{"id":"https://openalex.org/W7155717297","doi":"https://doi.org/10.1186/s42400-025-00408-y","title":"SwitchNet: protecting neural networks by structure obfuscation and switch-controlled inference","display_name":"SwitchNet: protecting neural networks by structure obfuscation and switch-controlled inference","publication_year":2026,"publication_date":"2026-04-27","ids":{"openalex":"https://openalex.org/W7155717297","doi":"https://doi.org/10.1186/s42400-025-00408-y"},"language":"en","primary_location":{"id":"doi:10.1186/s42400-025-00408-y","is_oa":true,"landing_page_url":"https://doi.org/10.1186/s42400-025-00408-y","pdf_url":"https://link.springer.com/content/pdf/10.1186/s42400-025-00408-y.pdf","source":{"id":"https://openalex.org/S3035238565","display_name":"Cybersecurity","issn_l":"2523-3246","issn":["2523-3246"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310319965","host_organization_name":"Springer Nature","host_organization_lineage":["https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Cybersecurity","raw_type":"journal-article"},"type":"article","indexed_in":["crossref","doaj"],"open_access":{"is_oa":true,"oa_status":"diamond","oa_url":"https://link.springer.com/content/pdf/10.1186/s42400-025-00408-y.pdf","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5000632832","display_name":"Yuling Cai","orcid":"https://orcid.org/0000-0003-0992-4907"},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"government","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]},{"id":"https://openalex.org/I4210165038","display_name":"University of Chinese Academy of Sciences","ror":"https://ror.org/05qbk4x57","country_code":"CN","type":"education","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210165038"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yuling Cai","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]},{"raw_affiliation_string":"School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210165038"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5017417068","display_name":"Guozhu Meng","orcid":"https://orcid.org/0000-0001-6388-2571"},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"government","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]},{"id":"https://openalex.org/I4210165038","display_name":"University of Chinese Academy of Sciences","ror":"https://ror.org/05qbk4x57","country_code":"CN","type":"education","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210165038"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Guozhu Meng","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"],"raw_orcid":"https://orcid.org/0000-0001-6388-2571","affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]},{"raw_affiliation_string":"School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210165038"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5134636366","display_name":"Yinzhi Cao","orcid":null},"institutions":[{"id":"https://openalex.org/I145311948","display_name":"Johns Hopkins University","ror":"https://ror.org/00za53h95","country_code":"US","type":"education","lineage":["https://openalex.org/I145311948"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Yinzhi Cao","raw_affiliation_strings":["Johns Hopkins University, Baltimore, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Johns Hopkins University, Baltimore, USA","institution_ids":["https://openalex.org/I145311948"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5134651709","display_name":"Guangdong Bai","orcid":null},"institutions":[{"id":"https://openalex.org/I165143802","display_name":"The University of Queensland","ror":"https://ror.org/00rqy9422","country_code":"AU","type":"education","lineage":["https://openalex.org/I165143802"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Guangdong Bai","raw_affiliation_strings":["The University of Queensland, Brisbane, Australia"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"The University of Queensland, Brisbane, Australia","institution_ids":["https://openalex.org/I165143802"]}]}],"institutions":[],"countries_distinct_count":3,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5017417068"],"corresponding_institution_ids":["https://openalex.org/I19820366","https://openalex.org/I4210156404","https://openalex.org/I4210165038"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.74876804,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"9","issue":"1","first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9868999719619751,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9868999719619751,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12026","display_name":"Explainable Artificial Intelligence (XAI)","score":0.002400000113993883,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10764","display_name":"Privacy-Preserving Technologies in Data","score":0.0010000000474974513,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/inference","display_name":"Inference","score":0.6460999846458435},{"id":"https://openalex.org/keywords/robustness","display_name":"Robustness (evolution)","score":0.5848000049591064},{"id":"https://openalex.org/keywords/convolutional-neural-network","display_name":"Convolutional neural network","score":0.5135999917984009},{"id":"https://openalex.org/keywords/obfuscation","display_name":"Obfuscation","score":0.4973999857902527},{"id":"https://openalex.org/keywords/artificial-neural-network","display_name":"Artificial neural network","score":0.4657000005245209},{"id":"https://openalex.org/keywords/network-model","display_name":"Network model","score":0.4194999933242798},{"id":"https://openalex.org/keywords/deep-learning","display_name":"Deep learning","score":0.3343000113964081},{"id":"https://openalex.org/keywords/attack-model","display_name":"Attack model","score":0.32820001244544983}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7967000007629395},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.6460999846458435},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.5848000049591064},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5774999856948853},{"id":"https://openalex.org/C81363708","wikidata":"https://www.wikidata.org/wiki/Q17084460","display_name":"Convolutional neural network","level":2,"score":0.5135999917984009},{"id":"https://openalex.org/C40305131","wikidata":"https://www.wikidata.org/wiki/Q2616305","display_name":"Obfuscation","level":2,"score":0.4973999857902527},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.4657000005245209},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.41990000009536743},{"id":"https://openalex.org/C104122410","wikidata":"https://www.wikidata.org/wiki/Q1416406","display_name":"Network model","level":2,"score":0.4194999933242798},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3357999920845032},{"id":"https://openalex.org/C108583219","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep learning","level":2,"score":0.3343000113964081},{"id":"https://openalex.org/C65856478","wikidata":"https://www.wikidata.org/wiki/Q3991682","display_name":"Attack model","level":2,"score":0.32820001244544983},{"id":"https://openalex.org/C77618280","wikidata":"https://www.wikidata.org/wiki/Q1155772","display_name":"Scheme (mathematics)","level":2,"score":0.30979999899864197},{"id":"https://openalex.org/C107645828","wikidata":"https://www.wikidata.org/wiki/Q12070446","display_name":"System model","level":2,"score":0.2919999957084656},{"id":"https://openalex.org/C2776654903","wikidata":"https://www.wikidata.org/wiki/Q2601463","display_name":"SAFER","level":2,"score":0.29019999504089355},{"id":"https://openalex.org/C2781140086","wikidata":"https://www.wikidata.org/wiki/Q557945","display_name":"Confusion","level":2,"score":0.28610000014305115},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.2838999927043915},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.28299999237060547},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.27790001034736633},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.27390000224113464},{"id":"https://openalex.org/C2988224531","wikidata":"https://www.wikidata.org/wiki/Q20830730","display_name":"Network structure","level":2,"score":0.2660999894142151},{"id":"https://openalex.org/C2779960059","wikidata":"https://www.wikidata.org/wiki/Q7113681","display_name":"Overhead (engineering)","level":2,"score":0.26330000162124634},{"id":"https://openalex.org/C23224414","wikidata":"https://www.wikidata.org/wiki/Q176769","display_name":"Hidden Markov model","level":2,"score":0.25029999017715454}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1186/s42400-025-00408-y","is_oa":true,"landing_page_url":"https://doi.org/10.1186/s42400-025-00408-y","pdf_url":"https://link.springer.com/content/pdf/10.1186/s42400-025-00408-y.pdf","source":{"id":"https://openalex.org/S3035238565","display_name":"Cybersecurity","issn_l":"2523-3246","issn":["2523-3246"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310319965","host_organization_name":"Springer Nature","host_organization_lineage":["https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Cybersecurity","raw_type":"journal-article"},{"id":"pmh:oai:doaj.org/article:99c176d1cc6f4555854c3804a242cfa2","is_oa":true,"landing_page_url":"https://doaj.org/article/99c176d1cc6f4555854c3804a242cfa2","pdf_url":null,"source":{"id":"https://openalex.org/S4306401280","display_name":"DOAJ (DOAJ: Directory of Open Access Journals)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by-sa","license_id":"https://openalex.org/licenses/cc-by-sa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Cybersecurity, Vol 9, Iss 1 (2026)","raw_type":"article"}],"best_oa_location":{"id":"doi:10.1186/s42400-025-00408-y","is_oa":true,"landing_page_url":"https://doi.org/10.1186/s42400-025-00408-y","pdf_url":"https://link.springer.com/content/pdf/10.1186/s42400-025-00408-y.pdf","source":{"id":"https://openalex.org/S3035238565","display_name":"Cybersecurity","issn_l":"2523-3246","issn":["2523-3246"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310319965","host_organization_name":"Springer Nature","host_organization_lineage":["https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Cybersecurity","raw_type":"journal-article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.6998574733734131,"id":"https://metadata.un.org/sdg/16"}],"awards":[{"id":"https://openalex.org/G5541525046","display_name":null,"funder_award_id":"92270204","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G6947245144","display_name":null,"funder_award_id":"YSBR-118","funder_id":"https://openalex.org/F4320321133","funder_display_name":"Chinese Academy of Sciences"},{"id":"https://openalex.org/G895161659","display_name":null,"funder_award_id":"XDB0690100","funder_id":"https://openalex.org/F4320321133","funder_display_name":"Chinese Academy of Sciences"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320321133","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W7155717297.pdf","grobid_xml":"https://content.openalex.org/works/W7155717297.grobid-xml"},"referenced_works_count":34,"referenced_works":["https://openalex.org/W2051267297","https://openalex.org/W2339852062","https://openalex.org/W2774644650","https://openalex.org/W2806082141","https://openalex.org/W2914330473","https://openalex.org/W2959364614","https://openalex.org/W2963303354","https://openalex.org/W2964654358","https://openalex.org/W2969695741","https://openalex.org/W2971122390","https://openalex.org/W2990945337","https://openalex.org/W2994850640","https://openalex.org/W3001873791","https://openalex.org/W3002624958","https://openalex.org/W3085052658","https://openalex.org/W3092557510","https://openalex.org/W3107089345","https://openalex.org/W3109496323","https://openalex.org/W3112288498","https://openalex.org/W3116103918","https://openalex.org/W3119746519","https://openalex.org/W3157410348","https://openalex.org/W3170647102","https://openalex.org/W3190041646","https://openalex.org/W3203430276","https://openalex.org/W4210276879","https://openalex.org/W4210690620","https://openalex.org/W4296596384","https://openalex.org/W4313527147","https://openalex.org/W4385679786","https://openalex.org/W4386076400","https://openalex.org/W4386076651","https://openalex.org/W4402263968","https://openalex.org/W7131780867"],"related_works":[],"abstract_inverted_index":{"Abstract":[0],"Training":[1],"deep":[2],"learning":[3],"models":[4,18],"requires":[5],"substantial":[6],"financial":[7],"and":[8,29,43,60,79,134,150,197,235,240,249],"human":[9],"resources,":[10],"so":[11],"once":[12],"deployed":[13],"in":[14,38],"untrusted":[15],"environments,":[16],"these":[17],"immediately":[19],"attract":[20],"the":[21,72,76,89,97,131,136,147,219,229,259],"attention":[22],"of":[23,75,96,146],"attackers":[24],"who":[25],"seek":[26],"to":[27,65,224,228,246],"steal":[28],"misuse":[30],"them.":[31],"Traditional":[32],"model":[33,40,58,67,78,91,98,137,207],"protection":[34,260],"methods":[35],"are":[36,85],"ineffective":[37],"addressing":[39],"accuracy,":[41],"performance,":[42],"proactive":[44],"defense.":[45],"To":[46],"this":[47,116],"end,":[48],"we":[49,188],"present":[50],"an":[51,120],"active":[52],"defensive":[53],"approach":[54,232],"SwitchNet":[55,70,153,204,244],"by":[56,109,238],"obfuscating":[57],"structure":[59,93],"proposing":[61],"a":[62,103,110,124,142,214],"switch-controlled":[63],"mechanism":[64],"manage":[66],"inference.":[68],"Specifically,":[69],"learns":[71],"weight":[73],"distribution":[74],"original":[77,90],"then":[80],"constructs":[81],"confusion":[82],"layers":[83,99],"that":[84,127,152,203],"strategically":[86],"inserted":[87],"into":[88],"for":[92,209,221],"obfuscation.":[94],"Each":[95],"is":[100,107],"equipped":[101],"with":[102,119,168],"switch":[104,132],",":[105],"which":[106],"controlled":[108],"switching":[111],"policy":[112,117],"network.":[113],"We":[114,140],"train":[115],"network":[118],"adaptive":[121],"pattern":[122],"as":[123],"\u201csecret":[125],"key\u201d":[126],"can":[128],"accurately":[129],"control":[130],"states,":[133],"thereby":[135],"inference":[138,234],"process.":[139],"conduct":[141],"comprehensive":[143],"theoretical":[144],"analysis":[145],"perturbation":[148],"boundary":[149],"certify":[151],"maintains":[154],"high":[155],"robustness":[156],"under":[157],"$$\\ell":[158],"_\\infty$$":[159],"<mml:math":[160,177],"xmlns:mml=\"http://www.w3.org/1998/Math/MathML\">":[161,178],"<mml:msub>":[162],"<mml:mi>\u2113</mml:mi>":[163],"<mml:mi>\u221e</mml:mi>":[164],"</mml:msub>":[165],"</mml:math>":[166,184],"perturbations,":[167],"certified":[169],"accuracy":[170,208,220],"exceeding":[171],"80%":[172],"at":[173,255],"$$\\epsilon":[174],"=":[175],"0.0048$$":[176],"<mml:mrow>":[179],"<mml:mi>\u03f5</mml:mi>":[180],"<mml:mo>=</mml:mo>":[181],"<mml:mn>0.0048</mml:mn>":[182],"</mml:mrow>":[183],"(CROWN).":[185],"In":[186],"addition,":[187],"perform":[189],"extensive":[190],"experiments":[191],"on":[192],"both":[193],"classical":[194],"convolutional":[195],"networks":[196],"Vision":[198],"Transformers.":[199],"The":[200],"results":[201],"show":[202],"effectively":[205],"preserves":[206],"legitimate":[210],"users":[211,223],"(with":[212],"only":[213],"0.35%":[215],"drop),":[216],"while":[217],"reducing":[218],"unauthorized":[222],"near-random":[225],"guessing.":[226],"Compared":[227],"state-of-the-art,":[230],"our":[231],"reduces":[233],"construction":[236],"overhead":[237],"20.89%":[239],"12.08%,":[241],"respectively.":[242],"Furthermore,":[243],"proves":[245],"be":[247],"stealthy":[248],"resilient":[250],"against":[251],"various":[252],"attacks":[253],"aimed":[254],"detecting":[256],"or":[257],"compromising":[258],"mechanism.":[261]},"counts_by_year":[],"updated_date":"2026-05-21T06:26:12.895304","created_date":"2026-04-27T00:00:00"}