781189,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12026","display_name":"Explainable Artificial Intelligence (XAI)","score":0.0006000000284984708,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.00019999999494757503,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/backdoor","display_name":"Backdoor","score":0.995199978351593},{"id":"https://openalex.org/keywords/classifier","display_name":"Classifier (UML)","score":0.7019000053405762},{"id":"https://openalex.org/keywords/training-set","display_name":"Training set","score":0.5587000250816345},{"id":"https://openalex.org/keywords/one-class-classification","display_name":"One-class classification","score":0.453900009393692},{"id":"https://openalex.org/keywords/pattern-recognition","display_name":"Pattern recognition (psychology)","score":0.39890000224113464},{"id":"https://openalex.org/keywords/artificial-neural-network","display_name":"Artificial neural network","score":0.390500009059906},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.3887999951839447},{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.3797999918460846}],"concepts":[{"id":"https://openalex.org/C2781045450","wikidata":"https://www.wikidata.org/wiki/Q254569","display_name":"Backdoor","level":2,"score":0.995199978351593},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7099000215530396},{"id":"https://openalex.org/C95623464","wikidata":"https://www.wikidata.org/wiki/Q1096149","display_name":"Classifier (UML)","level":2,"score":0.7019000053405762},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.6158999800682068},{"id":"https://openalex.org/C51632099","wikidata":"https://www.wikidata.org/wiki/Q3985153","display_name":"Training set","level":2,"score":0.5587000250816345},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.4819999933242798},{"id":"https://openalex.org/C34872919","wikidata":"https://www.wikidata.org/wiki/Q7092302","display_name":"One-class classification","level":3,"score":0.453900009393692},{"id":"https://openalex.org/C153180895","wikidata":"https://www.wikidata.org/wiki/Q7148389","display_name":"Pattern recognition (psychology)","level":2,"score":0.39890000224113464},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.390500009059906},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.3887999951839447},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.3797999918460846},{"id":"https://openalex.org/C75294576","wikidata":"https://www.wikidata.org/wiki/Q5165192","display_name":"Contextual image classification","level":3,"score":0.3646000027656555},{"id":"https://openalex.org/C169903167","wikidata":"https://www.wikidata.org/wiki/Q3985153","display_name":"Test set","level":2,"score":0.3598000109195709},{"id":"https://openalex.org/C108583219","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep learning","level":2,"score":0.3292999863624573},{"id":"https://openalex.org/C2984842247","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep neural networks","level":3,"score":0.32589998841285706},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.3127000033855438},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.30979999899864197},{"id":"https://openalex.org/C77052588","wikidata":"https://www.wikidata.org/wiki/Q644307","display_name":"Constant false alarm rate","level":2,"score":0.30550000071525574},{"id":"https://openalex.org/C2777212361","wikidata":"https://www.wikidata.org/wiki/Q5127848","display_name":"Class (philosophy)","level":2,"score":0.2888999879360199},{"id":"https://openalex.org/C110083411","wikidata":"https://www.wikidata.org/wiki/Q1744628","display_name":"Statistical classification","level":2,"score":0.2842000126838684},{"id":"https://openalex.org/C123860398","wikidata":"https://www.wikidata.org/wiki/Q6934605","display_name":"Multiclass classification","level":3,"score":0.2808000147342682}],"mesh":[{"descriptor_ui":"D000465","descriptor_name":"Algorithms","qualifier_ui":null,"qualifier_name":null,"is_major_topic":true},{"descriptor_ui":"D000465","descriptor_name":"Algorithms","qualifier_ui":null,"qualifier_name":null,"is_major_topic":true},{"descriptor_ui":"D000465","descriptor_name":"Algorithms","qualifier_ui":null,"qualifier_name":null,"is_major_topic":true},{"descriptor_ui":"D016571","descriptor_name":"Neural Networks, Computer","qualifier_ui":null,"qualifier_name":null,"is_major_topic":true},{"descriptor_ui":"D016571","descriptor_name":"Neural Networks, Computer","qualifier_ui":null,"qualifier_name":null,"is_major_topic":true},{"descriptor_ui":"D016571","descriptor_name":"Neural Networks, Computer","qualifier_ui":null,"qualifier_name":null,"is_major_topic":true},{"descriptor_ui":"D019359","descriptor_name":"Knowledge","qualifier_ui":null,"qualifier_name":null,"is_major_topic":false},{"descriptor_ui":"D019359","descriptor_name":"Knowledge","qualifier_ui":null,"qualifier_name":null,"is_major_topic":false},{"descriptor_ui":"D019359","descriptor_name":"Knowledge","qualifier_ui":null,"qualifier_name":null,"is_major_topic":false}],"locations_count":2,"locations":[{"id":"doi:10.1109/tnnls.2020.3041202","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tnnls.2020.3041202","pdf_url":null,"source":{"id":"https://openalex.org/S4210175523","display_name":"IEEE Transactions on Neural Networks and Learning Systems","issn_l":"2162-237X","issn":["2162-237X","2162-2388"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Neural Networks and Learning Systems","raw_type":"journal-article"},{"id":"pmid:33326384","is_oa":false,"landing_page_url":"https://pubmed.ncbi.nlm.nih.gov/33326384","pdf_url":null,"source":{"id":"https://openalex.org/S4306525036","display_name":"PubMed","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I1299303238","host_organization_name":"National Institutes of Health","host_organization_lineage":["https://openalex.org/I1299303238"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE transactions on neural networks and learning systems","raw_type":null}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[{"id":"https://openalex.org/F4320338279","display_name":"Air Force Office of Scientific Research","ror":"https://ror.org/011e9bt93"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":32,"referenced_works":["https://openalex.org/W1989898472","https://openalex.org/W2063541597","https://openalex.org/W2095577883","https://openalex.org/W2107397716","https://openalex.org/W2168175751","https://openalex.org/W2180612164","https://openalex.org/W2194775991","https://openalex.org/W2243397390","https://openalex.org/W2543927648","https://openalex.org/W2603766943","https://openalex.org/W2753783305","https://openalex.org/W2807363941","https://openalex.org/W2934843808","https://openalex.org/W2942091739","https://openalex.org/W2963178695","https://openalex.org/W2963196925","https://openalex.org/W2964246311","https://openalex.org/W2973217491","https://openalex.org/W2980257194","https://openalex.org/W2996800219","https://openalex.org/W3007264885","https://openalex.org/W3012113073","https://openalex.org/W3015716673","https://openalex.org/W3094566724","https://openalex.org/W6631190155","https://openalex.org/W6637162671","https://openalex.org/W6640425456","https://openalex.org/W6746897123","https://openalex.org/W6756074407","https://openalex.org/W6756333562","https://openalex.org/W6766253520","https://openalex.org/W6770766581"],"related_works":[],"abstract_inverted_index":{"With":[0],"wide":[1],"deployment":[2],"of":[3,23,83,168,179,302],"deep":[4],"neural":[5],"network":[6],"(DNN)":[7],"classifiers,":[8,129],"there":[9],"is":[10,63,167,275,293],"great":[11,169],"potential":[12],"for":[13,269,328],"harm":[14],"from":[15,70,161,262],"adversarial":[16],"learning":[17,241],"attacks.":[18],"Recently,":[19],"a":[20,30,55,66,71,100,173,180,194,199,228,300,308,348],"special":[21],"type":[22],"data":[24,337],"poisoning":[25],"(DP)":[26],"attack,":[27],"known":[28],"as":[29,154,156],"backdoor":[31,61,77,101,208,234,330],"(or":[32],"Trojan),":[33],"was":[34],"proposed.":[35],"These":[36],"attacks":[37,78,209],"do":[38],"not":[39,80,139],"seek":[40],"to":[41,47,52,54,92,142,149,157,254,258,265,314,359],"degrade":[42],"classification":[43,163],"accuracy,":[44],"but":[45,147],"rather":[46],"have":[48,140],"the":[49,60,84,90,94,105,136,143,150,162,177,214,222,233,247,256,283,325,361],"classifier":[50,85,152,174,257],"learn":[51],"classify":[53],"target":[56,106,225],"class":[57,73,263,266],"t<sup>\u2217</sup>":[58],"whenever":[59],"pattern":[62,102,235],"present":[64],"in":[65,126,132,227,322],"test":[67,119,319],"example":[68],"originally":[69],"source":[72,223],"s<sup>\u2217</sup>":[74],".":[75],"Launching":[76],"does":[79,138],"require":[81,279],"knowledge":[82],"or":[86,117],"its":[87,341],"training":[88,95,145],"process-only":[89],"ability":[91],"poison":[93],"set":[96],"with":[97,104,187,324],"exemplars":[98],"containing":[99],"(labeled":[103],"class).":[107],"Defenses":[108],"against":[109,206],"backdoors":[110],"can":[111,355],"be":[112,176,185,357],"deployed":[113],"before/during":[114],"training,":[115],"post-training,":[116],"at":[118],"time.":[120],"Here,":[121],"we":[122],"address":[123],"post-training":[124],"detection":[125,203,316,352],"DNN":[127,216],"image":[128],"seldom":[130],"considered":[131],"existing":[133],"works,":[134],"wherein":[135],"defender":[137],"access":[141],"poisoned":[144],"set,":[146],"only":[148],"trained":[151,215],"itself,":[153],"well":[155],"clean":[158],"(unpoisoned)":[159],"examples":[160,261],"domain.":[164],"This":[165,292],"scenario":[166],"interest":[170],"because":[171],"e.g.,":[172,356],"may":[175,191],"basis":[178],"phone":[181],"app":[182],"that":[183,276],"will":[184],"shared":[186],"many":[188],"users.":[189],"Detection":[190],"thus":[192],"reveal":[193],"widespread":[195],"attack.":[196],"We":[197,298,318],"propose":[198],"purely":[200],"unsupervised":[201],"anomaly":[202],"(AD)":[204],"defense":[205,344],"imperceptible":[207],"that:":[210],"1)":[211],"detects":[212],"whether":[213],"has":[217],"been":[218],"backdoor-attacked;":[219],"2)":[220],"infers":[221],"and":[224,306,334,336,339],"classes":[226],"detected":[229],"attack;":[230],"3)":[231],"estimates":[232],"itself.":[236],"Our":[237,273,343],"AD":[238],"approach":[239,313],"involves":[240],"(via":[242],"suitable":[243],"cost":[244,304],"function":[245],"minimization)":[246],"minimum":[248],"size/norm":[249],"perturbation":[250],"(putative":[251],"backdoor)":[252],"required":[253],"induce":[255],"misclassify":[259],"(most)":[260],"s":[264],"t":[267],",":[268],"all":[270],"(s,t)":[271],"pairs.":[272],"hypothesis":[274,311],"nonattacked":[277],"pairs":[278],"large":[280],"perturbations,":[281],"while":[282],"attacked":[284],"pair":[285],"(s<sup>\u2217</sup>,":[286],"t<sup>\u2217</sup>)":[287],"requires":[288,346],"much":[289],"smaller":[290],"ones.":[291],"convincingly":[294],"borne":[295],"out":[296],"experimentally.":[297],"identify":[299],"variety":[301],"plausible":[303],"functions":[305],"devise":[307],"novel,":[309],"robust":[310],"testing":[312],"perform":[315],"inference.":[317],"our":[320],"approach,":[321],"comparison":[323],"state-of-the-art":[326],"methods,":[327],"several":[329],"patterns,":[331],"attack":[332],"settings":[333],"mechanisms,":[335],"sets":[338],"demonstrate":[340],"favorability.":[342],"essentially":[345],"setting":[347],"single":[349],"hyperparameter":[350],"(the":[351],"threshold),":[353],"which":[354],"chosen":[358],"fix":[360],"system's":[362],"false":[363],"positive":[364],"rate.":[365]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":7},{"year":2024,"cited_by_count":8},{"year":2023,"cited_by_count":5},{"year":2022,"cited_by_count":7},{"year":2020,"cited_by_count":1}],"updated_date":"2026-04-09T08:11:56.329763","created_date":"2020-08-24T00:00:00"}