{"id":"https://openalex.org/W2897865027","doi":"https://doi.org/10.1145/3243734.3243757","title":"Model-Reuse Attacks on Deep Learning Systems","display_name":"Model-Reuse Attacks on Deep Learning Systems","publication_year":2018,"publication_date":"2018-10-15","ids":{"openalex":"https://openalex.org/W2897865027","doi":"https://doi.org/10.1145/3243734.3243757","mag":"2897865027"},"language":"en","primary_location":{"id":"doi:10.1145/3243734.3243757","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3243734.3243757","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3243734.3243757","source":null,"license":"public-domain","license_id":"https://openalex.org/licenses/public-domain","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3243734.3243757","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5039596514","display_name":"Yujie Ji","orcid":"https://orcid.org/0009-0009-7797-0391"},"institutions":[{"id":"https://openalex.org/I186143895","display_name":"Lehigh University","ror":"https://ror.org/012afjb06","country_code":"US","type":"education","lineage":["https://openalex.org/I186143895"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Yujie Ji","raw_affiliation_strings":["Lehigh University, Bethlehem, USA"],"affiliations":[{"raw_affiliation_string":"Lehigh University, Bethlehem, USA","institution_ids":["https://openalex.org/I186143895"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5022999126","display_name":"Xinyang Zhang","orcid":"https://orcid.org/0000-0001-6474-682X"},"institutions":[{"id":"https://openalex.org/I186143895","display_name":"Lehigh University","ror":"https://ror.org/012afjb06","country_code":"US","type":"education","lineage":["https://openalex.org/I186143895"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Xinyang Zhang","raw_affiliation_strings":["Lehigh University, Bethlehem, USA"],"affiliations":[{"raw_affiliation_string":"Lehigh University, Bethlehem, USA","institution_ids":["https://openalex.org/I186143895"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5058611515","display_name":"Shouling Ji","orcid":"https://orcid.org/0000-0003-4268-372X"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Shouling Ji","raw_affiliation_strings":["Zhejiang University, Hangzhou, China"],"affiliations":[{"raw_affiliation_string":"Zhejiang University, Hangzhou, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100400376","display_name":"Xiapu Luo","orcid":"https://orcid.org/0000-0002-9082-3208"},"institutions":[{"id":"https://openalex.org/I14243506","display_name":"Hong Kong Polytechnic University","ror":"https://ror.org/0030zas98","country_code":"HK","type":"education","lineage":["https://openalex.org/I14243506"]}],"countries":["HK"],"is_corresponding":false,"raw_author_name":"Xiapu Luo","raw_affiliation_strings":["Hong Kong Polytechnic University, Hong Kong, Hong Kong"],"affiliations":[{"raw_affiliation_string":"Hong Kong Polytechnic University, Hong Kong, Hong Kong","institution_ids":["https://openalex.org/I14243506"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5100428026","display_name":"Ting Wang","orcid":"https://orcid.org/0000-0003-4927-5833"},"institutions":[{"id":"https://openalex.org/I186143895","display_name":"Lehigh University","ror":"https://ror.org/012afjb06","country_code":"US","type":"education","lineage":["https://openalex.org/I186143895"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Ting Wang","raw_affiliation_strings":["Lehigh University, Bethlehem, USA"],"affiliations":[{"raw_affiliation_string":"Lehigh University, Bethlehem, USA","institution_ids":["https://openalex.org/I186143895"]}]}],"institutions":[],"countries_distinct_count":3,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5039596514"],"corresponding_institution_ids":["https://openalex.org/I186143895"],"apc_list":null,"apc_paid":null,"fwci":16.0773,"has_fulltext":true,"cited_by_count":180,"citation_normalized_percentile":{"value":0.99156639,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"349","last_page":"363"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9883000254631042,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9873999953269958,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8275592923164368},{"id":"https://openalex.org/keywords/reuse","display_name":"Reuse","score":0.7304481863975525},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.7154738903045654},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.5444657802581787},{"id":"https://openalex.org/keywords/inference","display_name":"Inference","score":0.5043596029281616},{"id":"https://openalex.org/keywords/class","display_name":"Class (philosophy)","score":0.4516429901123047},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.43846043944358826},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.4207783341407776},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.3910531997680664}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8275592923164368},{"id":"https://openalex.org/C206588197","wikidata":"https://www.wikidata.org/wiki/Q846574","display_name":"Reuse","level":2,"score":0.7304481863975525},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.7154738903045654},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5444657802581787},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.5043596029281616},{"id":"https://openalex.org/C2777212361","wikidata":"https://www.wikidata.org/wiki/Q5127848","display_name":"Class (philosophy)","level":2,"score":0.4516429901123047},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.43846043944358826},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.4207783341407776},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3910531997680664},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0},{"id":"https://openalex.org/C18903297","wikidata":"https://www.wikidata.org/wiki/Q7150","display_name":"Ecology","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3243734.3243757","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3243734.3243757","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3243734.3243757","source":null,"license":"public-domain","license_id":"https://openalex.org/licenses/public-domain","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3243734.3243757","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3243734.3243757","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3243734.3243757","source":null,"license":"public-domain","license_id":"https://openalex.org/licenses/public-domain","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G1121271761","display_name":null,"funder_award_id":"Program","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G1231421488","display_name":null,"funder_award_id":"under","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G2087396116","display_name":null,"funder_award_id":"China","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G2484126896","display_name":"SaTC: CORE: Small: Attack-Agnostic Defenses against Adversarial Inputs in Learning Systems","funder_award_id":"1718787","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G3317480652","display_name":null,"funder_award_id":"Science","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G37568934","display_name":null,"funder_award_id":"Grant","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G391238517","display_name":null,"funder_award_id":", and","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G5167091242","display_name":null,"funder_award_id":"No. 1","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G5219932531","display_name":null,"funder_award_id":"201701","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G5532320454","display_name":"Cybertechnology Development and Exploration of Learning Processes in Augmented Reality Team Environments  (CyberlearnAR)","funder_award_id":"2017011","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G6301873888","display_name":null,"funder_award_id":"2017009","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G6629664187","display_name":null,"funder_award_id":"1718787, 1566526","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G7021125818","display_name":null,"funder_award_id":"61772466","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G7178492432","display_name":null,"funder_award_id":"CCF-NSFOCUS","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G7726157001","display_name":null,"funder_award_id":"Grant No.","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G848032724","display_name":null,"funder_award_id":"Science","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G8793514500","display_name":null,"funder_award_id":"6177246","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"},{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320322598","display_name":"Hong Kong Polytechnic University","ror":"https://ror.org/0030zas98"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W2897865027.pdf","grobid_xml":"https://content.openalex.org/works/W2897865027.grobid-xml"},"referenced_works_count":59,"referenced_works":["https://openalex.org/W9657784","https://openalex.org/W1590456070","https://openalex.org/W1686810756","https://openalex.org/W1699449651","https://openalex.org/W1945616565","https://openalex.org/W1988115241","https://openalex.org/W1998808035","https://openalex.org/W2018459374","https://openalex.org/W2051267297","https://openalex.org/W2097117768","https://openalex.org/W2103753221","https://openalex.org/W2107397716","https://openalex.org/W2108807072","https://openalex.org/W2112507308","https://openalex.org/W2117539524","https://openalex.org/W2125908420","https://openalex.org/W2138788987","https://openalex.org/W2146502635","https://openalex.org/W2151773168","https://openalex.org/W2163922914","https://openalex.org/W2167421362","https://openalex.org/W2180612164","https://openalex.org/W2183341477","https://openalex.org/W2194775991","https://openalex.org/W2230740169","https://openalex.org/W2250539671","https://openalex.org/W2293768274","https://openalex.org/W2296452361","https://openalex.org/W2325939864","https://openalex.org/W2336566325","https://openalex.org/W2342840547","https://openalex.org/W2461943168","https://openalex.org/W2510008933","https://openalex.org/W2532717356","https://openalex.org/W2557283755","https://openalex.org/W2560835477","https://openalex.org/W2581082771","https://openalex.org/W2606462007","https://openalex.org/W2618530766","https://openalex.org/W2748789698","https://openalex.org/W2753783305","https://openalex.org/W2773446523","https://openalex.org/W2775907600","https://openalex.org/W2885880192","https://openalex.org/W2919115771","https://openalex.org/W2963149653","https://openalex.org/W2963839617","https://openalex.org/W2963857521","https://openalex.org/W2964040431","https://openalex.org/W2964043980","https://openalex.org/W2964082701","https://openalex.org/W2964233199","https://openalex.org/W2998508934","https://openalex.org/W3003902971","https://openalex.org/W3101609372","https://openalex.org/W3103836116","https://openalex.org/W3137695714","https://openalex.org/W4247200422","https://openalex.org/W4365799834"],"related_works":["https://openalex.org/W2034199088","https://openalex.org/W1551379303","https://openalex.org/W2085319386","https://openalex.org/W2904814116","https://openalex.org/W2157301192","https://openalex.org/W4366150264","https://openalex.org/W2105136957","https://openalex.org/W2076205949","https://openalex.org/W2181883319","https://openalex.org/W2901933342"],"abstract_inverted_index":{"Many":[0],"of":[1,28,38,44,56,86,94,189,223,232],"today's":[2,233],"machine":[3],"learning":[4,120],"(ML)":[5],"systems":[6,104,121,151],"are":[7,47,145],"built":[8],"by":[9,51,159],"reusing":[10],"an":[11],"array":[12],"of,":[13],"often":[14],"pre-trained,":[15],"primitive":[16,29,78,234],"models,":[17],"each":[18],"fulfilling":[19],"distinct":[20],"functionality":[21],"(e.g.,":[22],"feature":[23],"extraction).":[24],"The":[25],"increasing":[26],"use":[27],"models":[30,46,79,100,170,185],"significantly":[31],"simplifies":[32],"and":[33,49,125,137,194,197,250],"expedites":[34],"the":[35,84,149,154,160,168,183,201,208,221,229],"development":[36],"cycles":[37],"ML":[39,87,103,243],"systems.":[40,88,244],"Yet,":[41],"because":[42],"most":[43],"such":[45,143],"contributed":[48],"maintained":[50],"untrusted":[52],"sources,":[53],"their":[54,174,251],"lack":[55],"standardization":[57],"or":[58,214],"regulation":[59],"entails":[60],"profound":[61],"security":[62,85],"implications,":[63],"about":[64,207],"which":[65,226,253],"little":[66,204],"is":[67],"known":[68],"thus":[69,238],"far.":[70],"In":[71],"this":[72],"paper,":[73],"we":[74,140],"demonstrate":[75],"that":[76,142],"malicious":[77,169,184],"pose":[80],"immense":[81],"threats":[82],"to":[83,105,228,241,255],"We":[89,216,245],"present":[90],"a":[91,111],"broad":[92],"class":[93],"model-reuse":[95,224],"attacks":[96,144],"wherein":[97],"maliciously":[98],"crafted":[99],"trigger":[101],"host":[102,150],"misbehave":[106,152],"on":[107,153,177],"targeted":[108,155],"inputs":[109,156],"in":[110,129],"highly":[112],"predictable":[113],"manner.":[114],"By":[115],"empirically":[116],"studying":[117],"four":[118],"deep":[119],"(including":[122],"both":[123],"individual":[124],"ensemble":[126],"systems)":[127],"used":[128,210],"skin":[130],"cancer":[131],"screening,":[132],"speech":[133],"recognition,":[134],"face":[135],"verification,":[136],"autonomous":[138],"steering,":[139],"show":[141],"(i)":[146],"effective":[147,187],"-":[148,167,182,200],"as":[157],"desired":[158],"adversary":[161,202],"with":[162],"high":[163],"probability,":[164],"(ii)":[165],"evasive":[166],"function":[171],"indistinguishably":[172],"from":[173],"benign":[175],"counterparts":[176],"non-targeted":[178],"inputs,":[179],"(iii)":[180],"elastic":[181],"remain":[186],"regardless":[188],"various":[190],"system":[191,212],"design":[192],"choices":[193],"tuning":[195,213],"strategies,":[196],"(iv)":[198],"easy":[199],"needs":[203],"prior":[205],"knowledge":[206],"data":[209],"for":[211,220],"inference.":[215],"provide":[217],"analytical":[218],"justification":[219],"effectiveness":[222],"attacks,":[225],"points":[227],"unprecedented":[230],"complexity":[231],"models.":[235],"This":[236],"issue":[237],"seems":[239],"fundamental":[240],"many":[242],"further":[246],"discuss":[247],"potential":[248],"countermeasures":[249],"challenges,":[252],"lead":[254],"several":[256],"promising":[257],"research":[258],"directions.":[259]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":13},{"year":2024,"cited_by_count":21},{"year":2023,"cited_by_count":27},{"year":2022,"cited_by_count":23},{"year":2021,"cited_by_count":42},{"year":2020,"cited_by_count":31},{"year":2019,"cited_by_count":19},{"year":2018,"cited_by_count":3}],"updated_date":"2026-04-18T07:56:08.524223","created_date":"2025-10-10T00:00:00"}