{"id":"https://openalex.org/W4324302739","doi":"https://doi.org/10.1145/3576915.3623116","title":"Stateful Defenses for Machine Learning Models Are Not Yet Secure Against Black-box Attacks","display_name":"Stateful Defenses for Machine Learning Models Are Not Yet Secure Against Black-box Attacks","publication_year":2023,"publication_date":"2023-11-15","ids":{"openalex":"https://openalex.org/W4324302739","doi":"https://doi.org/10.1145/3576915.3623116"},"language":"en","primary_location":{"id":"doi:10.1145/3576915.3623116","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3576915.3623116","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["arxiv","crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://arxiv.org/pdf/2303.06280","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5007824710","display_name":"Ryan Feng","orcid":"https://orcid.org/0000-0002-4767-274X"},"institutions":[{"id":"https://openalex.org/I27837315","display_name":"University of Michigan","ror":"https://ror.org/00jmfr291","country_code":"US","type":"education","lineage":["https://openalex.org/I27837315"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Ryan Feng","raw_affiliation_strings":["University of Michigan, Ann Arbor, MI, USA"],"raw_orcid":"https://orcid.org/0000-0002-4767-274X","affiliations":[{"raw_affiliation_string":"University of Michigan, Ann Arbor, MI, USA","institution_ids":["https://openalex.org/I27837315"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5077170899","display_name":"Ashish Hooda","orcid":"https://orcid.org/0000-0002-2928-919X"},"institutions":[{"id":"https://openalex.org/I135310074","display_name":"University of Wisconsin\u2013Madison","ror":"https://ror.org/01y2jtd41","country_code":"US","type":"education","lineage":["https://openalex.org/I135310074"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Ashish Hooda","raw_affiliation_strings":["University of Wisconsin-Madison, Madison, WI, USA"],"raw_orcid":"https://orcid.org/0000-0002-2928-919X","affiliations":[{"raw_affiliation_string":"University of Wisconsin-Madison, Madison, WI, USA","institution_ids":["https://openalex.org/I135310074"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5051506534","display_name":"Neal Mangaokar","orcid":"https://orcid.org/0000-0002-0684-4971"},"institutions":[{"id":"https://openalex.org/I27837315","display_name":"University of Michigan","ror":"https://ror.org/00jmfr291","country_code":"US","type":"education","lineage":["https://openalex.org/I27837315"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Neal Mangaokar","raw_affiliation_strings":["University of Michigan, Ann Arbor, MI, USA"],"raw_orcid":"https://orcid.org/0000-0002-0684-4971","affiliations":[{"raw_affiliation_string":"University of Michigan, Ann Arbor, MI, USA","institution_ids":["https://openalex.org/I27837315"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5042450214","display_name":"Kassem Fawaz","orcid":"https://orcid.org/0000-0002-4609-7691"},"institutions":[{"id":"https://openalex.org/I135310074","display_name":"University of Wisconsin\u2013Madison","ror":"https://ror.org/01y2jtd41","country_code":"US","type":"education","lineage":["https://openalex.org/I135310074"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Kassem Fawaz","raw_affiliation_strings":["University of Wisconsin-Madison, Madison, WI, USA"],"raw_orcid":"https://orcid.org/0000-0002-4609-7691","affiliations":[{"raw_affiliation_string":"University of Wisconsin-Madison, Madison, WI, USA","institution_ids":["https://openalex.org/I135310074"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5088826068","display_name":"Somesh Jha","orcid":"https://orcid.org/0000-0001-5877-0436"},"institutions":[{"id":"https://openalex.org/I135310074","display_name":"University of Wisconsin\u2013Madison","ror":"https://ror.org/01y2jtd41","country_code":"US","type":"education","lineage":["https://openalex.org/I135310074"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Somesh Jha","raw_affiliation_strings":["University of Wisconsin-Madison, Madison, WI, USA"],"raw_orcid":"https://orcid.org/0000-0001-5877-0436","affiliations":[{"raw_affiliation_string":"University of Wisconsin-Madison, Madison, WI, USA","institution_ids":["https://openalex.org/I135310074"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5019723791","display_name":"Atul Prakash","orcid":"https://orcid.org/0000-0002-4907-3687"},"institutions":[{"id":"https://openalex.org/I27837315","display_name":"University of Michigan","ror":"https://ror.org/00jmfr291","country_code":"US","type":"education","lineage":["https://openalex.org/I27837315"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Atul Prakash","raw_affiliation_strings":["University of Michigan, Ann Arbor, MI, USA"],"raw_orcid":"https://orcid.org/0000-0002-4907-3687","affiliations":[{"raw_affiliation_string":"University of Michigan, Ann Arbor, MI, USA","institution_ids":["https://openalex.org/I27837315"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5007824710"],"corresponding_institution_ids":["https://openalex.org/I27837315"],"apc_list":null,"apc_paid":null,"fwci":1.7041,"has_fulltext":true,"cited_by_count":10,"citation_normalized_percentile":{"value":0.86944584,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":97,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"786","last_page":"800"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9930999875068665,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9825000166893005,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/stateful-firewall","display_name":"Stateful firewall","score":0.854282021522522},{"id":"https://openalex.org/keywords/black-box","display_name":"Black box","score":0.823244571685791},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.774423360824585},{"id":"https://openalex.org/keywords/oracle","display_name":"Oracle","score":0.6643880605697632},{"id":"https://openalex.org/keywords/leverage","display_name":"Leverage (statistics)","score":0.5974588394165039},{"id":"https://openalex.org/keywords/s-box","display_name":"S-box","score":0.4745634198188782},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.41202110052108765},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.3418154716491699},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.3261077404022217},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.30337759852409363},{"id":"https://openalex.org/keywords/cryptography","display_name":"Cryptography","score":0.11440116167068481},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.09008485078811646}],"concepts":[{"id":"https://openalex.org/C22927095","wikidata":"https://www.wikidata.org/wiki/Q1784206","display_name":"Stateful firewall","level":3,"score":0.854282021522522},{"id":"https://openalex.org/C94966114","wikidata":"https://www.wikidata.org/wiki/Q29256","display_name":"Black box","level":2,"score":0.823244571685791},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.774423360824585},{"id":"https://openalex.org/C55166926","wikidata":"https://www.wikidata.org/wiki/Q2892946","display_name":"Oracle","level":2,"score":0.6643880605697632},{"id":"https://openalex.org/C153083717","wikidata":"https://www.wikidata.org/wiki/Q6535263","display_name":"Leverage (statistics)","level":2,"score":0.5974588394165039},{"id":"https://openalex.org/C45737032","wikidata":"https://www.wikidata.org/wiki/Q748364","display_name":"S-box","level":4,"score":0.4745634198188782},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.41202110052108765},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.3418154716491699},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3261077404022217},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.30337759852409363},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.11440116167068481},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.09008485078811646},{"id":"https://openalex.org/C106544461","wikidata":"https://www.wikidata.org/wiki/Q543151","display_name":"Block cipher","level":3,"score":0.0},{"id":"https://openalex.org/C158379750","wikidata":"https://www.wikidata.org/wiki/Q214111","display_name":"Network packet","level":2,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3576915.3623116","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3576915.3623116","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},{"id":"pmh:oai:arXiv.org:2303.06280","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2303.06280","pdf_url":"https://arxiv.org/pdf/2303.06280","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"}],"best_oa_location":{"id":"pmh:oai:arXiv.org:2303.06280","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2303.06280","pdf_url":"https://arxiv.org/pdf/2303.06280","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.7099999785423279}],"awards":[{"id":"https://openalex.org/G1323911732","display_name":null,"funder_award_id":"885000","funder_id":"https://openalex.org/F4320332180","funder_display_name":"Defense Advanced Research Projects Agency"},{"id":"https://openalex.org/G135717089","display_name":"EAGER: SaTC-EDU: Identifying Educational Conceptions and Challenges in  Cybersecurity and Artificial Intelligence","funder_award_id":"2039445","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G2974791382","display_name":null,"funder_award_id":"DGE 1841052","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G4446443848","display_name":null,"funder_award_id":"1841052, 2039445","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G8545717862","display_name":null,"funder_award_id":"1841052","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"},{"id":"https://openalex.org/F4320332180","display_name":"Defense Advanced Research Projects Agency","ror":"https://ror.org/02caytj08"}],"has_content":{"pdf":true,"grobid_xml":false},"content_urls":{"pdf":"https://content.openalex.org/works/W4324302739.pdf"},"referenced_works_count":17,"referenced_works":["https://openalex.org/W1540596182","https://openalex.org/W1998808035","https://openalex.org/W2117539524","https://openalex.org/W2194775991","https://openalex.org/W2557738935","https://openalex.org/W2792450155","https://openalex.org/W2798302089","https://openalex.org/W2969695741","https://openalex.org/W2990502263","https://openalex.org/W3007384386","https://openalex.org/W3015625436","https://openalex.org/W3034892461","https://openalex.org/W3080260826","https://openalex.org/W3091857398","https://openalex.org/W3155026250","https://openalex.org/W3173859330","https://openalex.org/W4226510616"],"related_works":["https://openalex.org/W3009622996","https://openalex.org/W3037859390","https://openalex.org/W4206598047","https://openalex.org/W2892509520","https://openalex.org/W1984273188","https://openalex.org/W2011644400","https://openalex.org/W3105637246","https://openalex.org/W4397049040","https://openalex.org/W4400374418","https://openalex.org/W2094644515"],"abstract_inverted_index":{"Recent":[0,77],"work":[1],"has":[2,20],"proposed":[3],"stateful":[4,35,212],"defense":[5,157],"models":[6],"(SDMs)":[7],"as":[8,26,169],"a":[9,15,73,104,113],"compelling":[10],"strategy":[11,118,183],"to":[12,23,38,103,134,148,153,172,180,184,190,217,218],"defend":[13,39],"against":[14,40,89,194,210],"black-box":[16,41,59,91,109,116,174,188,204],"attacker":[17],"who":[18],"only":[19],"query":[21,46,75,132,151,226],"access":[22],"the":[24,45,155,182],"model,":[25],"is":[27,166],"common":[28,187],"for":[29,221],"online":[30],"machine":[31],"learning":[32],"platforms.":[33],"Such":[34],"defenses":[36,213],"aim":[37],"attacks":[42,60,71,175,189,205],"by":[43],"tracking":[44],"history":[47],"and":[48,50,56,65,81],"detecting":[49],"rejecting":[51],"queries":[52],"that":[53,98,125],"are":[54,100],"\"similar\"":[55],"thus":[57],"preventing":[58],"from":[61,214],"finding":[62,69,162],"useful":[63],"gradients":[64],"making":[66,159],"progress":[67,160],"towards":[68,161],"adversarial":[70,163],"within":[72,224],"reasonable":[74,225],"budget.":[76],"SDMs":[78,99],"(e.g.,":[79],"Blacklight":[80],"PIHA)":[82],"have":[83],"shown":[84],"remarkable":[85],"success":[86,208],"in":[87],"defending":[88],"state-of-the-art":[90],"attacks.":[92,110],"In":[93],"this":[94],"paper,":[95],"we":[96,177],"show":[97,178],"highly":[101],"vulnerable":[102],"new":[105],"class":[106,196],"of":[107,197,203],"adaptive":[108,115],"We":[111],"propose":[112],"novel":[114],"attack":[117,207],"called":[119],"Oracle-guided":[120],"Adaptive":[121],"Rejection":[122],"Sampling":[123],"(OARS)":[124],"involves":[126],"two":[127],"stages:":[128],"(1)":[129],"use":[130],"initial":[131],"patterns":[133,152],"infer":[135],"key":[136],"properties":[137,147],"about":[138],"an":[139,170],"SDM's":[140,156],"defense;":[141],"and,":[142],"(2)":[143],"leverage":[144],"those":[145],"extracted":[146],"design":[149],"subsequent":[150],"evade":[154],"while":[158],"inputs.":[164],"OARS":[165],"broadly":[167],"applicable":[168],"enhancement":[171],"existing":[173],"-":[176],"how":[179],"apply":[181],"enhance":[185],"six":[186],"be":[191],"more":[192],"effective":[193],"current":[195],"SDMs.":[198],"For":[199],"example,":[200],"OARS-enhanced":[201],"versions":[202],"improved":[206],"rate":[209],"recent":[211],"almost":[215,219],"0%":[216],"100%":[220],"multiple":[222],"datasets":[223],"budgets.":[227]},"counts_by_year":[{"year":2025,"cited_by_count":5},{"year":2024,"cited_by_count":5}],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2023-03-16T00:00:00"}