{"id":"https://openalex.org/W3007928325","doi":"https://doi.org/10.1145/3411508.3421381","title":"Towards Certifiable Adversarial Sample Detection","display_name":"Towards Certifiable Adversarial Sample Detection","publication_year":2020,"publication_date":"2020-11-02","ids":{"openalex":"https://openalex.org/W3007928325","doi":"https://doi.org/10.1145/3411508.3421381","mag":"3007928325"},"language":"en","primary_location":{"id":"doi:10.1145/3411508.3421381","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3411508.3421381","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3411508.3421381","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security","raw_type":"proceedings-article"},"type":"preprint","indexed_in":["arxiv","crossref","datacite"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3411508.3421381","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5069844959","display_name":"Ilia Shumailov","orcid":"https://orcid.org/0000-0003-3100-0727"},"institutions":[{"id":"https://openalex.org/I241749","display_name":"University of Cambridge","ror":"https://ror.org/013meh722","country_code":"GB","type":"education","lineage":["https://openalex.org/I241749"]}],"countries":["GB"],"is_corresponding":true,"raw_author_name":"Ilia Shumailov","raw_affiliation_strings":["University of Cambridge, Cambridge, United Kingdom","Univ. of Cambridge"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Cambridge, Cambridge, United Kingdom","institution_ids":["https://openalex.org/I241749"]},{"raw_affiliation_string":"Univ. of Cambridge","institution_ids":["https://openalex.org/I241749"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5048483915","display_name":"Yiren Zhao","orcid":"https://orcid.org/0009-0005-2486-1491"},"institutions":[{"id":"https://openalex.org/I241749","display_name":"University of Cambridge","ror":"https://ror.org/013meh722","country_code":"GB","type":"education","lineage":["https://openalex.org/I241749"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Yiren Zhao","raw_affiliation_strings":["University of Cambridge, Cambridge, United Kingdom","Univ. of Cambridge"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Cambridge, Cambridge, United Kingdom","institution_ids":["https://openalex.org/I241749"]},{"raw_affiliation_string":"Univ. of Cambridge","institution_ids":["https://openalex.org/I241749"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5040762162","display_name":"Robert Mullins","orcid":"https://orcid.org/0000-0002-8393-2748"},"institutions":[{"id":"https://openalex.org/I241749","display_name":"University of Cambridge","ror":"https://ror.org/013meh722","country_code":"GB","type":"education","lineage":["https://openalex.org/I241749"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Robert Mullins","raw_affiliation_strings":["University of Cambridge, Cambridge, United Kingdom","Univ. of Cambridge"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Cambridge, Cambridge, United Kingdom","institution_ids":["https://openalex.org/I241749"]},{"raw_affiliation_string":"Univ. of Cambridge","institution_ids":["https://openalex.org/I241749"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5046983053","display_name":"Ross Anderson","orcid":"https://orcid.org/0000-0001-8697-5682"},"institutions":[{"id":"https://openalex.org/I241749","display_name":"University of Cambridge","ror":"https://ror.org/013meh722","country_code":"GB","type":"education","lineage":["https://openalex.org/I241749"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Ross Anderson","raw_affiliation_strings":["University of Cambridge, Cambridge, United Kingdom","Univ. of Cambridge"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Cambridge, Cambridge, United Kingdom","institution_ids":["https://openalex.org/I241749"]},{"raw_affiliation_string":"Univ. of Cambridge","institution_ids":["https://openalex.org/I241749"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5069844959"],"corresponding_institution_ids":["https://openalex.org/I241749"],"apc_list":null,"apc_paid":null,"fwci":0.272,"has_fulltext":true,"cited_by_count":2,"citation_normalized_percentile":{"value":0.62457076,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":94,"max":96},"biblio":{"volume":null,"issue":null,"first_page":"13","last_page":"24"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9747999906539917,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9380000233650208,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.9239761829376221},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8025638461112976},{"id":"https://openalex.org/keywords/robustness","display_name":"Robustness (evolution)","score":0.6973098516464233},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.5228579044342041},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.4860554039478302},{"id":"https://openalex.org/keywords/convolutional-neural-network","display_name":"Convolutional neural network","score":0.4192139208316803},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4034002125263214},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.3793765902519226}],"concepts":[{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.9239761829376221},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8025638461112976},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.6973098516464233},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5228579044342041},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.4860554039478302},{"id":"https://openalex.org/C81363708","wikidata":"https://www.wikidata.org/wiki/Q17084460","display_name":"Convolutional neural network","level":2,"score":0.4192139208316803},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4034002125263214},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3793765902519226},{"id":"https://openalex.org/C185592680","wikidata":"https://www.wikidata.org/wiki/Q2329","display_name":"Chemistry","level":0,"score":0.0},{"id":"https://openalex.org/C55493867","wikidata":"https://www.wikidata.org/wiki/Q7094","display_name":"Biochemistry","level":1,"score":0.0},{"id":"https://openalex.org/C104317684","wikidata":"https://www.wikidata.org/wiki/Q7187","display_name":"Gene","level":2,"score":0.0}],"mesh":[],"locations_count":6,"locations":[{"id":"doi:10.1145/3411508.3421381","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3411508.3421381","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3411508.3421381","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security","raw_type":"proceedings-article"},{"id":"pmh:oai:arXiv.org:2002.08740","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2002.08740","pdf_url":"https://arxiv.org/pdf/2002.08740","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":null},{"id":"mag:3007928325","is_oa":true,"landing_page_url":"http://export.arxiv.org/pdf/2002.08740","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"arXiv (Cornell University)","raw_type":null},{"id":"pmh:oai:www.repository.cam.ac.uk:1810/315849","is_oa":false,"landing_page_url":"https://www.repository.cam.ac.uk/handle/1810/315849","pdf_url":null,"source":{"id":"https://openalex.org/S4306401777","display_name":"Apollo (University of Cambridge)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I241749","host_organization_name":"University of Cambridge","host_organization_lineage":["https://openalex.org/I241749"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},{"id":"doi:10.48550/arxiv.2002.08740","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2002.08740","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"},{"id":"doi:10.17863/cam.62960","is_oa":true,"landing_page_url":"https://doi.org/10.17863/cam.62960","pdf_url":null,"source":{"id":"https://openalex.org/S7407050737","display_name":"Apollo","issn_l":null,"issn":[],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article-journal"}],"best_oa_location":{"id":"doi:10.1145/3411508.3421381","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3411508.3421381","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3411508.3421381","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W3007928325.pdf","grobid_xml":"https://content.openalex.org/works/W3007928325.grobid-xml"},"referenced_works_count":43,"referenced_works":["https://openalex.org/W1983364832","https://openalex.org/W2096733369","https://openalex.org/W2119053853","https://openalex.org/W2243397390","https://openalex.org/W2486441166","https://openalex.org/W2552767274","https://openalex.org/W2593892853","https://openalex.org/W2594877703","https://openalex.org/W2613718673","https://openalex.org/W2618043096","https://openalex.org/W2735607295","https://openalex.org/W2738001131","https://openalex.org/W2750384547","https://openalex.org/W2768899812","https://openalex.org/W2794609696","https://openalex.org/W2798302089","https://openalex.org/W2803392236","https://openalex.org/W2803850896","https://openalex.org/W2890660842","https://openalex.org/W2898963688","https://openalex.org/W2899462473","https://openalex.org/W2900669141","https://openalex.org/W2903939901","https://openalex.org/W2911634294","https://openalex.org/W2912070915","https://openalex.org/W2914110731","https://openalex.org/W2937920463","https://openalex.org/W2951972811","https://openalex.org/W2962943487","https://openalex.org/W2963076808","https://openalex.org/W2963207607","https://openalex.org/W2963857521","https://openalex.org/W2963881378","https://openalex.org/W2963952467","https://openalex.org/W2964153729","https://openalex.org/W2964253222","https://openalex.org/W2983219069","https://openalex.org/W2992525328","https://openalex.org/W3037103175","https://openalex.org/W3037475485","https://openalex.org/W3091857398","https://openalex.org/W3099206234","https://openalex.org/W6609410732"],"related_works":["https://openalex.org/W3043775137","https://openalex.org/W3152892549","https://openalex.org/W3135693847","https://openalex.org/W3189578047","https://openalex.org/W2775755596","https://openalex.org/W1562855283","https://openalex.org/W3012089581","https://openalex.org/W2980131856","https://openalex.org/W3082761341","https://openalex.org/W2752049882","https://openalex.org/W3016150129","https://openalex.org/W3128757001","https://openalex.org/W3206164280","https://openalex.org/W1965706729","https://openalex.org/W3082612718","https://openalex.org/W4783647","https://openalex.org/W2951691683","https://openalex.org/W31544161","https://openalex.org/W3007335618","https://openalex.org/W2883326203"],"abstract_inverted_index":{"Convolutional":[0],"Neural":[1],"Networks":[2],"(CNNs)":[3],"are":[4,23],"deployed":[5],"in":[6,56,72],"more":[7,9],"and":[8,22,92,104,147],"classification":[10],"systems,":[11],"but":[12,38],"adversarial":[13,36,62,84,107],"samples":[14],"can":[15,74,148],"be":[16],"maliciously":[17],"crafted":[18],"to":[19,33],"trick":[20],"them,":[21],"becoming":[24],"a":[25,53,60,81],"real":[26],"threat.":[27],"There":[28],"have":[29,45],"been":[30],"various":[31,114],"proposals":[32],"improve":[34],"CNNs'":[35],"robustness":[37],"these":[39],"all":[40],"suffer":[41],"performance":[42],"penalties":[43],"or":[44],"other":[46],"limitations.":[47],"In":[48,109],"this":[49],"paper,":[50],"we":[51],"offer":[52],"new":[54],"approach":[55],"the":[57,65],"form":[58],"of":[59,78,80,83,96],"certifiable":[61,76],"detection":[63],"scheme,":[64],"Certifiable":[66],"Taboo":[67],"Trap":[68],"(CTT).":[69],"This":[70],"system,":[71],"theory,":[73],"provide":[75],"guarantees":[77],"detectability":[79],"range":[82],"inputs":[85],"for":[86],"certain":[87],"l-\u221e":[88],"sizes.":[89],"We":[90,129],"develop":[91],"evaluate":[93],"several":[94],"versions":[95],"CTT":[97,117,132],"with":[98,113],"different":[99],"defense":[100,120],"capabilities,":[101],"training":[102],"overheads":[103,144],"certifiability":[105],"on":[106,125,138],"samples.":[108],"practice,":[110],"against":[111],"adversaries":[112],"l-p":[115],"norms,":[116],"outperforms":[118],"existing":[119],"methods":[121],"that":[122,131],"focus":[123],"purely":[124],"improving":[126],"network":[127],"robustness.":[128],"show":[130],"has":[133],"small":[134],"false":[135],"positive":[136],"rates":[137],"clean":[139],"test":[140],"data,":[141],"minimal":[142],"compute":[143],"when":[145],"deployed,":[146],"support":[149],"complex":[150],"security":[151],"policies.":[152]},"counts_by_year":[{"year":2020,"cited_by_count":2}],"updated_date":"2026-05-15T06:05:50.897203","created_date":"2025-10-10T00:00:00"}