[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"similar-THUYimingLi--backdoor-learning-resources":3,"tool-THUYimingLi--backdoor-learning-resources":61},[4,18,26,36,44,53],{"id":5,"name":6,"github_repo":7,"description_zh":8,"stars":9,"difficulty_score":10,"last_commit_at":11,"category_tags":12,"status":17},4358,"openclaw","openclaw\u002Fopenclaw","OpenClaw 是一款专为个人打造的本地化 AI 助手，旨在让你在自己的设备上拥有完全可控的智能伙伴。它打破了传统 AI 助手局限于特定网页或应用的束缚，能够直接接入你日常使用的各类通讯渠道，包括微信、WhatsApp、Telegram、Discord、iMessage 等数十种平台。无论你在哪个聊天软件中发送消息，OpenClaw 都能即时响应，甚至支持在 macOS、iOS 和 Android 设备上进行语音交互，并提供实时的画布渲染功能供你操控。\n\n这款工具主要解决了用户对数据隐私、响应速度以及“始终在线”体验的需求。通过将 AI 部署在本地，用户无需依赖云端服务即可享受快速、私密的智能辅助，真正实现了“你的数据，你做主”。其独特的技术亮点在于强大的网关架构，将控制平面与核心助手分离，确保跨平台通信的流畅性与扩展性。\n\nOpenClaw 非常适合希望构建个性化工作流的技术爱好者、开发者，以及注重隐私保护且不愿被单一生态绑定的普通用户。只要具备基础的终端操作能力（支持 macOS、Linux 及 Windows WSL2），即可通过简单的命令行引导完成部署。如果你渴望拥有一个懂你",349277,3,"2026-04-06T06:32:30",[13,14,15,16],"Agent","开发框架","图像","数据工具","ready",{"id":19,"name":20,"github_repo":21,"description_zh":22,"stars":23,"difficulty_score":10,"last_commit_at":24,"category_tags":25,"status":17},3808,"stable-diffusion-webui","AUTOMATIC1111\u002Fstable-diffusion-webui","stable-diffusion-webui 是一个基于 Gradio 构建的网页版操作界面，旨在让用户能够轻松地在本地运行和使用强大的 Stable Diffusion 图像生成模型。它解决了原始模型依赖命令行、操作门槛高且功能分散的痛点，将复杂的 AI 绘图流程整合进一个直观易用的图形化平台。\n\n无论是希望快速上手的普通创作者、需要精细控制画面细节的设计师，还是想要深入探索模型潜力的开发者与研究人员，都能从中获益。其核心亮点在于极高的功能丰富度：不仅支持文生图、图生图、局部重绘（Inpainting）和外绘（Outpainting）等基础模式，还独创了注意力机制调整、提示词矩阵、负向提示词以及“高清修复”等高级功能。此外，它内置了 GFPGAN 和 CodeFormer 等人脸修复工具，支持多种神经网络放大算法，并允许用户通过插件系统无限扩展能力。即使是显存有限的设备，stable-diffusion-webui 也提供了相应的优化选项，让高质量的 AI 艺术创作变得触手可及。",162132,"2026-04-05T11:01:52",[14,15,13],{"id":27,"name":28,"github_repo":29,"description_zh":30,"stars":31,"difficulty_score":32,"last_commit_at":33,"category_tags":34,"status":17},1381,"everything-claude-code","affaan-m\u002Feverything-claude-code","everything-claude-code 是一套专为 AI 编程助手（如 Claude Code、Codex、Cursor 等）打造的高性能优化系统。它不仅仅是一组配置文件，而是一个经过长期实战打磨的完整框架，旨在解决 AI 
代理在实际开发中面临的效率低下、记忆丢失、安全隐患及缺乏持续学习能力等核心痛点。\n\n通过引入技能模块化、直觉增强、记忆持久化机制以及内置的安全扫描功能，everything-claude-code 能显著提升 AI 在复杂任务中的表现，帮助开发者构建更稳定、更智能的生产级 AI 代理。其独特的“研究优先”开发理念和针对 Token 消耗的优化策略，使得模型响应更快、成本更低，同时有效防御潜在的攻击向量。\n\n这套工具特别适合软件开发者、AI 研究人员以及希望深度定制 AI 工作流的技术团队使用。无论您是在构建大型代码库，还是需要 AI 协助进行安全审计与自动化测试，everything-claude-code 都能提供强大的底层支持。作为一个曾荣获 Anthropic 黑客大奖的开源项目，它融合了多语言支持与丰富的实战钩子（hooks），让 AI 真正成长为懂上",150037,2,"2026-04-10T23:33:47",[14,13,35],"语言模型",{"id":37,"name":38,"github_repo":39,"description_zh":40,"stars":41,"difficulty_score":32,"last_commit_at":42,"category_tags":43,"status":17},2271,"ComfyUI","Comfy-Org\u002FComfyUI","ComfyUI 是一款功能强大且高度模块化的视觉 AI 引擎，专为设计和执行复杂的 Stable Diffusion 图像生成流程而打造。它摒弃了传统的代码编写模式，采用直观的节点式流程图界面，让用户通过连接不同的功能模块即可构建个性化的生成管线。\n\n这一设计巧妙解决了高级 AI 绘图工作流配置复杂、灵活性不足的痛点。用户无需具备编程背景，也能自由组合模型、调整参数并实时预览效果，轻松实现从基础文生图到多步骤高清修复等各类复杂任务。ComfyUI 拥有极佳的兼容性，不仅支持 Windows、macOS 和 Linux 全平台，还广泛适配 NVIDIA、AMD、Intel 及苹果 Silicon 等多种硬件架构，并率先支持 SDXL、Flux、SD3 等前沿模型。\n\n无论是希望深入探索算法潜力的研究人员和开发者，还是追求极致创作自由度的设计师与资深 AI 绘画爱好者，ComfyUI 都能提供强大的支持。其独特的模块化架构允许社区不断扩展新功能，使其成为当前最灵活、生态最丰富的开源扩散模型工具之一，帮助用户将创意高效转化为现实。",108322,"2026-04-10T11:39:34",[14,15,13],{"id":45,"name":46,"github_repo":47,"description_zh":48,"stars":49,"difficulty_score":32,"last_commit_at":50,"category_tags":51,"status":17},6121,"gemini-cli","google-gemini\u002Fgemini-cli","gemini-cli 是一款由谷歌推出的开源 AI 命令行工具，它将强大的 Gemini 大模型能力直接集成到用户的终端环境中。对于习惯在命令行工作的开发者而言，它提供了一条从输入提示词到获取模型响应的最短路径，无需切换窗口即可享受智能辅助。\n\n这款工具主要解决了开发过程中频繁上下文切换的痛点，让用户能在熟悉的终端界面内直接完成代码理解、生成、调试以及自动化运维任务。无论是查询大型代码库、根据草图生成应用，还是执行复杂的 Git 操作，gemini-cli 都能通过自然语言指令高效处理。\n\n它特别适合广大软件工程师、DevOps 人员及技术研究人员使用。其核心亮点包括支持高达 100 万 token 的超长上下文窗口，具备出色的逻辑推理能力；内置 Google 搜索、文件操作及 Shell 命令执行等实用工具；更独特的是，它支持 MCP（模型上下文协议），允许用户灵活扩展自定义集成，连接如图像生成等外部能力。此外，个人谷歌账号即可享受免费的额度支持，且项目基于 Apache 2.0 
协议完全开源，是提升终端工作效率的理想助手。",100752,"2026-04-10T01:20:03",[52,13,15,14],"插件",{"id":54,"name":55,"github_repo":56,"description_zh":57,"stars":58,"difficulty_score":32,"last_commit_at":59,"category_tags":60,"status":17},4721,"markitdown","microsoft\u002Fmarkitdown","MarkItDown 是一款由微软 AutoGen 团队打造的轻量级 Python 工具，专为将各类文件高效转换为 Markdown 格式而设计。它支持 PDF、Word、Excel、PPT、图片（含 OCR）、音频（含语音转录）、HTML 乃至 YouTube 链接等多种格式的解析，能够精准提取文档中的标题、列表、表格和链接等关键结构信息。\n\n在人工智能应用日益普及的今天，大语言模型（LLM）虽擅长处理文本，却难以直接读取复杂的二进制办公文档。MarkItDown 恰好解决了这一痛点，它将非结构化或半结构化的文件转化为模型“原生理解”且 Token 效率极高的 Markdown 格式，成为连接本地文件与 AI 分析 pipeline 的理想桥梁。此外，它还提供了 MCP（模型上下文协议）服务器，可无缝集成到 Claude Desktop 等 LLM 应用中。\n\n这款工具特别适合开发者、数据科学家及 AI 研究人员使用，尤其是那些需要构建文档检索增强生成（RAG）系统、进行批量文本分析或希望让 AI 助手直接“阅读”本地文件的用户。虽然生成的内容也具备一定可读性，但其核心优势在于为机器",93400,"2026-04-06T19:52:38",[52,14],{"id":62,"github_repo":63,"name":64,"description_en":65,"description_zh":66,"ai_summary_zh":66,"readme_en":67,"readme_zh":68,"quickstart_zh":69,"use_case_zh":70,"hero_image_url":71,"owner_login":72,"owner_name":73,"owner_avatar_url":74,"owner_bio":75,"owner_company":76,"owner_location":76,"owner_email":76,"owner_twitter":77,"owner_website":78,"owner_url":79,"languages":76,"stars":80,"forks":81,"last_commit_at":82,"license":83,"difficulty_score":84,"env_os":85,"env_gpu":85,"env_ram":85,"env_deps":86,"category_tags":89,"github_topics":90,"view_count":97,"oss_zip_url":76,"oss_zip_packed_at":76,"status":17,"created_at":98,"updated_at":99,"faqs":100,"releases":131},978,"THUYimingLi\u002Fbackdoor-learning-resources","backdoor-learning-resources","A list of backdoor learning resources","backdoor-learning-resources 是一份系统整理的后门学习（Backdoor Learning）领域资源清单，由研究者持续维护更新，旨在帮助社区快速追踪这一新兴安全方向的前沿进展。\n\n后门学习关注机器学习训练过程中的安全隐患：攻击者可通过在训练数据中植入特定\"触发器\"，使模型在正常输入下表现正常，但一旦检测到触发模式便产生恶意输出。这类威胁也被称为\"神经木马\"（Neural Trojan），对安全使用第三方训练数据或预训练模型构成现实挑战。\n\n这份资源库涵盖了从综述论文、开源工具箱到具体攻防技术的完整脉络，按攻击类型（投毒攻击、权重攻击、结构修改攻击等）和防御策略（预处理、模型重构、触发器合成、样本过滤等）细致分类，并延伸至联邦学习、迁移学习、强化学习等场景。内容均按会议\u002F期刊\u002F预印本的时间顺序整理，便于研究者把握技术演进。\n\n适合 AI 
安全研究者、深度学习工程师及关注模型可信性的开发者使用。若你的研究涉及模型供应链安全、预训练模型审计或对抗样本防御，这份清单能帮你快速定位关键文献与代码实现。项目作者每月更新，欢迎社区通过 PR 贡献新论文。","# Backdoor Learning Resources\nThis GitHub repository summarizes a list of **Backdoor Learning** resources. For more details and the categorization criteria, please refer to our [survey](https:\u002F\u002Fwww.researchgate.net\u002Fpublication\u002F343006441_Backdoor_Learning_A_Survey). \n\nWe will try our best to continuously maintain this GitHub repository on a monthly basis.\n\n\n#### Why Backdoor Learning?\nBackdoor learning is an emerging research area that studies the security issues arising in the training process of machine learning algorithms. It is critical for safely adopting third-party training resources or models in practice.  \n\nNote: 'Backdoor' is also commonly called the 'Neural Trojan' or 'Trojan'.\n\n\n## News\n* 2023\u002F7\u002F24: I added ten ICLR'23 papers. All papers from this conference should have been included now.\n* 2023\u002F7\u002F23: I added seven NeurIPS'22 papers and four AAAI'23 papers. All papers from these conferences should have been included now.\n* 2023\u002F01\u002F25: I am deeply sorry that I have recently suspended the reading of related papers and the updates of this repo, due to some personal issues such as sickness and writing my Ph.D. dissertation. I will restart the updates after June 2023.\n* 2022\u002F12\u002F05: I slightly changed the repo format by placing conference papers before journal papers. Specifically, in the same year, please place the conference paper before the journal paper, as journal papers are usually submitted long before they are published and therefore lag behind.\n* 2022\u002F12\u002F05: I added three ECCV'22 papers. 
All papers from this conference should have been included now.\n\n\n\n## Reference\nIf our repo or survey is useful for your research, please cite our paper as follows:\n```\n@article{li2022backdoor,\n  title={Backdoor learning: A survey},\n  author={Li, Yiming and Jiang, Yong and Li, Zhifeng and Xia, Shu-Tao},\n  journal={IEEE Transactions on Neural Networks and Learning Systems},\n  year={2022}\n}\n```\n\n\n## Contributing\n\u003Cp align=\"center\">\n  \u003Cimg src=\"https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002FTHUYimingLi_backdoor-learning-resources_readme_7a9f4b7eebd0.jpg\" alt=\"We Need You!\">\n\u003C\u002Fp>\n\nPlease help contribute to this list by contacting [me](http:\u002F\u002Fliyiming.tech) or opening a [pull request](https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002Fawesome-backdoor-learning\u002Fpulls).\n\nMarkdown format:\n```markdown\n- Paper Name. \n  [[pdf]](link) \n  [[code]](link)\n  - Author 1, Author 2, **and** Author 3. *Conference\u002FJournal*, Year.\n```\n**Note**: In the same year, please place the conference paper before the journal paper, as journal papers are usually submitted long before they are published and therefore lag behind. 
(*i.e.*, Conferences-->Journals-->Preprints)\n\n\n## Table of Contents\n- [Survey](#survey)\n- [Toolbox](#toolbox)\n- [Dissertation and Thesis](#dissertation-and-thesis)\n- [Image and Video Classification](#image-and-video-classification) \n  - [Poisoning-based Attack](#poisoning-based-attack)\n  - [Non-poisoning-based Attack](#non-poisoning-based-attack)\n    - [Weights-oriented Attack](#weights-oriented-attack)\n    - [Structure-modified Attack](#structure-modified-attack)\n    - [Other Attacks](#other-attacks)\n  - [Backdoor Defense](#backdoor-defense)\n    - [Preprocessing-based Empirical Defense](#preprocessing-based-empirical-defense)\n    - [Model Reconstruction based Empirical Defense](#model-reconstruction-based-empirical-defense)\n    - [Trigger Synthesis based Empirical Defense](#trigger-synthesis-based-empirical-defense)\n    - [Model Diagnosis based Empirical Defense](#model-diagnosis-based-empirical-defense)\n    - [Poison Suppression based Empirical Defense](#poison-suppression-based-empirical-defense)\n    - [Sample Filtering based Empirical Defense](#sample-filtering-based-empirical-defense)\n    - [Certificated Defense](#certificated-defense)\n- [Attack and Defense Towards Other Paradigms and Tasks](#attack-and-defense-towards-other-paradigms-and-tasks) \n  - [Federated Learning](#federated-learning)\n  - [Transfer Learning](#transfer-learning) \n  - [Reinforcement Learning](#reinforcement-learning)\n  - [Semi-Supervised and Self-Supervised Learning](#semi-supervised-and-self-supervised-learning)\n  - [Quantization](#quantization)\n  - [Natural Language Processing](#natural-language-processing)\n  - [Graph Neural Networks](#graph-neural-networks)\n  - [Point Cloud](#point-cloud)\n  - [Acoustics Signal Processing](#acoustics-signal-processing)\n  - [Medical Science](#medical-science)\n  - [Detection and Tracking](#detection-and-tracking)\n  - [Vision Transformer](#vision-transformer)\n  - [Diffusion Model](#diffusion-model)\n  - 
[Cybersecurity](#cybersecurity)\n  - [Others](#others)\n- [Evaluation and Discussion](#evaluation-and-discussion)\n- [Backdoor Attack for Positive Purposes](#backdoor-attack-for-positive-purposes)\n- [Competition](#competition)\n\n\n## Survey\n- Backdoor Learning: A Survey.\n  [[pdf]](https:\u002F\u002Fwww.researchgate.net\u002Fpublication\u002F343006441_Backdoor_Learning_A_Survey)\n  - Yiming Li, Yong Jiang, Zhifeng Li, and Shu-Tao Xia. *IEEE Transactions on Neural Networks and Learning Systems*, 2022.\n\n- Backdoor Attacks and Countermeasures on Deep Learning: A Comprehensive Review.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.10760.pdf)\n  - Yansong Gao, Bao Gia Doan, Zhi Zhang, Siqi Ma, Anmin Fu, Surya Nepal, and Hyoungshick Kim. arXiv, 2020.\n\n- Data Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.10544.pdf)\n  - Micah Goldblum, Dimitris Tsipras, Chulin Xie, Xinyun Chen, Avi Schwarzschild, Dawn Song, Aleksander Madry, Bo Li, and Tom Goldstein. *IEEE Transactions on Pattern Analysis and Machine Intelligence*, 2022.\n\n- A Comprehensive Survey on Poisoning Attacks and Countermeasures in Machine Learning.\n  [[link]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002F10.1145\u002F3551636)\n  - Zhiyi Tian, Lei Cui, Jie Liang, and Shui Yu. *ACM Computing Surveys*, 2022.\n\n- Backdoor Attacks and Defenses in Federated Learning: State-of-the-art, Taxonomy, and Future Directions.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9806416)\n  - Xueluan Gong, Yanjiao Chen, Qian Wang, and Weihan Kong. *IEEE Wireless Communications*, 2022.\n\n- Backdoor Attacks on Image Classification Models in Deep Neural Networks.\n  [[link]](http:\u002F\u002Fcje.ejournal.org.cn\u002Farticle\u002Fdoi\u002F10.1049\u002Fcje.2021.00.126)\n  - Quanxin Zhang, Wencong Ma, Yajie Wang, Yaoyuan Zhang, Zhiwei Shi, and Yuanzhang Li. 
*Chinese Journal of Electronics*, 2022.\n\n- Defense against Neural Trojan Attacks: A Survey.\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0925231220316350)\n  - Sara Kaviani and Insoo Sohn. *Neurocomputing*, 2021.\n\n- A Survey on Neural Trojans. \n  [[pdf]](https:\u002F\u002Feprint.iacr.org\u002F2020\u002F201.pdf)\n  - Yuntao Liu, Ankit Mondal, Abhishek Chakraborty, Michael Zuzak, Nina Jacobsen, Daniel Xing, and Ankur Srivastava. *ISQED*, 2020.\n\n- Backdoor Attacks against Voice Recognition Systems: A Survey.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2307.13643)\n  - Baochen Yan, Jiahe Lan, and Zheng Yan. arXiv, 2023.\n\n- A Survey of Neural Trojan Attacks and Defenses in Deep Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.07183.pdf)\n  - Jie Wang, Ghulam Mubashar Hassan, and Naveed Akhtar. arXiv, 2022.\n\n- Threats to Pre-trained Language Models: Survey and Taxonomy.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.06862.pdf)\n  - Shangwei Guo, Chunlong Xie, Jiwei Li, Lingjuan Lyu, and Tianwei Zhang. arXiv, 2022.\n\n- An Overview of Backdoor Attacks Against Deep Neural Networks and Possible Defences.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.08429.pdf)\n  - Wei Guo, Benedetta Tondi, and Mauro Barni. arXiv, 2021.\n\n- Deep Learning Backdoors.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.08273.pdf)\n  - Shaofeng Li, Shiqing Ma, Minhui Xue, and Benjamin Zi Hao Zhao. 
arXiv, 2020.\n \n\n## Toolbox\n- [BackdoorBox](https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002FBackdoorBox)\n- [TrojanZoo](https:\u002F\u002Fgithub.com\u002Fain-soph\u002Ftrojanzoo)\n- [OpenBackdoor](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FOpenBackdoor)\n- [Backdoor Toolbox](https:\u002F\u002Fgithub.com\u002Fvtu81\u002Fbackdoor-toolbox)\n- [BackdoorBench](https:\u002F\u002Fgithub.com\u002FSCLBD\u002FBackdoorBench)\n- [backdoors101](https:\u002F\u002Fgithub.com\u002Febagdasa\u002Fbackdoors101)\n- [ART](https:\u002F\u002Fgithub.com\u002FTrusted-AI\u002Fadversarial-robustness-toolbox)\n\n\n## Dissertation and Thesis\n- Poisoning-based Backdoor Attacks in Computer Vision.\n  [[pdf]](https:\u002F\u002Fwww.researchgate.net\u002Fpublication\u002F370233769_Poisoning-based_Backdoor_Attacks_in_Computer_Vision)\n  - Yiming Li. *Ph.D. Dissertation at Tsinghua University*, 2023. \n\n- Defense of Backdoor Attacks against Deep Neural Network Classifiers.\n  [[pdf]](https:\u002F\u002Fetda.libraries.psu.edu\u002Ffiles\u002Ffinal_submissions\u002F26656)\n  - Zhen Xiang. *Ph.D. Dissertation at The Pennsylvania State University*, 2022. \n\n- Towards Adversarial and Backdoor Robustness of Deep Learning.\n  [[link]](http:\u002F\u002Frave.ohiolink.edu\u002Fetdc\u002Fview?acc_num=case1654872780807815)\n  - Yifan Guo. *Ph.D. Dissertation at Case Western Reserve University*, 2022. \n\n- Toward Robust and Communication Efficient Distributed Machine Learning.\n  [[pdf]](https:\u002F\u002Fwww.proquest.com\u002Fdocview\u002F2572595657)\n  - Hongyi Wang. *Ph.D. Dissertation at University of Wisconsin–Madison*, 2021.\n\n- Towards Robust Image Classification with Deep Learning and Real-Time DNN Inference on Mobile.\n  [[pdf]](https:\u002F\u002Fwww.proquest.com\u002Fdocview\u002F2572970976)\n  - Pu Zhao. *Ph.D. 
Dissertation at Northeastern University*, 2021.\n\n- Countermeasures Against Backdoor, Data Poisoning, and Adversarial Attacks.\n  [[pdf]](https:\u002F\u002Fwww.proquest.com\u002Fdocview\u002F2572565404)\n  - Henry Daniel. *Ph.D. Dissertation at University of Texas at San Antonio*, 2021.\n \n- Understanding and Mitigating the Impact of Backdooring Attacks on Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Fwww.proquest.com\u002Fdocview\u002F2555308945?pq-origsite=gscholar&fromopenview=true)\n  - Kang Liu. *Ph.D. Dissertation at New York University*, 2021.\n\n- Un-fair trojan: Targeted Backdoor Attacks against Model Fairness.\n  [[pdf]](https:\u002F\u002Fdigitalcommons.njit.edu\u002Fcgi\u002Fviewcontent.cgi?article=3010&context=theses)\n  - Nicholas Furth. *Master Thesis at New Jersey Institute of Technology*, 2022.\n\n- Check Your Other Door: Creating Backdoor Attacks in the Frequency Domain.\n  [[pdf]](file:\u002F\u002F\u002FC:\u002FUsers\u002FRainbow\u002FDownloads\u002FThesis_Hasan_Hammoud.pdf)\n  - Hasan Abed Al Kader Hammoud. *Master Thesis at King Abdullah University of Science and Technology*, 2022.\n\n- Backdoor Attacks in Neural Networks.\n  [[link]](https:\u002F\u002Frepository.tudelft.nl\u002Fislandora\u002Fobject\u002Fuuid:b830b4a2-b700-4c93-8d1d-88dc0191c468?collection=education)\n  - Stefanos Koffas. *Master Thesis at Delft University of Technology*, 2021.\n\n- Backdoor Defenses.\n  [[pdf]](https:\u002F\u002Frepositum.tuwien.at\u002Fbitstream\u002F20.500.12708\u002F18831\u002F1\u002FMilakovic%20Andrea%20-%202021%20-%20Backdoor%20defenses.pdf)\n  - Andrea Milakovic. *Master Thesis at Technischen Universität Wien*, 2021.\n  \n- Geometric Properties of Backdoored Neural Networks.\n  [[pdf]](https:\u002F\u002Fwww2.eecs.berkeley.edu\u002FPubs\u002FTechRpts\u002F2021\u002FEECS-2021-78.pdf)\n  - Dominic Carrano. 
*Master Thesis at University of California at Berkeley*, 2021.\n\n- Detecting Backdoored Neural Networks with Structured Adversarial Attacks.\n  [[pdf]](https:\u002F\u002Fwww2.eecs.berkeley.edu\u002FPubs\u002FTechRpts\u002F2021\u002FEECS-2021-90.pdf)\n  - Charles Yang. *Master Thesis at University of California at Berkeley*, 2021.\n\n- Backdoor Attacks Against Deep Learning Systems in the Physical World.\n  [[pdf]](https:\u002F\u002Fnewtraell.cs.uchicago.edu\u002Ffiles\u002Fms_paper\u002Fewillson.pdf)\n  - Emily Willson. *Master Thesis at University of Chicago*, 2020.\n\n\n## Image and Video Classification\n### Poisoning-based Attack\n#### 2023\n- Revisiting the Assumption of Latent Separability for Backdoor Defenses.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=_wSHsgrVali)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUnispac\u002FCircumventing-Backdoor-Defenses)\n  - Xiangyu Qi, Tinghao Xie, Yiming Li, Saeed Mahloujifar, and Prateek Mittal. *ICLR*, 2023.\n\n- Few-shot Backdoor Attacks via Neural Tangent Kernels.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=a70lGJ-rwy)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSewoongLab\u002Fntk-backdoor)\n  - Jonathan Hayase and Sewoong Oh. *ICLR*, 2023.\n\n- Color Backdoor: A Robust Poisoning Attack in Color Space.\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2023\u002Fpapers\u002FJiang_Color_Backdoor_A_Robust_Poisoning_Attack_in_Color_Space_CVPR_2023_paper.pdf)\n  - Wenbo Jiang, Hongwei Li, Guowen Xu, and Tianwei Zhang. *CVPR*, 2023.\n\n\n#### 2022\n- Untargeted Backdoor Watermark: Towards Harmless and Stealthy Dataset Copyright Protection.\n  [[pdf]](https:\u002F\u002Fwww.researchgate.net\u002Fpublication\u002F363766436_Untargeted_Backdoor_Watermark_Towards_Harmless_and_Stealthy_Dataset_Copyright_Protection)\n  [[code]](https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002FUntargeted_Backdoor_Watermark)\n  - Yiming Li, Yang Bai, Yong Jiang, Yong Yang, Shu-Tao Xia, and Bo Li. 
*NeurIPS*, 2022.\n\n- DEFEAT: Deep Hidden Feature Backdoor Attacks by Imperceptible Perturbation and Latent Representation Constraints.\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2022\u002Fpapers\u002FZhao_DEFEAT_Deep_Hidden_Feature_Backdoor_Attacks_by_Imperceptible_Perturbation_and_CVPR_2022_paper.pdf)\n  - Zhendong Zhao, Xiaojun Chen, Yuexin Xuan, Ye Dong, Dakui Wang, and Kaitai Liang. *CVPR*, 2022.\n\n- Marksman Backdoor: Backdoor Attacks with Arbitrary Target Class.\n  [[pdf]](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper_files\u002Fpaper\u002F2022\u002Ffile\u002Ffa0126bb7ebad258bf4ffdbbac2dd787-Paper-Conference.pdf)\n  - Khoa D Doan, Yingjie Lao, and Ping Li. *NeurIPS*, 2022.\n\n- An Invisible Black-box Backdoor Attack through Frequency Domain.\n  [[pdf]](https:\u002F\u002Fwww.ecva.net\u002Fpapers\u002Feccv_2022\u002Fpapers_ECCV\u002Fpapers\u002F136730396.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSoftWiser-group\u002FFTrojan)\n  - Tong Wang, Yuan Yao, Feng Xu, Shengwei An, Hanghang Tong, and Ting Wang. *ECCV*, 2022.\n\n- BppAttack: Stealthy and Efficient Trojan Attacks against Deep Neural Networks via Image Quantization and Contrastive Adversarial Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.13383.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FRU-System-Software-and-Security\u002FBppAttack)\n  - Zhenting Wang, Juan Zhai, and Shiqing Ma. *CVPR*, 2022.\n \n- Dynamic Backdoor Attacks Against Machine Learning Models. \n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2003.03675.pdf)\n  - Ahmed Salem, Rui Wen, Michael Backes, Shiqing Ma, and Yang Zhang. *EuroS&P*, 2022. \n\n- Imperceptible Backdoor Attack: From Input Space to Feature Representation.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.03190.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FEkko-zn\u002FIJCAI2022-Backdoor)\n  - Nan Zhong, Zhenxing Qian, and Xinpeng Zhang. 
*IJCAI*, 2022.\n\n- Stealthy Backdoor Attack with Adversarial Training.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9746008)\n  - Le Feng, Sheng Li, Zhenxing Qian, and Xinpeng Zhang. *ICASSP*, 2022. \n\n- Invisible and Efficient Backdoor Attacks for Compressed Deep Neural Networks.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9747582)\n  - Huy Phan, Yi Xie, Jian Liu, Yingying Chen, and Bo Yuan. *ICASSP*, 2022.\n\n- Dynamic Backdoors with Global Average Pooling.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2203.02079.pdf)\n  - Stefanos Koffas, Stjepan Picek, and Mauro Conti. *AICAS*, 2022.\n\n- Poison Ink: Robust and Invisible Backdoor Attack.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2108.02488)\n  - Jie Zhang, Dongdong Chen, Qidong Huang, Jing Liao, Weiming Zhang, Huamin Feng, Gang Hua, and Nenghai Yu. *IEEE Transactions on Image Processing*, 2022.\n\n- Enhancing Backdoor Attacks with Multi-Level MMD Regularization.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9743735)\n  - Pengfei Xia, Hongjing Niu, Ziqiang Li, and Bin Li. *IEEE Transactions on Dependable and Secure Computing*, 2022.  \n\n- PTB: Robust Physical Backdoor Attacks against Deep Neural Networks in Real World.\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0167404822001213)\n  - Mingfu Xue, Can He, Yinghao Wu, Shichang Sun, Yushu Zhang, Jian Wang, and Weiqiang Liu. *Computers & Security*, 2022.\n\n- IBAttack: Being Cautious about Data Labels.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9891832\u002F)\n  - Akshay Agarwal, Richa Singh, Mayank Vatsa, and Nalini Ratha. 
*IEEE Transactions on Artificial Intelligence*, 2022.\n\n- BlindNet Backdoor: Attack on Deep Neural Network using Blind Watermark.\n  [[link]](https:\u002F\u002Flink.springer.com\u002Farticle\u002F10.1007\u002Fs11042-021-11135-0)\n  - Hyun Kwon and Yongchul Kim. *Multimedia Tools and Applications*, 2022.\n\n- Natural Backdoor Attacks on Deep Neural Networks via Raindrops.\n  [[link]](https:\u002F\u002Fwww.hindawi.com\u002Fjournals\u002Fscn\u002F2022\u002F4593002\u002F)\n  - Feng Zhao, Li Zhou, Qi Zhong, Rushi Lan, and Leo Yu Zhang. *Security and Communication Networks*, 2022.\n\n- Dispersed Pixel Perturbation-based Imperceptible Backdoor Trigger for Image Classifier Models. \n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.09336.pdf)\n  - Yulong Wang, Minghui Zhao, Shenghong Li, Xin Yuan, and Wei Ni. arXiv, 2022.\n\n- FRIB: Low-poisoning Rate Invisible Backdoor Attack based on Feature Repair.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.12863.pdf)\n  - Hui Xia, Xiugui Yang, Xiangyun Qian, and Rui Zhang. arXiv, 2022. \n\n- Augmentation Backdoors.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2209.15139.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fslkdfjslkjfd\u002Faugmentation_backdoors)\n  - Joseph Rance, Yiren Zhao, Ilia Shumailov, and Robert Mullins. arXiv, 2022. \n\n- Just Rotate it: Deploying Backdoor Attacks via Rotation Transformation.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.10825.pdf)\n  - Tong Wu, Tianhao Wang, Vikash Sehwag, Saeed Mahloujifar, and Prateek Mittal. arXiv, 2022. \n\n- Natural Backdoor Datasets.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.10673.pdf)\n  - Emily Wenger, Roma Bhattacharjee, Arjun Nitin Bhagoji, Josephine Passananti, Emilio Andere, Haitao Zheng, and Ben Y. Zhao. arXiv, 2022.  
\n\n- Enhancing Clean Label Backdoor Attack with Two-phase Specific Triggers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.04881.pdf)\n  - Nan Luo, Yuanzhang Li, Yajie Wang, Shangbo Wu, Yu-an Tan, and Quanxin Zhang. arXiv, 2022.\n\n- Circumventing Backdoor Defenses That Are Based on Latent Separability.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.13613.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUnispac\u002FCircumventing-Backdoor-Defenses)\n  - Xiangyu Qi, Tinghao Xie, Saeed Mahloujifar, and Prateek Mittal. arXiv, 2022.\n\n- Narcissus: A Practical Clean-Label Backdoor Attack with Limited Information.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2204.05255.pdf)\n  - Yi Zeng, Minzhou Pan, Hoang Anh Just, Lingjuan Lyu, Meikang Qiu, and Ruoxi Jia. arXiv, 2022.\n\n- CASSOCK: Viable Backdoor Attacks against DNN in The Wall of Source-Specific Backdoor Defences.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.00145.pdf)\n  - Shang Wang, Yansong Gao, Anmin Fu, Zhi Zhang, Yuqing Zhang, and Willy Susilo. arXiv, 2022.\n\n- Trojan Horse Training for Breaking Defenses against Backdoor Attacks in Deep Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2203.15506.pdf)\n  - Arezoo Rajabi, Bhaskar Ramasubramanian, and Radha Poovendran. arXiv, 2022.\n\n- Label-Smoothed Backdoor Attack.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.11203.pdf)\n  - Minlong Peng, Zidi Xiong, Mingming Sun, and Ping Li. arXiv, 2022.\n\n- Imperceptible and Multi-channel Backdoor Attack against Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.13164.pdf)\n  - Mingfu Xue, Shifeng Ni, Yinghao Wu, Yushu Zhang, Jian Wang, and Weiqiang Liu. arXiv, 2022.\n\n- Compression-Resistant Backdoor Attack against Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.00672.pdf)\n  - Mingfu Xue, Xin Wang, Shichang Sun, Yushu Zhang, Jian Wang, and Weiqiang Liu. 
arXiv, 2022.\n\n\n#### 2021 \n- Invisible Backdoor Attack with Sample-Specific Triggers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.03816.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fyuezunli\u002FISSBA)\n  - Yuezun Li, Yiming Li, Baoyuan Wu, Longkang Li, Ran He, and Siwei Lyu. *ICCV*, 2021.\n\n- Manipulating SGD with Data Ordering Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.09667.pdf)\n  - Ilia Shumailov, Zakhar Shumaylov, Dmitry Kazhdan, Yiren Zhao, Nicolas Papernot, Murat A. Erdogdu, and Ross Anderson. *NeurIPS*, 2021.\n\n- Backdoor Attack with Imperceptible Input and Latent Modification.\n  [[pdf]](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper\u002F2021\u002Ffile\u002F9d99197e2ebf03fc388d09f1e94af89b-Paper.pdf)\n  - Khoa Doan, Yingjie Lao, and Ping Li. *NeurIPS*, 2021.\n\n- LIRA: Learnable, Imperceptible and Robust Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FICCV2021\u002Fpapers\u002FDoan_LIRA_Learnable_Imperceptible_and_Robust_Backdoor_Attacks_ICCV_2021_paper.pdf)\n  - Khoa Doan, Yingjie Lao, Weijie Zhao, and Ping Li. *ICCV*, 2021.\n\n- Blind Backdoors in Deep Learning Models. \n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2005.03823.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Febagdasa\u002Fbackdoors101)\n  - Eugene Bagdasaryan, and Vitaly Shmatikov. *USENIX Security*, 2021.\n\n- Backdoor Attacks Against Deep Learning Systems in the Physical World.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.14580.pdf)\n  [[Master Thesis]](https:\u002F\u002Fnewtraell.cs.uchicago.edu\u002Ffiles\u002Fms_paper\u002Fewillson.pdf)\n  - Emily Wenger, Josephine Passananti, Yuanshun Yao, Haitao Zheng, and Ben Y. Zhao. 
*CVPR*, 2021.\n\n- Deep Feature Space Trojan Attack of Neural Networks by Controlled Detoxification.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.11212.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FMegum1\u002FDFST)\n  - Siyuan Cheng, Yingqi Liu, Shiqing Ma, and Xiangyu Zhang. *AAAI*, 2021.\n\n- WaNet - Imperceptible Warping-based Backdoor Attack.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=eEn8KTtJOx)\n  [[code]](https:\u002F\u002Fgithub.com\u002FVinAIResearch\u002FWarping-based_Backdoor_Attack-release)\n  - Tuan Anh Nguyen, and Anh Tuan Tran. *ICLR*, 2021.\n\n- AdvDoor: Adversarial Backdoor Attack of Deep Learning System.\n  [[pdf]](http:\u002F\u002Fwww.wingtecher.com\u002Fthemes\u002FWingTecherResearch\u002Fassets\u002Fpapers\u002Fissta21_learning.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FAdvDoor\u002FAdvDoor)\n  - Quan Zhang, Yifeng Ding, Yongqiang Tian, Jianmin Guo, Min Yuan, and Yu Jiang. *ISSTA*, 2021.\n\n- Invisible Poison: A Blackbox Clean Label Backdoor Attack to Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Fwww.lions.odu.edu\u002F~h1wu\u002Fpaper\u002Finfocom21.pdf)\n  - Rui Ning, Jiang Li, ChunSheng Xin, and Hongyi Wu. *INFOCOM*, 2021.\n\n- Backdoor Attack in the Physical World. \n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.02361.pdf)\n  [[extension]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.04692.pdf)\n  - Yiming Li, Tongqing Zhai, Yong Jiang, Zhifeng Li, and Shu-Tao Xia. *ICLR Workshop*, 2021.\n\n- Defense-Resistant Backdoor Attacks against Deep Neural Networks in Outsourced Cloud Environment.\n  [[Link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9450029\u002Fauthors#authors)\n  - Xueluan Gong, Yanjiao Chen, Qian Wang, Huayang Huang, Lingshuo Meng, Chao Shen, and Qian Zhang. 
*IEEE Journal on Selected Areas in Communications*, 2021.\n\n- A Master Key Backdoor for Universal Impersonation Attack against DNN-based Face Verification.\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0167865521000210)\n  - Wei Guo, Benedetta Tondi, and Mauro Barni. *Pattern Recognition Letters*, 2021.\n \n- Backdoors Hidden in Facial Features: A Novel Invisible Backdoor Attack against Face Recognition Systems.\n  [[link]](https:\u002F\u002Flink.springer.com\u002Farticle\u002F10.1007\u002Fs12083-020-01031-z)\n  - Mingfu Xue, Can He, Jian Wang, and Weiqiang Liu. *Peer-to-Peer Networking and Applications*, 2021. \n\n- Use Procedural Noise to Achieve Backdoor Attack.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9529206)\n  [[code]](https:\u002F\u002Fgithub.com\u002F928082786\u002Fpnoiseattack)\n  - Xuan Chen, Yuena Ma, and Shiwei Lu. *IEEE Access*, 2021.\n\n- A Multitarget Backdooring Attack on Deep Neural Networks with Random Location Trigger.\n  [[link]](https:\u002F\u002Fonlinelibrary.wiley.com\u002Fdoi\u002Fabs\u002F10.1002\u002Fint.22785)\n  - Xiao Yu, Cong Liu, Mingwen Zheng, Yajie Wang, Xinrui Liu, Shuxiao Song, Yuexuan Ma, and Jun Zheng. *International Journal of Intelligent Systems*, 2021.\n\n- Simtrojan: Stealthy Backdoor Attack.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fstamp\u002Fstamp.jsp?tp=&arnumber=9506313)\n  - Yankun Ren, Longfei Li, and Jun Zhou. *ICIP*, 2021.\n\n- A Statistical Difference Reduction Method for Escaping Backdoor Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.05077.pdf)\n  - Pengfei Xia, Hongjing Niu, Ziqiang Li, and Bin Li. arXiv, 2021.\n\n- Backdoor Attack through Frequency Domain.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.10991.pdf)\n  - Tong Wang, Yuan Yao, Feng Xu, Shengwei An, and Ting Wang. arXiv, 2021.\n\n- Check Your Other Door! 
Establishing Backdoor Attacks in the Frequency Domain.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.05507.pdf)\n  - Hasan Abed Al Kader Hammoud and Bernard Ghanem. arXiv, 2021.\n\n- Sleeper Agent: Scalable Hidden Trigger Backdoors for Neural Networks Trained from Scratch.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.08970.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fhsouri\u002FSleeper-Agent)\n  - Hossein Souri, Micah Goldblum, Liam Fowl, Rama Chellappa, and Tom Goldstein. arXiv, 2021.\n \n- RABA: A Robust Avatar Backdoor Attack on Deep Neural Network.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.01026.pdf)\n  - Ying He, Zhili Shen, Chang Xia, Jingyu Hua, Wei Tong, and Sheng Zhong. arXiv, 2021.\n\n- Robust Backdoor Attacks against Deep Neural Networks in Real Physical World.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.07395.pdf)\n  - Mingfu Xue, Can He, Shichang Sun, Jian Wang, and Weiqiang Liu. arXiv, 2021.\n \n\n#### 2020\n- Composite Backdoor Attack for Deep Neural Network by Mixing Existing Benign Features.\n  [[pdf]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fpdf\u002F10.1145\u002F3372297.3423362)\n  - Junyu Lin, Lei Xu, Yingqi Liu, and Xiangyu Zhang. *CCS*, 2020.\n\n- Input-Aware Dynamic Backdoor Attack. \n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.08138.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FVinAIResearch\u002Finput-aware-backdoor-attack-release)\n  - Anh Nguyen, and Anh Tran. *NeurIPS*, 2020.\n\n- Bypassing Backdoor Detection Algorithms in Deep Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1905.13409.pdf)\n  - Te Juin Lester Tan, and Reza Shokri. *EuroS&P*, 2020.\n\n- Backdoor Embedding in Convolutional Neural Network Models via Invisible Perturbation.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1808.10307.pdf)\n  - Cong Liao, Haoti Zhong, Anna Squicciarini, Sencun Zhu, and David Miller. 
*ACM CODASPY*, 2020.\n\n- Clean-Label Backdoor Attacks on Video Recognition Models.\n  [[pdf]](http:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent_CVPR_2020\u002Fpapers\u002FZhao_Clean-Label_Backdoor_Attacks_on_Video_Recognition_Models_CVPR_2020_paper.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FShihaoZhaoZSH\u002FVideo-Backdoor-Attack)\n  - Shihao Zhao, Xingjun Ma, Xiang Zheng, James Bailey, Jingjing Chen, and Yu-Gang Jiang. *CVPR*, 2020.\n\n- Escaping Backdoor Attack Detection of Deep Learning.\n  [[link]](https:\u002F\u002Flink.springer.com\u002Fchapter\u002F10.1007\u002F978-3-030-58201-2_29)\n  - Yayuan Xiong, Fengyuan Xu, Sheng Zhong, and Qun Li. *IFIP SEC*, 2020.\n\n- Reflection Backdoor: A Natural Backdoor Attack on Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.02343.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FDreamtaleCore\u002FRefool)\n  - Yunfei Liu, Xingjun Ma, James Bailey, and Feng Lu. *ECCV*, 2020.\n\n- Live Trojan Attacks on Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.11370.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Frobbycostales\u002Flive-trojans)\n  - Robby Costales, Chengzhi Mao, Raphael Norwitz, Bryan Kim, and Junfeng Yang. *CVPR Workshop*, 2020.\n\n- Backdooring and Poisoning Neural Networks with Image-Scaling Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2003.08633.pdf)\n  - Erwin Quiring, and Konrad Rieck. *IEEE S&P Workshop*, 2020.\n\n- One-to-N & N-to-One: Two Advanced Backdoor Attacks against Deep Learning Models.\n  [[pdf]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9211729)\n  - Mingfu Xue, Can He, Jian Wang, and Weiqiang Liu. 
*IEEE Transactions on Dependable and Secure Computing*, 2020.\n\n- Invisible Backdoor Attacks on Deep Neural Networks via Steganography and Regularization.\n  [[pdf]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9186317\u002F)\n  [[arXiv Version (2019)]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1909.02742.pdf)\n  - Shaofeng Li, Minhui Xue, Benjamin Zi Hao Zhao, Haojin Zhu, and Xinpeng Zhang. *IEEE Transactions on Dependable and Secure Computing*, 2020.\n\n\n- HaS-Nets: A Heal and Select Mechanism to Defend DNNs Against Backdoor Attacks for Data Collection Scenarios.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.07474.pdf)\n  - Hassan Ali, Surya Nepal, Salil S. Kanhere, and Sanjay Jha. arXiv, 2020.\n\n- FaceHack: Triggering Backdoored Facial Recognition Systems Using Facial Characteristics.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.11623.pdf)\n  - Esha Sarkar, Hadjer Benkraouda, and Michail Maniatakos. arXiv, 2020.\n\n- Light Can Hack Your Face! Black-box Backdoor Attack on Face Recognition Systems.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2009.06996.pdf)\n  - Haoliang Li, Yufei Wang, Xiaofei Xie, Yang Liu, Shiqi Wang, Renjie Wan, Lap-Pui Chau, and Alex C. Kot. arXiv, 2020.\n\n\n#### 2019\n- A New Backdoor Attack in CNNS by Training Set Corruption Without Label Poisoning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1902.11237.pdf)\n  - M.Barni, K.Kallas, and B.Tondi. *ICIP*, 2019.\n  \n- Label-Consistent Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1912.02771.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FMadryLab\u002Flabel-consistent-backdoor-code)\n  - Alexander Turner, Dimitris Tsipras, and Aleksander Madry. 
arXiv, 2019.\n\n#### 2018\n- Trojaning Attack on Neural Networks.\n  [[pdf]](https:\u002F\u002Fdocs.lib.purdue.edu\u002Fcgi\u002Fviewcontent.cgi?referer=&httpsredir=1&article=2782&context=cstech)\n  [[code]](https:\u002F\u002Fgithub.com\u002FPurduePAML\u002FTrojanNN)\n  - Yingqi Liu, Shiqing Ma, Yousra Aafer, Wen-Chuan Lee, and Juan Zhai. *NDSS*, 2018.\n \n#### 2017\n- BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1708.06733.pdf)\n  [[journal]](https:\u002F\u002Fieeexplore.ieee.org\u002Fstamp\u002Fstamp.jsp?tp=&arnumber=8685687)\n  - Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. arXiv, 2017 (*IEEE Access*, 2019).\n\n- Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1712.05526.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FGeorgePisl\u002Fbackdoor-attacks-based-on-deep-learning)\n  - Xinyun Chen, Chang Liu, Bo Li, Kimberly Lu, and Dawn Song. arXiv, 2017.  \n\n### Non-poisoning-based Attack \n#### Weights-oriented Attack\n- Handcrafted Backdoors in Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=6yuil2_tn9a)\n  - Sanghyun Hong, Nicholas Carlini, and Alexey Kurakin. *NeurIPS*, 2022. \n\n- Hardly Perceptible Trojan Attack against Neural Networks with Bit Flips.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.13417.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fjiawangbai\u002FHPT)\n  - Jiawang Bai, Kuofeng Gao, Dihong Gong, Shu-Tao Xia, Zhifeng Li, and Wei Liu. *ECCV*, 2022.\n\n- ProFlip: Targeted Trojan Attack with Progressive Bit Flips. \n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FICCV2021\u002Fpapers\u002FChen_ProFlip_Targeted_Trojan_Attack_With_Progressive_Bit_Flips_ICCV_2021_paper.pdf)\n  - Huili Chen, Cheng Fu, Jishen Zhao, and Farinaz Koushanfar. 
*ICCV*, 2021.\n\n- TBT: Targeted Neural Network Attack with Bit Trojan.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fabs\u002F1909.05193)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fadnansirajrakin\u002FTBT-CVPR2020)\n  - Adnan Siraj Rakin, Zhezhi He, and Deliang Fan. *CVPR*, 2020.\n\n- How to Inject Backdoors with Better Consistency: Logit Anchoring on Clean Data.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.01300.pdf)\n  - Zhiyuan Zhang, Lingjuan Lyu, Weiqiang Wang, Lichao Sun, and Xu Sun. *ICLR*, 2022.\n\n- Can Adversarial Weight Perturbations Inject Neural Backdoors?\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2008.01761.pdf)\n  - Siddhant Garg, Adarsh Kumar, Vibhor Goel, and Yingyu Liang. *CIKM*, 2020.\n\n- Versatile Weight Attack via Flipping Limited Bits.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.12405.pdf)\n  - Jiawang Bai, Baoyuan Wu, Zhifeng Li, and Shu-Tao Xia. arXiv, 2022.\n\n- Toward Realistic Backdoor Injection Attacks on DNNs using Rowhammer.\n  [[pdf]](https:\u002F\u002Fwww.researchgate.net\u002Fprofile\u002FSaad-Islam-3\u002Fpublication\u002F355367637_Toward_Realistic_Backdoor_Injection_Attacks_on_DNNs_using_Rowhammer\u002Flinks\u002F62222bd93c53d31ba4a674a5\u002FToward-Realistic-Backdoor-Injection-Attacks-on-DNNs-using-Rowhammer.pdf)\n  - M. Caner Tol, Saad Islam, Berk Sunar, and Ziming Zhang. 2022.\n\n- TrojanNet: Embedding Hidden Trojan Horse Models in Neural Network.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.10078.pdf)\n  - Chuan Guo, Ruihan Wu, and Kilian Q. Weinberger. arXiv, 2020.\n\n- Backdooring Convolutional Neural Networks via Targeted Weight Perturbations.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1812.03128.pdf)\n  - Jacob Dumford, and Walter Scheirer. 
arXiv, 2018.\n \n \n#### Structure-modified Attack\n- LoneNeuron: a Highly-Effective Feature-Domain Neural Trojan Using Invisible and Polymorphic Watermarks.\n  [[pdf]](https:\u002F\u002Fwww.ittc.ku.edu\u002F~bluo\u002Fdownload\u002Fliu2022ccs.pdf)\n  - Zeyan Liu, Fengjun Li, Zhu Li, and Bo Luo. *CCS*, 2022.\n\n- Towards Practical Deployment-Stage Backdoor Attack on Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.12965.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUnispac\u002FSubnet-Replacement-Attack)\n  - Xiangyu Qi, Tinghao Xie, Ruizhe Pan, Jifeng Zhu, Yong Yang, and Kai Bu. *CVPR*, 2022.\n\n\n- Hiding Needles in a Haystack: Towards Constructing Neural Networks that Evade Verification.\n  [[link]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002F10.1145\u002F3531536.3532966)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fszegedai\u002Fhiding-needles-in-a-haystack)\n  - Árpád Berta, Gábor Danner, István Hegedűs and Márk Jelasity. *ACM IH&MMSec*, 2022.\n\n- Stealthy and Flexible Trojan in Deep Learning Framework.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9747995)\n  - Yajie Wang, Kongyang Chen, Yu-An Tan, Shuxin Huang, Wencong Ma, and Yuanzhang Li. *IEEE Transactions on Dependable and Secure Computing*, 2022.\n\n- FooBaR: Fault Fooling Backdoor Attack on Neural Network Training.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fdocument\u002F9756234)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fmartin-ochoa\u002Ffoobar)\n  - Jakub Breier, Xiaolu Hou, Martín Ochoa and Jesus Solano. *IEEE Transactions on Dependable and Secure Computing*, 2022.\n\n\n- DeepPayload: Black-box Backdoor Attack on Deep Learning Models through Neural Payload Injection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2101.06896.pdf)\n  - Yuanchun Li, Jiayi Hua, Haoyu Wang, Chunyang Chen, and Yunxin Liu. 
*ICSE*, 2021.\n \n- An Embarrassingly Simple Approach for Trojan Attack in Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.08131.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Ftrx14\u002FTrojanNet)\n  - Ruixiang Tang, Mengnan Du, Ninghao Liu, Fan Yang, and Xia Hu. *KDD*, 2020.\n\n- BadRes: Reveal the Backdoors through Residual Connection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2209.07125.pdf)\n  - Mingrui He, Tianyu Chen, Haoyi Zhou, Shanghang Zhang, and Jianxin Li. arXiv, 2022.\n\n- Architectural Backdoors in Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.07840.pdf)\n  - Mikel Bober-Irizar, Ilia Shumailov, Yiren Zhao, Robert Mullins, and Nicolas Papernot. arXiv, 2022.\n\n- Planting Undetectable Backdoors in Machine Learning Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2204.06974.pdf)\n  - Shafi Goldwasser, Michael P. Kim, Vinod Vaikuntanathan, and Or Zamir. arXiv, 2022.\n\n\n\n#### Other Attacks\n- ImpNet: Imperceptible and blackbox-undetectable backdoors in compiled neural networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2210.00108.pdf)\n  [[website]](https:\u002F\u002Fmlbackdoors.soc.srcf.net)\n  [[code]](https:\u002F\u002Fgit.sr.ht\u002F~tim-clifford\u002Fimpnet_source)\n  - Tim Clifford, Ilia Shumailov, Yiren Zhao, Ross Anderson, and Robert Mullins. arXiv, 2022.\n\n- Don't Trigger Me! A Triggerless Backdoor Attack Against Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.03282.pdf)\n  - Ahmed Salem, Michael Backes, and Yang Zhang. arXiv, 2020.\n\n\n  \n### Backdoor Defense\n#### Preprocessing-based Empirical Defense\n- Backdoor Attack in the Physical World. \n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.02361.pdf)\n  [[extension]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.04692.pdf)\n  - Yiming Li, Tongqing Zhai, Yong Jiang, Zhifeng Li, and Shu-Tao Xia. 
*ICLR Workshop*, 2021.\n\n- DeepSweep: An Evaluation Framework for Mitigating DNN Backdoor Attacks using Data Augmentation.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.07006.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FYiZeng623\u002FDeepSweep)\n  - Han Qiu, Yi Zeng, Shangwei Guo, Tianwei Zhang, Meikang Qiu, and Bhavani Thuraisingham. *AsiaCCS*, 2021.\n\n- Februus: Input Purification Defense Against Trojan Attacks on Deep Neural Network Systems.\n  [[pdf]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fpdf\u002F10.1145\u002F3427228.3427264)\n  [[code]](https:\u002F\u002Ffebruustrojandefense.github.io\u002F)\n  - Bao Gia Doan, Ehsan Abbasnejad, and Damith C. Ranasinghe. *ACSAC*, 2020.\n\n- Neural Trojans.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1710.00942.pdf)\n  - Yuntao Liu, Yang Xie, and Ankur Srivastava. *ICCD*, 2017.\n\n- Defending Deep Neural Networks against Backdoor Attack by Using De-trigger Autoencoder.\n  [[pdf]](https:\u002F\u002Fieeexplore.ieee.org\u002Fstamp\u002Fstamp.jsp?tp=&arnumber=9579062)\n  - Hyun Kwon. *IEEE Access*, 2021.\n\n- ConFoc: Content-Focus Protection Against Trojan Attacks on Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.00711.pdf)\n  - Miguel Villarreal-Vasquez, and Bharat Bhargava. arXiv, 2021.\n  \n- Model Agnostic Defense against Backdoor Attacks in Machine Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1908.02203.pdf)\n  - Sakshi Udeshi, Shanshan Peng, Gerald Woo, Lionell Loh, Louth Rawshan, and Sudipta Chattopadhyay. arXiv, 2019.\n\n#### Model Reconstruction based Empirical Defense\n- Backdoor Cleansing with Unlabeled Data.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2211.12044.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fluluppang\u002FBCU)\n  - Lu Pang, Tao Sun, Haibin Ling, and Chao Chen. 
*CVPR*, 2023.\n\n- Adversarial Unlearning of Backdoors via Implicit Hypergradient.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.03735.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FYiZeng623\u002FI-BAU_Adversarial_Unlearning_of-Backdoors_via_implicit_Hypergradient)\n  - Yi Zeng, Si Chen, Won Park, Z. Morley Mao, Ming Jin, and Ruoxi Jia. *ICLR*, 2022.\n\n- Data-free Backdoor Removal based on Channel Lipschitzness.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.03111.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Frkteddy\u002Fchannel-Lipschitzness-based-pruning)\n  - Runkai Zheng, Rongjun Tang, Jianze Li, and Li Liu. *ECCV*, 2022.\n\n- Eliminating Backdoor Triggers for Deep Neural Networks Using Attention Relation Graph Distillation.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2204.09975.pdf)\n  - Jun Xia, Ting Wang, Jieping Ding, Xian Wei, and Mingsong Chen. *IJCAI*, 2022.\n\n- Pre-activation Distributions Expose Backdoor Neurons.\n  [[pdf]](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper_files\u002Fpaper\u002F2022\u002Ffile\u002F76917808731dae9e6d62c2a7a6afb542-Paper-Conference.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FRJ-T\u002FNIPS2022_EP_BNP)\n  - Runkai Zheng, Rongjun Tang, Jianze Li, and Li Liu. *NeurIPS*, 2022.\n\n- Adversarial Neuron Pruning Purifies Backdoored Deep Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.14430.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fcsdongxian\u002FANP_backdoor)\n  - Dongxian Wu and Yisen Wang. *NeurIPS*, 2021.\n\n- Neural Attention Distillation: Erasing Backdoor Triggers from Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=9l0K4OM-oXE)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fbboylyg\u002FNAD)\n  - Yige Li, Xingjun Ma, Nodens Koren, Lingjuan Lyu, Xixiang Lyu, and Bo Li. 
*ICLR*, 2021.\n\n- Interpretability-Guided Defense against Backdoor Attacks to Deep Neural Networks.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9530722\u002F)\n  - Wei Jiang, Xiangyu Wen, Jinyu Zhan, Xupeng Wang, and Ziwei Song. *IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems*, 2021.\n\n- Boundary augment: A data augment method to defend poison attack.\n  [[link]](https:\u002F\u002Fietresearch.onlinelibrary.wiley.com\u002Fdoi\u002Ffull\u002F10.1049\u002Fipr2.12325)\n  - Xuan Chen, Yuena Ma, Shiwei Lu, and Yu Yao. *IET Image Processing*, 2021.\n\n- Bridging Mode Connectivity in Loss Landscapes and Adversarial Robustness.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2005.00060.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FIBM\u002Fmodel-sanitization)\n  - Pu Zhao, Pin-Yu Chen, Payel Das, Karthikeyan Natesan Ramamurthy, and Xue Lin. *ICLR*, 2020.\n\n- Fine-Pruning: Defending Against Backdooring Attacks on Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1805.12185.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fkangliucn\u002FFine-pruning-defense)\n  - Kang Liu, Brendan Dolan-Gavitt, and Siddharth Garg. *RAID*, 2018.   \n\n- Neural Trojans.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1710.00942.pdf)\n  - Yuntao Liu, Yang Xie, and Ankur Srivastava. *ICCD*, 2017.\n\n- Test-time Adaptation of Residual Blocks against Poisoning and Backdoor Attacks. \n  [[pdf]](https:\u002F\u002Fartofrobust.github.io\u002Fshort_paper\u002F15.pdf)\n  - Arnav Gudibande, Xinyun Chen, Yang Bai, Jason Xiong, and Dawn Song. *CVPR Workshop*, 2022.\n\n- Disabling Backdoor and Identifying Poison Data by using Knowledge Distillation in Backdoor Attacks on Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fpdf\u002F10.1145\u002F3411508.3421375)\n  - Kota Yoshida, and Takeshi Fujino. 
*CCS Workshop*, 2020.\n\n- Defending against Backdoor Attack on Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.12162.pdf)\n  - Hao Cheng, Kaidi Xu, Sijia Liu, Pin-Yu Chen, Pu Zhao, and Xue Lin. *KDD Workshop*, 2019.\n\n- Defense against Backdoor Attacks via Identifying and Purifying Bad Neurons.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.06537.pdf)\n  - Mingyuan Fan, Yang Liu, Cen Chen, Ximeng Liu, and Wenzhong Guo. arXiv, 2022.\n\n- Turning a Curse Into a Blessing: Enabling Clean-Data-Free Defenses by Model Inversion.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.07018.pdf)\n  - Si Chen, Yi Zeng, Won Park, and Ruoxi Jia. arXiv, 2022.\n\n- Adversarial Fine-tuning for Backdoor Defense: Connect Adversarial Examples to Triggered Samples.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.06312.pdf)\n  - Bingxu Mu, Le Wang, and Zhenxing Niu. arXiv, 2022.\n\n- Neural Network Laundering: Removing Black-Box Backdoor Watermarks from Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.11368.pdf)\n  - William Aiken, Hyoungshick Kim, and Simon Woo. arXiv, 2020.\n\n- HaS-Nets: A Heal and Select Mechanism to Defend DNNs Against Backdoor Attacks for Data Collection Scenarios.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.07474.pdf)\n  - Hassan Ali, Surya Nepal, Salil S. Kanhere, and Sanjay Jha. arXiv, 2020.\n\n\n#### Trigger Synthesis based Empirical Defense\n- Distilling Cognitive Backdoor Patterns within an Image.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=S3D9NLzjnQ5)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHanxunH\u002FCognitiveDistillation)\n  - Hanxun Huang, Xingjun Ma, Sarah Monazam Erfani, and James Bailey. 
*ICLR*, 2023.\n\n- UNICORN: A Unified Backdoor Trigger Inversion Framework.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=Mj7K4lglGyj)\n  [[code]](https:\u002F\u002Fgithub.com\u002FRU-System-Software-and-Security\u002FUNICORN)\n  - Zhenting Wang, Kai Mei, Juan Zhai, and Shiqing Ma. *ICLR*, 2023.\n\n- Quarantine: Sparsity Can Uncover the Trojan Attack Trigger for Free.\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2022\u002Fpapers\u002FChen_Quarantine_Sparsity_Can_Uncover_the_Trojan_Attack_Trigger_for_Free_CVPR_2022_paper.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FVITA-Group\u002FBackdoor-LTH)\n  - Tianlong Chen, Zhenyu Zhang, Yihua Zhang, Shiyu Chang, Sijia Liu, and Zhangyang Wang. *CVPR*, 2022.\n\n- Better Trigger Inversion Optimization in Backdoor Scanning.\n  [[pdf]](https:\u002F\u002Fwww.cs.purdue.edu\u002Fhomes\u002Ftaog\u002Fdocs\u002FCVPR22_Tao.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FGwinhen\u002FPixelBackdoor)\n  - Guanhong Tao, Guangyu Shen, Yingqi Liu, Shengwei An, Qiuling Xu, Shiqing Ma, Pan Li, and Xiangyu Zhang. *CVPR*, 2022.\n\n- Few-shot Backdoor Defense Using Shapley Estimation.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2112.14889.pdf)\n  - Jiyang Guan, Zhuozhuo Tu, Ran He, and Dacheng Tao. *CVPR*, 2022.\n\n- Rethinking the Reverse-engineering of Trojan Triggers.\n  [[pdf]](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper_files\u002Fpaper\u002F2022\u002Ffile\u002F3f9bf45ea04c98ad7cb857f951f499e2-Paper-Conference.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FRU-System-Software-and-Security\u002FFeatureRE)\n  - Zhenting Wang, Kai Mei, Hailun Ding, Juan Zhai, and Shiqing Ma. *NeurIPS*, 2022.\n\n- One-shot Neural Backdoor Erasing via Adversarial Weight Masking.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.04497)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fjinghuichen\u002FAWM)\n  - Shuwen Chai and Jinghui Chen. 
*NeurIPS*, 2022.\n\n- AEVA: Black-box Backdoor Detection Using Adversarial Extreme Value Analysis.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.14880.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FJunfengGo\u002FAEVA-Blackbox-Backdoor-Detection-main)\n  - Junfeng Guo, Ang Li, and Cong Liu. *ICLR*, 2022.\n\n- Trigger Hunting with a Topological Prior for Trojan Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.08335.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHuXiaoling\u002FTopoTrigger)\n  - Xiaoling Hu, Xiao Lin, Michael Cogswell, Yi Yao, Susmit Jha, and Chao Chen. *ICLR*, 2022.\n\n- Backdoor Defense with Machine Unlearning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.09538.pdf)\n  - Yang Liu, Mingyuan Fan, Cen Chen, Ximeng Liu, Zhuo Ma, Li Wang, and Jianfeng Ma. *INFOCOM*, 2022.\n\n- Black-box Detection of Backdoor Attacks with Limited Information and Data.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.13127.pdf)\n  - Yinpeng Dong, Xiao Yang, Zhijie Deng, Tianyu Pang, Zihao Xiao, Hang Su, and Jun Zhu. *ICCV*, 2021.\n\n- Backdoor Scanning for Deep Neural Networks through K-Arm Optimization.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2102.05123.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FPurduePAML\u002FK-ARM_Backdoor_Optimization)\n  - Guangyu Shen, Yingqi Liu, Guanhong Tao, Shengwei An, Qiuling Xu, Siyuan Cheng, Shiqing Ma, and Xiangyu Zhang. *ICML*, 2021.\n\n- Towards Inspecting and Eliminating Trojan Backdoors in Deep Neural Networks.\n  [[pdf]](http:\u002F\u002Fwww.personal.psu.edu\u002Fwzg13\u002Fpublications\u002Ficdm20.pdf)\n  [[previous version]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1908.01763.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUsmannK\u002FTABOR)\n  - Wenbo Guo, Lun Wang, Xinyu Xing, Min Du, and Dawn Song. 
*ICDM*, 2020.\n\n- GangSweep: Sweep out Neural Backdoors by GAN.\n  [[pdf]](https:\u002F\u002Fwww.lions.odu.edu\u002F~h1wu\u002Fpaper\u002Fgangsweep.pdf)\n  - Liuwan Zhu, Rui Ning, Cong Wang, Chunsheng Xin, and Hongyi Wu. *ACM MM*, 2020.\n\n- Detection of Backdoors in Trained Classifiers Without Access to the Training Set.\n  [[pdf]](http:\u002F\u002Farxiv.org\u002Fpdf\u002F1908.10498)\n  - Z Xiang, DJ Miller, and G Kesidis. *IEEE Transactions on Neural Networks and Learning Systems*, 2020.\n\n- Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks.\n  [[pdf]](https:\u002F\u002Fgangw.web.illinois.edu\u002Fclass\u002Fcs598\u002Fpapers\u002Fsp19-poisoning-backdoor.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fbolunwang\u002Fbackdoor)\n  - Bolun Wang, Yuanshun Yao, Shawn Shan, Huiying Li, Bimal Viswanath, Haitao Zheng, Ben Y. Zhao. *IEEE S&P*, 2019.\n\n- Defending Neural Backdoors via Generative Distribution Modeling.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1910.04749.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fsuperrrpotato\u002FDefending-Neural-Backdoors-via-Generative-Distribution-Modeling)\n  - Ximing Qiao, Yukun Yang, and Hai Li. *NeurIPS*, 2019.\n\n- DeepInspect: A Black-box Trojan Detection and Mitigation Framework for Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Fwww.ijcai.org\u002Fproceedings\u002F2019\u002F0647.pdf)\n  - Huili Chen, Cheng Fu, Jishen Zhao, Farinaz Koushanfar. *IJCAI*, 2019.\n\n- Identifying Physically Realizable Triggers for Backdoored Face Recognition Networks.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9506564)\n  - Ankita Raj, Ambar Pal, and Chetan Arora. *ICIP*, 2021.\n\n- Revealing Perceptible Backdoors in DNNs Without the Training Set via the Maximum Achievable Misclassification Fraction Statistic.\n  [[pdf]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9231861)\n  - Zhen Xiang, David J. 
Miller, Hang Wang, and George Kesidis. *MLSP*, 2020.\n\n- Adaptive Perturbation Generation for Multiple Backdoors Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2209.05244.pdf)\n  - Yuhang Wang, Huafeng Shi, Rui Min, Ruijia Wu, Siyuan Liang, Yichao Wu, Ding Liang, and Aishan Liu. arXiv, 2022.\n\n- Confidence Matters: Inspecting Backdoors in Deep Neural Networks via Distribution Transfer.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.06592.pdf)\n  - Tong Wang, Yuan Yao, Feng Xu, Miao Xu, Shengwei An, and Ting Wang. arXiv, 2022.\n\n- Defense Against Multi-target Trojan Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.03895.pdf)\n  - Haripriya Harikumar, Santu Rana, Kien Do, Sunil Gupta, Wei Zong, Willy Susilo, and Svetha Venkatesh. arXiv, 2022.\n\n- Model-Contrastive Learning for Backdoor Defense.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.04411)\n  - Zhihao Yue, Jun Xia, Zhiwei Ling, Ting Wang, Xian Wei, and Mingsong Chen. arXiv, 2022.\n\n- CatchBackdoor: Backdoor Testing by Critical Trojan Neural Path Identification via Differential Fuzzing.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2112.13064.pdf)\n  - Haibo Jin, Ruoxi Chen, Jinyin Chen, Yao Cheng, Chong Fu, Ting Wang, Yue Yu, and Zhaoyan Ming. arXiv, 2021.\n\n- Detect and Remove Watermark in Deep Neural Networks via Generative Adversarial Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.08104.pdf)\n  - Haoqi Wang, Mingfu Xue, Shichang Sun, Yushu Zhang, Jian Wang, and Weiqiang Liu. arXiv, 2021.\n\n- TAD: Trigger Approximation based Black-box Trojan Detection for AI.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2102.01815.pdf)\n  - Xinqiao Zhang, Huili Chen, and Farinaz Koushanfar. 
arXiv, 2021.\n\n- Scalable Backdoor Detection in Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.05646.pdf)\n  - Haripriya Harikumar, Vuong Le, Santu Rana, Sourangshu Bhattacharya, Sunil Gupta, and Svetha Venkatesh. arXiv, 2020.\n\n- NNoculation: Broad Spectrum and Targeted Treatment of Backdoored DNNs.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.08313.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fakshajkumarv\u002FNNoculation)\n  - Akshaj Kumar Veldanda, Kang Liu, Benjamin Tan, Prashanth Krishnamurthy, Farshad Khorrami, Ramesh Karri, Brendan Dolan-Gavitt, and Siddharth Garg. arXiv, 2020.\n\n#### Model Diagnosis based Empirical Defense\n- Complex Backdoor Detection by Symmetric Feature Differencing.\n  [[pdf]](https:\u002F\u002Fwww.cs.purdue.edu\u002Fhomes\u002Ftaog\u002Fdocs\u002FCVPR22_Liu.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FPurduePAML\u002FExray)\n  - Yingqi Liu, Guangyu Shen, Guanhong Tao, Zhenting Wang, Shiqing Ma, and Xiangyu Zhang. *CVPR*, 2022.\n\n- Post-Training Detection of Backdoor Attacks for Two-Class and Multi-Attack Scenarios.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.08474.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fzhenxianglance\u002F2ClassBADetection)\n  - Zhen Xiang, David J. Miller, and George Kesidis. *ICLR*, 2022.\n\n- Randomized Channel Shuffling: Minimal-Overhead Backdoor Attack Detection without Clean Datasets.\n  [[pdf]](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper_files\u002Fpaper\u002F2022\u002Ffile\u002Fdb1d5c63576587fc1d40d33a75190c71-Paper-Conference.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FVITA-Group\u002FRandom-Shuffling-BackdoorDetect)\n  - Ruisi Cai, Zhenyu Zhang, Tianlong Chen, Xiaohan Chen, and Zhangyang Wang. 
*NeurIPS*, 2022.\n\n- An Anomaly Detection Approach for Backdoored Neural Networks: Face Recognition as a Case Study.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.10231.pdf)\n  - Alexander Unnervik and Sébastien Marcel. *BIOSIG*, 2022.\n\n- Critical Path-Based Backdoor Detection for Deep Neural Networks.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9882007)\n  - Wei Jiang, Xiangyu Wen, Jinyu Zhan, Xupeng Wang, Ziwei Song, and Chen Bian. *IEEE Transactions on Neural Networks and Learning Systems*, 2022.\n\n- Detecting AI Trojans Using Meta Neural Analysis.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1910.03137.pdf)\n  - Xiaojun Xu, Qi Wang, Huichen Li, Nikita Borisov, Carl A. Gunter, and Bo Li. *IEEE S&P*, 2021.\n\n- Topological Detection of Trojaned Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.06469.pdf)\n  - Songzhu Zheng, Yikai Zhang, Hubert Wagner, Mayank Goswami, and Chao Chen. *NeurIPS*, 2021.\n\n- Black-box Detection of Backdoor Attacks with Limited Information and Data.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.13127.pdf)\n  - Yinpeng Dong, Xiao Yang, Zhijie Deng, Tianyu Pang, Zihao Xiao, Hang Su, and Jun Zhu. *ICCV*, 2021.\n\n- Universal Litmus Patterns: Revealing Backdoor Attacks in CNNs.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1906.10842.pdf)\n  [[code]](https:\u002F\u002Fumbcvision.github.io\u002FUniversal-Litmus-Patterns\u002F)\n  - Soheil Kolouri, Aniruddha Saha, Hamed Pirsiavash, and Heiko Hoffmann. *CVPR*, 2020.\n\n- One-Pixel Signature: Characterizing CNN Models for Backdoor Detection.\n  [[pdf]](https:\u002F\u002Fwww.ecva.net\u002Fpapers\u002Feccv_2020\u002Fpapers_ECCV\u002Fpapers\u002F123720324.pdf)\n  - Shanjiaoyang Huang, Weiqi Peng, Zhiwei Jia, and Zhuowen Tu. 
*ECCV*, 2020.\n  \n- Practical Detection of Trojan Neural Networks: Data-Limited and Data-Free Cases.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.15802.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fwangren09\u002FTrojanNetDetector)\n  - Ren Wang, Gaoyuan Zhang, Sijia Liu, Pin-Yu Chen, Jinjun Xiong, and Meng Wang. *ECCV*, 2020.\n\n- Detecting Backdoor Attacks via Class Difference in Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Fieeexplore.ieee.org\u002Fstamp\u002Fstamp.jsp?tp=&arnumber=9233317)\n  - Hyun Kwon. *IEEE Access*, 2020.\n\n- Baseline Pruning-Based Approach to Trojan Detection in Neural Networks.\n  [[pdf]](https:\u002F\u002Faisecure-workshop.github.io\u002Faml-iclr2021\u002Fpapers\u002F17.pdf)\n  - Peter Bajcsy and Michael Majurski. *ICLR Workshop*, 2021.\n\n- Universal Post-Training Backdoor Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.06900.pdf)\n  - Hang Wang, Zhen Xiang, David J. Miller, and George Kesidis. arXiv, 2022.\n\n- Trojan Signatures in DNN Weights.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.02836.pdf)\n  - Greg Fields, Mohammad Samragh, Mojan Javaheripi, Farinaz Koushanfar, and Tara Javidi. arXiv, 2021.\n\n- EX-RAY: Distinguishing Injected Backdoor from Natural Features in Neural Networks by Examining Differential Feature Symmetry.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.08820.pdf)\n  - Yingqi Liu, Guangyu Shen, Guanhong Tao, Zhenting Wang, Shiqing Ma, and Xiangyu Zhang. arXiv, 2021.\n\n- TOP: Backdoor Detection in Neural Networks via Transferability of Perturbation.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.10274.pdf)\n  - Todd Huster and Emmanuel Ekwedike. arXiv, 2021.\n\n- Detecting Trojaned DNNs Using Counterfactual Attributions.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.02275.pdf)\n  - Karan Sikka, Indranil Sur, Susmit Jha, Anirban Roy, and Ajay Divakaran. 
arXiv, 2021.\n\n- Adversarial examples are useful too!\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2005.06107.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Faliborji\u002FBackdoor_defense)\n  - Ali Borji. arXiv, 2020.\n\n- Cassandra: Detecting Trojaned Networks from Adversarial Perturbations.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.14433.pdf)\n  - Xiaoyu Zhang, Ajmal Mian, Rohit Gupta, Nazanin Rahnavard, and Mubarak Shah. arXiv, 2020.\n  \n- Odyssey: Creation, Analysis and Detection of Trojan Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.08142.pdf)\n  [[dataset]](https:\u002F\u002Flcwn-lab.github.io\u002FOdessey\u002F)\n  - Marzieh Edraki, Nazmul Karim, Nazanin Rahnavard, Ajmal Mian, and Mubarak Shah. arXiv, 2020.\n\n- Noise-response Analysis for Rapid Detection of Backdoors in Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2008.00123.pdf)\n  - N. Benjamin Erichson, Dane Taylor, Qixuan Wu, and Michael W. Mahoney. arXiv, 2020.\n\n- NeuronInspect: Detecting Backdoors in Neural Networks via Output Explanations.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1911.07399.pdf)\n  - Xijie Huang, Moustafa Alzantot, and Mani Srivastava. arXiv, 2019.\n\n\n#### Poison Suppression based Empirical Defense\n- Backdoor Defense via Decoupling the Training Process.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=TySnJ-0RdKI)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSCLBD\u002FDBD)\n  - Kunzhe Huang, Yiming Li, Baoyuan Wu, Zhan Qin, and Kui Ren. *ICLR*, 2022.\n\n- Effective Backdoor Defense by Exploiting Sensitivity of Poisoned Samples.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=AsH-Tx2U0Ug)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSCLBD\u002FEffective_backdoor_defense)\n  - Weixin Chen, Baoyuan Wu, and Haoqian Wang. 
*NeurIPS*, 2022.\n\n- Trap and Replace: Defending Backdoor Attacks by Trapping Them into an Easy-to-Replace Subnetwork.\n  [[pdf]](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper_files\u002Fpaper\u002F2022\u002Ffile\u002Fea06e6e9e80f1c3d382317fff67041ac-Paper-Conference.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FVITA-Group\u002FTrap-and-Replace-Backdoor-Defense)\n  - Haotao Wang, Junyuan Hong, Aston Zhang, Jiayu Zhou, and Zhangyang Wang. *NeurIPS*, 2022.\n\n- Training with More Confidence: Mitigating Injected and Natural Backdoors During Training.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=yNPsd3oG_s)\n  [[code]](https:\u002F\u002Fgithub.com\u002FRU-System-Software-and-Security\u002FNONE)\n  - Zhenting Wang, Hailun Ding, Juan Zhai, and Shiqing Ma. *NeurIPS*, 2022.\n\n- Anti-Backdoor Learning: Training Clean Models on Poisoned Data.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.11571.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fbboylyg\u002FABL)\n  - Yige Li, Xixiang Lyu, Nodens Koren, Lingjuan Lyu, Bo Li, and Xingjun Ma. *NeurIPS*, 2021.\n\n\n- Robust Anomaly Detection and Backdoor Attack Detection via Differential Privacy.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1911.07116.pdf)\n  [[code]](https:\u002F\u002Fwww.dropbox.com\u002Fsh\u002Frt8qzii7wr07g6n\u002FAAAbwokv2sfBeE9XAL2pXv_Aa?dl=0)\n  - Min Du, Ruoxi Jia, and Dawn Song. *ICLR*, 2020.  \n\n- Strong Data Augmentation Sanitizes Poisoning and Backdoor Attacks Without an Accuracy Trade-off.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2011.09527.pdf)\n  - Eitan Borgnia, Valeriia Cherepanova, Liam Fowl, Amin Ghiasi, Jonas Geiping, Micah Goldblum, Tom Goldstein, and Arjun Gupta. 
*ICASSP*, 2021.\n\n- What Doesn't Kill You Makes You Robust(er): Adversarial Training against Poisons and Backdoors.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2102.13624.pdf)\n  - Jonas Geiping, Liam Fowl, Gowthami Somepalli, Micah Goldblum, Michael Moeller, and Tom Goldstein. *ICLR Workshop*, 2021.\n\n- Removing Backdoor-Based Watermarks in Neural Networks with Limited Data.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2008.00407.pdf)\n  - Xuankai Liu, Fengting Li, Bihan Wen, and Qi Li. *ICPR*, 2021. \n\n- Mask and Restore: Blind Backdoor Defense at Test Time with Masked Autoencoder.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2303.15564.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Ftsun\u002FBDMAE)\n  - Tao Sun, Lu Pang, Chao Chen, and Haibin Ling. *arXiv*, 2023.\n\n- On the Effectiveness of Adversarial Training against Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.10627.pdf)\n  - Yinghua Gao, Dongxian Wu, Jingfeng Zhang, Guanhao Gan, Shu-Tao Xia, Gang Niu, and Masashi Sugiyama. arXiv, 2022.\n\n- Resurrecting Trust in Facial Recognition: Mitigating Backdoor Attacks in Face Recognition to Prevent Potential Privacy Breaches.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.10320.pdf)\n  - Reena Zelenkova, Jack Swallow, M. A. P. Chamikara, Dongxi Liu, Mohan Baruwal Chhetri, Seyit Camtepe, Marthie Grobler, and Mahathir Almashor. arXiv, 2022.\n\n- SanitAIs: Unsupervised Data Augmentation to Sanitize Trojaned Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.04566.pdf)\n  - Kiran Karra and Chace Ashcraft. arXiv, 2021.\n\n- On the Effectiveness of Mitigating Data Poisoning Attacks with Gradient Shaping.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.11497.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSanghyun-Hong\u002FGradient-Shaping)\n  - Sanghyun Hong, Varun Chandrasekaran, Yiğitcan Kaya, Tudor Dumitraş, and Nicolas Papernot. arXiv, 2020.  
\n\n- DP-InstaHide: Provably Defusing Poisoning and Backdoor Attacks with Differentially Private Data Augmentations.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.02079.pdf)\n  - Eitan Borgnia, Jonas Geiping, Valeriia Cherepanova, Liam Fowl, Arjun Gupta, Amin Ghiasi, Furong Huang, Micah Goldblum, and Tom Goldstein. arXiv, 2021.\n \n\n\n#### Sample Filtering based Empirical Defense\n- SCALE-UP: An Efficient Black-box Input-level Backdoor Detection via Analyzing Scaled Prediction Consistency.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=o0LFPcoFKnr)\n  [[code]](https:\u002F\u002Fgithub.com\u002FJunfengGo\u002FSCALE-UP)\n  - Junfeng Guo, Yiming Li, Xun Chen, Hanqing Guo, Lichao Sun, and Cong Liu. *ICLR*, 2023.\n\n- Distilling Cognitive Backdoor Patterns within an Image.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=S3D9NLzjnQ5)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHanxunH\u002FCognitiveDistillation)\n  - Hanxun Huang, Xingjun Ma, Sarah Monazam Erfani, and James Bailey. *ICLR*, 2023.\n\n- Incompatibility Clustering as a Defense Against Backdoor Poisoning Attacks.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=mkJm5Uy4HrQ)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fcharlesjin\u002Fcompatibility_clustering\u002F)\n  - Charles Jin, Melinda Sun, and Martin Rinard. *ICLR*, 2023.\n\n- The \"Beatrix\" Resurrections: Robust Backdoor Detection via Gram Matrices.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2209.11715.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fwanlunsec\u002FBeatrix)\n  - Wanlun Ma, Derui Wang, Ruoxi Sun, Minhui Xue, Sheng Wen, and Yang Xiang. *NDSS*, 2023.\n\n- Effective Backdoor Defense by Exploiting Sensitivity of Poisoned Samples.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=AsH-Tx2U0Ug)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSCLBD\u002FEffective_backdoor_defense)\n  - Weixin Chen, Baoyuan Wu, and Haoqian Wang. 
*NeurIPS*, 2022.\n\n- Towards Effective and Robust Neural Trojan Defenses via Input Filtering.\n  [[pdf]](https:\u002F\u002Fwww.ecva.net\u002Fpapers\u002Feccv_2022\u002Fpapers_ECCV\u002Fpapers\u002F136650277.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSoftWiser-group\u002FFTrojan)\n  - Kien Do, Haripriya Harikumar, Hung Le, Dung Nguyen, Truyen Tran, Santu Rana, Dang Nguyen, Willy Susilo, and Svetha Venkatesh. *ECCV*, 2022.\n\n- Can We Mitigate Backdoor Attack Using Adversarial Detection Methods?\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9844276)\n  - Kaidi Jin, Tianwei Zhang, Chao Shen, Yufei Chen, Ming Fan, Chenhao Lin, and Ting Liu. *IEEE Transactions on Dependable and Secure Computing*, 2022.\n\n- LinkBreaker: Breaking the Backdoor-Trigger Link in DNNs via Neurons Consistency Check.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9775729)\n  - Zhenzhu Chen, Shang Wang, Anmin Fu, Yansong Gao, Shui Yu, and Robert H. Deng. *IEEE Transactions on Information Forensics and Security*, 2022.\n\n- Similarity-based Integrity Protection for Deep Learning Systems.\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0020025522003279)\n  - Ruitao Hou, Shan Ai, Qi Chen, Hongyang Yan, Teng Huang, and Kongyang Chen. *Information Sciences*, 2022.\n\n- A Feature-Based On-Line Detector to Remove Adversarial-Backdoors by Iterative Demarcation.\n  [[pdf]](https:\u002F\u002Fieeexplore.ieee.org\u002Fstamp\u002Fstamp.jsp?tp=&arnumber=9673744)\n  - Hao Fu, Akshaj Kumar Veldanda, Prashanth Krishnamurthy, Siddharth Garg, and Farshad Khorrami. *IEEE ACCESS*, 2022.\n\n- Rethinking the Backdoor Attacks' Triggers: A Frequency Perspective.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.03413.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FYiZeng623\u002Ffrequency-backdoor)\n  - Yi Zeng, Won Park, Z. Morley Mao, and Ruoxi Jia. 
*ICCV*, 2021.\n\n- Demon in the Variant: Statistical Analysis of DNNs for Robust Backdoor Contamination Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1908.00686.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FTDteach\u002Fbackdoor)\n  - Di Tang, XiaoFeng Wang, Haixu Tang, and Kehuan Zhang. *USENIX Security*, 2021.\n\n- SPECTRE: Defending Against Backdoor Attacks Using Robust Statistics.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.11315.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSewoongLab\u002Fspectre-defense)\n  - Jonathan Hayase, Weihao Kong, Raghav Somani, and Sewoong Oh. *ICML*, 2021.\n\n- CLEANN: Accelerated Trojan Shield for Embedded Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2009.02326.pdf)\n  - Mojan Javaheripi, Mohammad Samragh, Gregory Fields, Tara Javidi, and Farinaz Koushanfar. *ICCAD*, 2020.\n\n- Robust Anomaly Detection and Backdoor Attack Detection via Differential Privacy.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1911.07116.pdf)\n  [[code]](https:\u002F\u002Fwww.dropbox.com\u002Fsh\u002Frt8qzii7wr07g6n\u002FAAAbwokv2sfBeE9XAL2pXv_Aa?dl=0)\n  - Min Du, Ruoxi Jia, and Dawn Song. *ICLR*, 2020.  \n  \n- Simple, Attack-Agnostic Defense Against Targeted Training Set Attacks Using Cosine Similarity.\n  [[pdf]](http:\u002F\u002Fwww.gatsby.ucl.ac.uk\u002F~balaji\u002Fudl2021\u002Faccepted-papers\u002FUDL2021-paper-029.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FZaydH\u002Fcosin)\n  - Zayd Hammoudeh and Daniel Lowd. *ICML Workshop*, 2021.\n\n- SentiNet: Detecting Localized Universal Attacks Against Deep Learning Systems.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1812.00292.pdf)\n  - Edward Chou, Florian Tramèr, and Giancarlo Pellegrino. 
*IEEE S&P Workshop*, 2020.\n\n- STRIP: A Defence Against Trojan Attacks on Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1902.06531.pdf)\n  [[extension]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1911.10312.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fgarrisongys\u002FSTRIP)\n  - Yansong Gao, Chang Xu, Derui Wang, Shiping Chen, Damith C. Ranasinghe, and Surya Nepal. *ACSAC*, 2019.\n\n- Detecting Backdoor Attacks on Deep Neural Networks by Activation Clustering.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1811.03728.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FTrusted-AI\u002Fadversarial-robustness-toolbox\u002Fblob\u002Fmain\u002Fart\u002Fdefences\u002Fdetector\u002Fpoison\u002Factivation_defence.py)\n  - Bryant Chen, Wilka Carvalho, Nathalie Baracaldo, Heiko Ludwig, Benjamin Edwards, Taesung Lee, Ian Molloy, and Biplav Srivastava. *AAAI Workshop*, 2019.\n\n- Deep Probabilistic Models to Detect Data Poisoning Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1912.01206.pdf)\n  - Mahesh Subedar, Nilesh Ahuja, Ranganath Krishnan, Ibrahima J. Ndiour, and Omesh Tickoo. *NeurIPS Workshop*, 2019.  \n\n- Spectral Signatures in Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1811.00636.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FMadryLab\u002Fbackdoor_data_poisoning)\n  - Brandon Tran, Jerry Li, and Aleksander Madry. *NeurIPS*, 2018.  \n\n- An Adaptive Black-box Defense against Trojan Attacks (TrojDef).\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2209.01721.pdf)\n  - Guanxiong Liu, Abdallah Khreishah, Fatima Sharadgah, and Issa Khalil. arXiv, 2022.\n\n- Fight Poison with Poison: Detecting Backdoor Poison Samples via Decoupling Benign Correlations.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.13616.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUnispac\u002FFight-Poison-With-Poison)\n  - Xiangyu Qi, Tinghao Xie, Saeed Mahloujifar, and Prateek Mittal. 
arXiv, 2022.\n\n- PiDAn: A Coherence Optimization Approach for Backdoor Attack Detection and Mitigation in Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2203.09289.pdf)\n  - Yue Wang, Wenqing Li, Esha Sarkar, Muhammad Shafique, Michail Maniatakos, and Saif Eddin Jabari. arXiv, 2022.\n\n- Neural Network Trojans Analysis and Mitigation from the Input Domain.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.06382.pdf)\n  - Zhenting Wang, Hailun Ding, Juan Zhai, and Shiqing Ma. arXiv, 2022.\n\n- A General Framework for Defending Against Backdoor Attacks via Influence Graph.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.14309)\n  - Xiaofei Sun, Jiwei Li, Xiaoya Li, Ziyao Wang, Tianwei Zhang, Han Qiu, Fei Wu, and Chun Fan. arXiv, 2021.\n\n- NTD: Non-Transferability Enabled Backdoor Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.11157.pdf)\n  - Yinshan Li, Hua Ma, Zhi Zhang, Yansong Gao, Alsharif Abuadbba, Anmin Fu, Yifeng Zheng, Said F. Al-Sarawi, and Derek Abbott. arXiv, 2021.\n\n- A Unified Framework for Task-Driven Data Quality Management.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.05484.pdf)\n  - Tianhao Wang, Yi Zeng, Ming Jin, and Ruoxi Jia. arXiv, 2021.\n\n- TESDA: Transform Enabled Statistical Detection of Attacks in Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.08447.pdf)\n  - Chandramouli Amarnath, Aishwarya H. Balwani, Kwondo Ma, and Abhijit Chatterjee. arXiv, 2021.\n\n- Traceback of Data Poisoning Attacks in Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.06904.pdf)\n  - Shawn Shan, Arjun Nitin Bhagoji, Haitao Zheng, and Ben Y. Zhao. arXiv, 2021.\n\n- Provable Guarantees against Data Poisoning Using Self-Expansion and Compatibility.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.03692.pdf)\n  - Charles Jin, Melinda Sun, and Martin Rinard. 
arXiv, 2021.\n  \n- Online Defense of Trojaned Models using Misattributions.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.15918.pdf)\n  - Panagiota Kiourti, Wenchao Li, Anirban Roy, Karan Sikka, and Susmit Jha. arXiv, 2021.\n\n- Detecting Backdoor in Deep Neural Networks via Intentional Adversarial Perturbations.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.14259.pdf)\n  - Mingfu Xue, Yinghao Wu, Zhiyu Wu, Jian Wang, Yushu Zhang, and Weiqiang Liu. arXiv, 2021.\n\n- Exposing Backdoors in Robust Machine Learning Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2003.00865.pdf)\n  - Ezekiel Soremekun, Sakshi Udeshi, and Sudipta Chattopadhyay. arXiv, 2020.\n\n- HaS-Nets: A Heal and Select Mechanism to Defend DNNs Against Backdoor Attacks for Data Collection Scenarios.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.07474.pdf)\n  - Hassan Ali, Surya Nepal, Salil S. Kanhere, and Sanjay Jha. arXiv, 2020.\n\n- Poison as a Cure: Detecting & Neutralizing Variable-Sized Backdoor Attacks in Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1911.08040.pdf)\n  - Alvin Chan, and Yew-Soon Ong. arXiv, 2019.  \n  \n#### Certificated Defense\n- Towards Robustness Certification Against Universal Perturbations.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=7GEvPKxjtt)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fruoxi-jia-group\u002FUniversal_Pert_Cert)\n  - Yi Zeng, Zhouxing Shi, Ming Jin, Feiyang Kang, Lingjuan Lyu, Cho-Jui Hsieh, and Ruoxi Jia. *ICLR*, 2023.\n\n- BagFlip: A Certified Defense against Data Poisoning.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=ZidkM5b92G)\n  [[code]](https:\u002F\u002Fgithub.com\u002FForeverZyh\u002Fdefend_framework)\n  - Yuhao Zhang, Aws Albarghouthi, and Loris D'Antoni. 
*NeurIPS*, 2022.\n\n- RAB: Provable Robustness Against Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2003.08904.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FAI-secure\u002FRobustness-Against-Backdoor-Attacks)\n  - Maurice Weber, Xiaojun Xu, Bojan Karlas, Ce Zhang, and Bo Li. *IEEE S&P*, 2022.\n\n- Certified Robustness of Nearest Neighbors against Data Poisoning and Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.03765.pdf)\n  - Jinyuan Jia, Yupei Liu, Xiaoyu Cao, and Neil Zhenqiang Gong. *AAAI*, 2022.\n\n- Deep Partition Aggregation: Provable Defense against General Poisoning Attacks\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fabs\u002F2006.14768)\n  [[code]](https:\u002F\u002Fgithub.com\u002Falevine0\u002FDPA)\n  - Alexander Levine and Soheil Feizi. *ICLR*, 2021.\n  \n- Intrinsic Certified Robustness of Bagging against Data Poisoning Attacks\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fabs\u002F2008.04495)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fjjy1994\u002FBaggingCertifyDataPoisoning)\n  - Jinyuan Jia, Xiaoyu Cao, and Neil Zhenqiang Gong. *AAAI*, 2021.\n\n- Certified Robustness to Label-Flipping Attacks via Randomized Smoothing.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.03018.pdf)\n  - Elan Rosenfeld, Ezra Winston, Pradeep Ravikumar, and J. Zico Kolter. *ICML*, 2020.\n\n- On Certifying Robustness against Backdoor Attacks via Randomized Smoothing.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.11750.pdf)\n  - Binghui Wang, Xiaoyu Cao, Jinyuan Jia, and Neil Zhenqiang Gong. *CVPR Workshop*, 2020.\n\n- BagFlip: A Certified Defense against Data Poisoning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.13634.pdf)\n  - Yuhao Zhang, Aws Albarghouthi, and Loris D'Antoni. 
arXiv, 2022.\n\n\n\n\n## Attack and Defense Towards Other Paradigms and Tasks\n### Federated Learning\n- FLIP: A Provable Defense Framework for Backdoor Mitigation in Federated Learning.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=Xo2E217_M4n)\n  [[code]](https:\u002F\u002Fgithub.com\u002FKaiyuanZh\u002FFLIP)\n  - Kaiyuan Zhang, Guanhong Tao, Qiuling Xu, Siyuan Cheng, Shengwei An, Yingqi Liu, Shiwei Feng, Guangyu Shen, Pin-Yu Chen, Shiqing Ma, and Xiangyu Zhang. *ICLR*, 2023.\n\n- On the Vulnerability of Backdoor Defenses for Federated Learning.\n  [[link]](https:\u002F\u002Fojs.aaai.org\u002Findex.php\u002FAAAI\u002Farticle\u002Fview\u002F26393)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fjinghuichen\u002FFocused-Flip-Federated-Backdoor-Attack)\n  - Pei Fang and Jinghui Chen. *AAAI*, 2023.\n\n- Poisoning with Cerberus: Stealthy and Colluded Backdoor Attack against Federated Learning.\n  [[link]](https:\u002F\u002Fojs.aaai.org\u002Findex.php\u002FAAAI\u002Farticle\u002Fview\u002F26083)\n  - Xiaoting Lyu, Yufei Han, Wei Wang, Jingkai Liu, Bin Wang, Jiqiang Liu, and Xiangliang Zhang. *AAAI*, 2023.\n\n- Neurotoxin: Durable Backdoors in Federated Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.10341.pdf)\n  - Zhengming Zhang, Ashwinee Panda, Linyue Song, Yaoqing Yang, Michael W. Mahoney, Joseph E. Gonzalez, Kannan Ramchandran, and Prateek Mittal. *ICML*, 2022.\n\n- FLAME: Taming Backdoors in Federated Learning.\n  [[pdf]](https:\u002F\u002Fwww.usenix.org\u002Fsystem\u002Ffiles\u002Fsec22fall_nguyen.pdf)\n  - Thien Duc Nguyen, Phillip Rieger, Huili Chen, Hossein Yalame, Helen Möllering, Hossein Fereidooni, Samuel Marchal, Markus Miettinen, Azalia Mirhoseini, Shaza Zeitouni, Farinaz Koushanfar, Ahmad-Reza Sadeghi, and Thomas Schneider. 
*USENIX Security*, 2022.\n\n- DeepSight: Mitigating Backdoor Attacks in Federated Learning Through Deep Model Inspection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.00763.pdf)\n  - Phillip Rieger, Thien Duc Nguyen, Markus Miettinen, and Ahmad-Reza Sadeghi. *NDSS*, 2022.\n\n- Defending Label Inference and Backdoor Attacks in Vertical Federated Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2112.05409.pdf)\n  - Yang Liu, Zhihao Yi, Yan Kang, Yuanqin He, Wenhan Liu, Tianyuan Zou, and Qiang Yang. *AAAI*, 2022.\n\n- An Analysis of Byzantine-Tolerant Aggregation Mechanisms on Model Poisoning in Federated Learning.\n  [[link]](https:\u002F\u002Flink.springer.com\u002Fchapter\u002F10.1007\u002F978-3-031-13448-7_12)\n  - Mary Roszel, Robert Norvill, and Radu State. *MDAI*, 2022.\n\n- Against Backdoor Attacks In Federated Learning With Differential Privacy.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9747653)\n  - Lu Miao, Wei Yang, Rong Hu, Lu Li, and Liusheng Huang. *ICASSP*, 2022.\n\n- Secure Partial Aggregation: Making Federated Learning More Robust for Industry 4.0 Applications.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9692911)\n  - Jiqiang Gao, Baolei Zhang, Xiaojie Guo, Thar Baker, Min Li, and Zheli Liu. *IEEE Transactions on Industrial Informatics*, 2022.\n\n- Backdoor Attacks-resilient Aggregation based on Robust Filtering of Outliers in Federated Learning for Image Classification.\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0950705122002635)\n  - Nuria Rodríguez-Barroso, Eugenio Martínez-Cámara, M. Victoria Luzón, and Francisco Herrera. 
*Knowledge-Based Systems*, 2022.\n\n- Defense against Backdoor Attack in Federated Learning.\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0167404822002139)\n  [[code]](https:\u002F\u002Fgithub.com\u002Flsw3130104597\u002FBackdoor_detection)\n  - Shiwei Lu, Ruihu Li, Wenbin Liu, and Xuan Chen. *Computers & Security*, 2022.\n\n- Privacy-Enhanced Federated Learning against Poisoning Adversaries.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9524709\u002F)\n  - Xiaoyuan Liu, Hongwei Li, Guowen Xu, Zongqi Chen, Xiaoming Huang, and Rongxing Lu. *IEEE Transactions on Information Forensics and Security*, 2021.\n\n- Coordinated Backdoor Attacks against Federated Learning with Model-Dependent Triggers.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9713908)\n  - Xueluan Gong, Yanjiao Chen, Huayang Huang, Yuqing Liao, Shuai Wang, and Qian Wang. *IEEE Network*, 2022.\n\n- CRFL: Certifiably Robust Federated Learning against Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.08283.pdf)\n  - Chulin Xie, Minghao Chen, Pin-Yu Chen, and Bo Li. *ICML*, 2021.\n\n- Curse or Redemption? How Data Heterogeneity Affects the Robustness of Federated Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2102.00655.pdf)\n  - Syed Zawad, Ahsan Ali, Pin-Yu Chen, Ali Anwar, Yi Zhou, Nathalie Baracaldo, Yuan Tian, and Feng Yan. *AAAI*, 2021.\n\n- Defending Against Backdoors in Federated Learning with Robust Learning Rate.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.03767.pdf)\n  - Mustafa Safa Ozdayi, Murat Kantarcioglu, and Yulia R. Gel. *AAAI*, 2021.\n  \n- BaFFLe: Backdoor detection via Feedback-based Federated Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2011.02167.pdf)\n  - Sebastien Andreina, Giorgia Azzurra Marson, Helen Möllering, and Ghassan Karame. 
*ICDCS*, 2021.\n\n- PipAttack: Poisoning Federated Recommender Systems for Manipulating Item Promotion.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.10926.pdf)\n  - Shijie Zhang, Hongzhi Yin, Tong Chen, Zi Huang, Quoc Viet Hung Nguyen, and Lizhen Cui. *WSDM*, 2021.\n\n- Mitigating the Backdoor Attack by Federated Filters for Industrial IoT Applications.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fdocument\u002F9536411\u002F)\n  - Boyu Hou, Jiqiang Gao, Xiaojie Guo, Thar Baker, Ying Zhang, Yanlong Wen, and Zheli Liu. *IEEE Transactions on Industrial Informatics*, 2021.\n\n- Stability-Based Analysis and Defense against Backdoor Attacks on Edge Computing Services.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9354927)\n  - Yi Zhao, Ke Xu, Haiyang Wang, Bo Li, and Ruoxi Jia. *IEEE Network*, 2021.\n\n- Attack of the Tails: Yes, You Really Can Backdoor Federated Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.05084.pdf)\n  - Hongyi Wang, Kartik Sreenivasan, Shashank Rajput, Harit Vishwakarma, Saurabh Agarwal, Jy-yong Sohn, Kangwook Lee, and Dimitris Papailiopoulos. *NeurIPS*, 2020.\n  \n- DBA: Distributed Backdoor Attacks against Federated Learning.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=rkgyS0VFvr)\n  - Chulin Xie, Keli Huang, Pinyu Chen, and Bo Li. *ICLR*, 2020.\n\n\n- The Limitations of Federated Learning in Sybil Settings.\n  [[pdf]](https:\u002F\u002Fwww.cs.ubc.ca\u002F~bestchai\u002Fpapers\u002Ffoolsgold-raid2020.pdf)\n  [[extension]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1808.04866.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FDistributedML\u002FFoolsGold)\n  - Clement Fung, Chris J.M. Yoon, and Ivan Beschastnikh. *RAID*, 2020 (arXiv, 2018).\n\n- How to Backdoor Federated Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1807.00459.pdf)\n  - Eugene Bagdasaryan, Andreas Veit, Yiqing Hua, Deborah Estrin, and Vitaly Shmatikov. 
*AISTATS*, 2020 (arXiv, 2018).\n\n\n- BEAS: Blockchain Enabled Asynchronous & Secure Federated Machine Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.02817.pdf)\n  - Arup Mondal, Harpreet Virk, and Debayan Gupta. *AAAI Workshop*, 2022.\n  \n- Backdoor Attacks and Defenses in Feature-partitioned Collaborative Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.03608.pdf)\n  - Yang Liu, Zhihao Yi, and Tianjian Chen. *ICML Workshop*, 2020.\n\n- Can You Really Backdoor Federated Learning?\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1911.07963.pdf)\n  - Ziteng Sun, Peter Kairouz, Ananda Theertha Suresh, and H. Brendan McMahan. *NeurIPS Workshop*, 2019.\n\n- Invariant Aggregator for Defending Federated Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2210.01834.pdf)\n  - Xiaoyang Wang, Dimitrios Dimitriadis, Sanmi Koyejo, and Shruti Tople. arXiv, 2022.\n\n- Shielding Federated Learning: Mitigating Byzantine Attacks with Less Constraints.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2210.01437.pdf)\n  - Minghui Li, Wei Wan, Jianrong Lu, Shengshan Hu, Junyu Shi, and Leo Yu Zhang. arXiv, 2022.\n\n- Federated Zero-Shot Learning for Visual Recognition.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2209.01994.pdf)\n  - Zhi Chen, Yadan Luo, Sen Wang, Jingjing Li, and Zi Huang. arXiv, 2022.\n\n- Assisting Backdoor Federated Learning with Whole Population Knowledge Alignment.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.12327.pdf)\n  - Tian Liu, Xueyang Hu, and Tao Shu. arXiv, 2022.\n\n- FL-Defender: Combating Targeted Attacks in Federated Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.00872.pdf)\n  - Najeeb Jebreel and Josep Domingo-Ferrer. arXiv, 2022.\n\n- Backdoor Attack is A Devil in Federated GAN-based Medical Image Synthesis.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.00762.pdf)\n  - Ruinan Jin and Xiaoxiao Li. 
arXiv, 2022.\n\n- SafeNet: Mitigating Data Poisoning Attacks on Private Machine Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.09986.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fdata61\u002FMP-SPDZ)\n  - Harsh Chaudhari, Matthew Jagielski, and Alina Oprea. arXiv, 2022.\n\n- PerDoor: Persistent Non-Uniform Backdoors in Federated Learning using Adversarial Perturbations.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.13523.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fmomalab\u002FPerDoor)\n  - Manaar Alam, Esha Sarkar, and Michail Maniatakos. arXiv, 2022.\n\n- Towards a Defense against Backdoor Attacks in Continual Federated Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.11736.pdf)\n  - Shuaiqi Wang, Jonathan Hayase, Giulia Fanti, and Sewoong Oh. arXiv, 2022.\n  \n- Client-Wise Targeted Backdoor in Federated Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2203.08689.pdf)\n  - Gorka Abad, Servio Paguada, Stjepan Picek, Víctor Julio Ramírez-Durán, and Aitor Urbieta. arXiv, 2022.\n\n- Backdoor Defense in Federated Learning Using Differential Testing and Outlier Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.11196.pdf)\n  - Yein Kim, Huili Chen, and Farinaz Koushanfar. arXiv, 2022.\n\n- ARIBA: Towards Accurate and Robust Identification of Backdoor Attacks in Federated Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.04311.pdf)\n  - Yuxi Mi, Jihong Guan, and Shuigeng Zhou. arXiv, 2022.\n\n- More is Better (Mostly): On the Backdoor Attacks in Federated Graph Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.03195.pdf)\n  - Jing Xu, Rui Wang, Kaitai Liang, and Stjepan Picek. arXiv, 2022.\n\n- Low-Loss Subspace Compression for Clean Gains against Multi-Agent Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2203.03692.pdf)\n  - Siddhartha Datta and Nigel Shadbolt. 
arXiv, 2022.\n\n- Backdoors Stuck at The Frontdoor: Multi-Agent Backdoor Attacks That Backfire.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.12211.pdf)\n  - Siddhartha Datta and Nigel Shadbolt. arXiv, 2022.\n\n- Federated Unlearning with Knowledge Distillation.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.09441.pdf)\n  - Chen Wu, Sencun Zhu, and Prasenjit Mitra. arXiv, 2022.\n\n- Model Transferring Attacks to Backdoor HyperNetwork in Personalized Federated Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.07063.pdf)\n  - Phung Lai, NhatHai Phan, Abdallah Khreishah, Issa Khalil, and Xintao Wu. arXiv, 2022.\n\n- Backdoor Attacks on Federated Learning with Lottery Ticket Hypothesis.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.10512.pdf)\n  - Zihang Zou, Boqing Gong, and Liqiang Wang. arXiv, 2021.\n\n- On Provable Backdoor Defense in Collaborative Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2101.08177.pdf)\n  - Ximing Qiao, Yuhua Bai, Siping Hu, Ang Li, Yiran Chen, and Hai Li. arXiv, 2021.\n\n- SparseFed: Mitigating Model Poisoning Attacks in Federated Learning with Sparsification.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2112.06274.pdf)\n  - Ashwinee Panda, Saeed Mahloujifar, Arjun N. Bhagoji, Supriyo Chakraborty, and Prateek Mittal. arXiv, 2021.\n\n- Robust Federated Learning with Attack-Adaptive Aggregation.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2102.05257.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fcpwan\u002FAttack-Adaptive-Aggregation)\n  - Ching Pui Wan, and Qifeng Chen. arXiv, 2021.\n\n- Meta Federated Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2102.05561.pdf)\n  - Omid Aramoon, Pin-Yu Chen, Gang Qu, and Yuan Tian. 
arXiv, 2021.\n\n- FLGUARD: Secure and Private Federated Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2101.02281.pdf)\n  - Thien Duc Nguyen, Phillip Rieger, Hossein Yalame, Helen Möllering, Hossein Fereidooni, Samuel Marchal, Markus Miettinen, Azalia Mirhoseini, Ahmad-Reza Sadeghi, Thomas Schneider, and Shaza Zeitouni. arXiv, 2021.\n\n- Toward Robustness and Privacy in Federated Learning: Experimenting with Local and Central Differential Privacy.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2009.03561.pdf)\n  - Mohammad Naseri, Jamie Hayes, and Emiliano De Cristofaro. arXiv, 2020.\n\n- Backdoor Attacks on Federated Meta-Learning. \n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.07026.pdf)\n  - Chien-Lun Chen, Leana Golubchik, and Marco Paolieri. arXiv, 2020. \n\n- Dynamic backdoor attacks against federated learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2011.07429.pdf)\n  - Anbu Huang. arXiv, 2020.\n\n- Federated Learning in Adversarial Settings.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.07808.pdf)\n  - Raouf Kerkouche, Gergely Ács, and Claude Castelluccia. arXiv, 2020.\n\n- BlockFLA: Accountable Federated Learning via Hybrid Blockchain Architecture.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.07427.pdf)\n  - Harsh Bimal Desai, Mustafa Safa Ozdayi, and Murat Kantarcioglu. arXiv, 2020.\n\n- Mitigating Backdoor Attacks in Federated Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2011.01767.pdf)\n  - Chen Wu, Xian Yang, Sencun Zhu, and Prasenjit Mitra. arXiv, 2020.\n\n- Learning to Detect Malicious Clients for Robust Federated Learning. \n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.00211.pdf)\n  - Suyi Li, Yong Cheng, Wei Wang, Yang Liu, and Tianjian Chen. 
arXiv, 2020.\n  \n- Attack-Resistant Federated Learning with Residual-based Reweighting.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1912.11464.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Ffushuhao6\u002FAttack-Resistant-Federated-Learning)\n  - Shuhao Fu, Chulin Xie, Bo Li, and Qifeng Chen. arXiv, 2019.\n\n\n### Transfer Learning\n- Incremental Learning, Incremental Backdoor Threats.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9872528\u002F)\n  - Wenbo Jiang, Tianwei Zhang, Han Qiu, Hongwei Li, and Guowen Xu. *IEEE Transactions on Dependable and Secure Computing*, 2022.\n\n- Robust Backdoor Injection with the Capability of Resisting Network Transfer.\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS002002552201043X)\n  - Le Feng, Sheng Li, Zhenxing Qian, and Xinpeng Zhang. *Information Sciences*, 2022.\n\n- Anti-Distillation Backdoor Attacks: Backdoors Can Really Survive in Knowledge Distillation.\n  [[pdf]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fpdf\u002F10.1145\u002F3474085.3475254)\n  - Yunjie Ge, Qian Wang, Baolin Zheng, Xinlu Zhuang, Qi Li, Chao Shen, and Cong Wang. *ACM MM*, 2021.\n\n- Hidden Trigger Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1910.00033.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUMBCvision\u002FHidden-Trigger-Backdoor-Attacks)\n  - Aniruddha Saha, Akshayvarun Subramanya, and Hamed Pirsiavash. *AAAI*, 2020.\n\n- Weight Poisoning Attacks on Pre-trained Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.06660.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fneulab\u002FRIPPLe)\n  - Keita Kurita, Paul Michel, and Graham Neubig. *ACL*, 2020.\n\n- Backdoor Attacks against Transfer Learning with Pre-trained Deep Learning Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2001.03274.pdf)\n  - Shuo Wang, Surya Nepal, Carsten Rudolph, Marthie Grobler, Shangyu Chen, and Tianle Chen. 
*IEEE Transactions on Services Computing*, 2020.\n\n\n- Latent Backdoor Attacks on Deep Neural Networks.\n  [[pdf]](http:\u002F\u002Fpeople.cs.uchicago.edu\u002F~huiyingli\u002Fpublication\u002Ffr292-yaoA.pdf)\n  - Yuanshun Yao, Huiying Li, Haitao Zheng and Ben Y. Zhao. *CCS*, 2019.\n  \n- Architectural Backdoors in Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.07840.pdf)\n  - Mikel Bober-Irizar, Ilia Shumailov, Yiren Zhao, Robert Mullins, and Nicolas Papernot. arXiv, 2022.\n  \n  \n- Red Alarm for Pre-trained Models: Universal Vulnerabilities by Neuron-Level Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2101.06969.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FNeuBA)\n  - Zhengyan Zhang, Guangxuan Xiao, Yongwei Li, Tian Lv, Fanchao Qi, Zhiyuan Liu, Yasheng Wang, Xin Jiang, and Maosong Sun. arXiv, 2021.\n\n### Reinforcement Learning\n- Provable Defense against Backdoor Policies in Reinforcement Learning.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=11WmFbrIt26)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fskbharti\u002FProvable-Defense-in-RL)\n  - Shubham Kumar Bharti, Xuezhou Zhang, Adish Singla, and Jerry Zhu. *NeurIPS*, 2022.\n\n- MARNet: Backdoor Attacks against Cooperative Multi-Agent Reinforcement Learning.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9894692)\n  - Yanjiao Chen, Zhicong Zheng, and Xueluan Gong. *IEEE Transactions on Dependable and Secure Computing*, 2022.\n\n- BACKDOORL: Backdoor Attack against Competitive Reinforcement Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.00579.pdf)\n  - Lun Wang, Zaynah Javed, Xian Wu, Wenbo Guo, Xinyu Xing, and Dawn Song. 
*IJCAI*, 2021.\n\n- Stop-and-Go: Exploring Backdoor Attacks on Deep Reinforcement Learning-based Traffic Congestion Control Systems.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2003.07859.pdf)\n  - Yue Wang, Esha Sarkar, Michail Maniatakos, and Saif Eddin Jabari. *IEEE Transactions on Information Forensics and Security*, 2021.\n\n- Agent Manipulator: Stealthy Strategy Attacks on Deep Reinforcement Learning.\n  [[link]](https:\u002F\u002Flink.springer.com\u002Farticle\u002F10.1007\u002Fs10489-022-03882-w)\n  - Jinyin Chen, Xueke Wang, Yan Zhang, Haibin Zheng, Shanqing Yu, and Liang Bao. *Applied Intelligence*, 2022.\n\n- TrojDRL: Evaluation of Backdoor Attacks on Deep Reinforcement Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1903.06638.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fpkiourti\u002Frl_backdoor)\n  - Panagiota Kiourti, Kacper Wardega, Susmit Jha, and Wenchao Li. *DAC*, 2020.\n\n- Poisoning Deep Reinforcement Learning Agents with In-Distribution Triggers.\n  [[pdf]](https:\u002F\u002Faisecure-workshop.github.io\u002Faml-iclr2021\u002Fpapers\u002F11.pdf) \n  - Chace Ashcraft and Kiran Karra. *ICLR Workshop*, 2021.\n\n- A Temporal-Pattern Backdoor Attack to Deep Reinforcement Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.02589.pdf)\n  - Yinbo Yu, Jiajia Liu, Shouqing Li, Kepu Huang, and Xudong Feng. arXiv, 2022.\n\n- Backdoor Detection in Reinforcement Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.03609.pdf)\n  - Junfeng Guo, Ang Li, and Cong Liu. arXiv, 2022.\n  \n- Design of Intentional Backdoors in Sequential Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1902.09972.pdf)\n  - Zhaoyuan Yang, Naresh Iyer, Johan Reimann, and Nurali Virani. 
arXiv, 2019.\n\n\n### Semi-Supervised and Self-Supervised Learning\n- Backdoor Attacks on Self-Supervised Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.10123)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUMBCvision\u002FSSL-Backdoor)\n  - Aniruddha Saha, Ajinkya Tejankar, Soroush Abbasi Koohpayegani, and Hamed Pirsiavash. *CVPR*, 2022.\n\n- Poisoning and Backdooring Contrastive Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.09667.pdf)\n  - Nicholas Carlini and Andreas Terzis. *ICLR*, 2022.\n\n- BadEncoder: Backdoor Attacks to Pre-trained Encoders in Self-Supervised Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2108.00352.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fjjy1994\u002FBadEncoder)\n  - Jinyuan Jia, Yupei Liu, and Neil Zhenqiang Gong. *IEEE S&P*, 2022.\n\n- DeHiB: Deep Hidden Backdoor Attack on Semi-supervised Learning via adversarial Perturbation.\n  [[pdf]](https:\u002F\u002Fojs.aaai.org\u002Findex.php\u002FAAAI\u002Farticle\u002Fview\u002F17266)\n  - Zhicong Yan, Gaolei Li, Yuan Tian, Jun Wu, Shenghong Li, Mingzhe Chen, and H. Vincent Poor. *AAAI*, 2021.\n\n- Deep Neural Backdoor in Semi-Supervised Learning: Threats and Countermeasures.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9551983)\n  - Zhicong Yan, Jun Wu, Gaolei Li, Shenghong Li, and Mohsen Guizani. *IEEE Transactions on Information Forensics and Security*, 2021.\n\n- Backdoor Attacks in the Supply Chain of Masked Image Modeling.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2210.01632.pdf)\n  - Xinyue Shen, Xinlei He, Zheng Li, Yun Shen, Michael Backes, and Yang Zhang. arXiv, 2022.\n\n- Watermarking Pre-trained Encoders in Contrastive Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.08217.pdf)\n  - Yutong Wu, Han Qiu, Tianwei Zhang, Jiwei Li, and Meikang Qiu. 
arXiv, 2022.\n\n\n### Quantization\n- RIBAC: Towards Robust and Imperceptible Backdoor Attack against Compact DNN.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.10608.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fhuyvnphan\u002FECCV2022-RIBAC)\n  - Huy Phan, Cong Shi, Yi Xie, Tianfang Zhang, Zhuohang Li, Tianming Zhao, Jian Liu, Yan Wang, Yingying Chen, and Bo Yuan. *ECCV*, 2022.\n\n- Qu-ANTI-zation: Exploiting Quantization Artifacts for Achieving Adversarial Outcomes.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.13541.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSecure-AI-Systems-Group\u002FQu-ANTI-zation)\n  - Sanghyun Hong, Michael-Andrei Panaitescu-Liess, Yiğitcan Kaya, and Tudor Dumitraş. *NeurIPS*, 2021.\n\n- Understanding the Threats of Trojaned Quantized Neural Network in Model Supply Chains.\n  [[pdf]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fpdf\u002F10.1145\u002F3485832.3485881)\n  - Xudong Pan, Mi Zhang, Yifan Yan, and Min Yang. *ACSAC*, 2021\n\n- Quantization Backdoors to Deep Learning Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2108.09187.pdf)\n  - Hua Ma, Huming Qiu, Yansong Gao, Zhi Zhang, Alsharif Abuadbba, Anmin Fu, Said Al-Sarawi, and Derek Abbott. arXiv, 2021.\n\n- Stealthy Backdoors as Compression Artifacts.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.15129.pdf) \n  - Yulong Tian, Fnu Suya, Fengyuan Xu, and David Evans. arXiv, 2021.\n\n\n### Natural Language Processing\n  \n- TrojText: Test-time Invisible Textual Trojan Insertion.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=ja4Lpp5mqc2)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUCF-ML-Research\u002FTrojText)\n  - Qian Lou, Yepeng Liu, and Bo Feng. 
*ICLR*, 2023.\n\n- Defending against Backdoor Attacks in Natural Language Generation.\n  [[link]](https:\u002F\u002Fojs.aaai.org\u002Findex.php\u002FAAAI\u002Farticle\u002Fview\u002F25656)\n  - Xiaofei Sun, Xiaoya Li, Yuxian Meng, Xiang Ao, Lingjuan Lyu, Jiwei Li, and Tianwei Zhang. *AAAI*, 2023.\n\n- Removing Backdoors in Pre-trained Models by Regularized Continual Pre-training.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fforum?id=JKuBOuzntQ)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FRECIPE)\n  - Biru Zhu, Ganqu Cui, Yangyi Chen, Yujia Qin, Lifan Yuan, Chong Fu, Yangdong Deng, Zhiyuan Liu, Maosong Sun, Ming Gu. *Transactions of the Association for Computational Linguistics*, 2023.\n\n\n- BadPrompt: Backdoor Attacks on Continuous Prompts.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=rlN6fO3OrP)\n  [[code]](https:\u002F\u002Fgithub.com\u002FpapersPapers\u002FBadPrompt)\n  - Xiangrui Cai, haidong xu, Sihan Xu, Ying Zhang, and Xiaojie Yuan. *NeurIPS*, 2022.\n\n- Moderate-fitting as a Natural Backdoor Defender for Pre-trained Language Models\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fforum?id=C7cv9fh8m-b)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FModerate-fitting)\n  - Biru Zhu, Yujia Qin, Ganqu Cui, Yangyi Chen, Weilin Zhao, Chong Fu, Yangdong Deng, Zhiyuan Liu, Jingang Wang, Wei Wu, Maosong Sun, and Ming Gu. *NeurIPS*, 2022.\n\n- A Unified Evaluation of Textual Backdoor Learning: Frameworks and Benchmarks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.08514.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FOpenBackdoor)\n  - Ganqu Cui, Lifan Yuan, Bingxiang He, Yangyi Chen, Zhiyuan Liu, and Maosong Sun. *NeurIPS*, 2022.  
\n\n- Spinning Language Models: Risks of Propaganda-as-a-Service and Countermeasures\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fabs\u002F2112.05224)\n  [[code]](https:\u002F\u002Fgithub.com\u002Febagdasa\u002Fpropaganda_as_a_service)\n  - Eugene Bagdasaryan and Vitaly Shmatikov. *IEEE S&P*, 2022.\n\n- PICCOLO: Exposing Complex Backdoors in NLP Transformer Models.\n  [[pdf]](https:\u002F\u002Fwww.cs.purdue.edu\u002Fhomes\u002Ftaog\u002Fdocs\u002FSP22_Liu.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FPurduePAML\u002FPICCOLO)\n  - Yingqi Liu, Guangyu Shen, Guanhong Tao, Shengwei An, Shiqing Ma, and Xiangyu Zhang. *IEEE S&P*, 2022.\n\n- Triggerless Backdoor Attack for NLP Tasks with Clean Labels.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.07970.pdf)\n  - Leilei Gan, Jiwei Li, Tianwei Zhang, Xiaoya Li, Yuxian Meng, Fei Wu, Shangwei Guo, and Chun Fan. *NAACL*, 2022.\n\n- A Study of the Attention Abnormality in Trojaned BERTs.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.08305.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fweimin17\u002Fattention_abnormality_in_trojaned_berts)\n  - Weimin Lyu, Songzhu Zheng, Tengfei Ma, and Chao Chen. *NAACL*, 2022.\n\n\n- The Triggers that Open the NLP Model Backdoors Are Hidden in the Adversarial Samples.\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0167404822001250)\n  - Kun Shao, Yu Zhang, Junan Yang, Xiaoshuai Li, and Hui Liu. *Computers & Security*, 2022.\n\n- BDDR: An Effective Defense Against Textual Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0167404821002571)\n  - Kun Shao, Junan Yang, Yang Ai, Hui Liu, and Yu Zhang. 
*Computers & Security*, 2021.\n\n- BadPre: Task-agnostic Backdoor Attacks to Pre-trained NLP Foundation Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.02467.pdf)\n  - Kangjie Chen, Yuxian Meng, Xiaofei Sun, Shangwei Guo, Tianwei Zhang, Jiwei Li, and Chun Fan. *ICLR*, 2022.\n\n- Exploring the Universal Vulnerability of Prompt-based Learning Paradigm.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2204.05239.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fleix28\u002Fprompt-universal-vulnerability)\n  - Lei Xu, Yangyi Chen, Ganqu Cui, Hongcheng Gao, and Zhiyuan Liu. *NAACL-Findings*, 2022.\n\n- Backdoor Pre-trained Models Can Transfer to All.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.00197)\n  - Lujia Shen, Shouling Ji, Xuhong Zhang, Jinfeng Li, Jing Chen, Jie Shi, Chengfang Fang, Jianwei Yin, and Ting Wang. *CCS*, 2021.\n\n- BadNL: Backdoor Attacks against NLP Models with Semantic-preserving Improvements.\n  [[pdf]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fpdf\u002F10.1145\u002F3485832.3485837)\n  [[arXiv-20]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.01043.pdf)\n  - Xiaoyi Chen, Ahmed Salem, Dingfan Chen, Michael Backes, Shiqing Ma, Qingni Shen, Zhonghai Wu, and Yang Zhang. *ACSAC*, 2021.\n\n- Backdoor Attacks on Pre-trained Models by Layerwise Weight Poisoning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2108.13888.pdf)\n  - Linyang Li, Demin Song, Xiaonan Li, Jiehang Zeng, Ruotian Ma, and Xipeng Qiu. *EMNLP*, 2021.\n\n- T-Miner: A Generative Approach to Defend Against Trojan Attacks on DNN-based Text Classification.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.04264.pdf)\n  - Ahmadreza Azizi, Ibrahim Asadullah Tahmid, Asim Waheed, Neal Mangaokar, Jiameng Pu, Mobin Javed, Chandan K. Reddy, and Bimal Viswanath. 
*USENIX Security*, 2021.\n\n- RAP: Robustness-Aware Perturbations for Defending against Backdoor Attacks on NLP Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.07831.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Flancopku\u002FRAP)\n  - Wenkai Yang, Yankai Lin, Peng Li, Jie Zhou, and Xu Sun. *EMNLP*, 2021.\n\n- ONION: A Simple and Effective Defense Against Textual Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2011.10369.pdf)\n  - Fanchao Qi, Yangyi Chen, Mukai Li, Zhiyuan Liu, and Maosong Sun. *EMNLP*, 2021.\n\n- Mind the Style of Text! Adversarial and Backdoor Attacks Based on Text Style Transfer.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.07139.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FStyleAttack)\n  - Fanchao Qi, Yangyi Chen, Xurui Zhang, Mukai Li, Zhiyuan Liu, and Maosong Sun. *EMNLP*, 2021.\n\n- Rethinking Stealthiness of Backdoor Attack against NLP Models.\n  [[pdf]](https:\u002F\u002Faclanthology.org\u002F2021.acl-long.431.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Flancopku\u002FSOS)\n  - Wenkai Yang, Yankai Lin, Peng Li, Jie Zhou, and Xu Sun. *ACL*, 2021.\n\n- Turn the Combination Lock: Learnable Textual Backdoor Attacks via Word Substitution.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.06361.pdf)\n  - Fanchao Qi, Yuan Yao, Sophia Xu, Zhiyuan Liu, and Maosong Sun. *ACL*, 2021.\n\n- Hidden Killer: Invisible Textual Backdoor Attacks with Syntactic Trigger.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.12400.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FHiddenKiller)\n  - Fanchao Qi, Mukai Li, Yangyi Chen, Zhengyan Zhang, Zhiyuan Liu, Yasheng Wang, and Maosong Sun. *ACL*, 2021.\n\n- Mitigating Data Poisoning in Text Classification with Differential Privacy.\n  [[pdf]](https:\u002F\u002Faclanthology.org\u002F2021.findings-emnlp.369.pdf)\n  - Chang Xu, Jun Wang, Francisco Guzmán, Benjamin I. P. Rubinstein, and Trevor Cohn. 
*EMNLP-Findings*, 2021.\n\n- BFClass: A Backdoor-free Text Classification Framework.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.10855.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fdheeraj7596\u002FBFClass)\n  - Zichao Li, Dheeraj Mekala, Chengyu Dong, and Jingbo Shang. *EMNLP-Findings*, 2021.\n\n\n- Be Careful about Poisoned Word Embeddings: Exploring the Vulnerability of the Embedding Layers in NLP Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.15543.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Flancopku\u002FEmbedding-Poisoning)\n  - Wenkai Yang, Lei Li, Zhiyuan Zhang, Xuancheng Ren, Xu Sun, and Bin He. *NAACL-HLT*, 2021.\n\n- Neural Network Surgery: Injecting Data Patterns into Pre-trained Models with Minimal Instance-wise Side Effects.\n  [[pdf]](https:\u002F\u002Faclanthology.org\u002F2021.naacl-main.430.pdf) \n  - Zhiyuan Zhang, Xuancheng Ren, Qi Su, Xu Sun, and Bin He. *NAACL-HLT*, 2021.\n\n- Text Backdoor Detection Using An Interpretable RNN Abstract Model.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9508422)\n  - Ming Fan, Ziliang Si, Xiaofei Xie, Yang Liu, and Ting Liu. *IEEE Transactions on Information Forensics and Security*, 2021.\n\n- Textual Backdoor Attack for the Text Classification System.\n  [[pdf]](https:\u002F\u002Fwww.hindawi.com\u002Fjournals\u002Fscn\u002F2021\u002F2938386\u002F)\n  - Hyun Kwon and Sanghyun Lee. *Security and Communication Networks*, 2021.\n\n- Weight Poisoning Attacks on Pre-trained Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.06660.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fneulab\u002FRIPPLe)\n  - Keita Kurita, Paul Michel, and Graham Neubig. *ACL*, 2020.\n\n- Poison Attacks against Text Datasets with Conditional Adversarially Regularized Autoencoder.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.02684.pdf)\n  - Alvin Chan, Yi Tay, Yew-Soon Ong, and Aston Zhang. 
*EMNLP-Findings*, 2020.\n\n- A Backdoor Attack Against LSTM-based Text Classification Systems.\n  [[pdf]](https:\u002F\u002Fieeexplore.ieee.org\u002Fstamp\u002Fstamp.jsp?tp=&arnumber=8836465)\n  - Jiazhu Dai, Chuanshuai Chen, and Yufeng Li. *IEEE Access*, 2019.\n\n- PerD: Perturbation Sensitivity-based Neural Trojan Detection Framework on NLP Applications.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.04943.pdf)\n  - Diego Garcia-soto, Huili Chen, and Farinaz Koushanfar. arXiv, 2022.  \n\n- Kallima: A Clean-label Framework for Textual Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.01832.pdf)\n  - Xiaoyi Chen, Yinpeng Dong, Zeyu Sun, Shengfang Zhai, Qingni Shen, and Zhonghai Wu. arXiv, 2022.\n\n- Textual Backdoor Attacks with Iterative Trigger Injection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.12700.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FINK-USC\u002Fdata-poisoning)\n  - Jun Yan, Vansh Gupta, and Xiang Ren. arXiv, 2022.\n\n- WeDef: Weakly Supervised Backdoor Defense for Text Classification.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.11803.pdf)\n  - Lesheng Jin, Zihan Wang, and Jingbo Shang. arXiv, 2022.\n\n- Constrained Optimization with Dynamic Bound-scaling for Effective NLPBackdoor Defense.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.05749.pdf)\n  - Guangyu Shen, Yingqi Liu, Guanhong Tao, Qiuling Xu, Zhuo Zhang, Shengwei An, Shiqing Ma, and Xiangyu Zhang. arXiv, 2022.\n\n- Rethink Stealthy Backdoor Attacks in Natural Language Processing.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.02993.pdf)\n  - Lingfeng Shen, Haiyun Jiang, Lemao Liu, and Shuming Shi. arXiv, 2022.\n\n- Textual Backdoor Attacks Can Be More Harmful via Two Simple Tricks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.08247.pdf)\n  - Yangyi Chen, Fanchao Qi, Zhiyuan Liu, and Maosong Sun. 
arXiv, 2021.\n\n- Spinning Sequence-to-Sequence Models with Meta-Backdoors.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2107.10443.pdf)\n  - Eugene Bagdasaryan and Vitaly Shmatikov. arXiv, 2021.\n\n- Defending against Backdoor Attacks in Natural Language Generation.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.01810.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FShannonAI\u002Fbackdoor_nlg)\n  - Chun Fan, Xiaoya Li, Yuxian Meng, Xiaofei Sun, Xiang Ao, Fei Wu, Jiwei Li, and Tianwei Zhang. arXiv, 2021.\n\n- Hidden Backdoors in Human-Centric Language Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.00164.pdf)\n  - Shaofeng Li, Hui Liu, Tian Dong, Benjamin Zi Hao Zhao, Minhui Xue, Haojin Zhu, and Jialiang Lu. arXiv, 2021.\n\n- Detecting Universal Trigger’s Adversarial Attack with Honeypot.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fabs\u002F2011.10492)\n  - Thai Le, Noseong Park, Dongwon Lee. arXiv, 2020.  \n\n- Mitigating Backdoor Attacks in LSTM-based Text Classification Systems by Backdoor Keyword Identification.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.12070.pdf)\n  - Chuanshuai Chen, and Jiazhu Dai. arXiv, 2020.\n\n- Trojaning Language Models for Fun and Profit.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2008.00312.pdf)\n  - Xinyang Zhang, Zheng Zhang, and Ting Wang. arXiv, 2020.\n\n\n\n### Graph Neural Networks\n- Transferable Graph Backdoor Attack.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.00425.pdf)\n  - Shuiqiao Yang, Bao Gia Doan, Paul Montague, Olivier De Vel, Tamas Abraham, Seyit Camtepe, Damith C. Ranasinghe, and Salil S. Kanhere. *RAID*, 2022.\n\n- More is Better (Mostly): On the Backdoor Attacks in Federated Graph Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.03195.pdf)\n  - Jing Xu, Rui Wang, Kaitai Liang, and Stjepan Picek. 
*ACSAC*, 2022.\n\n- Graph Backdoor.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.11890.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHarrialX\u002FGraphBackdoor)\n  - Zhaohan Xi, Ren Pang, Shouling Ji, and Ting Wang. *USENIX Security*, 2021.\n  \n- Backdoor Attacks to Graph Neural Networks. \n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.11165.pdf)\n  - Zaixi Zhang, Jinyuan Jia, Binghui Wang, and Neil Zhenqiang Gong. *SACMAT*, 2021.  \n\n- Defending Against Backdoor Attack on Graph Nerual Network by Explainability.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2209.02902.pdf)\n  - Bingchen Jiang and Zhao Li. arXiv, 2022.\n\n- Link-Backdoor: Backdoor Attack on Link Prediction via Node Injection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.06776.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSeaocn\u002FLink-Backdoor)\n  - Haibin Zheng, Haiyang Xiong, Haonan Ma, Guohan Huang, and Jinyin Chen. arXiv, 2022.\n\n- Neighboring Backdoor Attacks on Graph Convolutional Network.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.06202.pdf)\n  - Liang Chen, Qibiao Peng, Jintang Li, Yang Liu, Jiawei Chen, Yong Li, and Zibin Zheng. arXiv, 2022.\n\n- Dyn-Backdoor: Backdoor Attack on Dynamic Link Prediction.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.03875.pdf)\n  - Jinyin Chen, Haiyang Xiong, Haibin Zheng, Jian Zhang, Guodong Jiang, and Yi Liu. arXiv, 2021.\n\n- Explainability-based Backdoor Attacks Against Graph Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.03674.pdf)\n  - Jing Xu, Minhui Xue, and Stjepan Picek. arXiv, 2021.\n\n\n### Point Cloud\n- A Backdoor Attack against 3D Point Cloud Classifiers. \n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.05808.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fzhenxianglance\u002FPCBA)\n  - Zhen Xiang, David J. Miller, Siheng Chen, Xi Li, and George Kesidis. 
*ICCV*, 2021.\n\n- PointBA: Towards Backdoor Attacks in 3D Point Cloud.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.16074.pdf)\n  - Xinke Li, Zhiru Chen, Yue Zhao, Zekun Tong, Yabang Zhao, Andrew Lim, and Joey Tianyi Zhou. *ICCV*, 2021.\n\n- Imperceptible and Robust Backdoor Attack in 3D Point Cloud.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.08052.pdf)\n  - Kuofeng Gao, Jiawang Bai, Baoyuan Wu, Mengxi Ya, and Shu-Tao Xia. arXiv, 2022.\n\n- Detecting Backdoor Attacks Against Point Cloud Classifiers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.10354.pdf)\n  - Zhen Xiang, David J. Miller, Siheng Chen, Xi Li, and George Kesidis. arXiv, 2021.\n\n- Poisoning MorphNet for Clean-Label Backdoor Attack to Point Clouds.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.04839.pdf)\n  - Guiyu Tian, Wenhao Jiang, Wei Liu, and Yadong Mu. arXiv, 2021.\n\n### Acoustics Signal Processing\n- Toward Stealthy Backdoor Attacks against Speech Recognition via Elements of Sound.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fabs\u002F2307.08208.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHanboCai\u002FBadSpeech_SoE)\n  - Hanbo Cai, Pengcheng Zhang, Hai Dong, Yan Xiao, Stefanos Koffas, Yiming Li. *IEEE Transactions on Information Forensics and Security*, 2024.\n\n- Breaking Speaker Recognition with Paddingback.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F10448169)\n  - Zhe Ye, Diqun Yan, Li Dong, Kailai Shen. *ICASSP*, 2024.\n\n- Inaudible Backdoor Attack via Stealthy Frequency Trigger Injection in Audio Spectrogram.\n  [[link]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fabs\u002F10.1145\u002F3636534.3649345)\n  - Tianfang Zhang, Huy Phan, Zijie Tang, Cong Shi, Yan Wang, Bo Yuan, Yingying Chen. 
*ACM MobiCom*, 2024.\n \n- SilentTrig: An imperceptible backdoor attack against speaker identification with hidden triggers.\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0167865523003495)\n  - Yu Tang, Lijuan Sun, Xiaolong Xu. *Pattern Recognition Letters*, 2024.\n\n- Devil in the Room: Triggering Audio Backdoors in the Physical World.\n  [[pdf]](https:\u002F\u002Fwww.usenix.org\u002Fsystem\u002Ffiles\u002Fsec23winter-prepub-166-chen.pdf)\n  - Meng Chen, Xiangyu Xu, Li Lu, Zhongjie Ba, Feng Lin, and Kui Ren. *USENIX*, 2023.\n\n- The Silent Manipulator: A Practical and Inaudible Backdoor Attack against Speech Recognition Systems.\n  [[link]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fabs\u002F10.1145\u002F3581783.3613843)\n  - Zhicong Zheng, Xinfeng Li, Chen Yan, Xiaoyu Ji, Wenyuan Xu. *ACM MM*, 2023.\n\n- Going in Style: Audio Backdoors Through Stylistic Transformations.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2211.03117)\n  - Stefanos Koffas, Luca Pajola, Stjepan Picek, and Mauro Conti. *ICASSP*, 2023.\n\n- VenoMave: Targeted Poisoning Against Speech Recognition.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.10682.pdf)\n  - Hojjat Aghakhani, Lea Schönherr, Thorsten Eisenhofer, Dorothea Kolossa, Thorsten Holz, Christopher Kruegel, Giovanni Vigna. *SaTML*, 2023.\n\n- Stealthy Backdoor Attack Against Speaker Recognition Using Phase-Injection Hidden Trigger.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F10175571)\n  - Zhe Ye, Diqun Yan, Li Dong, Jiacheng Deng, Shui Yu. *IEEE Signal Processing Letters*, 2023.\n\n- Fake the Real: Backdoor Attack on Deep Speech Classification via Voice Conversion.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fabs\u002F2306.15875)\n  - Zhe Ye, Terui Mao, Li Dong, Diqun Yan. 
arXiv, 2023.\n\n- Opportunistic Backdoor Attacks: Exploring Human-imperceptible Vulnerabilities on Speech Recognition Systems.\n  [[link]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fabs\u002F10.1145\u002F3503161.3548261)\n  [[code]](https:\u002F\u002Fgithub.com\u002Flqsunshine\u002FDABA)\n  - Qiang Liu, Tongqing Zhou, Zhiping Cai, Yonghao Tang. *ACM MM*, 2022.\n\n- Audio-domain position-independent backdoor attack via unnoticeable triggers.\n  [[pdf]](https:\u002F\u002Fweb.njit.edu\u002F~cs638\u002Fpaper\u002FAudio-domain%20Position-independent%20Backdoor%20Attack%20via%20Unnoticeable%20Triggers.pdf)\n  - Cong Shi, Tianfang Zhang, Zhuohang Li, Huy Phan, Tianming Zhao, Yan Wang, Jian Liu, Bo Yuan, Yingying Chen. *ACM MobiCom*, 2022.\n\n- Can You Hear It? Backdoor Attacks via Ultrasonic Triggers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2107.14569.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fskoffas\u002Fultrasonic_backdoor)\n  - Stefanos Koffas, Jing Xu, Mauro Conti, and Stjepan Picek. *WiseML*, 2022.\n\n- Natural Backdoor Attacks on Speech Recognition Models.\n  [[link]](https:\u002F\u002Flink.springer.com\u002Fchapter\u002F10.1007\u002F978-3-031-20096-0_45)\n  - Jinwen Xin, Xixiang Lyu, Jing Ma. *ML4CS*, 2022.\n\n- Adversarial Audio: A New Information Hiding Method and Backdoor for DNN-based Speech Recognition Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fabs\u002F1904.03829.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHanboCai\u002FBadSpeech_SoE)\n  - Yehao Kong, Jiliang Zhang. arXiv, 2022.\n\n- DriNet: Dynamic Backdoor Attack against Automatic Speech Recognization Models.\n  [[link]](https:\u002F\u002Fwww.mdpi.com\u002F2076-3417\u002F12\u002F12\u002F5786)\n  - Jianbin Ye, Xiaoyuan Liu, Zheng You, Guowei Li, and Bo Liu. 
*Applied Sciences*, 2022.\n\n- Backdoor Attack against Speaker Verification\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.11607.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fzhaitongqing233\u002FBackdoor-attack-against-speaker-verification)\n  - Tongqing Zhai, Yiming Li, Ziqi Zhang, Baoyuan Wu, Yong Jiang, and Shu-Tao Xia. *ICASSP*, 2021.\n\n- A Novel Trojan Attack against Co-learning Based ASR DNN System.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9437669)\n  - Mingxuan Li, Xiao Wang, Dongdong Huo, Han Wang, Chao Liu, Yazhe Wang, Yu Wang, Zhen Xu. *CSCWD*, 2021.\n    \n\n\n### Medical Science\n- FIBA: Frequency-Injection based Backdoor Attack in Medical Image Analysis.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2112.01148.pdf)\n  - Yu Feng, Benteng Ma, Jing Zhang, Shanshan Zhao, Yong Xia, and Dacheng Tao. *CVPR*, 2022.\n\n- Exploiting Missing Value Patterns for a Backdoor Attack on Machine Learning Models of Electronic Health Records: Development and Validation Study.\n  [[link]](https:\u002F\u002Fmedinform.jmir.org\u002F2022\u002F8\u002Fe38440\u002F)\n  - Byunggill Joe, Yonghyeon Park, Jihun Hamm, Insik Shin, and Jiyeon Lee. *JMIR Medical Informatics*, 2022.\n\n- Machine Learning with Electronic Health Records is vulnerable to Backdoor Trigger Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.07925.pdf)\n  - Byunggill Joe, Akshay Mehra, Insik Shin, and Jihun Hamm. *AAAI Workshop*, 2021.\n\n- Explainability Matters: Backdoor Attacks on Medical Imaging.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2101.00008.pdf)\n  - Munachiso Nwadike, Takumi Miyawaki, Esha Sarkar, Michail Maniatakos, and Farah Shamout. *AAAI Workshop*, 2021.\n\n- TRAPDOOR: Repurposing Backdoors to Detect Dataset Bias in Machine Learning-based Genomic Analysis.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2108.10132.pdf)\n  - Esha Sarkar and Michail Maniatakos. 
arXiv, 2021.\n\n### Vision Transformer\n- You Are Catching My Attention: Are Vision Transformers Bad Learners Under Backdoor Attacks?\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2023\u002Fpapers\u002FYuan_You_Are_Catching_My_Attention_Are_Vision_Transformers_Bad_Learners_CVPR_2023_paper.pdf)\n  - Zenghui Yuan, Pan Zhou, Kai Zou, and Yu Cheng. *CVPR*, 2023.\n\n- TrojViT: Trojan Insertion in Vision Transformers.\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2023\u002Fpapers\u002FZheng_TrojViT_Trojan_Insertion_in_Vision_Transformers_CVPR_2023_paper.pdf)\n  - Mengxin Zheng, Qian Lou, and Lei Jiang. *CVPR*, 2023.\n\n- Defending Backdoor Attacks on Vision Transformer via Patch Processing.\n  [[link]](https:\u002F\u002Fojs.aaai.org\u002Findex.php\u002FAAAI\u002Farticle\u002Fview\u002F25125)\n  - Khoa D. Doan, Yingjie Lao, Peng Yang, and Ping Li. *AAAI*, 2023.\n\n- Backdoor Attacks on Vision Transformers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.08477.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUCDvision\u002Fbackdoor_transformer.git)\n  - Akshayvarun Subramanya, Aniruddha Saha, Soroush Abbasi Koohpayegani, Ajinkya Tejankar, and Hamed Pirsiavash. arXiv, 2022.\n\n- TrojViT: Trojan Insertion in Vision Transformers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.13049.pdf)\n  - Mengxin Zheng, Qian Lou, and Lei Jiang. arXiv, 2022.\n\n- Attention Hijacking in Trojan Transformers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.04946.pdf)\n  - Weimin Lyu, Songzhu Zheng, Tengfei Ma, Haibin Ling, and Chao Chen. arXiv, 2022.\n\n- DBIA: Data-free Backdoor Injection Attack against Transformer Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.11870.pdf)\n  [[code]](https:\u002F\u002Fanonymous.4open.science\u002Fr\u002FDBIA-825D)\n  - Peizhuo Lv, Hualong Ma, Jiachen Zhou, Ruigang Liang, Kai Chen, Shengzhi Zhang, and Yunfei Yang. 
arXiv, 2021.\n  \n\n### Diffusion Model\n- How to Backdoor Diffusion Models?\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2023\u002Fpapers\u002FChou_How_to_Backdoor_Diffusion_Models_CVPR_2023_paper.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FIBM\u002FBadDiffusion)\n  - Sheng-Yen Chou, Pin-Yu Chen, and Tsung-Yi Ho. *CVPR*, 2023.\n\n- TrojDiff: Trojan Attacks on Diffusion Models With Diverse Targets.\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2023\u002Fpapers\u002FChen_TrojDiff_Trojan_Attacks_on_Diffusion_Models_With_Diverse_Targets_CVPR_2023_paper.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fchenweixin107\u002FTrojDiff)\n  - Weixin Chen, Dawn Song, and Bo Li. *CVPR*, 2023.\n\n### Cybersecurity\n- VulnerGAN: A Backdoor Attack through Vulnerability Amplification against Machine Learning-based Network Intrusion Detection Systems.\n  [[link]](http:\u002F\u002Fscis.scichina.com\u002Fen\u002F2022\u002F170303.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fliuguangrui-hit\u002FVulnerGAN-py)\n  - Guangrui Liu, Weizhe Zhang, Xinjie Li, Kaisheng Fan, and Shui Yu. *Information Sciences*, 2022.\n\n- Explanation-Guided Backdoor Poisoning Attacks Against Malware Classifiers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2003.01031.pdf)\n  - Giorgio Severi, Jim Meyer, Scott Coull, and Alina Oprea. *USENIX Security*, 2021.\n\n- Backdoor Attack on Machine Learning Based Android Malware Detectors.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9477038\u002F)\n  - Chaoran Li, Xiao Chen, Derui Wang, Sheng Wen, Muhammad Ejaz Ahmed, Seyit Camtepe, and Yang Xiang. 
*IEEE Transactions on Dependable and Secure Computing*, 2021.\n\n- Jigsaw Puzzle: Selective Backdoor Attack to Subvert Malware Classifiers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.05470.pdf)\n  - Limin Yang, Zhi Chen, Jacopo Cortellazzi, Feargus Pendlebury, Kevin Tu, Fabio Pierazzi, Lorenzo Cavallaro, and Gang Wang. arXiv, 2022.\n\n### Detection and Tracking\n- Clean-image Backdoor: Attacking Multi-label Models with Poisoned Labels Only.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=rFQfjDC9Mt)\n  [[code]](https:\u002F\u002Fgithub.com\u002FRU-System-Software-and-Security\u002FUNICORN)\n  - Kangjie Chen, Xiaoxuan Lou, Guowen Xu, Jiwei Li, and Tianwei Zhang. *ICLR*, 2023.\n\n- Untargeted Backdoor Attack against Object Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2211.05638)\n  [[code]](https:\u002F\u002Fgithub.com\u002FChengxiao-Luo\u002FUntargeted-Backdoor-Attack-against-Object-Detection)\n  - Chengxiao Luo, Yiming Li, Yong Jiang, and Shu-Tao Xia. *ICASSP*, 2023.\n\n- Few-Shot Backdoor Attacks on Visual Object Tracking.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=qSV5CuSaK_a)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHXZhong1997\u002FFSBA)\n  - Yiming Li, Haoxiang Zhong, Xingjun Ma, Yong Jiang, and Shu-Tao Xia. *ICLR*, 2022.\n\n- BadDet: Backdoor attacks on object detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.14497.pdf)\n  - Shih-Han Chan, Yinpeng Dong, Jun Zhu, Xiaolu Zhang, and Jun Zhou. *ECCV Workshop*, 2022.\n\n- Attacking by Aligning: Clean-Label Backdoor Attacks on Object Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2307.10487.pdf)\n  - Yize Cheng, Wenbin Hu, Minhao Cheng. arXiv, 2023.\n \n- Mask-based Invisible Backdoor Attacks on Object Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2405.09550)\n  - Jeongjin Shin. 
arXiv, 2024.\n\n- TAT: Targeted Backdoor Attacks against Visual Object Tracking.\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0031320323003308)\n  [[code]](https:\u002F\u002Fgithub.com\u002FMisakaZipi\u002FTAT)\n  - Ziyi Cheng, Baoyuan Wu, Zhenya Zhang, and Jianjun Zhao. *Pattern Recognition*, 2023.\n\n\n### Others\n- The Dark Side of AutoML: Towards Architectural Backdoor Search.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=bsZULlDGXe)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fain-soph\u002Fnas_backdoor)\n  - Ren Pang, Changjiang Li, Zhaohan Xi, Shouling Ji, and Ting Wang. *ICLR*, 2023.\n\n- Backdoor Attacks Against Deep Image Compression via Adaptive Frequency Trigger.\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2023\u002Fpapers\u002FTan_Backdoor_Attacks_Against_Deep_Image_Compression_via_Adaptive_Frequency_Trigger_CVPR_2023_paper.pdf)\n  - Yi Yu, Yufei Wang, Wenhan Yang, Shijian Lu, Yap-Peng Tan, and Alex C. Kot. *CVPR*, 2023.\n\n- The Dark Side of Dynamic Routing Neural Networks: Towards Efficiency Backdoor Injection.\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2023\u002Fpapers\u002FChen_The_Dark_Side_of_Dynamic_Routing_Neural_Networks_Towards_Efficiency_CVPR_2023_paper.pdf)\n  - Simin Chen, Hanlin Chen, Mirazul Haque, Cong Liu, and Wei Yang. *CVPR*, 2023.\n\n- Backdoor Attacks on Crowd Counting.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.05641.pdf)\n  - Yuhua Sun, Tailai Zhang, Xingjun Ma, Pan Zhou, Jian Lou, Zichuan Xu, Xing Di, Yu Cheng, and Lichao Sun. *ACM MM*, 2022.\n\n- Backdoor Attacks on the DNN Interpretation System.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2011.10698.pdf)\n  - Shihong Fang and Anna Choromanska. 
*AAAI*, 2022.\n\n- The Devil is in the GAN: Defending Deep Generative Models Against Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2108.01644.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FIBM\u002Fdevil-in-GAN)\n  [[demo]](https:\u002F\u002Fgithub.com\u002FTrusted-AI\u002Fadversarial-robustness-toolbox\u002Fblob\u002Fmain\u002Fnotebooks\u002Fbackdoor_attack_DGM.ipynb)\n  - Ambrish Rawat, Killian Levacher, and Mathieu Sinn. *ESORICS*, 2022.\n\n- Object-Oriented Backdoor Attack Against Image Captioning.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9746440)\n  - Meiling Li, Nan Zhong, Xinpeng Zhang, Zhenxing Qian, and Sheng Li. *ICASSP*, 2022.\n\n- When Does Backdoor Attack Succeed in Image Reconstruction? A Study of Heuristics vs. Bi-Level Solution.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9746433)\n  - Vardaan Taneja, Pin-Yu Chen, Yuguang Yao, and Sijia Liu. *ICASSP*, 2022.\n\n- An Interpretive Perspective: Adversarial Trojaning Attack on Neural-Architecture-Search Enabled Edge AI Systems.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9780600)\n  - Ship Peng Xu, Ke Wang, Md. Rafiul Hassan, Mohammad Mehedi Hassan, and Chien-Ming Chen. *IEEE Transactions on Industrial Informatics*, 2022.\n\n- A Triggerless Backdoor Attack and Defense Mechanism for Intelligent Task Offloading in Multi-UAV Systems.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9770193)\n  - Shafkat Islam, Shahriar Badsha, Ibrahim Khalil, Mohammed Atiquzzaman, and Charalambos Konstantinou. *IEEE Internet of Things Journal*, 2022.\n\n- Multi-Target Invisibly Trojaned Networks for Visual Recognition and Detection.\n  [[pdf]](https:\u002F\u002Fwww.ijcai.org\u002Fproceedings\u002F2021\u002F0477.pdf)\n  - Xinzhe Zhou, Wenhao Jiang, Sheng Qi, and Yadong Mu. 
*IJCAI*, 2021.\n\n- Hidden Backdoor Attack against Semantic Segmentation Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.04038.pdf)\n  - Yiming Li, Yanjie Li, Yalei Lv, Yong Jiang, and Shu-Tao Xia. *ICLR Workshop*, 2021.\n\n- Adversarial Targeted Forgetting in Regularization and Generative Based Continual Learning Models.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9533400)\n  - Muhammad Umer and Robi Polikar. *IJCNN*, 2021.\n\n- Targeted Forgetting and False Memory Formation in Continual Learners through Adversarial Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.07111.pdf)\n  - Muhammad Umer, Glenn Dawson, Robi Polikar. *IJCNN*, 2020.\n\n- Trojan Attacks on Wireless Signal Classification with Adversarial Machine Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1910.10766.pdf)\n  - Kemal Davaslioglu, and Yalin E. Sagduyu. *DySPAN*, 2019.\n\n- BadHash: Invisible Backdoor Attacks against Deep Hashing with Clean Label.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.00278.pdf)\n  - Shengshan Hu, Ziqi Zhou, Yechao Zhang, Leo Yu Zhang, Yifeng Zheng, Yuanyuan HE, and Hai Jin. arXiv, 2022.\n\n- A Temporal Chrominance Trigger for Clean-label Backdoor Attack against Anti-spoof Rebroadcast Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.01102.pdf)\n  - Wei Guo, Benedetta Tondi, and Mauro Barni. arXiv, 2022.\n\n- MACAB: Model-Agnostic Clean-Annotation Backdoor to Object Detection with Natural Trigger in Real-World.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2209.02339.pdf)\n  - Hua Ma, Yinshan Li, Yansong Gao, Zhi Zhang, Alsharif Abuadbba, Anmin Fu, Said F. Al-Sarawi, Nepal Surya, and Derek Abbott. arXiv, 2022.\n\n- BadDet: Backdoor Attacks on Object Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.14497.pdf)\n  - Shih-Han Chan, Yinpeng Dong, Jun Zhu, Xiaolu Zhang, and Jun Zhou. 
arXiv, 2022.\n\n- Backdoor Attacks on Bayesian Neural Networks using Reverse Distribution.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.09167.pdf)\n  - Zhixin Pan and Prabhat Mishra. arXiv, 2022.\n\n- Backdooring Explainable Machine Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2204.09498.pdf)\n  - Maximilian Noppel, Lukas Peter, and Christian Wressnegger. arXiv, 2022.\n\n- Clean-Annotation Backdoor Attack against Lane Detection Systems in the Wild.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2203.00858.pdf)\n  - Xingshuo Han, Guowen Xu, Yuan Zhou, Xuehuan Yang, Jiwei Li, and Tianwei Zhang. arXiv, 2022.\n\n- Dangerous Cloaking: Natural Trigger based Backdoor Attacks on Object Detectors in the Physical World.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.08619)\n  - Hua Ma, Yinshan Li, Yansong Gao, Alsharif Abuadbba, Zhi Zhang, Anmin Fu, Hyoungshick Kim, Said F. Al-Sarawi, Nepal Surya, and Derek Abbott. arXiv, 2022.\n\n- Targeted Trojan-Horse Attacks on Language-based Image Retrieval.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.03861.pdf)\n  - Fan Hu, Aozhu Chen, and Xirong Li. arXiv, 2022.\n\n- Is Multi-Modal Necessarily Better? Robustness Evaluation of Multi-modal Fake News Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.08788.pdf)\n  - Jinyin Chen, Chengyu Jia, Haibin Zheng, Ruoxi Chen, and Chenbo Fu. arXiv, 2022.\n\n- Dual-Key Multimodal Backdoors for Visual Question Answering.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2112.07668.pdf)\n  - Matthew Walmer, Karan Sikka, Indranil Sur, Abhinav Shrivastava, and Susmit Jha. arXiv, 2021.\n\n- Clean-label Backdoor Attack against Deep Hashing based Retrieval.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.08868.pdf)\n  - Kuofeng Gao, Jiawang Bai, Bin Chen, Dongxian Wu, and Shu-Tao Xia. 
arXiv, 2021.\n\n- Backdoor Attacks on Network Certification via Data Poisoning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2108.11299.pdf)\n  - Tobias Lorenz, Marta Kwiatkowska, and Mario Fritz. arXiv, 2021.\n\n- Backdoor Attack and Defense for Deep Regression.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.02381.pdf)\n  - Xi Li, George Kesidis, David J. Miller, and Vladimir Lucic. arXiv, 2021.\n\n- The Devil is in the GAN: Defending Deep Generative Models Against Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2108.01644.pdf)\n  - Ambrish Rawat, Killian Levacher, and Mathieu Sinn. arXiv, 2021.\n\n- BAAAN: Backdoor Attacks Against Autoencoder and GAN-Based Machine Learning Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.03007.pdf)\n  - Ahmed Salem, Yannick Sautter, Michael Backes, Mathias Humbert, and Yang Zhang. arXiv, 2020.\n\n- DeepObliviate: A Powerful Charm for Erasing Data Residual Memory in Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.06209.pdf)\n  - Yingzhe He, Guozhu Meng, Kai Chen, Jinwen He, and Xingbo Hu. arXiv, 2021.\n\n- Backdoors in Neural Models of Source Code.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.06841)\n  - Goutham Ramakrishnan, and Aws Albarghouthi. arXiv, 2020.\n\n- EEG-Based Brain-Computer Interfaces Are Vulnerable to Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2011.00101.pdf)\n  - Lubin Meng, Jian Huang, Zhigang Zeng, Xue Jiang, Shan Yu, Tzyy-Ping Jung, Chin-Teng Lin, Ricardo Chavarriaga, and Dongrui Wu. arXiv, 2020.\n\n- Bias Busters: Robustifying DL-based Lithographic Hotspot Detectors Against Backdooring Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.12492.pdf)\n  - Kang Liu, Benjamin Tan, Gaurav Rajavendra Reddy, Siddharth Garg, Yiorgos Makris, and Ramesh Karri. 
arXiv, 2020.\n\n\n## Evaluation and Discussion\n- Distilling Cognitive Backdoor Patterns within an Image.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=S3D9NLzjnQ5)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHanxunH\u002FCognitiveDistillation)\n  - Hanxun Huang, Xingjun Ma, Sarah Monazam Erfani, and James Bailey. *ICLR*, 2023.\n\n- Finding Naturally Occurring Physical Backdoors in Image Datasets.\n  [[pdf]](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper_files\u002Fpaper\u002F2022\u002Ffile\u002F8af749935131cc8ea5dae4f6d8cdb304-Paper-Datasets_and_Benchmarks.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fuchicago-sandlab\u002Fnaturalbackdoors)\n  - Emily Wenger, Roma Bhattacharjee, Arjun Nitin Bhagoji, Josephine Passananti, Emilio Andere, Heather Zheng, and Ben Zhao. *NeurIPS*, 2022. \n\n- BackdoorBox: A Python Toolbox for Backdoor Learning.\n  [[pdf]](https:\u002F\u002Fwww.researchgate.net\u002Fpublication\u002F359439455_BackdoorBox_A_Python_Toolbox_for_Backdoor_Learning)\n  [[code]](https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002FBackdoorBox)\n  - Yiming Li, Mengxi Ya, Yang Bai, Yong Jiang, Shu-Tao Xia. *ICLR Workshop*, 2023.\n\n- TROJANZOO: Everything You Ever Wanted to Know about Neural Backdoors (But were Afraid to Ask).\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.09302.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fain-soph\u002Ftrojanzoo)\n  - Ren Pang, Zheng Zhang, Xiangshan Gao, Zhaohan Xi, Shouling Ji, Peng Cheng, and Ting Wang. *EuroS&P*, 2022.\n\n- A Unified Evaluation of Textual Backdoor Learning: Frameworks and Benchmarks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.08514.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FOpenBackdoor)\n  - Ganqu Cui, Lifan Yuan, Bingxiang He, Yangyi Chen, Zhiyuan Liu, and Maosong Sun. *NeurIPS*, 2022.  
\n\n- BackdoorBench: A Comprehensive Benchmark of Backdoor Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.12654.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSCLBD\u002Fbackdoorbench)\n  [[website]](https:\u002F\u002Fbackdoorbench.github.io\u002F)\n  - Baoyuan Wu, Hongrui Chen, Mingda Zhang, Zihao Zhu, Shaokui Wei, Danni Yuan, Chao Shen, and Hongyuan Zha. *NeurIPS*, 2022.  \n\n- Backdoor Defense via Decoupling the Training Process.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=TySnJ-0RdKI)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSCLBD\u002FDBD)\n  - Kunzhe Huang, Yiming Li, Baoyuan Wu, Zhan Qin, and Kui Ren. *ICLR*, 2022.\n\n- How to Inject Backdoors with Better Consistency: Logit Anchoring on Clean Data.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=Bn09TnDngN)\n  - Zhiyuan Zhang, Lingjuan Lyu, Weiqiang Wang, Lichao Sun, and Xu Sun. *ICLR*, 2022.\n\n- Defending against Model Stealing via Verifying Embedded External Features.\n  [[pdf]](https:\u002F\u002Fwww.researchgate.net\u002Fpublication\u002F356717751_Defending_against_Model_Stealing_via_Verifying_Embedded_External_Features)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fzlh-thu\u002FStealingVerification) \n  - Yiming Li, Linghui Zhu, Xiaojun Jia, Yong Jiang, Shu-Tao Xia, and Xiaochun Cao. *AAAI*, 2022. (Discuss the limitations of using backdoor attacks for model watermarking)\n\n- Susceptibility & Defense of Satellite Image-trained Convolutional Networks to Backdoor Attacks.\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0020025522004248)\n  - Ethan Brewer, Jason Lin, and Dan Runfola. *Information Sciences*, 2021.\n\n- Data-Efficient Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2204.12281.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fxpf\u002FData-Efficient-Backdoor-Attacks)\n  - Pengfei Xia, Ziqiang Li, Wei Zhang, and Bin Li. 
*IJCAI*, 2022.\n\n- Excess Capacity and Backdoor Poisoning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.00685.pdf)\n  - Naren Sarayu Manoj and Avrim Blum. *NeurIPS*, 2021.\n\n- Just How Toxic is Data Poisoning? A Unified Benchmark for Backdoor and Data Poisoning Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.12557.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Faks2203\u002Fpoisoning-benchmark)\n  - Avi Schwarzschild, Micah Goldblum, Arjun Gupta, John P Dickerson, and Tom Goldstein. *ICML*, 2021.\n\n- Rethinking the Backdoor Attacks' Triggers: A Frequency Perspective.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.03413.pdf)\n  - Yi Zeng, Won Park, Z. Morley Mao, and Ruoxi Jia. *ICCV*, 2021.\n\n- Backdoor Attacks Against Deep Learning Systems in the Physical World.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.14580.pdf)\n  [[Master Thesis]](https:\u002F\u002Fnewtraell.cs.uchicago.edu\u002Ffiles\u002Fms_paper\u002Fewillson.pdf)\n  - Emily Wenger, Josephine Passananti, Yuanshun Yao, Haitao Zheng, and Ben Y. Zhao. *CVPR*, 2021.\n\n- Can Optical Trojans Assist Adversarial Perturbations?\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FICCV2021W\u002FAROW\u002Fpapers\u002FBoloor_Can_Optical_Trojans_Assist_Adversarial_Perturbations_ICCVW_2021_paper.pdf)\n  - Adith Boloor, Tong Wu, Patrick Naughton, Ayan Chakrabarti, Xuan Zhang, and Yevgeniy Vorobeychik. *ICCV Workshop*, 2021.\n\n- On the Trade-off between Adversarial and Backdoor Robustness.\n  [[pdf]](https:\u002F\u002Fpapers.nips.cc\u002Fpaper\u002F2020\u002Ffile\u002F8b4066554730ddfaa0266346bdc1b202-Paper.pdf)\n  - Cheng-Hsin Weng, Yan-Ting Lee, and Shan-Hung Wu. 
*NeurIPS*, 2020.\n\n- A Tale of Evil Twins: Adversarial Inputs versus Poisoned Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1911.01559.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Falps-lab\u002Fimc)\n  - Ren Pang, Hua Shen, Xinyang Zhang, Shouling Ji, Yevgeniy Vorobeychik, Xiapu Luo, Alex Liu, and Ting Wang. *CCS*, 2020.\n\n- Systematic Evaluation of Backdoor Data Poisoning Attacks on Image Classifiers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.11514.pdf)\n  - Loc Truong, Chace Jones, Brian Hutchinson, Andrew August, Brenda Praggastis, Robert Jasper, Nicole Nichols, and Aaron Tuor. *CVPR Workshop*, 2020.\n\n- On Evaluating Neural Network Backdoor Defenses.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.12186.pdf)\n  - Akshaj Veldanda, and Siddharth Garg. *NeurIPS Workshop*, 2020.\n\n- Attention Hijacking in Trojan Transformers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.04946.pdf)\n  - Weimin Lyu, Songzhu Zheng, Tengfei Ma, Haibin Ling, and Chao Chen. arXiv, 2022.\n\n- Game of Trojans: A Submodular Byzantine Approach.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.05937.pdf)\n  - Dinuka Sahabandu, Arezoo Rajabi, Luyao Niu, Bo Li, Bhaskar Ramasubramanian, and Radha Poovendran. arXiv, 2022.  \n\n- Auditing Visualizations: Transparency Methods Struggle to Detect Anomalous Behavior.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.13498.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fjs-d\u002Fauditing-vis)\n  - Jean-Stanislas Denain and Jacob Steinhardt. arXiv, 2022.   \n\n- A Unified Evaluation of Textual Backdoor Learning: Frameworks and Benchmarks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.08514.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FOpenBackdoor)\n  - Ganqu Cui, Lifan Yuan, Bingxiang He, Yangyi Chen, Zhiyuan Liu, and Maosong Sun. arXiv, 2022.  
\n\n- Can Backdoor Attacks Survive Time-Varying Models?\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.04677.pdf)\n  - Huiying Li, Arjun Nitin Bhagoji, Ben Y. Zhao, and Haitao Zheng. arXiv, 2022. \n\n- Dynamic Backdoor Attacks with Global Average Pooling\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2203.02079.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fskoffas\u002Fgap)\n  - Stefanos Koffas, Stjepan Picek, and Mauro Conti. arXiv, 2022. \n\n- Planting Undetectable Backdoors in Machine Learning Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2204.06974.pdf)\n  - Shafi Goldwasser, Michael P. Kim, Vinod Vaikuntanathan, and Or Zamir. arXiv, 2022.\n\n- Towards A Critical Evaluation of Robustness for Deep Learning Backdoor Countermeasures.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2204.06273.pdf)\n  - Huming Qiu, Hua Ma, Zhi Zhang, Alsharif Abuadbba, Wei Kang, Anmin Fu, and Yansong Gao. arXiv, 2022.\n\n- Neural Network Trojans Analysis and Mitigation from the Input Domain.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.06382.pdf)\n  - Zhenting Wang, Hailun Ding, Juan Zhai, and Shiqing Ma. arXiv, 2022.\n\n- Widen The Backdoor To Let More Attackers In.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.04571.pdf)\n  - Siddhartha Datta, Giulio Lovisotto, Ivan Martinovic, and Nigel Shadbolt. arXiv, 2021.\n\n- Backdoor Learning Curves: Explaining Backdoor Poisoning Beyond Influence Functions.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.07214.pdf)\n  - Antonio Emanuele Cinà, Kathrin Grosse, Sebastiano Vascon, Ambra Demontis, Battista Biggio, Fabio Roli, and Marcello Pelillo. arXiv, 2021.\n\n- Rethinking the Trigger of Backdoor Attack.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.04692.pdf)\n  - Yiming Li, Tongqing Zhai, Baoyuan Wu, Yong Jiang, Zhifeng Li, and Shutao Xia. arXiv, 2020.      
\n\n- Poisoned Classifiers are Not Only Backdoored, They are Fundamentally Broken.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.09080.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Flocuslab\u002Fbreaking-poisoned-classifier)\n  - Mingjie Sun, Siddhant Agarwal, and J. Zico Kolter. *ICLR Workshop*, 2021.\n\n- Effect of Backdoor Attacks over the Complexity of the Latent Space Distribution.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.01931.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fhenrychacon\u002FBackdoor_attacks\u002Ftree\u002Fmain\u002FD-Vine_copula_auto_encoder)\n  - Henry D. Chacon, and Paul Rad. arXiv, 2020.\n\n- Trembling Triggers: Exploring the Sensitivity of Backdoors in DNN-based Face Recognition.\n  [[pdf]](https:\u002F\u002Flink.springer.com\u002Farticle\u002F10.1186\u002Fs13635-020-00104-z)\n  - Cecilia Pasquini, and Rainer Böhme. *EURASIP Journal on Information Security*, 2020. \n\n- Noise-response Analysis for Rapid Detection of Backdoors in Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2008.00123.pdf)\n  - N. Benjamin Erichson, Dane Taylor, Qixuan Wu, and Michael W. Mahoney. arXiv, 2020.\n\n## Backdoor Attack for Positive Purposes\n- Untargeted Backdoor Watermark: Towards Harmless and Stealthy Dataset Copyright Protection.\n  [[pdf]](https:\u002F\u002Fwww.researchgate.net\u002Fpublication\u002F363766436_Untargeted_Backdoor_Watermark_Towards_Harmless_and_Stealthy_Dataset_Copyright_Protection)\n  [[code]](https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002FUntargeted_Backdoor_Watermark)\n  - Yiming Li, Yang Bai, Yong Jiang, Yong Yang, Shu-Tao Xia, and Bo Li. *NeurIPS*, 2022.\n\n- Membership Inference via Backdooring.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.04823.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHongshengHu\u002Fmembership-inference-via-backdooring)\n  - Hongsheng Hu, Zoran Salcic, Gillian Dobbie, Jinjun Chen, Lichao Sun, and Xuyun Zhang. *IJCAI*, 2022. 
\n\n- Neural Network Surgery: Injecting Data Patterns into Pre-trained Models with Minimal Instance-wise Side Effects.\n  [[pdf]](https:\u002F\u002Faclanthology.org\u002F2021.naacl-main.430.pdf) \n  - Zhiyuan Zhang, Xuancheng Ren, Qi Su, Xu Sun and Bin He. *NAACL-HLT*, 2021.\n\n- One Step Further: Evaluating Interpreters using Metamorphic Testing.\n  [[pdf]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fpdf\u002F10.1145\u002F3533767.3534225)\n  - Ming Fan, Jiali Wei, Wuxia Jin, Zhou Xu, Wenying Wei, and Ting Liu. *ISSTA*, 2022.\n\n- What Do You See? Evaluation of Explainable Artificial Intelligence (XAI) Interpretability through Neural Backdoors.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2009.10639.pdf)\n  - Yi-Shan Lin, Wen-Chuan Lee, and Z. Berkay Celik. *KDD*, 2021.\n\n- Using Honeypots to Catch Adversarial Attacks on Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1904.08554.pdf)\n  - Shawn Shan, Emily Wenger, Bolun Wang, Bo Li, Haitao Zheng, Ben Y. Zhao. *CCS*, 2020. (**Note:** Unfortunately, this defense has since been bypassed by Nicholas Carlini. [[arXiv]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2009.10975.pdf))\n  \n- Turning Your Weakness into a Strength: Watermarking Deep Neural Networks by Backdooring.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1802.04633.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fadiyoss\u002FWatermarkNN)\n  - Yossi Adi, Carsten Baum, Moustapha Cisse, Benny Pinkas, and Joseph Keshet. *USENIX Security*, 2018. \n\n- Open-sourced Dataset Protection via Backdoor Watermarking.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.05821.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002FOpen-sourced_Dataset_Protection)\n  - Yiming Li, Ziqi Zhang, Jiawang Bai, Baoyuan Wu, Yong Jiang, and Shu-Tao Xia. 
*NeurIPS Workshop*, 2020.\n\n- Protecting Deep Cerebrospinal Fluid Cell Image Processing Models with Backdoor and Semi-Distillation.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9647115)\n  - FangQi Li, Shilin Wang, and Zhenhai Wang. *DICTA*, 2021.\n\n- Debiasing Backdoor Attack: A Benign Application of Backdoor Attack in Eliminating Data Bias.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.10582.pdf)\n  - Shangxi Wu, Qiuyang He, Yi Zhang, and Jitao Sang. arXiv, 2022.\n\n- Watermarking Graph Neural Networks based on Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.11024.pdf)\n  - Jing Xu and Stjepan Picek. arXiv, 2021.\n\n- CoProtector: Protect Open-Source Code against Unauthorized Training Usage with Data Poisoning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.12925.pdf)\n  - Zhensu Sun, Xiaoning Du, Fu Song, Mingze Ni, and Li Li. arXiv, 2021.\n\n- What Do Deep Nets Learn? Class-wise Patterns Revealed in the Input Space.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2101.06898.pdf)\n  - Shihao Zhao, Xingjun Ma, Yisen Wang, James Bailey, Bo Li, and Yu-Gang Jiang. arXiv, 2021.\n\n- A Stealthy and Robust Fingerprinting Scheme for Generative Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.11760.pdf)\n  - Guanlin Li, Shangwei Guo, Run Wang, Guowen Xu, and Tianwei Zhang. arXiv, 2021.\n\n- Towards Probabilistic Verification of Machine Unlearning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2003.04247.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Finspire-group\u002Funlearning-verification)\n  - David Marco Sommer, Liwei Song, Sameer Wagh, and Prateek Mittal. arXiv, 2020. 
\n\n\n## Competition\n- [Trojan Detection Challenge](https:\u002F\u002Ftrojandetection.ai\u002F)\n- [IARPA TrojAI Competition](https:\u002F\u002Fpages.nist.gov\u002Ftrojai\u002Fdocs\u002Fabout.html)\n","# 后门学习资源\n\n本 GitHub 仓库汇总了一系列**后门学习（Backdoor Learning）**相关资源。更多详情及分类标准，请参阅我们的[综述论文](https:\u002F\u002Fwww.researchgate.net\u002Fpublication\u002F343006441_Backdoor_Learning_A_Survey)。\n\n我们将尽力以月度频率持续维护本 GitHub 仓库。\n\n#### 为什么选择后门学习？\n后门学习是一个新兴的研究领域，探讨机器学习算法训练过程中的安全问题。对于现实中安全采用第三方训练资源或模型至关重要。\n\n注：\"Backdoor\"（后门）也常被称为 \"Neural Trojan\"（神经木马）或 \"Trojan\"（木马）。\n\n## 动态\n* 2023\u002F7\u002F24：新增十篇 ICLR'23 论文。该会议的所有论文应已全部收录。\n* 2023\u002F7\u002F23：新增七篇 NeurIPS'22 论文和四篇 AAAI'23 论文。这些会议的所有论文应已全部收录。\n* 2023\u002F01\u002F25：因个人原因（如身体不适和博士论文撰写），近期暂停了相关论文阅读和本仓库的更新，深表歉意。将于 2023 年 6 月后恢复更新。\n* 2022\u002F12\u002F05：略微调整仓库格式，将会议论文置于期刊论文之前。具体而言，同一年份内请将会议论文放在期刊论文之前，因为期刊通常投稿时间较早，存在一定滞后性。\n* 2022\u002F12\u002F05：新增三篇 ECCV'22 论文。该会议的所有论文应已全部收录。\n\n## 引用\n如果本仓库或综述论文对您的研究有所帮助，请按以下格式引用我们的论文：\n```\n@article{li2022backdoor,\n  title={Backdoor learning: A survey},\n  author={Li, Yiming and Jiang, Yong and Li, Zhifeng and Xia, Shu-Tao},\n  journal={IEEE Transactions on Neural Networks and Learning Systems},\n  year={2022}\n}\n```\n\n## 贡献\n\u003Cp align=\"center\">\n  \u003Cimg src=\"https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002FTHUYimingLi_backdoor-learning-resources_readme_7a9f4b7eebd0.jpg\" alt=\"We Need You!\">\n\u003C\u002Fp>\n\n欢迎通过[邮件](http:\u002F\u002Fliyiming.tech)联系本人或提交 [Pull Request](https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002Fawesome-backdoor-learning\u002Fpulls) 来贡献本列表。\n\nMarkdown 格式：\n```markdown\n- 论文名称。\n  [[pdf]](链接) \n  [[code]](链接)\n  - 作者 1, 作者 2, **and** 作者 3. 
*会议\u002F期刊*, 年份。\n```\n**注意**：同一年份内，请将会议论文置于期刊论文之前，因为期刊通常投稿时间较早，存在一定滞后性。（即：会议论文-->期刊论文-->预印本）\n\n## 目录\n- [综述](#survey)\n- [工具箱](#toolbox)\n- [学位论文](#dissertation-and-thesis)\n- [图像与视频分类](#image-and-video-classification) \n  - [基于投毒的攻击](#poisoning-based-attack)\n  - [非投毒攻击](#non-poisoning-based-attack)\n    - [权重导向攻击](#weights-oriented-attack)\n    - [结构修改攻击](#structure-modified-attack)\n    - [其他攻击](#other-attacks)\n  - [后门防御](#backdoor-defense)\n    - [基于预处理的实证防御](#preprocessing-based-empirical-defense)\n    - [基于模型重建的实证防御](#model-reconstruction-based-empirical-defense)\n    - [基于触发器合成的实证防御](#trigger-synthesis-based-empirical-defense)\n    - [基于模型诊断的实证防御](#model-diagnosis-based-empirical-defense)\n    - [基于毒化抑制的实证防御](#poison-suppression-based-empirical-defense)\n    - [基于样本过滤的实证防御](#sample-filtering-based-empirical-defense)\n    - [认证防御](#certificated-defense)\n- [面向其他范式与任务的攻击与防御](#attack-and-defense-towards-other-paradigms-and-tasks) \n  - [联邦学习（Federated Learning）](#federated-learning)\n  - [迁移学习（Transfer Learning）](#transfer-learning) \n  - [强化学习（Reinforcement Learning）](#reinforcement-learning)\n  - [半监督与自监督学习（Semi-Supervised and Self-Supervised Learning）](#semi-supervised-and-self-supervised-learning)\n  - [量化（Quantization）](#quantization)\n  - [自然语言处理（Natural Language Processing）](#natural-language-processing)\n  - [图神经网络（Graph Neural Networks）](#graph-neural-networks)\n  - [点云（Point Cloud）](#point-cloud)\n  - [声学信号处理（Acoustics Signal Processing）](#acoustics-signal-processing)\n  - [医学科学（Medical Science）](#medical-science)\n  - [检测与跟踪（Detection and Tracking）](#detection-and-tracking)\n  - [视觉 Transformer（Vision Transformer）](#vision-transformer)\n  - [扩散模型（Diffusion Model）](#diffusion-model)\n  - [网络安全（Cybersecurity）](#cybersecurity)\n  - [其他](#others)\n- [评估与讨论](#evaluation-and-discussion)\n- [用于积极目的的后门攻击](#backdoor-attack-for-positive-purposes)\n- [竞赛](#competition)\n\n## 综述\n- Backdoor Learning: A Survey（后门学习：一项综述）。\n  
[[pdf]](https:\u002F\u002Fwww.researchgate.net\u002Fpublication\u002F343006441_Backdoor_Learning_A_Survey)\n  - Yiming Li, Yong Jiang, Zhifeng Li, and Shu-Tao Xia. *IEEE Transactions on Neural Networks and Learning Systems*, 2022.\n\n- Backdoor Attacks and Countermeasures on Deep Learning: A Comprehensive Review（深度学习中的后门攻击与对策：一项全面综述）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.10760.pdf)\n  - Yansong Gao, Bao Gia Doan, Zhi Zhang, Siqi Ma, Anmin Fu, Surya Nepal, and Hyoungshick Kim. arXiv, 2020.\n\n- Data Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses（机器学习的数据安全：数据投毒、后门攻击与防御）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.10544.pdf)\n  - Micah Goldblum, Dimitris Tsipras, Chulin Xie, Xinyun Chen, Avi Schwarzschild, Dawn Song, Aleksander Madry, Bo Li, and Tom Goldstein. *IEEE Transactions on Pattern Analysis and Machine Intelligence*, 2022.\n\n- A Comprehensive Survey on Poisoning Attacks and Countermeasures in Machine Learning（机器学习中毒攻击与对策的全面综述）。\n  [[link]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002F10.1145\u002F3551636)\n  - Zhiyi Tian, Lei Cui, Jie Liang, and Shui Yu. *ACM Computing Surveys*, 2022.\n\n- Backdoor Attacks and Defenses in Federated Learning: State-of-the-art, Taxonomy, and Future Directions（联邦学习中的后门攻击与防御：最新进展、分类与未来方向）。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9806416)\n  - Xueluan Gong, Yanjiao Chen, Qian Wang, and Weihan Kong. *IEEE Wireless Communications*, 2022.\n\n- Backdoor Attacks on Image Classification Models in Deep Neural Networks（深度神经网络中图像分类模型的后门攻击）。\n  [[link]](http:\u002F\u002Fcje.ejournal.org.cn\u002Farticle\u002Fdoi\u002F10.1049\u002Fcje.2021.00.126)\n  - Quanxin Zhang, Wencong Ma, Yajie Wang, Yaoyuan Zhang, Zhiwei Shi, and Yuanzhang Li. 
*Chinese Journal of Electronics*, 2022.\n\n- Defense against Neural Trojan Attacks: A Survey（神经木马攻击防御：一项综述）。\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0925231220316350)\n  - Sara Kaviani and Insoo Sohn. *Neurocomputing*, 2021.\n\n- A Survey on Neural Trojans（神经木马综述）。\n  [[pdf]](https:\u002F\u002Feprint.iacr.org\u002F2020\u002F201.pdf)\n  - Yuntao Liu, Ankit Mondal, Abhishek Chakraborty, Michael Zuzak, Nina Jacobsen, Daniel Xing, and Ankur Srivastava. *ISQED*, 2020.\n\n- Backdoor Attacks against Voice Recognition Systems: A Survey（针对语音识别系统的后门攻击：一项综述）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2307.13643)\n  - Baochen Yan, Jiahe Lan, and Zheng Yan. arXiv, 2023.\n\n- A Survey of Neural Trojan Attacks and Defenses in Deep Learning（深度学习中的神经木马攻击与防御综述）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.07183.pdf)\n  - Jie Wang, Ghulam Mubashar Hassan, and Naveed Akhtar. arXiv, 2022.\n\n- Threats to Pre-trained Language Models: Survey and Taxonomy（预训练语言模型的威胁：综述与分类）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.06862.pdf)\n  - Shangwei Guo, Chunlong Xie, Jiwei Li, Lingjuan Lyu, and Tianwei Zhang. arXiv, 2022.\n\n- An Overview of Backdoor Attacks Against Deep Neural Networks and Possible Defences（深度神经网络后门攻击及可能防御方法概述）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.08429.pdf)\n  - Wei Guo, Benedetta Tondi, and Mauro Barni. arXiv, 2021.\n\n- Deep Learning Backdoors（深度学习后门）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.08273.pdf)\n  - Shaofeng Li, Shiqing Ma, Minhui Xue, and Benjamin Zi Hao Zhao. 
arXiv, 2020.\n \n\n## 工具箱\n- [BackdoorBox](https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002FBackdoorBox)\n- [TrojanZoo](https:\u002F\u002Fgithub.com\u002Fain-soph\u002Ftrojanzoo)\n- [OpenBackdoor](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FOpenBackdoor)\n- [Backdoor Toolbox](https:\u002F\u002Fgithub.com\u002Fvtu81\u002Fbackdoor-toolbox)\n- [BackdoorBench](https:\u002F\u002Fgithub.com\u002FSCLBD\u002FBackdoorBench)\n- [backdoors101](https:\u002F\u002Fgithub.com\u002Febagdasa\u002Fbackdoors101)\n- [ART](https:\u002F\u002Fgithub.com\u002FTrusted-AI\u002Fadversarial-robustness-toolbox)\n\n\n## 学位论文\n- Poisoning-based Backdoor Attacks in Computer Vision（计算机视觉中基于投毒的后门攻击）。\n  [[pdf]](https:\u002F\u002Fwww.researchgate.net\u002Fpublication\u002F370233769_Poisoning-based_Backdoor_Attacks_in_Computer_Vision)\n  - Yiming Li. *清华大学博士学位论文*, 2023. \n\n- Defense of Backdoor Attacks against Deep Neural Network Classifiers（针对深度神经网络分类器的后门攻击防御）。\n  [[pdf]](https:\u002F\u002Fetda.libraries.psu.edu\u002Ffiles\u002Ffinal_submissions\u002F26656)\n  - Zhen Xiang. *宾夕法尼亚州立大学博士学位论文*, 2022. \n\n- Towards Adversarial and Backdoor Robustness of Deep Learning（迈向深度学习的对抗与后门鲁棒性）。\n  [[link]](http:\u002F\u002Frave.ohiolink.edu\u002Fetdc\u002Fview?acc_num=case1654872780807815)\n  - Yifan Guo. *凯斯西储大学博士学位论文*, 2022. \n\n- Toward Robust and Communication Efficient Distributed Machine Learning（迈向鲁棒且通信高效的分布式机器学习）。\n  [[pdf]](https:\u002F\u002Fwww.proquest.com\u002Fdocview\u002F2572595657)\n  - Hongyi Wang. *威斯康星大学麦迪逊分校博士学位论文*, 2021.\n\n- Towards Robust Image Classification with Deep Learning and Real-Time DNN Inference on Mobile（基于深度学习的鲁棒图像分类与移动端实时DNN推理）。\n  [[pdf]](https:\u002F\u002Fwww.proquest.com\u002Fdocview\u002F2572970976)\n  - Pu Zhao. *东北大学博士学位论文*, 2021.\n\n- Countermeasures Against Backdoor, Data Poisoning, and Adversarial Attacks（针对后门、数据投毒和对抗攻击的对策）。\n  [[pdf]](https:\u002F\u002Fwww.proquest.com\u002Fdocview\u002F2572565404)\n  - Henry Daniel. 
*德克萨斯大学圣安东尼奥分校博士学位论文*, 2021.\n \n- Understanding and Mitigating the Impact of Backdooring Attacks on Deep Neural Networks（理解与缓解后门攻击对深度神经网络的影响）。\n  [[pdf]](https:\u002F\u002Fwww.proquest.com\u002Fdocview\u002F2555308945?pq-origsite=gscholar&fromopenview=true)\n  - Kang Liu. *纽约大学博士学位论文*, 2021.\n\n- Un-fair trojan: Targeted Backdoor Attacks against Model Fairness（不公平木马：针对模型公平性的目标后门攻击）。\n  [[pdf]](https:\u002F\u002Fdigitalcommons.njit.edu\u002Fcgi\u002Fviewcontent.cgi?article=3010&context=theses)\n  - Nicholas Furth. *新泽西理工学院硕士学位论文*, 2022.\n\n- Check Your Other Door: Creating Backdoor Attacks in the Frequency Domain（检查另一扇门：在频域中创建后门攻击）。\n  [[pdf]](file:\u002F\u002F\u002FC:\u002FUsers\u002FRainbow\u002FDownloads\u002FThesis_Hasan_Hammoud.pdf)（注：该链接指向本地文件路径，无法公开访问。）\n  - Hasan Abed Al Kader Hammoud. *阿卜杜拉国王科技大学硕士学位论文*, 2022.\n\n- Backdoor Attacks in Neural Networks（神经网络中的后门攻击）。\n  [[link]](https:\u002F\u002Frepository.tudelft.nl\u002Fislandora\u002Fobject\u002Fuuid:b830b4a2-b700-4c93-8d1d-88dc0191c468?collection=education)\n  - Stefanos Koffas. *代尔夫特理工大学硕士学位论文*, 2021.\n\n- Backdoor Defenses（后门防御）。\n  [[pdf]](https:\u002F\u002Frepositum.tuwien.at\u002Fbitstream\u002F20.500.12708\u002F18831\u002F1\u002FMilakovic%20Andrea%20-%202021%20-%20Backdoor%20defenses.pdf)\n  - Andrea Milakovic. *维也纳技术大学硕士学位论文*, 2021.\n  \n- Geometric Properties of Backdoored Neural Networks（后门神经网络的几何特性）。\n  [[pdf]](https:\u002F\u002Fwww2.eecs.berkeley.edu\u002FPubs\u002FTechRpts\u002F2021\u002FEECS-2021-78.pdf)\n  - Dominic Carrano. *加州大学伯克利分校硕士学位论文*, 2021.\n\n- Detecting Backdoored Neural Networks with Structured Adversarial Attacks（利用结构化对抗攻击检测后门神经网络）。\n  [[pdf]](https:\u002F\u002Fwww2.eecs.berkeley.edu\u002FPubs\u002FTechRpts\u002F2021\u002FEECS-2021-90.pdf)\n  - Charles Yang. *加州大学伯克利分校硕士学位论文*, 2021.\n\n- Backdoor Attacks Against Deep Learning Systems in the Physical World（物理世界中针对深度学习系统的后门攻击）。\n  [[pdf]](https:\u002F\u002Fnewtraell.cs.uchicago.edu\u002Ffiles\u002Fms_paper\u002Fewillson.pdf)\n  - Emily Willson. 
*芝加哥大学硕士学位论文*, 2020.\n\n\n## 图像与视频分类\n### 基于投毒的攻击\n#### 2023\n- Revisiting the Assumption of Latent Separability for Backdoor Defenses（重新审视后门防御中潜在可分离性的假设）。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=_wSHsgrVali)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUnispac\u002FCircumventing-Backdoor-Defenses)\n  - Xiangyu Qi, Tinghao Xie, Yiming Li, Saeed Mahloujifar, and Prateek Mittal. *ICLR*, 2023.\n\n- 基于神经正切核（Neural Tangent Kernels, NTK）的少样本后门攻击。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=a70lGJ-rwy)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSewoongLab\u002Fntk-backdoor)\n  - Jonathan Hayase 和 Sewoong Oh. *ICLR*, 2023.\n\n- Color Backdoor：色彩空间中的鲁棒性投毒攻击。\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2023\u002Fpapers\u002FJiang_Color_Backdoor_A_Robust_Poisoning_Attack_in_Color_Space_CVPR_2023_paper.pdf)\n  - Wenbo Jiang, Hongwei Li, Guowen Xu 和 Tianwei Zhang. *CVPR*, 2023.\n\n\n#### 2022\n- 无目标后门水印：面向无害且隐蔽的数据集版权保护。\n  [[pdf]](https:\u002F\u002Fwww.researchgate.net\u002Fpublication\u002F363766436_Untargeted_Backdoor_Watermark_Towards_Harmless_and_Stealthy_Dataset_Copyright_Protection)\n  [[code]](https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002FUntargeted_Backdoor_Watermark)\n  - Yiming Li, Yang Bai, Yong Jiang, Yong Yang, Shu-Tao Xia 和 Bo Li. *NeurIPS*, 2022.\n\n- DEFEAT：通过不可察觉扰动和潜在表示约束的深度隐藏特征后门攻击。\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2022\u002Fpapers\u002FZhao_DEFEAT_Deep_Hidden_Feature_Backdoor_Attacks_by_Imperceptible_Perturbation_and_CVPR_2022_paper.pdf)\n  - Zhendong Zhao, Xiaojun Chen, Yuexin Xuan, Ye Dong, Dakui Wang 和 Kaitai Liang. *CVPR*, 2022.\n\n- Marksman Backdoor：具有任意目标类别的后门攻击。\n  [[pdf]](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper_files\u002Fpaper\u002F2022\u002Ffile\u002Ffa0126bb7ebad258bf4ffdbbac2dd787-Paper-Conference.pdf)\n  - Khoa D Doan, Yingjie Lao 和 Ping Li. 
*NeurIPS*, 2022.\n\n- 通过频域实现的不可见黑盒后门攻击。\n  [[pdf]](https:\u002F\u002Fwww.ecva.net\u002Fpapers\u002Feccv_2022\u002Fpapers_ECCV\u002Fpapers\u002F136730396.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSoftWiser-group\u002FFTrojan)\n  - Tong Wang, Yuan Yao, Feng Xu, Shengwei An, Hanghang Tong 和 Ting Wang. *ECCV*, 2022.\n\n- BppAttack：通过图像量化和对比对抗学习实现的针对深度神经网络的隐蔽高效木马攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.13383.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FRU-System-Software-and-Security\u002FBppAttack)\n  - Zhenting Wang, Juan Zhai 和 Shiqing Ma. *CVPR*, 2022.\n \n- 针对机器学习模型的动态后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2003.03675.pdf)\n  - Ahmed Salem, Rui Wen, Michael Backes, Shiqing Ma 和 Yang Zhang. *EuroS&P*, 2022. \n\n- 不可察觉的后门攻击：从输入空间到特征表示。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.03190.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FEkko-zn\u002FIJCAI2022-Backdoor)\n  - Nan Zhong, Zhenxing Qian 和 Xinpeng Zhang. *IJCAI*, 2022.\n\n- 基于对抗训练的隐蔽后门攻击。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9746008)\n  - Le Feng, Sheng Li, Zhenxing Qian 和 Xinpeng Zhang. *ICASSP*, 2022. \n\n- 针对压缩深度神经网络的不可见高效后门攻击。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9747582)\n  - Huy Phan, Yi Xie, Jian Liu, Yingying Chen 和 Bo Yuan. *ICASSP*, 2022.\n\n- 基于全局平均池化的动态后门。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2203.02079.pdf)\n  - Stefanos Koffas, Stjepan Picek 和 Mauro Conti. *AICAS*, 2022.\n\n- Poison Ink：鲁棒且不可见的后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2108.02488)\n  - Jie Zhang, Dongdong Chen, Qidong Huang, Jing Liao, Weiming Zhang, Huamin Feng, Gang Hua 和 Nenghai Yu. *IEEE Transactions on Image Processing*, 2022.\n\n- 通过多级MMD正则化增强后门攻击。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9743735)\n  - Pengfei Xia, Hongjing Niu, Ziqiang Li 和 Bin Li. 
*IEEE Transactions on Dependable and Secure Computing*, 2022.  \n\n- PTB：现实世界中针对深度神经网络的鲁棒物理后门攻击。\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0167404822001213)\n  - Mingfu Xue, Can He, Yinghao Wu, Shichang Sun, Yushu Zhang, Jian Wang 和 Weiqiang Liu. *Computers & Security*, 2022.\n\n- IBAttack：谨慎对待数据标签。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9891832\u002F)\n  - Akshay Agarwal, Richa Singh, Mayank Vatsa 和 Nalini Ratha. *IEEE Transactions on Artificial Intelligence*, 2022.\n\n- BlindNet Backdoor：使用盲水印攻击深度神经网络。\n  [[link]](https:\u002F\u002Flink.springer.com\u002Farticle\u002F10.1007\u002Fs11042-021-11135-0)\n  - Hyun Kwon 和 Yongchul Kim. *Multimedia Tools and Applications*, 2022.\n\n- 通过雨滴实现的深度神经网络自然后门攻击。\n  [[link]](https:\u002F\u002Fwww.hindawi.com\u002Fjournals\u002Fscn\u002F2022\u002F4593002\u002F)\n  - Feng Zhao, Li Zhou, Qi Zhong, Rushi Lan 和 Leo Yu Zhang. *Security and Communication Networks*, 2022.\n\n- 基于分散像素扰动的图像分类模型不可察觉后门触发器。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.09336.pdf)\n  - Yulong Wang, Minghui Zhao, Shenghong Li, Xin Yuan 和 Wei Ni. arXiv, 2022.\n\n- FRIB：基于特征修复的低投毒率不可见后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.12863.pdf)\n  - Hui Xia, Xiugui Yang, Xiangyun Qian 和 Rui Zhang. arXiv, 2022. \n\n- 增强后门。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2209.15139.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fslkdfjslkjfd\u002Faugmentation_backdoors)\n  - Joseph Rance, Yiren Zhao, Ilia Shumailov 和 Robert Mullins. arXiv, 2022. \n\n- Just Rotate it：通过旋转变换部署后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.10825.pdf)\n  - Tong Wu, Tianhao Wang, Vikash Sehwag, Saeed Mahloujifar 和 Prateek Mittal. arXiv, 2022. \n\n- 自然后门数据集。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.10673.pdf)\n  - Emily Wenger, Roma Bhattacharjee, Arjun Nitin Bhagoji, Josephine Passananti, Emilio Andere, Haitao Zheng 和 Ben Y. 
Zhao. arXiv, 2022.  \n\n- 使用两阶段特定触发器增强干净标签后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.04881.pdf)\n  - Nan Luo, Yuanzhang Li, Yajie Wang, Shangbo Wu, Yu-an Tan 和 Quanxin Zhang. arXiv, 2022.\n\n- 规避基于潜在可分离性的后门防御。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.13613.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUnispac\u002FCircumventing-Backdoor-Defenses)\n  - Xiangyu Qi, Tinghao Xie, Saeed Mahloujifar 和 Prateek Mittal. arXiv, 2022.\n\n- Narcissus：一种具有有限信息的实用干净标签后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2204.05255.pdf)\n  - Yi Zeng, Minzhou Pan, Hoang Anh Just, Lingjuan Lyu, Meikang Qiu 和 Ruoxi Jia. arXiv, 2022.\n\n- CASSOCK：在特定源后门防御壁垒下针对深度神经网络的可行后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.00145.pdf)\n  - Shang Wang, Yansong Gao, Anmin Fu, Zhi Zhang, Yuqing Zhang 和 Willy Susilo. arXiv, 2022.\n\n- 特洛伊木马训练：打破深度学习中对后门攻击的防御。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2203.15506.pdf)\n  - Arezoo Rajabi, Bhaskar Ramasubramanian 和 Radha Poovendran. arXiv, 2022.\n\n- Label-Smoothed Backdoor Attack（标签平滑后门攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.11203.pdf)\n  - Minlong Peng, Zidi Xiong, Mingming Sun, and Ping Li. arXiv, 2022.\n\n- Imperceptible and Multi-channel Backdoor Attack against Deep Neural Networks（针对深度神经网络的不可感知多通道后门攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.13164.pdf)\n  - Mingfu Xue, Shifeng Ni, Yinghao Wu, Yushu Zhang, Jian Wang, and Weiqiang Liu. arXiv, 2022.\n\n- Compression-Resistant Backdoor Attack against Deep Neural Networks（针对深度神经网络的抗压缩后门攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.00672.pdf)\n  - Mingfu Xue, Xin Wang, Shichang Sun, Yushu Zhang, Jian Wang, and Weiqiang Liu. 
arXiv, 2022.\n\n\n#### 2021 \n- Invisible Backdoor Attack with Sample-Specific Triggers（基于样本特定触发器的隐形后门攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.03816.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fyuezunli\u002FISSBA)\n  - Yuezun Li, Yiming Li, Baoyuan Wu, Longkang Li, Ran He, and Siwei Lyu. *ICCV*, 2021.\n\n- Manipulating SGD with Data Ordering Attacks（通过数据排序攻击操控 SGD）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.09667.pdf)\n  - Ilia Shumailov, Zakhar Shumaylov, Dmitry Kazhdan, Yiren Zhao, Nicolas Papernot, Murat A. Erdogdu, and Ross Anderson. *NeurIPS*, 2021.\n\n- Backdoor Attack with Imperceptible Input and Latent Modification（输入与潜在特征不可感知的后门攻击）。\n  [[pdf]](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper\u002F2021\u002Ffile\u002F9d99197e2ebf03fc388d09f1e94af89b-Paper.pdf)\n  - Khoa Doan, Yingjie Lao, and Ping Li. *NeurIPS*, 2021.\n\n- LIRA: Learnable, Imperceptible and Robust Backdoor Attacks（LIRA：可学习的、不可感知的鲁棒后门攻击）。\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FICCV2021\u002Fpapers\u002FDoan_LIRA_Learnable_Imperceptible_and_Robust_Backdoor_Attacks_ICCV_2021_paper.pdf)\n  - Khoa Doan, Yingjie Lao, Weijie Zhao, and Ping Li. *ICCV*, 2021.\n\n- Blind Backdoors in Deep Learning Models（深度学习模型中的盲后门）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2005.03823.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Febagdasa\u002Fbackdoors101)\n  - Eugene Bagdasaryan, and Vitaly Shmatikov. *USENIX Security*, 2021.\n\n- Backdoor Attacks Against Deep Learning Systems in the Physical World（物理世界中针对深度学习系统的后门攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.14580.pdf)\n  [[Master Thesis]](https:\u002F\u002Fnewtraell.cs.uchicago.edu\u002Ffiles\u002Fms_paper\u002Fewillson.pdf)\n  - Emily Wenger, Josephine Passananti, Yuanshun Yao, Haitao Zheng, and Ben Y. Zhao. 
*CVPR*, 2021.\n\n- Deep Feature Space Trojan Attack of Neural Networks by Controlled Detoxification（通过可控去毒实现的神经网络深度特征空间木马攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.11212.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FMegum1\u002FDFST)\n  - Siyuan Cheng, Yingqi Liu, Shiqing Ma, and Xiangyu Zhang. *AAAI*, 2021.\n\n- WaNet - Imperceptible Warping-based Backdoor Attack（WaNet - 基于不可感知形变的后门攻击）。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=eEn8KTtJOx)\n  [[code]](https:\u002F\u002Fgithub.com\u002FVinAIResearch\u002FWarping-based_Backdoor_Attack-release)\n  - Tuan Anh Nguyen, and Anh Tuan Tran. *ICLR*, 2021.\n\n- AdvDoor: Adversarial Backdoor Attack of Deep Learning System（AdvDoor：深度学习系统的对抗性后门攻击）。\n  [[pdf]](http:\u002F\u002Fwww.wingtecher.com\u002Fthemes\u002FWingTecherResearch\u002Fassets\u002Fpapers\u002Fissta21_learning.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FAdvDoor\u002FAdvDoor)\n  - Quan Zhang, Yifeng Ding, Yongqiang Tian, Jianmin Guo, Min Yuan, and Yu Jiang. *ISSTA*, 2021.\n\n- Invisible Poison: A Blackbox Clean Label Backdoor Attack to Deep Neural Networks（隐形毒药：针对深度神经网络的黑盒干净标签后门攻击）。\n  [[pdf]](https:\u002F\u002Fwww.lions.odu.edu\u002F~h1wu\u002Fpaper\u002Finfocom21.pdf)\n  - Rui Ning, Jiang Li, ChunSheng Xin, and Hongyi Wu. *INFOCOM*, 2021.\n\n- Backdoor Attack in the Physical World（物理世界中的后门攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.02361.pdf)\n  [[extension]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.04692.pdf)\n  - Yiming Li, Tongqing Zhai, Yong Jiang, Zhifeng Li, and Shu-Tao Xia. *ICLR Workshop*, 2021.\n\n- Defense-Resistant Backdoor Attacks against Deep Neural Networks in Outsourced Cloud Environment（外包云环境中针对深度神经网络的抗防御后门攻击）。\n  [[Link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9450029\u002Fauthors#authors)\n  - Xueluan Gong, Yanjiao Chen, Qian Wang, Huayang Huang, Lingshuo Meng, Chao Shen, and Qian Zhang. 
*IEEE Journal on Selected Areas in Communications*, 2021.\n\n- A Master Key Backdoor for Universal Impersonation Attack against DNN-based Face Verification（针对基于 DNN 的人脸验证系统的通用冒充攻击万能钥匙后门）。\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0167865521000210)\n  - Wei Guo, Benedetta Tondi, and Mauro Barni. *Pattern Recognition Letters*, 2021.\n \n- Backdoors Hidden in Facial Features: A Novel Invisible Backdoor Attack against Face Recognition Systems（隐藏于面部特征中的后门：针对人脸识别系统的新型隐形后门攻击）。\n  [[link]](https:\u002F\u002Flink.springer.com\u002Farticle\u002F10.1007\u002Fs12083-020-01031-z)\n  - Mingfu Xue, Can He, Jian Wang, and Weiqiang Liu. *Peer-to-Peer Networking and Applications*, 2021. \n\n- Use Procedural Noise to Achieve Backdoor Attack（利用过程噪声实现后门攻击）。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9529206)\n  [[code]](https:\u002F\u002Fgithub.com\u002F928082786\u002Fpnoiseattack)\n  - Xuan Chen, Yuena Ma, and Shiwei Lu. *IEEE Access*, 2021.\n\n- A Multitarget Backdooring Attack on Deep Neural Networks with Random Location Trigger（基于随机位置触发器的深度神经网络多目标后门攻击）。\n  [[link]](https:\u002F\u002Fonlinelibrary.wiley.com\u002Fdoi\u002Fabs\u002F10.1002\u002Fint.22785)\n  - Xiao Yu, Cong Liu, Mingwen Zheng, Yajie Wang, Xinrui Liu, Shuxiao Song, Yuexuan Ma, and Jun Zheng. *International Journal of Intelligent Systems*, 2021.\n\n- Simtrojan: Stealthy Backdoor Attack（Simtrojan：隐蔽后门攻击）。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fstamp\u002Fstamp.jsp?tp=&arnumber=9506313)\n  - Yankun Ren, Longfei Li, and Jun Zhou. *ICIP*, 2021.\n\n- A Statistical Difference Reduction Method for Escaping Backdoor Detection（用于逃避后门检测的统计差异缩减方法）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.05077.pdf)\n  - Pengfei Xia, Hongjing Niu, Ziqiang Li, and Bin Li. 
arXiv, 2021.\n\n- Backdoor Attack through Frequency Domain（通过频域的后门攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.10991.pdf)\n  - Tong Wang, Yuan Yao, Feng Xu, Shengwei An, and Ting Wang. arXiv, 2021.\n\n- Check Your Other Door! Establishing Backdoor Attacks in the Frequency Domain（检查你的另一扇门！在频域中建立后门攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.05507.pdf)\n  - Hasan Abed Al Kader Hammoud and Bernard Ghanem. arXiv, 2021.\n\n- Sleeper Agent: Scalable Hidden Trigger Backdoors for Neural Networks Trained from Scratch（沉睡特工：针对从头训练神经网络的可扩展隐藏触发器后门）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.08970.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fhsouri\u002FSleeper-Agent)\n  - Hossein Souri, Micah Goldblum, Liam Fowl, Rama Chellappa, and Tom Goldstein. arXiv, 2021.\n \n- RABA: A Robust Avatar Backdoor Attack on Deep Neural Network（RABA：针对深度神经网络的鲁棒虚拟形象后门攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.01026.pdf)\n  - Ying He, Zhili Shen, Chang Xia, Jingyu Hua, Wei Tong, and Sheng Zhong. arXiv, 2021.\n\n- Robust Backdoor Attacks against Deep Neural Networks in Real Physical World（真实物理世界中针对深度神经网络的鲁棒后门攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.07395.pdf)\n  - Mingfu Xue, Can He, Shichang Sun, Jian Wang, and Weiqiang Liu. arXiv, 2021.\n \n\n#### 2020\n- Composite Backdoor Attack for Deep Neural Network by Mixing Existing Benign Features（通过混合现有良性特征实现的深度神经网络复合后门攻击）。\n  [[pdf]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fpdf\u002F10.1145\u002F3372297.3423362)\n  - Junyu Lin, Lei Xu, Yingqi Liu, Xiangyu Zhang. *CCS*, 2020.\n\n- Input-Aware Dynamic Backdoor Attack（输入感知动态后门攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.08138.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FVinAIResearch\u002Finput-aware-backdoor-attack-release)\n  - Anh Nguyen, and Anh Tran. 
*NeurIPS*, 2020.\n\n- Bypassing Backdoor Detection Algorithms in Deep Learning（绕过深度学习中的后门检测算法）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1905.13409.pdf)\n  - Te Juin Lester Tan, and Reza Shokri. *EuroS&P*, 2020.\n\n- 通过不可见扰动（Invisible Perturbation）在卷积神经网络（Convolutional Neural Network, CNN）模型中嵌入后门。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1808.10307.pdf)\n  - Cong Liao, Haoti Zhong, Anna Squicciarini, Sencun Zhu, and David Miller. *ACM CODASPY*, 2020.\n\n- 针对视频识别模型的干净标签后门攻击（Clean-Label Backdoor Attacks）。\n  [[pdf]](http:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent_CVPR_2020\u002Fpapers\u002FZhao_Clean-Label_Backdoor_Attacks_on_Video_Recognition_Models_CVPR_2020_paper.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FShihaoZhaoZSH\u002FVideo-Backdoor-Attack)\n  - Shihao Zhao, Xingjun Ma, Xiang Zheng, James Bailey, Jingjing Chen, and Yu-Gang Jiang. *CVPR*, 2020.\n\n- 逃避深度学习后门攻击检测。\n  [[link]](https:\u002F\u002Flink.springer.com\u002Fchapter\u002F10.1007\u002F978-3-030-58201-2_29)\n  - Yayuan Xiong, Fengyuan Xu, Sheng Zhong, and Qun Li. *IFIP SEC*, 2020.\n\n- 反射后门（Reflection Backdoor）：一种针对深度神经网络的自然后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.02343.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FDreamtaleCore\u002FRefool)\n  - Yunfei Liu, Xingjun Ma, James Bailey, and Feng Lu. *ECCV*, 2020.\n\n- 针对深度神经网络的实时木马攻击（Live Trojan Attacks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.11370.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Frobbycostales\u002Flive-trojans)\n  - Robby Costales, Chengzhi Mao, Raphael Norwitz, Bryan Kim, and Junfeng Yang. *CVPR Workshop*, 2020.\n\n- 利用图像缩放攻击（Image-Scaling Attacks）对神经网络进行后门植入和投毒。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2003.08633.pdf)\n  - Erwin Quiring, and Konrad Rieck. 
*IEEE S&P Workshop*, 2020.\n\n- One-to-N 与 N-to-One：两种针对深度学习模型的高级后门攻击。\n  [[pdf]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9211729)\n  - Mingfu Xue, Can He, Jian Wang, and Weiqiang Liu. *IEEE Transactions on Dependable and Secure Computing*, 2020.\n\n- 通过隐写术（Steganography）和正则化（Regularization）对深度神经网络进行不可见后门攻击。\n  [[pdf]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9186317\u002F)\n  [[arXiv Version (2019)]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1909.02742.pdf)\n  - Shaofeng Li, Minhui Xue, Benjamin Zi Hao Zhao, Haojin Zhu, and Xinpeng Zhang. *IEEE Transactions on Dependable and Secure Computing*, 2020.\n\n\n- HaS-Nets：一种用于数据收集场景下防御深度神经网络后门攻击的修复与选择机制（Heal and Select Mechanism）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.07474.pdf)\n  - Hassan Ali, Surya Nepal, Salil S. Kanhere, and Sanjay Jha. arXiv, 2020.\n\n- FaceHack：利用面部特征触发后门面部识别系统。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.11623.pdf)\n  - Esha Sarkar, Hadjer Benkraouda, and Michail Maniatakos. arXiv, 2020.\n\n- 光线可以攻击你的面部！针对人脸识别系统的黑盒后门攻击（Black-box Backdoor Attack）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2009.06996.pdf)\n  - Haoliang Li, Yufei Wang, Xiaofei Xie, Yang Liu, Shiqi Wang, Renjie Wan, Lap-Pui Chau, and Alex C. Kot. arXiv, 2020.\n\n\n#### 2019\n- 一种无需标签投毒（Label Poisoning）通过训练集污染在 CNN 中实施的新型后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1902.11237.pdf)\n  - M.Barni, K.Kallas, and B.Tondi. *ICIP*, 2019.\n  \n- 标签一致的后门攻击（Label-Consistent Backdoor Attacks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1912.02771.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FMadryLab\u002Flabel-consistent-backdoor-code)\n  - Alexander Turner, Dimitris Tsipras, and Aleksander Madry. 
arXiv, 2019.\n\n#### 2018\n- 针对神经网络的木马攻击（Trojaning Attack）。\n  [[pdf]](https:\u002F\u002Fdocs.lib.purdue.edu\u002Fcgi\u002Fviewcontent.cgi?referer=&httpsredir=1&article=2782&context=cstech)\n  [[code]](https:\u002F\u002Fgithub.com\u002FPurduePAML\u002FTrojanNN)\n  - Yingqi Liu, Shiqing Ma, Yousra Aafer, Wen-Chuan Lee, and Juan Zhai. *NDSS*, 2018.\n \n#### 2017\n- BadNets：识别机器学习模型供应链中的漏洞。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1708.06733.pdf)\n  [[journal]](https:\u002F\u002Fieeexplore.ieee.org\u002Fstamp\u002Fstamp.jsp?tp=&arnumber=8685687)\n  - Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. arXiv, 2017 (*IEEE Access*, 2019).\n\n- 利用数据投毒（Data Poisoning）对深度学习系统实施目标后门攻击（Targeted Backdoor Attacks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1712.05526.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FGeorgePisl\u002Fbackdoor-attacks-based-on-deep-learning)\n  - Xinyun Chen, Chang Liu, Bo Li, Kimberly Lu, and Dawn Song. arXiv, 2017.\n\n### 非投毒式攻击（Non-poisoning-based Attack）\n#### 权重导向攻击（Weights-oriented Attack）\n- Handcrafted Backdoors in Deep Neural Networks（深度神经网络中的手工后门）。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=6yuil2_tn9a)\n  - Sanghyun Hong, Nicholas Carlini, and Alexey Kurakin. *NeurIPS*, 2022. \n\n- Hardly Perceptible Trojan Attack against Neural Networks with Bit Flips（基于比特翻转的神经网络几乎不可感知木马攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.13417.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fjiawangbai\u002FHPT)\n  - Jiawang Bai, Kuofeng Gao, Dihong Gong, Shu-Tao Xia, Zhifeng Li, and Wei Liu. *ECCV*, 2022.\n\n- ProFlip: Targeted Trojan Attack with Progressive Bit Flips（ProFlip：渐进式比特翻转的目标化木马攻击）。\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FICCV2021\u002Fpapers\u002FChen_ProFlip_Targeted_Trojan_Attack_With_Progressive_Bit_Flips_ICCV_2021_paper.pdf)\n  - Huili Chen, Cheng Fu, Jishen Zhao, and Farinaz Koushanfar. 
*ICCV*, 2021.\n\n- TBT: Targeted Neural Network Attack with Bit Trojan（TBT：基于比特木马的目标化神经网络攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fabs\u002F1909.05193)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fadnansirajrakin\u002FTBT-CVPR2020)\n  - Adnan Siraj Rakin, Zhezhi He, and Deliang Fan. *CVPR*, 2020.\n\n- How to Inject Backdoors with Better Consistency: Logit Anchoring on Clean Data（如何以更好的一致性注入后门：基于干净数据的 Logit 锚定）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.01300.pdf)\n  - Zhiyuan Zhang, Lingjuan Lyu, Weiqiang Wang, Lichao Sun, and Xu Sun. *ICLR*, 2022.\n\n- Can Adversarial Weight Perturbations Inject Neural Backdoors?（对抗性权重扰动能否注入神经后门？）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2008.01761.pdf)\n  - Siddhant Garg, Adarsh Kumar, Vibhor Goel, and Yingyu Liang. *CIKM*, 2020.\n\n- Versatile Weight Attack via Flipping Limited Bits（通过有限比特翻转实现多功能权重攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.12405.pdf)\n  - Jiawang Bai, Baoyuan Wu, Zhifeng Li, and Shu-Tao Xia. arXiv, 2022.\n\n- Toward Realistic Backdoor Injection Attacks on DNNs using Rowhammer（基于 Rowhammer 的 DNN 真实后门注入攻击）。\n  [[pdf]](https:\u002F\u002Fwww.researchgate.net\u002Fprofile\u002FSaad-Islam-3\u002Fpublication\u002F355367637_Toward_Realistic_Backdoor_Injection_Attacks_on_DNNs_using_Rowhammer\u002Flinks\u002F62222bd93c53d31ba4a674a5\u002FToward-Realistic-Backdoor-Injection-Attacks-on-DNNs-using-Rowhammer.pdf)\n  - M. Caner Tol, Saad Islam, Berk Sunar, and Ziming Zhang. 2022.\n\n- TrojanNet: Embedding Hidden Trojan Horse Models in Neural Network（TrojanNet：在神经网络中嵌入隐藏木马模型）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.10078.pdf)\n  - Chuan Guo, Ruihan Wu, and Kilian Q. Weinberger. arXiv, 2020.\n\n- Backdooring Convolutional Neural Networks via Targeted Weight Perturbations（通过目标化权重扰动向卷积神经网络植入后门）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1812.03128.pdf)\n  - Jacob Dumford, and Walter Scheirer. 
arXiv, 2018.\n \n \n#### 结构修改攻击（Structure-modified Attack）\n- LoneNeuron: a Highly-Effective Feature-Domain Neural Trojan Using Invisible and Polymorphic Watermarks（LoneNeuron：使用不可见和多态水印的高效特征域神经木马）。\n  [[pdf]](https:\u002F\u002Fwww.ittc.ku.edu\u002F~bluo\u002Fdownload\u002Fliu2022ccs.pdf)\n  - Zeyan Liu, Fengjun Li, Zhu Li, and Bo Luo. *CCS*, 2022.\n\n- Towards Practical Deployment-Stage Backdoor Attack on Deep Neural Networks（面向深度神经网络实用部署阶段的后门攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.12965.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUnispac\u002FSubnet-Replacement-Attack)\n  - Xiangyu Qi, Tinghao Xie, Ruizhe Pan, Jifeng Zhu, Yong Yang, and Kai Bu. *CVPR*, 2022.\n\n\n- Hiding Needles in a Haystack: Towards Constructing Neural Networks that Evade Verification（大海捞针：构建逃避验证的神经网络）。\n  [[link]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002F10.1145\u002F3531536.3532966)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fszegedai\u002Fhiding-needles-in-a-haystack)\n  - Árpád Berta, Gábor Danner, István Hegedűs and Márk Jelasity. *ACM IH&MMSec*, 2022.\n\n- Stealthy and Flexible Trojan in Deep Learning Framework（深度学习框架中的隐蔽灵活木马）。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9747995)\n  - Yajie Wang, Kongyang Chen, Yu-An Tan, Shuxin Huang, Wencong Ma, and Yuanzhang Li. *IEEE Transactions on Dependable and Secure Computing*, 2022.\n\n- FooBaR: Fault Fooling Backdoor Attack on Neural Network Training（FooBaR：神经网络训练中的故障欺骗后门攻击）。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fdocument\u002F9756234)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fmartin-ochoa\u002Ffoobar)\n  - Jakub Breier, Xiaolu Hou, Martín Ochoa and Jesus Solano. 
*IEEE Transactions on Dependable and Secure Computing*, 2022.\n\n\n- DeepPayload: Black-box Backdoor Attack on Deep Learning Models through Neural Payload Injection（DeepPayload：通过神经载荷注入对深度学习模型的黑盒后门攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2101.06896.pdf)\n  - Yuanchun Li, Jiayi Hua, Haoyu Wang, Chunyang Chen, and Yunxin Liu. *ICSE*, 2021.\n \n- An Embarrassingly Simple Approach for Trojan Attack in Deep Neural Networks（深度神经网络中一种极其简单的木马攻击方法）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.08131.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Ftrx14\u002FTrojanNet)\n  - Ruixiang Tang, Mengnan Du, Ninghao Liu, Fan Yang, and Xia Hu. *KDD*, 2020.\n\n- BadRes: Reveal the Backdoors through Residual Connection（BadRes：通过残差连接揭示后门）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2209.07125.pdf)\n  - Mingrui He, Tianyu Chen, Haoyi Zhou, Shanghang Zhang, and Jianxin Li. arXiv, 2022.\n\n- Architectural Backdoors in Neural Networks（神经网络中的架构后门）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.07840.pdf)\n  - Mikel Bober-Irizar, Ilia Shumailov, Yiren Zhao, Robert Mullins, and Nicolas Papernot. arXiv, 2022.\n\n- Planting Undetectable Backdoors in Machine Learning Models（在机器学习模型中植入不可检测的后门）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2204.06974.pdf)\n  - Shafi Goldwasser, Michael P. Kim, Vinod Vaikuntanathan, and Or Zamir. arXiv, 2022.\n\n\n\n#### 其他攻击（Other Attacks）\n- ImpNet: Imperceptible and blackbox-undetectable backdoors in compiled neural networks（ImpNet：编译神经网络中的不可感知且黑盒不可检测的后门）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2210.00108.pdf)\n  [[website]](https:\u002F\u002Fmlbackdoors.soc.srcf.net)\n  [[code]](https:\u002F\u002Fgit.sr.ht\u002F~tim-clifford\u002Fimpnet_source)\n  - Tim Clifford, Ilia Shumailov, Yiren Zhao, Ross Anderson, and Robert Mullins. arXiv, 2022.\n\n- Don't Trigger Me! 
A Triggerless Backdoor Attack Against Deep Neural Networks（别触发我！针对深度神经网络的无触发器后门攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.03282.pdf)\n  - Ahmed Salem, Michael Backes, and Yang Zhang. arXiv, 2020.\n\n\n  \n### 后门防御（Backdoor Defense）\n#### 基于预处理的实证防御（Preprocessing-based Empirical Defense）\n- Backdoor Attack in the Physical World（物理世界中的后门攻击）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.02361.pdf)\n  [[extension]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.04692.pdf)\n  - Yiming Li, Tongqing Zhai, Yong Jiang, Zhifeng Li, and Shu-Tao Xia. *ICLR Workshop*, 2021.\n\n- DeepSweep: An Evaluation Framework for Mitigating DNN Backdoor Attacks using Data Augmentation（DeepSweep：使用数据增强缓解 DNN 后门攻击的评估框架）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.07006.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FYiZeng623\u002FDeepSweep)\n  - Han Qiu, Yi Zeng, Shangwei Guo, Tianwei Zhang, Meikang Qiu, and Bhavani Thuraisingham. *AsiaCCS*, 2021.\n\n- Februus: Input Purification Defense Against Trojan Attacks on Deep Neural Network Systems（Februus：针对深度神经网络系统木马攻击的输入净化防御）。\n  [[pdf]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fpdf\u002F10.1145\u002F3427228.3427264)\n  [[code]](https:\u002F\u002Ffebruustrojandefense.github.io\u002F)\n  - Bao Gia Doan, Ehsan Abbasnejad, and Damith C. Ranasinghe. *ACSAC*, 2020.\n\n- Neural Trojans（神经木马）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1710.00942.pdf)\n  - Yuntao Liu, Yang Xie, and Ankur Srivastava. *ICCD*, 2017.\n\n- Defending Deep Neural Networks against Backdoor Attack by Using De-trigger Autoencoder（使用去触发器自编码器防御深度神经网络的后门攻击）。\n  [[pdf]](https:\u002F\u002Fieeexplore.ieee.org\u002Fstamp\u002Fstamp.jsp?tp=&arnumber=9579062)\n  - Hyun Kwon. 
*IEEE Access*, 2021.\n\n- ConFoc: 针对神经网络木马攻击的内容聚焦防护（Content-Focus Protection）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.00711.pdf)\n  - Miguel Villarreal-Vasquez 和 Bharat Bhargava。arXiv，2021。\n  \n- 针对机器学习中后门攻击的模型无关防御（Model Agnostic Defense）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1908.02203.pdf)\n  - Sakshi Udeshi、Shanshan Peng、Gerald Woo、Lionell Loh、Louth Rawshan 和 Sudipta Chattopadhyay。arXiv，2019。\n\n#### 基于模型重构的经验性防御\n- 利用无标签数据进行后门清洗（Backdoor Cleansing with Unlabeled Data）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2211.12044.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fluluppang\u002FBCU)\n  - Lu Pang、Tao Sun、Haibin Ling 和 Chao Chen。*CVPR*，2023。\n\n- 通过隐式超梯度进行对抗性后门遗忘（Adversarial Unlearning of Backdoors via Implicit Hypergradient）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.03735.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FYiZeng623\u002FI-BAU_Adversarial_Unlearning_of-Backdoors_via_implicit_Hypergradient)\n  - Yi Zeng、Si Chen、Won Park、Z. 
Morley Mao、Ming Jin 和 Ruoxi Jia。*ICLR*，2022。\n\n- 基于通道利普希茨性（Channel Lipschitzness）的无数据后门移除。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.03111.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Frkteddy\u002Fchannel-Lipschitzness-based-pruning)\n  - Runkai Zheng、Rongjun Tang、Jianze Li 和 Li Liu。*ECCV*，2022。\n\n- 利用注意力关系图蒸馏（Attention Relation Graph Distillation）消除深度神经网络的后门触发器。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2204.09975.pdf)\n  - Jun Xia、Ting Wang、Jieping Ding、Xian Wei 和 Mingsong Chen。*IJCAI*，2022。\n\n- 预激活分布暴露后门神经元（Pre-activation Distributions Expose Backdoor Neurons）。\n  [[pdf]](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper_files\u002Fpaper\u002F2022\u002Ffile\u002F76917808731dae9e6d62c2a7a6afb542-Paper-Conference.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FRJ-T\u002FNIPS2022_EP_BNP)\n  - Runkai Zheng、Rongjun Tang、Jianze Li 和 Li Liu。*NeurIPS*，2022。\n\n- 对抗性神经元剪枝（Adversarial Neuron Pruning）净化后门深度模型。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.14430.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fcsdongxian\u002FANP_backdoor)\n  - Dongxian Wu 和 Yisen Wang。*NeurIPS*，2021。\n\n- 神经注意力蒸馏（Neural Attention Distillation）：从深度神经网络中擦除后门触发器。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=9l0K4OM-oXE)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fbboylyg\u002FNAD)\n  - Yige Li、Xingjun Ma、Nodens Koren、Lingjuan Lyu、Xixiang Lyu 和 Bo Li。*ICLR*，2021。\n\n- 可解释性引导的深度神经网络后门攻击防御。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9530722\u002F)\n  - Wei Jiang、Xiangyu Wen、Jinyu Zhan、Xupeng Wang 和 Ziwei Song。*IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems*，2021。\n\n- 边界增强（Boundary augment）：一种防御投毒攻击的数据增强方法。\n  [[link]](https:\u002F\u002Fietresearch.onlinelibrary.wiley.com\u002Fdoi\u002Ffull\u002F10.1049\u002Fipr2.12325)\n  - Xuan Chen、Yuena Ma、Shiwei Lu 和 Yu Yao。*IET Image Processing*，2021。\n\n- 连接损失景观中的模式连通性（Mode Connectivity）与对抗鲁棒性。\n  
[[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2005.00060.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FIBM\u002Fmodel-sanitization)\n  - Pu Zhao、Pin-Yu Chen、Payel Das、Karthikeyan Natesan Ramamurthy 和 Xue Lin。*ICLR*，2020。\n\n- 精细剪枝（Fine-Pruning）：防御深度神经网络的后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1805.12185.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fkangliucn\u002FFine-pruning-defense)\n  - Kang Liu、Brendan Dolan-Gavitt 和 Siddharth Garg。*RAID*，2018。   \n\n- 神经木马（Neural Trojans）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1710.00942.pdf)\n  - Yuntao Liu、Yang Xie 和 Ankur Srivastava。*ICCD*，2017。\n\n- 针对投毒和后门攻击的残差块测试时自适应（Test-time Adaptation）。\n  [[pdf]](https:\u002F\u002Fartofrobust.github.io\u002Fshort_paper\u002F15.pdf)\n  - Arnav Gudibande、Xinyun Chen、Yang Bai、Jason Xiong 和 Dawn Song。*CVPR Workshop*，2022。\n\n- 利用知识蒸馏（Knowledge Distillation）在深度神经网络后门攻击中禁用后门并识别投毒数据。\n  [[pdf]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fpdf\u002F10.1145\u002F3411508.3421375)\n  - Kota Yoshida 和 Takeshi Fujino。*CCS Workshop*，2020。\n\n- 防御深度神经网络的后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.12162.pdf)\n  - Hao Cheng、Kaidi Xu、Sijia Liu、Pin-Yu Chen、Pu Zhao 和 Xue Lin。*KDD Workshop*，2019。\n\n- 通过识别和净化不良神经元（Bad Neurons）防御后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.06537.pdf)\n  - Mingyuan Fan、Yang Liu、Cen Chen、Ximeng Liu 和 Wenzhong Guo。arXiv，2022。\n\n- 化诅咒为祝福：通过模型反演（Model Inversion）实现无干净数据防御。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.07018.pdf)\n  - Si Chen、Yi Zeng、Won Park 和 Ruoxi Jia。arXiv，2022。\n\n- 针对后门防御的对抗性微调（Adversarial Fine-tuning）：将对抗样本与触发样本关联。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.06312.pdf)\n  - Bingxu Mu、Le Wang 和 Zhenxing Niu。arXiv，2022。\n\n- 神经网络清洗（Neural Network Laundering）：从深度神经网络中移除黑盒后门水印。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.11368.pdf)\n  - William Aiken、Hyoungshick Kim 和 Simon Woo。arXiv，2020。\n\n- 
HaS-Nets：一种用于数据收集场景下防御深度神经网络后门攻击的修复与选择机制（Heal and Select Mechanism）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.07474.pdf)\n  - Hassan Ali、Surya Nepal、Salil S. Kanhere 和 Sanjay Jha。arXiv，2020。\n\n\n#### 基于触发器合成的经验性防御\n- 图像中认知后门模式蒸馏（Distilling Cognitive Backdoor Patterns）。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=S3D9NLzjnQ5)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHanxunH\u002FCognitiveDistillation)\n  - Hanxun Huang、Xingjun Ma、Sarah Monazam Erfani 和 James Bailey。*ICLR*，2023。\n\n- UNICORN：统一的后门触发器反演框架（Unified Backdoor Trigger Inversion Framework）。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=Mj7K4lglGyj)\n  [[code]](https:\u002F\u002Fgithub.com\u002FRU-System-Software-and-Security\u002FUNICORN)\n  - Zhenting Wang、Kai Mei、Juan Zhai 和 Shiqing Ma。*ICLR*，2023。\n\n- 隔离（Quarantine）：稀疏性可以免费揭示木马攻击触发器。\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2022\u002Fpapers\u002FChen_Quarantine_Sparsity_Can_Uncover_the_Trojan_Attack_Trigger_for_Free_CVPR_2022_paper.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FVITA-Group\u002FBackdoor-LTH)\n  - Tianlong Chen、Zhenyu Zhang、Yihua Zhang*、Shiyu Chang、Sijia Liu 和 Zhangyang Wang。*CVPR*，2022。\n\n- 后门扫描中更优的触发器反演优化。\n  [[pdf]](https:\u002F\u002Fwww.cs.purdue.edu\u002Fhomes\u002Ftaog\u002Fdocs\u002FCVPR22_Tao.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FGwinhen\u002FPixelBackdoor)\n  - Guanhong Tao、Guangyu Shen、Yingqi Liu、Shengwei An、Qiuling Xu、Shiqing Ma、Pan Li 和 Xiangyu Zhang。*CVPR*，2022。\n\n- 使用夏普利估计（Shapley Estimation）进行少样本后门防御。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2112.14889.pdf)\n  - Jiyang Guan、Zhuozhuo Tu、Ran He 和 Dacheng Tao。*CVPR*，2022。\n\n- 重新思考木马触发器的逆向工程（Reverse-engineering）。\n  [[pdf]](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper_files\u002Fpaper\u002F2022\u002Ffile\u002F3f9bf45ea04c98ad7cb857f951f499e2-Paper-Conference.pdf)\n  
[[code]](https:\u002F\u002Fgithub.com\u002FRU-System-Software-and-Security\u002FFeatureRE)\n  - Zhenting Wang、Kai Mei、Hailun Ding、Juan Zhai 和 Shiqing Ma。*NeurIPS*，2022。\n\n- 基于对抗性权重掩码（Adversarial Weight Masking, AWM）的单次神经网络后门擦除。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.04497)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fjinghuichen\u002FAWM)\n  - Shuwen Chai 和 Jinghui Chen。*NeurIPS*，2022。\n\n- AEVA：基于对抗性极值分析（Adversarial Extreme Value Analysis）的黑盒后门检测。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.14880.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FJunfengGo\u002FAEVA-Blackbox-Backdoor-Detection-main)\n  - Junfeng Guo、Ang Li 和 Cong Liu。*ICLR*，2022。\n\n- 基于拓扑先验的触发器搜索用于木马检测（Trigger Hunting with a Topological Prior for Trojan Detection）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.08335.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHuXiaoling\u002FTopoTrigger)\n  - Xiaoling Hu、Xiao Lin、Michael Cogswell、Yi Yao、Susmit Jha 和 Chao Chen。*ICLR*，2022。\n\n- 基于机器遗忘（Machine Unlearning）的后门防御。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.09538.pdf)\n  - Yang Liu、Mingyuan Fan、Cen Chen、Ximeng Liu、Zhuo Ma、Li Wang 和 Jianfeng Ma。*INFOCOM*，2022。\n\n- 在有限信息和数据下的黑盒后门攻击检测。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.13127.pdf)\n  - Yinpeng Dong、Xiao Yang、Zhijie Deng、Tianyu Pang、Zihao Xiao、Hang Su 和 Jun Zhu。*ICCV*，2021。\n\n- 通过 K-Arm 优化（K-Arm Optimization）对深度神经网络进行后门扫描。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2102.05123.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FPurduePAML\u002FK-ARM_Backdoor_Optimization)\n  - Guangyu Shen、Yingqi Liu、Guanhong Tao、Shengwei An、Qiuling Xu、Siyuan Cheng、Shiqing Ma 和 Xiangyu Zhang。*ICML*，2021。\n\n- 面向深度神经网络中木马后门（Trojan Backdoors）的检测与消除。\n  [[pdf]](http:\u002F\u002Fwww.personal.psu.edu\u002Fwzg13\u002Fpublications\u002Ficdm20.pdf)\n  [[previous version]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1908.01763.pdf)\n  
[[code]](https:\u002F\u002Fgithub.com\u002FUsmannK\u002FTABOR)\n  - Wenbo Guo、Lun Wang、Xinyu Xing、Min Du 和 Dawn Song。*ICDM*，2020。\n\n- GangSweep：通过生成对抗网络（GAN, Generative Adversarial Network）清除神经网络后门。\n  [[pdf]](https:\u002F\u002Fwww.lions.odu.edu\u002F~h1wu\u002Fpaper\u002Fgangsweep.pdf)\n  - Liuwan Zhu、Rui Ning、Cong Wang、Chunsheng Xin 和 Hongyi Wu。*ACM MM*，2020。\n\n- 在无法访问训练集的情况下检测训练好的分类器中的后门。\n  [[pdf]](http:\u002F\u002Farxiv.org\u002Fpdf\u002F1908.10498)\n  - Z Xiang、DJ Miller 和 G Kesidis。*IEEE Transactions on Neural Networks and Learning Systems*，2020。\n\n- Neural Cleanse：识别和缓解神经网络中的后门攻击。\n  [[pdf]](https:\u002F\u002Fgangw.web.illinois.edu\u002Fclass\u002Fcs598\u002Fpapers\u002Fsp19-poisoning-backdoor.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fbolunwang\u002Fbackdoor)\n  - Bolun Wang、Yuanshun Yao、Shawn Shan、Huiying Li、Bimal Viswanath、Haitao Zheng、Ben Y. Zhao。*IEEE S&P*，2019。\n\n- 基于生成式分布建模（Generative Distribution Modeling）的神经网络后门防御。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1910.04749.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fsuperrrpotato\u002FDefending-Neural-Backdoors-via-Generative-Distribution-Modeling)\n  - Ximing Qiao、Yukun Yang 和 Hai Li。*NeurIPS*，2019。\n\n- DeepInspect：深度神经网络的黑盒木马检测与缓解框架。\n  [[pdf]](https:\u002F\u002Fwww.ijcai.org\u002Fproceedings\u002F2019\u002F0647.pdf)\n  - Huili Chen、Cheng Fu、Jishen Zhao、Farinaz Koushanfar。*IJCAI*，2019。\n\n- 识别后门人脸识别网络中物理可实现的触发器。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9506564)\n  - Ankita Raj、Ambar Pal 和 Chetan Arora。*ICIP*，2021。\n\n- 通过最大可实现误分类分数统计量（Maximum Achievable Misclassification Fraction Statistic）在无训练集情况下揭示深度神经网络中的可感知后门。\n  [[pdf]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9231861)\n  - Zhen Xiang、David J. 
Miller、Hang Wang 和 George Kesidis。*MLSP*，2020。\n\n- 面向多后门检测的自适应扰动生成。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2209.05244.pdf)\n  - Yuhang Wang、Huafeng Shi、Rui Min、Ruijia Wu、Siyuan Liang、Yichao Wu、Ding Liang 和 Aishan Liu。arXiv，2022。\n\n- 置信度至关重要：通过分布迁移（Distribution Transfer）检查深度神经网络中的后门。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.06592.pdf)\n  - Tong Wang、Yuan Yao、Feng Xu、Miao Xu、Shengwei An 和 Ting Wang。arXiv，2022。\n\n- 防御多目标木马攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.03895.pdf)\n  - Haripriya Harikumar、Santu Rana、Kien Do、Sunil Gupta、Wei Zong、Willy Susilo 和 Svetha Venkatesh。arXiv，2022。\n\n- 基于模型对比学习（Model-Contrastive Learning）的后门防御。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.04411)\n  - Zhihao Yue、Jun Xia、Zhiwei Ling、Ting Wang、Xian Wei 和 Mingsong Chen。arXiv，2022。\n\n- CatchBackdoor：通过差分模糊测试（Differential Fuzzing）识别关键木马神经路径进行后门测试。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2112.13064.pdf)\n  - Haibo Jin、Ruoxi Chen、Jinyin Chen、Yao Cheng、Chong Fu、Ting Wang、Yue Yu 和 Zhaoyan Ming。arXiv，2021。\n\n- 通过生成对抗网络（GAN）检测和移除深度神经网络中的水印。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.08104.pdf)\n  - Haoqi Wang、Mingfu Xue、Shichang Sun、Yushu Zhang、Jian Wang 和 Weiqiang Liu。arXiv，2021。\n\n- TAD：基于触发器近似（Trigger Approximation）的 AI 黑盒木马检测。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2102.01815.pdf)\n  - Xinqiao Zhang、Huili Chen 和 Farinaz Koushanfar。arXiv，2021。\n\n- 神经网络中的可扩展后门检测。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.05646.pdf)\n  - Haripriya Harikumar、Vuong Le、Santu Rana、Sourangshu Bhattacharya、Sunil Gupta 和 Svetha Venkatesh。arXiv，2020。\n\n- NNoculation：后门深度神经网络的广谱和靶向治疗。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.08313.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fakshajkumarv\u002FNNoculation)\n  - Akshaj Kumar Veldanda、Kang Liu、Benjamin Tan、Prashanth Krishnamurthy、Farshad Khorrami、Ramesh Karri、Brendan Dolan-Gavitt 和 Siddharth Garg。arXiv，2020。\n\n#### 
基于模型诊断的经验防御\n- 通过对称特征差分（Symmetric Feature Differencing）检测复杂后门。\n  [[pdf]](https:\u002F\u002Fwww.cs.purdue.edu\u002Fhomes\u002Ftaog\u002Fdocs\u002FCVPR22_Liu.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FPurduePAML\u002FExray)\n  - Yingqi Liu、Guangyu Shen、Guanhong Tao、Zhenting Wang、Shiqing Ma 和 Xiangyu Zhang。*CVPR*，2022。\n\n- 针对二分类和多攻击场景的后门攻击训练后检测。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.08474.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fzhenxianglance\u002F2ClassBADetection)\n  - Zhen Xiang、David J. Miller 和 George Kesidis。*ICLR*，2022。\n\n- 随机通道混洗（Randomized Channel Shuffling）：无需干净数据集的最小开销后门攻击检测。\n  [[pdf]](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper_files\u002Fpaper\u002F2022\u002Ffile\u002Fdb1d5c63576587fc1d40d33a75190c71-Paper-Conference.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FVITA-Group\u002FRandom-Shuffling-BackdoorDetect)\n  - Ruisi Cai、Zhenyu Zhang、Tianlong Chen、Xiaohan Chen 和 Zhangyang Wang。*NeurIPS*，2022。\n\n- 神经网络后门检测的异常检测方法：以人脸识别为案例研究。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.10231.pdf)\n  - Alexander Unnervik 和 Sébastien Marcel。*BIOSIG*，2022。\n\n- 基于关键路径的深度学习后门检测（Critical Path-Based Backdoor Detection）。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9882007)\n  - Wei Jiang, Xiangyu Wen, Jinyu Zhan, Xupeng Wang, Ziwei Song, and Chen Bian. *IEEE Transactions on Neural Networks and Learning Systems*, 2022.\n\n- 基于元神经分析的 AI 木马检测（Detecting AI Trojans Using Meta Neural Analysis）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1910.03137.pdf)\n  - Xiaojun Xu, Qi Wang, Huichen Li, Nikita Borisov, Carl A. Gunter, and Bo Li. *IEEE S&P*, 2021.\n\n- 木马神经网络拓扑检测（Topological Detection of Trojaned Neural Networks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.06469.pdf)\n  - Songzhu Zheng, Yikai Zhang, Hubert Wagner, Mayank Goswami, and Chao Chen. 
*NeurIPS*, 2021.\n\n- 有限信息和数据下的黑盒后门攻击检测（Black-box Detection of Backdoor Attacks with Limited Information and Data）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.13127.pdf)\n  - Yinpeng Dong, Xiao Yang, Zhijie Deng, Tianyu Pang, Zihao Xiao, Hang Su, and Jun Zhu. *ICCV*, 2021.\n\n- 通用石蕊图案：揭示 CNN 中的后门攻击（Universal Litmus Patterns: Revealing Backdoor Attacks in CNNs）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1906.10842.pdf)\n  [[code]](https:\u002F\u002Fumbcvision.github.io\u002FUniversal-Litmus-Patterns\u002F)\n  - Soheil Kolouri, Aniruddha Saha, Hamed Pirsiavash, and Heiko Hoffmann. *CVPR*, 2020.\n\n- 单像素签名：用于后门检测的 CNN 模型特征刻画（One-Pixel Signature: Characterizing CNN Models for Backdoor Detection）。\n  [[pdf]](https:\u002F\u002Fwww.ecva.net\u002Fpapers\u002Feccv_2020\u002Fpapers_ECCV\u002Fpapers\u002F123720324.pdf)\n  - Shanjiaoyang Huang, Weiqi Peng, Zhiwei Jia, and Zhuowen Tu. *ECCV*, 2020.\n  \n- 木马神经网络的实用检测：数据受限与无数据场景（Practical Detection of Trojan Neural Networks: Data-Limited and Data-Free Cases）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.15802.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fwangren09\u002FTrojanNetDetector)\n  - Ren Wang, Gaoyuan Zhang, Sijia Liu, Pin-Yu Chen, Jinjun Xiong, and Meng Wang. *ECCV*, 2020.\n\n- 基于类别差异的深度学习后门攻击检测（Detecting Backdoor Attacks via Class Difference in Deep Neural Networks）。\n  [[pdf]](https:\u002F\u002Fieeexplore.ieee.org\u002Fstamp\u002Fstamp.jsp?tp=&arnumber=9233317)\n  - Hyun Kwon. *IEEE Access*, 2020.\n\n- 基于基线剪枝的神经网络木马检测方法（Baseline Pruning-Based Approach to Trojan Detection in Neural Networks）。\n  [[pdf]](https:\u002F\u002Faisecure-workshop.github.io\u002Faml-iclr2021\u002Fpapers\u002F17.pdf)\n  - Peter Bajcsy and Michael Majurski. *ICLR Workshop*, 2021.\n\n- 通用训练后后门检测（Universal Post-Training Backdoor Detection）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.06900.pdf)\n  - Hang Wang, Zhen Xiang, David J. Miller, and George Kesidis. 
arXiv, 2022.\n\n- DNN 权重中的木马特征（Trojan Signatures in DNN Weights）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.02836.pdf)\n  - Greg Fields, Mohammad Samragh, Mojan Javaheripi, Farinaz Koushanfar, and Tara Javidi. arXiv, 2021.\n\n- EX-RAY：通过检查差异特征对称性区分神经网络中的注入后门与自然特征（EX-RAY: Distinguishing Injected Backdoor from Natural Features in Neural Networks by Examining Differential Feature Symmetry）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.08820.pdf)\n  - Yingqi Liu, Guangyu Shen, Guanhong Tao, Zhenting Wang, Shiqing Ma, and Xiangyu Zhang. arXiv, 2021.\n\n- TOP：基于扰动可迁移性的神经网络后门检测（TOP: Backdoor Detection in Neural Networks via Transferability of Perturbation）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.10274.pdf)\n  - Todd Huster and Emmanuel Ekwedike. arXiv, 2021.\n\n- 基于反事实归因的木马 DNN 检测（Detecting Trojaned DNNs Using Counterfactual Attributions）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.02275.pdf)\n  - Karan Sikka, Indranil Sur, Susmit Jha, Anirban Roy, and Ajay Divakaran. arXiv, 2021.\n\n- 对抗样本同样有用！（Adversarial examples are useful too!）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2005.06107.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Faliborji\u002FBackdoor_defense)\n  - Ali Borji. arXiv, 2020.\n\n- Cassandra：从对抗扰动中检测木马网络（Cassandra: Detecting Trojaned Networks from Adversarial Perturbations）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.14433.pdf)\n  - Xiaoyu Zhang, Ajmal Mian, Rohit Gupta, Nazanin Rahnavard, and Mubarak Shah. arXiv, 2020.\n  \n- Odyssey：木马模型的创建、分析与检测（Odyssey: Creation, Analysis and Detection of Trojan Models）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.08142.pdf)\n  [[dataset]](https:\u002F\u002Flcwn-lab.github.io\u002FOdessey\u002F)\n  - Marzieh Edraki, Nazmul Karim, Nazanin Rahnavard, Ajmal Mian, and Mubarak Shah. 
arXiv, 2020.\n\n- 基于噪声响应分析的深度学习后门快速检测（Noise-response Analysis for Rapid Detection of Backdoors in Deep Neural Networks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2008.00123.pdf)\n  - N. Benjamin Erichson, Dane Taylor, Qixuan Wu, and Michael W. Mahoney. arXiv, 2020.\n\n- NeuronInspect：通过输出解释检测神经网络中的后门（NeuronInspect: Detecting Backdoors in Neural Networks via Output Explanations）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1911.07399.pdf)\n  - Xijie Huang, Moustafa Alzantot, and Mani Srivastava. arXiv, 2019.\n\n\n#### 基于毒化抑制的经验防御\n- 通过解耦训练过程进行后门防御（Backdoor Defense via Decoupling the Training Process）。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=TySnJ-0RdKI)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSCLBD\u002FDBD)\n  - Kunzhe Huang, Yiming Li, Baoyuan Wu, Zhan Qin, and Kui Ren. *ICLR*, 2022.\n\n- 利用毒化样本的敏感性实现有效后门防御（Effective Backdoor Defense by Exploiting Sensitivity of Poisoned Samples）。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=AsH-Tx2U0Ug)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSCLBD\u002FEffective_backdoor_defense)\n  - Weixin Chen, Baoyuan Wu, and Haoqian Wang. *NeurIPS*, 2022.\n\n- 诱捕与替换：通过将后门诱入易替换子网络进行防御（Trap and Replace: Defending Backdoor Attacks by Trapping Them into an Easy-to-Replace Subnetwork）。\n  [[pdf]](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper_files\u002Fpaper\u002F2022\u002Ffile\u002Fea06e6e9e80f1c3d382317fff67041ac-Paper-Conference.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FVITA-Group\u002FTrap-and-Replace-Backdoor-Defense)\n  - Haotao Wang, Junyuan Hong, Aston Zhang, Jiayu Zhou, and Zhangyang Wang. *NeurIPS*, 2022.\n\n- 更自信地训练：在训练过程中缓解注入型与自然后门（Training with More Confidence: Mitigating Injected and Natural Backdoors During Training）。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=yNPsd3oG_s)\n  [[code]](https:\u002F\u002Fgithub.com\u002FRU-System-Software-and-Security\u002FNONE)\n  - Zhenting Wang, Hailun Ding, Juan Zhai, and Shiqing Ma. 
*NeurIPS*, 2022.\n\n- 反后门学习：在毒化数据上训练干净模型（Anti-Backdoor Learning: Training Clean Models on Poisoned Data）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.11571.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fbboylyg\u002FABL)\n  - Yige Li, Xixiang Lyu, Nodens Koren, Lingjuan Lyu, Bo Li, and Xingjun Ma. *NeurIPS*, 2021.\n\n\n- 基于差分隐私的鲁棒异常检测与后门攻击检测（Robust Anomaly Detection and Backdoor Attack Detection via Differential Privacy）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1911.07116.pdf)\n  [[code]](https:\u002F\u002Fwww.dropbox.com\u002Fsh\u002Frt8qzii7wr07g6n\u002FAAAbwokv2sfBeE9XAL2pXv_Aa?dl=0)\n  - Min Du, Ruoxi Jia, and Dawn Song. *ICLR*, 2020.  \n\n- 强数据增强可在不牺牲精度的情况下消除毒化与后门攻击（Strong Data Augmentation Sanitizes Poisoning and Backdoor Attacks Without an Accuracy Trade-off）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2011.09527.pdf)\n  - Eitan Borgnia, Valeriia Cherepanova, Liam Fowl, Amin Ghiasi, Jonas Geiping, Micah Goldblum, Tom Goldstein, and Arjun Gupta. *ICASSP*, 2021.\n\n- 杀不死你的使你更强大：针对毒化与后门的对抗训练（What Doesn't Kill You Makes You Robust(er): Adversarial Training against Poisons and Backdoors）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2102.13624.pdf)\n  - Jonas Geiping, Liam Fowl, Gowthami Somepalli, Micah Goldblum, Michael Moeller, and Tom Goldstein. *ICLR Workshop*, 2021.\n\n- 有限数据下移除神经网络中的基于后门的水印（Removing Backdoor-Based Watermarks in Neural Networks with Limited Data）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2008.00407.pdf)\n  - Xuankai Liu, Fengting Li, Bihan Wen, and Qi Li. *ICPR*, 2021. \n\n- 掩码与恢复：测试时使用掩码自编码器的盲后门防御（Mask and Restore: Blind Backdoor Defense at Test Time with Masked Autoencoder）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2303.15564.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Ftsun\u002FBDMAE)\n  - Tao Sun, Lu Pang, Chao Chen, and Haibin Ling. 
*arXiv*, 2023.\n\n- 对抗训练（Adversarial Training）针对后门攻击的有效性研究。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.10627.pdf)\n  - Yinghua Gao, Dongxian Wu, Jingfeng Zhang, Guanhao Gan, Shu-Tao Xia, Gang Niu, 和 Masashi Sugiyama. arXiv, 2022.\n\n- 重塑人脸识别中的信任：缓解人脸识别中的后门攻击以防止潜在的隐私泄露。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.10320.pdf)\n  - Reena Zelenkova, Jack Swallow, M. A. P. Chamikara, Dongxi Liu, Mohan Baruwal Chhetri, Seyit Camtepe, Marthie Grobler, 和 Mahathir Almashor. arXiv, 2022.\n\n- SanitAIs：利用无监督数据增强（Unsupervised Data Augmentation）净化植入木马（Trojan）的神经网络。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.04566.pdf)\n  - Kiran Karra 和 Chace Ashcraft. arXiv, 2021.\n\n- 梯度塑形（Gradient Shaping）缓解数据投毒攻击的有效性研究。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.11497.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSanghyun-Hong\u002FGradient-Shaping)\n  - Sanghyun Hong, Varun Chandrasekaran, Yiğitcan Kaya, Tudor Dumitraş, 和 Nicolas Papernot. arXiv, 2020.  \n\n- DP-InstaHide：利用差分隐私（Differentially Private）数据增强可证明地化解投毒和后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.02079.pdf)\n  - Eitan Borgnia, Jonas Geiping, Valeriia Cherepanova, Liam Fowl, Arjun Gupta, Amin Ghiasi, Furong Huang, Micah Goldblum, 和 Tom Goldstein. arXiv, 2021.\n \n\n\n#### 基于样本过滤的经验性防御\n- SCALE-UP：通过分析缩放预测一致性实现高效的黑盒输入级后门检测。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=o0LFPcoFKnr)\n  [[code]](https:\u002F\u002Fgithub.com\u002FJunfengGo\u002FSCALE-UP)\n  - Junfeng Guo, Yiming Li, Xun Chen, Hanqing Guo, Lichao Sun, 和 Cong Liu. *ICLR*, 2023.\n\n- 图像中认知后门模式的蒸馏提取。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=S3D9NLzjnQ5)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHanxunH\u002FCognitiveDistillation)\n  - Hanxun Huang, Xingjun Ma, Sarah Monazam Erfani, 和 James Bailey. 
*ICLR*, 2023.\n\n- 不兼容性聚类（Incompatibility Clustering）作为防御后门投毒攻击的手段。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=mkJm5Uy4HrQ)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fcharlesjin\u002Fcompatibility_clustering\u002F)\n  - Charles Jin, Melinda Sun, 和 Martin Rinard. *ICLR*, 2023.\n\n- \"Beatrix\" 复活：通过格拉姆矩阵（Gram Matrices）实现鲁棒的后门检测。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2209.11715.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fwanlunsec\u002FBeatrix)\n  - Wanlun Ma, Derui Wang, Ruoxi Sun, Minhui Xue, Sheng Wen, 和 Yang Xiang. *NDSS*, 2023.\n\n- 利用投毒样本的敏感性实现有效的后门防御。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=AsH-Tx2U0Ug)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSCLBD\u002FEffective_backdoor_defense)\n  - Weixin Chen, Baoyuan Wu, 和 Haoqian Wang. *NeurIPS*, 2022.\n\n- 通过输入过滤实现有效且鲁棒的神经木马防御。\n  [[pdf]](https:\u002F\u002Fwww.ecva.net\u002Fpapers\u002Feccv_2022\u002Fpapers_ECCV\u002Fpapers\u002F136650277.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSoftWiser-group\u002FFTrojan)\n  - Kien Do, Haripriya Harikumar, Hung Le, Dung Nguyen, Truyen Tran, Santu Rana, Dang Nguyen, Willy Susilo, 和 Svetha Venkatesh. *ECCV*, 2022.\n\n- 我们能否利用对抗检测方法来缓解后门攻击？\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9844276)\n  - Kaidi Jin, Tianwei Zhang, Chao Shen, Yufei Chen, Ming Fan, Chenhao Lin, 和 Ting Liu. *IEEE Transactions on Dependable and Secure Computing*, 2022.\n\n- LinkBreaker：通过神经元一致性检查打破深度神经网络（DNNs）中的后门触发器链接。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9775729)\n  - Zhenzhu Chen, Shang Wang, Anmin Fu, Yansong Gao, Shui Yu, 和 Robert H. Deng. *IEEE Transactions on Information Forensics and Security*, 2022.\n\n- 基于相似性的深度学习系统完整性保护。\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0020025522003279)\n  - Ruitao Hou, Shan Ai, Qi Chen, Hongyang Yan, Teng Huang, 和 Kongyang Chen. 
*Information Sciences*, 2022.\n\n- 基于特征的在线检测器，通过迭代界定移除对抗性后门。\n  [[pdf]](https:\u002F\u002Fieeexplore.ieee.org\u002Fstamp\u002Fstamp.jsp?tp=&arnumber=9673744)\n  - Hao Fu, Akshaj Kumar Veldanda, Prashanth Krishnamurthy, Siddharth Garg, 和 Farshad Khorrami. *IEEE ACCESS*, 2022.\n\n- 重新思考后门攻击的触发器：频率视角。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.03413.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FYiZeng623\u002Ffrequency-backdoor)\n  - Yi Zeng, Won Park, Z. Morley Mao, 和 Ruoxi Jia. *ICCV*, 2021.\n\n- 变体中的恶魔：深度神经网络（DNNs）的统计分析用于鲁棒的后门污染检测。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1908.00686.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FTDteach\u002Fbackdoor)\n  - Di Tang, XiaoFeng Wang, Haixu Tang, 和 Kehuan Zhang. *USENIX Security*, 2021.\n\n- SPECTRE：利用鲁棒统计学（Robust Statistics）防御后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.11315.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSewoongLab\u002Fspectre-defense)\n  - Jonathan Hayase, Weihao Kong, Raghav Somani, 和 Sewoong Oh. *ICML*, 2021.\n\n- CLEANN：嵌入式神经网络的加速木马防护盾。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2009.02326.pdf)\n  - Mojan Javaheripi, Mohammad Samragh, Gregory Fields, Tara Javidi, 和 Farinaz Koushanfar. *ICCAD*, 2020.\n\n- 通过差分隐私（Differential Privacy）实现鲁棒的异常检测和后门攻击检测。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1911.07116.pdf)\n  [[code]](https:\u002F\u002Fwww.dropbox.com\u002Fsh\u002Frt8qzii7wr07g6n\u002FAAAbwokv2sfBeE9XAL2pXv_Aa?dl=0)\n  - Min Du, Ruoxi Jia, 和 Dawn Song. *ICLR*, 2020.  \n  \n- 利用余弦相似度（Cosine Similarity）实现简单且与攻击无关的针对目标训练集攻击的防御。\n  [[pdf]](http:\u002F\u002Fwww.gatsby.ucl.ac.uk\u002F~balaji\u002Fudl2021\u002Faccepted-papers\u002FUDL2021-paper-029.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FZaydH\u002Fcosin)\n  - Zayd Hammoudeh 和 Daniel Lowd. 
*ICML Workshop*, 2021.\n\n- SentiNet：检测针对深度学习系统的局部化通用攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1812.00292.pdf)\n  - Edward Chou, Florian Tramèr, 和 Giancarlo Pellegrino. *IEEE S&P Workshop*, 2020.\n\n- STRIP：针对深度神经网络木马攻击的防御。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1902.06531.pdf)\n  [[extension]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1911.10312.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fgarrisongys\u002FSTRIP)\n  - Yansong Gao, Chang Xu, Derui Wang, Shiping Chen, Damith C. Ranasinghe, 和 Surya Nepal. *ACSAC*, 2019.\n\n- 通过激活聚类（Activation Clustering）检测深度神经网络的后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1811.03728.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FTrusted-AI\u002Fadversarial-robustness-toolbox\u002Fblob\u002Fmain\u002Fart\u002Fdefences\u002Fdetector\u002Fpoison\u002Factivation_defence.py)\n  - Bryant Chen, Wilka Carvalho, Nathalie Baracaldo, Heiko Ludwig, Benjamin Edwards, Taesung Lee, Ian Molloy, 和 Biplav Srivastava. *AAAI Workshop*, 2019.\n\n- 深度概率模型检测数据投毒攻击（Deep Probabilistic Models to Detect Data Poisoning Attacks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1912.01206.pdf)\n  - Mahesh Subedar, Nilesh Ahuja, Ranganath Krishnan, Ibrahima J. Ndiour, and Omesh Tickoo. *NeurIPS Workshop*, 2019.  \n\n- 后门攻击中的频谱特征（Spectral Signatures in Backdoor Attacks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1811.00636.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FMadryLab\u002Fbackdoor_data_poisoning)\n  - Brandon Tran, Jerry Li, and Aleksander Madry. *NeurIPS*, 2018.  \n\n- 针对木马攻击的自适应黑盒防御（TrojDef）（An Adaptive Black-box Defense against Trojan Attacks (TrojDef)）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2209.01721.pdf)\n  - Guanxiong Liu, Abdallah Khreishah, Fatima Sharadgah, and Issa Khalil. 
arXiv, 2022.\n\n- 以毒攻毒：通过解耦良性相关性检测后门投毒样本（Fight Poison with Poison: Detecting Backdoor Poison Samples via Decoupling Benign Correlations）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.13616.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUnispac\u002FFight-Poison-With-Poison)\n  - Xiangyu Qi, Tinghao Xie, Saeed Mahloujifar, and Prateek Mittal. arXiv, 2022.\n\n- PiDAn：一种用于深度神经网络后门攻击检测与缓解的一致性优化方法（PiDAn: A Coherence Optimization Approach for Backdoor Attack Detection and Mitigation in Deep Neural Networks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2203.09289.pdf)\n  - Yue Wang, Wenqing Li, Esha Sarkar, Muhammad Shafique, Michail Maniatakos, and Saif Eddin Jabari. arXiv, 2022.\n\n- 从输入域进行神经网络木马分析与缓解（Neural Network Trojans Analysis and Mitigation from the Input Domain）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.06382.pdf)\n  - Zhenting Wang, Hailun Ding, Juan Zhai, and Shiqing Ma. arXiv, 2022.\n\n- 通过影响图防御后门攻击的通用框架（A General Framework for Defending Against Backdoor Attacks via Influence Graph）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.14309)\n  - Xiaofei Sun, Jiwei Li, Xiaoya Li, Ziyao Wang, Tianwei Zhang, Han Qiu, Fei Wu, and Chun Fan. arXiv, 2021.\n\n- NTD：基于不可迁移性的后门检测（NTD: Non-Transferability Enabled Backdoor Detection）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.11157.pdf)\n  - Yinshan Li, Hua Ma, Zhi Zhang, Yansong Gao, Alsharif Abuadbba, Anmin Fu, Yifeng Zheng, Said F. Al-Sarawi, and Derek Abbott. arXiv, 2021.\n\n- 任务驱动的数据质量管理统一框架（A Unified Framework for Task-Driven Data Quality Management）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.05484.pdf)\n  - Tianhao Wang, Yi Zeng, Ming Jin, and Ruoxi Jia. arXiv, 2021.\n\n- TESDA：深度神经网络中基于变换的统计攻击检测（TESDA: Transform Enabled Statistical Detection of Attacks in Deep Neural Networks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.08447.pdf)\n  - Chandramouli Amarnath, Aishwarya H. Balwani, Kwondo Ma, and Abhijit Chatterjee. 
arXiv, 2021.\n\n- 神经网络数据投毒攻击的溯源（Traceback of Data Poisoning Attacks in Neural Networks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.06904.pdf)\n  - Shawn Shan, Arjun Nitin Bhagoji, Haitao Zheng, and Ben Y. Zhao. arXiv, 2021.\n\n- 利用自扩展和兼容性防御数据投毒的可证明保证（Provable Guarantees against Data Poisoning Using Self-Expansion and Compatibility）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.03692.pdf)\n  - Charles Jin, Melinda Sun, and Martin Rinard. arXiv, 2021.\n  \n- 利用错误归因在线防御木马模型（Online Defense of Trojaned Models using Misattributions）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.15918.pdf)\n  - Panagiota Kiourti, Wenchao Li, Anirban Roy, Karan Sikka, and Susmit Jha. arXiv, 2021.\n\n- 通过有意对抗扰动检测深度神经网络中的后门（Detecting Backdoor in Deep Neural Networks via Intentional Adversarial Perturbations）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.14259.pdf)\n  - Mingfu Xue, Yinghao Wu, Zhiyu Wu, Jian Wang, Yushu Zhang, and Weiqiang Liu. arXiv, 2021.\n\n- 暴露鲁棒机器学习模型中的后门（Exposing Backdoors in Robust Machine Learning Models）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2003.00865.pdf)\n  - Ezekiel Soremekun, Sakshi Udeshi, and Sudipta Chattopadhyay. arXiv, 2020.\n\n- HaS-Nets：一种用于数据收集场景下防御深度神经网络后门攻击的修复与选择机制（HaS-Nets: A Heal and Select Mechanism to Defend DNNs Against Backdoor Attacks for Data Collection Scenarios）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.07474.pdf)\n  - Hassan Ali, Surya Nepal, Salil S. Kanhere, and Sanjay Jha. arXiv, 2020.\n\n- 以毒为药：检测并中和深度神经网络中的可变尺寸后门攻击（Poison as a Cure: Detecting & Neutralizing Variable-Sized Backdoor Attacks in Deep Neural Networks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1911.08040.pdf)\n  - Alvin Chan, and Yew-Soon Ong. arXiv, 2019.  
\n  \n#### 可认证防御（Certificated Defense）\n- 针对通用扰动的鲁棒性认证（Towards Robustness Certification Against Universal Perturbations）。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=7GEvPKxjtt)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fruoxi-jia-group\u002FUniversal_Pert_Cert)\n  - Yi Zeng, Zhouxing Shi, Ming Jin, Feiyang Kang, Lingjuan Lyu, Cho-Jui Hsieh, and Ruoxi Jia. *ICLR*, 2023.\n\n- BagFlip：针对数据投毒的可认证防御（BagFlip: A Certified Defense against Data Poisoning）。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=ZidkM5b92G)\n  [[code]](https:\u002F\u002Fgithub.com\u002FForeverZyh\u002Fdefend_framework)\n  - Yuhao Zhang, Aws Albarghouthi, and Loris D'Antoni. *NeurIPS*, 2022.\n\n- RAB：针对后门攻击的可证明鲁棒性（RAB: Provable Robustness Against Backdoor Attacks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2003.08904.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FAI-secure\u002FRobustness-Against-Backdoor-Attacks)\n  - Maurice Weber, Xiaojun Xu, Bojan Karlas, Ce Zhang, and Bo Li. *IEEE S&P*, 2022.\n\n- 最近邻针对数据投毒和后门攻击的可认证鲁棒性（Certified Robustness of Nearest Neighbors against Data Poisoning and Backdoor Attacks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.03765.pdf)\n  - Jinyuan Jia, Yupei Liu, Xiaoyu Cao, and Neil Zhenqiang Gong. *AAAI*, 2022.\n\n- 深度分区聚合：针对通用投毒攻击的可证明防御（Deep Partition Aggregation: Provable Defense against General Poisoning Attacks）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fabs\u002F2006.14768)\n  [[code]](https:\u002F\u002Fgithub.com\u002Falevine0\u002FDPA)\n  - Alexander Levine and Soheil Feizi. *ICLR*, 2021.\n  \n- Bagging 针对数据投毒攻击的内在可认证鲁棒性（Intrinsic Certified Robustness of Bagging against Data Poisoning Attacks）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fabs\u002F2008.04495)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fjjy1994\u002FBaggingCertifyDataPoisoning)\n  - Jinyuan Jia, Xiaoyu Cao, and Neil Zhenqiang Gong. 
*AAAI*, 2021.\n\n- 通过随机平滑实现针对标签翻转攻击的可认证鲁棒性（Certified Robustness to Label-Flipping Attacks via Randomized Smoothing）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.03018.pdf)\n  - Elan Rosenfeld, Ezra Winston, Pradeep Ravikumar, and J. Zico Kolter. *ICML*, 2020.\n\n- 关于通过随机平滑实现针对后门攻击的鲁棒性认证（On Certifying Robustness against Backdoor Attacks via Randomized Smoothing）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.11750.pdf)\n  - Binghui Wang, Xiaoyu Cao, Jinyuan Jia, and Neil Zhenqiang Gong. *CVPR Workshop*, 2020.\n\n- BagFlip：针对数据投毒的可认证防御（BagFlip: A Certified Defense against Data Poisoning）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.13634.pdf)\n  - Yuhao Zhang, Aws Albarghouthi, and Loris D'Antoni. arXiv, 2022.\n\n\n\n\n\n\n## 针对其他范式与任务的攻击与防御\n### 联邦学习（Federated Learning）\n- FLIP：联邦学习中后门缓解的可证明防御框架（FLIP: A Provable Defense Framework for Backdoor Mitigation in Federated Learning）。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=Xo2E217_M4n)\n  [[code]](https:\u002F\u002Fgithub.com\u002FKaiyuanZh\u002FFLIP)\n  - Kaiyuan Zhang, Guanhong Tao, Qiuling Xu, Siyuan Cheng, Shengwei An, Yingqi Liu, Shiwei Feng, Guangyu Shen, Pin-Yu Chen, Shiqing Ma, and Xiangyu Zhang. *ICLR*, 2023.\n\n- 联邦学习中后门防御的脆弱性研究（On the Vulnerability of Backdoor Defenses for Federated Learning）。\n  [[link]](https:\u002F\u002Fojs.aaai.org\u002Findex.php\u002FAAAI\u002Farticle\u002Fview\u002F26393)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fjinghuichen\u002FFocused-Flip-Federated-Backdoor-Attack)\n  - Pei Fang and Jinghui Chen. *AAAI*, 2023.\n\n- Cerberus 投毒：针对联邦学习的隐蔽协同后门攻击（Poisoning with Cerberus: Stealthy and Colluded Backdoor Attack against Federated Learning）。\n  [[link]](https:\u002F\u002Fojs.aaai.org\u002Findex.php\u002FAAAI\u002Farticle\u002Fview\u002F26083)\n  - Xiaoting Lyu, Yufei Han, Wei Wang, Jingkai Liu, Bin Wang, Jiqiang Liu, and Xiangliang Zhang. 
*AAAI*, 2023.\n\n- Neurotoxin: 联邦学习中的持久化后门攻击（Durable Backdoors in Federated Learning）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.10341.pdf)\n  - Zhengming Zhang, Ashwinee Panda, Linyue Song, Yaoqing Yang, Michael W. Mahoney, Joseph E. Gonzalez, Kannan Ramchandran, and Prateek Mittal. *ICML*, 2022.\n\n- FLAME: 驯服联邦学习中的后门攻击（Taming Backdoors in Federated Learning）。\n  [[pdf]](https:\u002F\u002Fwww.usenix.org\u002Fsystem\u002Ffiles\u002Fsec22fall_nguyen.pdf)\n  - Thien Duc Nguyen, Phillip Rieger, Huili Chen, Hossein Yalame, Helen Möllering, Hossein Fereidooni, Samuel Marchal, Markus Miettinen, Azalia Mirhoseini, Shaza Zeitouni, Farinaz Koushanfar, Ahmad-Reza Sadeghi, and Thomas Schneider. *USENIX Security*, 2022.\n\n- DeepSight: 通过深度模型检测缓解联邦学习中的后门攻击（Mitigating Backdoor Attacks in Federated Learning Through Deep Model Inspection）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.00763.pdf)\n  - Phillip Rieger, Thien Duc Nguyen, Markus Miettinen, and Ahmad-Reza Sadeghi. *NDSS*, 2022.\n\n- 防御纵向联邦学习中的标签推断与后门攻击（Defending Label Inference and Backdoor Attacks in Vertical Federated Learning）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2112.05409.pdf)\n  - Yang Liu, Zhihao Yi, Yan Kang, Yuanqin He, Wenhan Liu, Tianyuan Zou, and Qiang Yang. *AAAI*, 2022.\n\n- 拜占庭容错聚合机制在联邦学习模型投毒攻击中的分析（An Analysis of Byzantine-Tolerant Aggregation Mechanisms on Model Poisoning in Federated Learning）。\n  [[link]](https:\u002F\u002Flink.springer.com\u002Fchapter\u002F10.1007\u002F978-3-031-13448-7_12)\n  - Mary Roszel, Robert Norvill, and Radu State. *MDAI*, 2022.\n\n- 利用差分隐私防御联邦学习中的后门攻击（Against Backdoor Attacks In Federated Learning With Differential Privacy）。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9747653)\n  - Lu Miao, Wei Yang, Rong Hu, Lu Li, and Liusheng Huang. 
*ICASSP*, 2022.\n\n- 安全部分聚合：使联邦学习在工业4.0应用中更加鲁棒（Secure Partial Aggregation: Making Federated Learning More Robust for Industry 4.0 Applications）。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9692911)\n  - Jiqiang Gao, Baolei Zhang, Xiaojie Guo, Thar Baker, Min Li, and Zheli Liu. *IEEE Transactions on Industrial Informatics*, 2022.\n\n- 基于联邦学习中离群值鲁棒过滤的后门攻击弹性聚合用于图像分类（Backdoor Attacks-resilient Aggregation based on Robust Filtering of Outliers in Federated Learning for Image Classification）。\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0950705122002635)\n  - Nuria Rodríguez-Barroso, Eugenio Martínez-Cámara, M. Victoria Luzón, and Francisco Herrera. *Knowledge-Based Systems*, 2022.\n\n- 联邦学习中的后门攻击防御（Defense against Backdoor Attack in Federated Learning）。\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0167404822002139)\n  [[code]](https:\u002F\u002Fgithub.com\u002Flsw3130104597\u002FBackdoor_detection)\n  - Shiwei Lu, Ruihu Li, Wenbin Liu, and Xuan Chen. *Computers & Security*, 2022.\n\n- 针对投毒对抗者的隐私增强联邦学习（Privacy-Enhanced Federated Learning against Poisoning Adversaries）。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9524709\u002F)\n  - Xiaoyuan Liu, Hongwei Li, Guowen Xu, Zongqi Chen, Xiaoming Huang, and Rongxing Lu. *IEEE Transactions on Information Forensics and Security*, 2021.\n\n- 针对联邦学习的基于模型相关触发器的协同后门攻击（Coordinated Backdoor Attacks against Federated Learning with Model-Dependent Triggers）。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9713908)\n  - Xueluan Gong, Yanjiao Chen, Huayang Huang, Yuqing Liao, Shuai Wang, and Qian Wang. 
*IEEE Network*, 2022.\n\n- CRFL: 可证明鲁棒的联邦学习防御后门攻击（Certifiably Robust Federated Learning against Backdoor Attacks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.08283.pdf)\n  - Chulin Xie, Minghao Chen, Pin-Yu Chen, and Bo Li. *ICML*, 2021.\n\n- 诅咒还是救赎？数据异质性如何影响联邦学习的鲁棒性（Curse or Redemption? How Data Heterogeneity Affects the Robustness of Federated Learning）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2102.00655.pdf)\n  - Syed Zawad, Ahsan Ali, Pin-Yu Chen, Ali Anwar, Yi Zhou, Nathalie Baracaldo, Yuan Tian, and Feng Yan. *AAAI*, 2021.\n\n- 利用鲁棒学习率防御联邦学习中的后门攻击（Defending Against Backdoors in Federated Learning with Robust Learning Rate）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.03767.pdf)\n  - Mustafa Safa Ozdayi, Murat Kantarcioglu, and Yulia R. Gel. *AAAI*, 2021.\n  \n- BaFFLe: 基于反馈的联邦学习后门检测（Backdoor detection via Feedback-based Federated Learning）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2011.02167.pdf)\n  - Sebastien Andreina, Giorgia Azzurra Marson, Helen Möllering, and Ghassan Karame. *ICDCS*, 2021.\n\n- PipAttack: 投毒联邦推荐系统以操纵商品推广（Poisoning Federated Recommender Systems for Manipulating Item Promotion）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.10926.pdf)\n  - Shijie Zhang, Hongzhi Yin, Tong Chen, Zi Huang, Quoc Viet Hung Nguyen, and Lizhen Cui. *WSDM*, 2021.\n\n- 通过联邦过滤器缓解工业物联网应用中的后门攻击（Mitigating the Backdoor Attack by Federated Filters for Industrial IoT Applications）。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fdocument\u002F9536411\u002F)\n  - Boyu Hou, Jiqiang Gao, Xiaojie Guo, Thar Baker, Ying Zhang, Yanlong Wen, and Zheli Liu. *IEEE Transactions on Industrial Informatics*, 2021.\n\n- 基于稳定性的边缘计算服务后门攻击分析与防御（Stability-Based Analysis and Defense against Backdoor Attacks on Edge Computing Services）。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9354927)\n  - Yi Zhao, Ke Xu, Haiyang Wang, Bo Li, and Ruoxi Jia. 
*IEEE Network*, 2021.\n\n- 尾部攻击：是的，你真的可以在联邦学习中植入后门（Attack of the Tails: Yes, You Really Can Backdoor Federated Learning）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.05084.pdf)\n  - Hongyi Wang, Kartik Sreenivasan, Shashank Rajput, Harit Vishwakarma, Saurabh Agarwal, Jy-yong Sohn, Kangwook Lee, and Dimitris Papailiopoulos. *NeurIPS*, 2020.\n  \n- DBA: 针对联邦学习的分布式后门攻击（Distributed Backdoor Attacks against Federated Learning）。\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=rkgyS0VFvr)\n  - Chulin Xie, Keli Huang, Pinyu Chen, and Bo Li. *ICLR*, 2020.\n\n\n- 联邦学习在女巫攻击场景下的局限性（The Limitations of Federated Learning in Sybil Settings）。\n  [[pdf]](https:\u002F\u002Fwww.cs.ubc.ca\u002F~bestchai\u002Fpapers\u002Ffoolsgold-raid2020.pdf)\n  [[extension]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1808.04866.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FDistributedML\u002FFoolsGold)\n  - Clement Fung, Chris J.M. Yoon, and Ivan Beschastnikh. *RAID*, 2020 (arXiv, 2018).\n\n- 如何在联邦学习中植入后门（How to Backdoor Federated Learning）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1807.00459.pdf)\n  - Eugene Bagdasaryan, Andreas Veit, Yiqing Hua, Deborah Estrin, and Vitaly Shmatikov. *AISTATS*, 2020 (arXiv, 2018).\n\n\n- BEAS: 区块链赋能的异步安全联邦机器学习（Blockchain Enabled Asynchronous & Secure Federated Machine Learning）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.02817.pdf)\n  - Arup Mondal, Harpreet Virk, and Debayan Gupta. *AAAI Workshop*, 2022.\n  \n- 特征分割协作学习中的后门攻击与防御（Backdoor Attacks and Defenses in Feature-partitioned Collaborative Learning）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.03608.pdf)\n  - Yang Liu, Zhihao Yi, and Tianjian Chen. *ICML Workshop*, 2020.\n\n- 你真的能在联邦学习中植入后门吗？（Can You Really Backdoor Federated Learning?）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1911.07963.pdf)\n  - Ziteng Sun, Peter Kairouz, Ananda Theertha Suresh, and H. Brendan McMahan. 
*NeurIPS Workshop*, 2019.\n\n- 用于防御联邦后门攻击的不变聚合器（Invariant Aggregator for Defending Federated Backdoor Attacks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2210.01834.pdf)\n  - Xiaoyang Wang, Dimitrios Dimitriadis, Sanmi Koyejo, and Shruti Tople. arXiv, 2022.\n\n- 保护联邦学习：以更少的约束缓解拜占庭攻击（Shielding Federated Learning: Mitigating Byzantine Attacks with Less Constraints）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2210.01437.pdf)\n  - Minghui Li, Wei Wan, Jianrong Lu, Shengshan Hu, Junyu Shi, and Leo Yu Zhang. arXiv, 2022.\n\n- 面向视觉识别的联邦零样本学习（Federated Zero-Shot Learning for Visual Recognition）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2209.01994.pdf)\n  - Zhi Chen, Yadan Luo, Sen Wang, Jingjing Li, and Zi Huang. arXiv, 2022.\n\n- 利用全群体知识对齐辅助后门联邦学习（Backdoor Federated Learning）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.12327.pdf)\n  - Tian Liu, Xueyang Hu, and Tao Shu. arXiv, 2022.\n\n- FL-Defender：应对联邦学习中的针对性攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.00872.pdf)\n  - Najeeb Jebreel and Josep Domingo-Ferrer. arXiv, 2022.\n\n- 后门攻击是联邦 GAN 医疗图像合成中的恶魔。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.00762.pdf)\n  - Ruinan Jin and Xiaoxiao Li. arXiv, 2022.\n\n- SafeNet：缓解针对私有机器学习的数据投毒攻击（Data Poisoning Attacks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.09986.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fdata61\u002FMP-SPDZ)\n  - Harsh Chaudhari, Matthew Jagielski, and Alina Oprea. arXiv, 2022.\n\n- PerDoor：利用对抗扰动（Adversarial Perturbations）在联邦学习中实现持久非均匀后门。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.13523.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fmomalab\u002FPerDoor)\n  - Manaar Alam, Esha Sarkar, and Michail Maniatakos. arXiv, 2022.\n\n- 面向持续联邦学习（Continual Federated Learning）中后门攻击的防御。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.11736.pdf)\n  - Shuaiqi Wang, Jonathan Hayase, Giulia Fanti, and Sewoong Oh. 
arXiv, 2022.\n  \n- 联邦学习中的客户端定向后门攻击（Client-Wise Targeted Backdoor）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2203.08689.pdf)\n  - Gorka Abad, Servio Paguada, Stjepan Picek, Víctor Julio Ramírez-Durán, and Aitor Urbieta. arXiv, 2022.\n\n- 利用差分测试（Differential Testing）和异常值检测（Outlier Detection）进行联邦学习中的后门防御。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.11196.pdf)\n  - Yein Kim, Huili Chen, and Farinaz Koushanfar. arXiv, 2022.\n\n- ARIBA：实现联邦学习中后门攻击的准确鲁棒识别。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.04311.pdf)\n  - Yuxi Mi, Jihong Guan, and Shuigeng Zhou. arXiv, 2022.\n\n- 更多即是更好（大多数情况下）：论联邦图神经网络（Federated Graph Neural Networks）中的后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.03195.pdf)\n  - Jing Xu, Rui Wang, Kaitai Liang, and Stjepan Picek. arXiv, 2022.\n\n- 低损子空间压缩（Low-Loss Subspace Compression）：对抗多智能体后门攻击的有效手段。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2203.03692.pdf)\n  - Siddhartha Datta and Nigel Shadbolt. arXiv, 2022.\n\n- 后门困于前门：适得其反的多智能体后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.12211.pdf)\n  - Siddhartha Datta and Nigel Shadbolt. arXiv, 2022.\n\n- 基于知识蒸馏（Knowledge Distillation）的联邦遗忘学习（Federated Unlearning）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.09441.pdf)\n  - Chen Wu, Sencun Zhu, and Prasenjit Mitra. arXiv, 2022.\n\n- 针对个性化联邦学习（Personalized Federated Learning）中后门超网络（Backdoor HyperNetwork）的模型迁移攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.07063.pdf)\n  - Phung Lai, NhatHai Phan, Abdallah Khreishah, Issa Khalil, and Xintao Wu. arXiv, 2022.\n\n- 基于彩票假设（Lottery Ticket Hypothesis）的联邦学习后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.10512.pdf)\n  - Zihang Zou, Boqing Gong, and Liqiang Wang. arXiv, 2021.\n\n- 论协作学习中的可证明后门防御。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2101.08177.pdf)\n  - Ximing Qiao, Yuhua Bai, Siping Hu, Ang Li, Yiran Chen, and Hai Li. 
arXiv, 2021.\n\n- SparseFed：利用稀疏化（Sparsification）缓解联邦学习中的模型投毒攻击（Model Poisoning Attacks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2112.06274.pdf)\n  - Ashwinee Panda, Saeed Mahloujifar, Arjun N. Bhagoji, Supriyo Chakraborty, and Prateek Mittal. arXiv, 2021.\n\n- 具有攻击自适应聚合（Attack-Adaptive Aggregation）的鲁棒联邦学习。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2102.05257.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fcpwan\u002FAttack-Adaptive-Aggregation)\n  - Ching Pui Wan, and Qifeng Chen. arXiv, 2021.\n\n- 元联邦学习（Meta Federated Learning）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2102.05561.pdf)\n  - Omid Aramoon, Pin-Yu Chen, Gang Qu, and Yuan Tian. arXiv, 2021.\n\n- FLGUARD：安全私有的联邦学习。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2101.02281.pdf)\n  - Thien Duc Nguyen, Phillip Rieger, Hossein Yalame, Helen Möllering, Hossein Fereidooni, Samuel Marchal, Markus Miettinen, Azalia Mirhoseini, Ahmad-Reza Sadeghi, Thomas Schneider, and Shaza Zeitouni. arXiv, 2021.\n\n- 迈向鲁棒且私有的联邦学习：本地与中心差分隐私（Differential Privacy）实验。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2009.03561.pdf)\n  - Mohammad Naseri, Jamie Hayes, and Emiliano De Cristofaro. arXiv, 2020.\n\n- 针对联邦元学习（Federated Meta-Learning）的后门攻击。 \n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.07026.pdf)\n  - Chien-Lun Chen, Leana Golubchik, and Marco Paolieri. arXiv, 2020. \n\n- 针对联邦学习的动态后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2011.07429.pdf)\n  - Anbu Huang. arXiv, 2020.\n\n- 对抗性设置中的联邦学习。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.07808.pdf)\n  - Raouf Kerkouche, Gergely Ács, and Claude Castelluccia. arXiv, 2020.\n\n- BlockFLA：基于混合区块链架构的可问责联邦学习。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.07427.pdf)\n  - Harsh Bimal Desai, Mustafa Safa Ozdayi, and Murat Kantarcioglu. 
arXiv, 2020.\n\n- 缓解联邦学习中的后门攻击。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2011.01767.pdf)\n  - Chen Wu, Xian Yang, Sencun Zhu, and Prasenjit Mitra. arXiv, 2020.\n\n- 学习检测恶意客户端以实现鲁棒联邦学习。 \n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.00211.pdf)\n  - Suyi Li, Yong Cheng, Wei Wang, Yang Liu, and Tianjian Chen. arXiv, 2020.\n  \n- 基于残差重加权（Residual-based Reweighting）的抗攻击联邦学习。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1912.11464.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Ffushuhao6\u002FAttack-Resistant-Federated-Learning)\n  - Shuhao Fu, Chulin Xie, Bo Li, and Qifeng Chen. arXiv, 2019.\n\n### 迁移学习（Transfer Learning）\n- Incremental Learning, Incremental Backdoor Threats（增量学习，增量后门威胁）\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9872528\u002F)\n  - Wenbo Jiang, Tianwei Zhang, Han Qiu, Hongwei Li, and Guowen Xu. *IEEE Transactions on Dependable and Secure Computing*, 2022.\n\n- Robust Backdoor Injection with the Capability of Resisting Network Transfer（具有抵抗网络迁移能力的鲁棒后门注入）\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS002002552201043X)\n  - Le Feng, Sheng Li, Zhenxing Qian, and Xinpeng Zhang. *Information Sciences*, 2022.\n\n- Anti-Distillation Backdoor Attacks: Backdoors Can Really Survive in Knowledge Distillation（反蒸馏后门攻击：后门真的可以在知识蒸馏中存活）\n  [[pdf]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fpdf\u002F10.1145\u002F3474085.3475254)\n  - Yunjie Ge, Qian Wang, Baolin Zheng, Xinlu Zhuang, Qi Li, Chao Shen, and Cong Wang. *ACM MM*, 2021.\n\n- Hidden Trigger Backdoor Attacks（隐藏触发器后门攻击）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1910.00033.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUMBCvision\u002FHidden-Trigger-Backdoor-Attacks)\n  - Aniruddha Saha, Akshayvarun Subramanya, and Hamed Pirsiavash. 
*AAAI*, 2020.\n\n- Weight Poisoning Attacks on Pre-trained Models（预训练模型的权重投毒攻击）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.06660.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fneulab\u002FRIPPLe)\n  - Keita Kurita, Paul Michel, and Graham Neubig. *ACL*, 2020.\n\n- Backdoor Attacks against Transfer Learning with Pre-trained Deep Learning Models（针对预训练深度学习模型迁移学习的后门攻击）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2001.03274.pdf)\n  - Shuo Wang, Surya Nepal, Carsten Rudolph, Marthie Grobler, Shangyu Chen, and Tianle Chen. *IEEE Transactions on Services Computing*, 2020.\n\n\n- Latent Backdoor Attacks on Deep Neural Networks（深度神经网络的潜在后门攻击）\n  [[pdf]](http:\u002F\u002Fpeople.cs.uchicago.edu\u002F~huiyingli\u002Fpublication\u002Ffr292-yaoA.pdf)\n  - Yuanshun Yao, Huiying Li, Haitao Zheng and Ben Y. Zhao. *CCS*, 2019.\n  \n- Architectural Backdoors in Neural Networks（神经网络中的架构后门）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.07840.pdf)\n  - Mikel Bober-Irizar, Ilia Shumailov, Yiren Zhao, Robert Mullins, and Nicolas Papernot. arXiv, 2022.\n  \n  \n- Red Alarm for Pre-trained Models: Universal Vulnerabilities by Neuron-Level Backdoor Attacks（预训练模型的红色警报：神经元级后门攻击导致的通用漏洞）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2101.06969.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FNeuBA)\n  - Zhengyan Zhang, Guangxuan Xiao, Yongwei Li, Tian Lv, Fanchao Qi, Zhiyuan Liu, Yasheng Wang, Xin Jiang, and Maosong Sun. arXiv, 2021.\n\n### 强化学习（Reinforcement Learning）\n- Provable Defense against Backdoor Policies in Reinforcement Learning（强化学习中后门策略的可证明防御）\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=11WmFbrIt26)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fskbharti\u002FProvable-Defense-in-RL)\n  - Shubham Kumar Bharti, Xuezhou Zhang, Adish Singla, and Jerry Zhu. 
*NeurIPS*, 2022.\n\n- MARNet: Backdoor Attacks against Cooperative Multi-Agent Reinforcement Learning（MARNet：针对协作多智能体强化学习的后门攻击）\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9894692)\n  - Yanjiao Chen, Zhicong Zheng, and Xueluan Gong. *IEEE Transactions on Dependable and Secure Computing*, 2022.\n\n- BACKDOORL: Backdoor Attack against Competitive Reinforcement Learning（BACKDOORL：针对竞争强化学习的后门攻击）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.00579.pdf)\n  - Lun Wang, Zaynah Javed, Xian Wu, Wenbo Guo, Xinyu Xing, and Dawn Song. *IJCAI*, 2021.\n\n- Stop-and-Go: Exploring Backdoor Attacks on Deep Reinforcement Learning-based Traffic Congestion Control Systems（Stop-and-Go：探索基于深度强化学习的交通拥堵控制系统上的后门攻击）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2003.07859.pdf)\n  - Yue Wang, Esha Sarkar, Michail Maniatakos, and Saif Eddin Jabari. *IEEE Transactions on Information Forensics and Security*, 2021.\n\n- Agent Manipulator: Stealthy Strategy Attacks on Deep Reinforcement Learning（智能体操控器：深度强化学习的隐蔽策略攻击）\n  [[link]](https:\u002F\u002Flink.springer.com\u002Farticle\u002F10.1007\u002Fs10489-022-03882-w)\n  - Jinyin Chen, Xueke Wang, Yan Zhang, Haibin Zheng, Shanqing Yu, and Liang Bao. *Applied Intelligence*, 2022.\n\n- TrojDRL: Evaluation of Backdoor Attacks on Deep Reinforcement Learning（TrojDRL：深度强化学习后门攻击评估）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1903.06638.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fpkiourti\u002Frl_backdoor)\n  - Panagiota Kiourti, Kacper Wardega, Susmit Jha, and Wenchao Li. *DAC*, 2020.\n\n- Poisoning Deep Reinforcement Learning Agents with In-Distribution Triggers（利用分布内触发器投毒深度强化学习智能体）\n  [[pdf]](https:\u002F\u002Faisecure-workshop.github.io\u002Faml-iclr2021\u002Fpapers\u002F11.pdf) \n  - Chace Ashcraft and Kiran Karra. 
*ICLR Workshop*, 2021.\n\n- A Temporal-Pattern Backdoor Attack to Deep Reinforcement Learning（针对深度强化学习的时间模式后门攻击）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.02589.pdf)\n  - Yinbo Yu, Jiajia Liu, Shouqing Li, Kepu Huang, and Xudong Feng. arXiv, 2022.\n\n- Backdoor Detection in Reinforcement Learning（强化学习中的后门检测）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.03609.pdf)\n  - Junfeng Guo, Ang Li, and Cong Liu. arXiv, 2022.\n  \n- Design of Intentional Backdoors in Sequential Models（序列模型中故意后门的构建）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1902.09972.pdf)\n  - Zhaoyuan Yang, Naresh Iyer, Johan Reimann, and Nurali Virani. arXiv, 2019.\n\n\n### 半监督学习与自监督学习（Semi-Supervised and Self-Supervised Learning）\n- Backdoor Attacks on Self-Supervised Learning（自监督学习中的后门攻击）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.10123)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUMBCvision\u002FSSL-Backdoor)\n  - Aniruddha Saha, Ajinkya Tejankar, Soroush Abbasi Koohpayegani, and Hamed Pirsiavash. *CVPR*, 2022.\n\n- Poisoning and Backdooring Contrastive Learning（对比学习的投毒与后门攻击）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.09667.pdf)\n  - Nicholas Carlini and Andreas Terzis. *ICLR*, 2022.\n\n- BadEncoder: Backdoor Attacks to Pre-trained Encoders in Self-Supervised Learning（BadEncoder：自监督学习中预训练编码器的后门攻击）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2108.00352.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fjjy1994\u002FBadEncoder)\n  - Jinyuan Jia, Yupei Liu, and Neil Zhenqiang Gong. *IEEE S&P*, 2022.\n\n- DeHiB: Deep Hidden Backdoor Attack on Semi-supervised Learning via adversarial Perturbation（DeHiB：通过对抗扰动对半监督学习的深度隐藏后门攻击）\n  [[pdf]](https:\u002F\u002Fojs.aaai.org\u002Findex.php\u002FAAAI\u002Farticle\u002Fview\u002F17266)\n  - Zhicong Yan, Gaolei Li, Yuan Tian, Jun Wu, Shenghong Li, Mingzhe Chen, and H. Vincent Poor. 
*AAAI*, 2021.\n\n- Deep Neural Backdoor in Semi-Supervised Learning: Threats and Countermeasures（半监督学习中的深度神经后门：威胁与对策）\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9551983)\n  - Zhicong Yan, Jun Wu, Gaolei Li, Shenghong Li, and Mohsen Guizani. *IEEE Transactions on Information Forensics and Security*, 2021.\n\n- Backdoor Attacks in the Supply Chain of Masked Image Modeling（掩码图像建模供应链中的后门攻击）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2210.01632.pdf)\n  - Xinyue Shen, Xinlei He, Zheng Li, Yun Shen, Michael Backes, and Yang Zhang. arXiv, 2022.\n\n- Watermarking Pre-trained Encoders in Contrastive Learning（对比学习中预训练编码器的水印）\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.08217.pdf)\n  - Yutong Wu, Han Qiu, Tianwei Zhang, Jiwei Li, and Meikang Qiu. arXiv, 2022.\n\n### 量化（Quantization）\n- RIBAC: Towards Robust and Imperceptible Backdoor Attack against Compact DNN.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.10608.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fhuyvnphan\u002FECCV2022-RIBAC)\n  - Huy Phan, Cong Shi, Yi Xie, Tianfang Zhang, Zhuohang Li, Tianming Zhao, Jian Liu, Yan Wang, Yingying Chen, and Bo Yuan. *ECCV*, 2022.\n\n- Qu-ANTI-zation: Exploiting Quantization Artifacts for Achieving Adversarial Outcomes.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.13541.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSecure-AI-Systems-Group\u002FQu-ANTI-zation)\n  - Sanghyun Hong, Michael-Andrei Panaitescu-Liess, Yiğitcan Kaya, and Tudor Dumitraş. *NeurIPS*, 2021.\n\n- Understanding the Threats of Trojaned Quantized Neural Network in Model Supply Chains.\n  [[pdf]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fpdf\u002F10.1145\u002F3485832.3485881)\n  - Xudong Pan, Mi Zhang, Yifan Yan, and Min Yang. 
*ACSAC*, 2021.\n\n- Quantization Backdoors to Deep Learning Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2108.09187.pdf)\n  - Hua Ma, Huming Qiu, Yansong Gao, Zhi Zhang, Alsharif Abuadbba, Anmin Fu, Said Al-Sarawi, and Derek Abbott. arXiv, 2021.\n\n- Stealthy Backdoors as Compression Artifacts.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.15129.pdf) \n  - Yulong Tian, Fnu Suya, Fengyuan Xu, and David Evans. arXiv, 2021.\n\n\n### 自然语言处理（Natural Language Processing）\n  \n- TrojText: Test-time Invisible Textual Trojan Insertion.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=ja4Lpp5mqc2)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUCF-ML-Research\u002FTrojText)\n  - Qian Lou, Yepeng Liu, and Bo Feng. *ICLR*, 2023.\n\n- Defending against Backdoor Attacks in Natural Language Generation.\n  [[link]](https:\u002F\u002Fojs.aaai.org\u002Findex.php\u002FAAAI\u002Farticle\u002Fview\u002F25656)\n  - Xiaofei Sun, Xiaoya Li, Yuxian Meng, Xiang Ao, Lingjuan Lyu, Jiwei Li, and Tianwei Zhang. *AAAI*, 2023.\n\n- Removing Backdoors in Pre-trained Models by Regularized Continual Pre-training.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fforum?id=JKuBOuzntQ)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FRECIPE)\n  - Biru Zhu, Ganqu Cui, Yangyi Chen, Yujia Qin, Lifan Yuan, Chong Fu, Yangdong Deng, Zhiyuan Liu, Maosong Sun, Ming Gu. *Transactions of the Association for Computational Linguistics*, 2023.\n\n\n- BadPrompt: Backdoor Attacks on Continuous Prompts.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=rlN6fO3OrP)\n  [[code]](https:\u002F\u002Fgithub.com\u002FpapersPapers\u002FBadPrompt)\n  - Xiangrui Cai, Haidong Xu, Sihan Xu, Ying Zhang, and Xiaojie Yuan. 
*NeurIPS*, 2022.\n\n- Moderate-fitting as a Natural Backdoor Defender for Pre-trained Language Models\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fforum?id=C7cv9fh8m-b)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FModerate-fitting)\n  - Biru Zhu, Yujia Qin, Ganqu Cui, Yangyi Chen, Weilin Zhao, Chong Fu, Yangdong Deng, Zhiyuan Liu, Jingang Wang, Wei Wu, Maosong Sun, and Ming Gu. *NeurIPS*, 2022.\n\n- A Unified Evaluation of Textual Backdoor Learning: Frameworks and Benchmarks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.08514.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FOpenBackdoor)\n  - Ganqu Cui, Lifan Yuan, Bingxiang He, Yangyi Chen, Zhiyuan Liu, and Maosong Sun. *NeurIPS*, 2022.  \n\n- Spinning Language Models: Risks of Propaganda-as-a-Service and Countermeasures\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fabs\u002F2112.05224)\n  [[code]](https:\u002F\u002Fgithub.com\u002Febagdasa\u002Fpropaganda_as_a_service)\n  - Eugene Bagdasaryan and Vitaly Shmatikov. *IEEE S&P*, 2022.\n\n- PICCOLO: Exposing Complex Backdoors in NLP Transformer Models.\n  [[pdf]](https:\u002F\u002Fwww.cs.purdue.edu\u002Fhomes\u002Ftaog\u002Fdocs\u002FSP22_Liu.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FPurduePAML\u002FPICCOLO)\n  - Yingqi Liu, Guangyu Shen, Guanhong Tao, Shengwei An, Shiqing Ma, and Xiangyu Zhang. *IEEE S&P*, 2022.\n\n- Triggerless Backdoor Attack for NLP Tasks with Clean Labels.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.07970.pdf)\n  - Leilei Gan, Jiwei Li, Tianwei Zhang, Xiaoya Li, Yuxian Meng, Fei Wu, Shangwei Guo, and Chun Fan. *NAACL*, 2022.\n\n- A Study of the Attention Abnormality in Trojaned BERTs.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.08305.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fweimin17\u002Fattention_abnormality_in_trojaned_berts)\n  - Weimin Lyu, Songzhu Zheng, Tengfei Ma, and Chao Chen. 
*NAACL*, 2022.\n\n\n- The Triggers that Open the NLP Model Backdoors Are Hidden in the Adversarial Samples.\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0167404822001250)\n  - Kun Shao, Yu Zhang, Junan Yang, Xiaoshuai Li, and Hui Liu. *Computers & Security*, 2022.\n\n- BDDR: An Effective Defense Against Textual Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0167404821002571)\n  - Kun Shao, Junan Yang, Yang Ai, Hui Liu, and Yu Zhang. *Computers & Security*, 2021.\n\n- BadPre: Task-agnostic Backdoor Attacks to Pre-trained NLP Foundation Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.02467.pdf)\n  - Kangjie Chen, Yuxian Meng, Xiaofei Sun, Shangwei Guo, Tianwei Zhang, Jiwei Li, and Chun Fan. *ICLR*, 2022.\n\n- Exploring the Universal Vulnerability of Prompt-based Learning Paradigm.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2204.05239.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fleix28\u002Fprompt-universal-vulnerability)\n  - Lei Xu, Yangyi Chen, Ganqu Cui, Hongcheng Gao, and Zhiyuan Liu. *NAACL-Findings*, 2022.\n\n- Backdoor Pre-trained Models Can Transfer to All.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.00197)\n  - Lujia Shen, Shouling Ji, Xuhong Zhang, Jinfeng Li, Jing Chen, Jie Shi, Chengfang Fang, Jianwei Yin, and Ting Wang. *CCS*, 2021.\n\n- BadNL: Backdoor Attacks against NLP Models with Semantic-preserving Improvements.\n  [[pdf]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fpdf\u002F10.1145\u002F3485832.3485837)\n  [[arXiv-20]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.01043.pdf)\n  - Xiaoyi Chen, Ahmed Salem, Dingfan Chen, Michael Backes, Shiqing Ma, Qingni Shen, Zhonghai Wu, and Yang Zhang. 
*ACSAC*, 2021.\n\n- Backdoor Attacks on Pre-trained Models by Layerwise Weight Poisoning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2108.13888.pdf)\n  - Linyang Li, Demin Song, Xiaonan Li, Jiehang Zeng, Ruotian Ma, and Xipeng Qiu. *EMNLP*, 2021.\n\n- T-Miner: A Generative Approach to Defend Against Trojan Attacks on DNN-based Text Classification.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.04264.pdf)\n  - Ahmadreza Azizi, Ibrahim Asadullah Tahmid, Asim Waheed, Neal Mangaokar, Jiameng Pu, Mobin Javed, Chandan K. Reddy, and Bimal Viswanath. *USENIX Security*, 2021.\n\n- RAP: Robustness-Aware Perturbations for Defending against Backdoor Attacks on NLP Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.07831.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Flancopku\u002FRAP)\n  - Wenkai Yang, Yankai Lin, Peng Li, Jie Zhou, and Xu Sun. *EMNLP*, 2021.\n\n- ONION: A Simple and Effective Defense Against Textual Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2011.10369.pdf)\n  - Fanchao Qi, Yangyi Chen, Mukai Li, Zhiyuan Liu, and Maosong Sun. *EMNLP*, 2021.\n\n- Mind the Style of Text! Adversarial and Backdoor Attacks Based on Text Style Transfer.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.07139.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FStyleAttack)\n  - Fanchao Qi, Yangyi Chen, Xurui Zhang, Mukai Li, Zhiyuan Liu, and Maosong Sun. *EMNLP*, 2021.\n\n- 重新思考针对 NLP 模型的后门攻击隐蔽性（Rethinking Stealthiness of Backdoor Attack against NLP Models）。\n  [[pdf]](https:\u002F\u002Faclanthology.org\u002F2021.acl-long.431.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Flancopku\u002FSOS)\n  - Wenkai Yang, Yankai Lin, Peng Li, Jie Zhou, and Xu Sun. 
*ACL*, 2021.\n\n- 转动密码锁：通过词语替换实现可学习的文本后门攻击（Turn the Combination Lock: Learnable Textual Backdoor Attacks via Word Substitution）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.06361.pdf)\n  - Fanchao Qi, Yuan Yao, Sophia Xu, Zhiyuan Liu, and Maosong Sun. *ACL*, 2021.\n\n- 隐藏杀手：基于句法触发器的隐形文本后门攻击（Hidden Killer: Invisible Textual Backdoor Attacks with Syntactic Trigger）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.12400.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FHiddenKiller)\n  - Fanchao Qi, Mukai Li, Yangyi Chen, Zhengyan Zhang, Zhiyuan Liu, Yasheng Wang, and Maosong Sun. *ACL*, 2021.\n\n- 利用差分隐私缓解文本分类中的数据投毒攻击（Mitigating Data Poisoning in Text Classification with Differential Privacy）。\n  [[pdf]](https:\u002F\u002Faclanthology.org\u002F2021.findings-emnlp.369.pdf)\n  - Chang Xu, Jun Wang, Francisco Guzmán, Benjamin I. P. Rubinstein, and Trevor Cohn. *EMNLP-Findings*, 2021.\n\n- BFClass：无后门文本分类框架（BFClass: A Backdoor-free Text Classification Framework）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.10855.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fdheeraj7596\u002FBFClass)\n  - Zichao Li, Dheeraj Mekala, Chengyu Dong, and Jingbo Shang. *EMNLP-Findings*, 2021.\n\n\n- 警惕被投毒的词嵌入：探索 NLP 模型嵌入层的脆弱性（Be Careful about Poisoned Word Embeddings: Exploring the Vulnerability of the Embedding Layers in NLP Models）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.15543.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Flancopku\u002FEmbedding-Poisoning)\n  - Wenkai Yang, Lei Li, Zhiyuan Zhang, Xuancheng Ren, Xu Sun, and Bin He. *NAACL-HLT*, 2021.\n\n- 神经网络手术：以最小化实例级副作用将数据模式注入预训练模型（Neural Network Surgery: Injecting Data Patterns into Pre-trained Models with Minimal Instance-wise Side Effects）。\n  [[pdf]](https:\u002F\u002Faclanthology.org\u002F2021.naacl-main.430.pdf) \n  - Zhiyuan Zhang, Xuancheng Ren, Qi Su, Xu Sun, and Bin He. 
*NAACL-HLT*, 2021.\n\n- 基于可解释 RNN 抽象模型的文本后门检测（Text Backdoor Detection Using An Interpretable RNN Abstract Model）。\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9508422)\n  - Ming Fan, Ziliang Si, Xiaofei Xie, Yang Liu, and Ting Liu. *IEEE Transactions on Information Forensics and Security*, 2021.\n\n- 针对文本分类系统的文本后门攻击（Textual Backdoor Attack for the Text Classification System）。\n  [[pdf]](https:\u002F\u002Fwww.hindawi.com\u002Fjournals\u002Fscn\u002F2021\u002F2938386\u002F)\n  - Hyun Kwon and Sanghyun Lee. *Security and Communication Networks*, 2021.\n\n- 针对预训练模型的权重投毒攻击（Weight Poisoning Attacks on Pre-trained Models）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.06660.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fneulab\u002FRIPPLe)\n  - Keita Kurita, Paul Michel, and Graham Neubig. *ACL*, 2020.\n\n- 基于条件对抗正则化自编码器的文本数据集投毒攻击（Poison Attacks against Text Datasets with Conditional Adversarially Regularized Autoencoder）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.02684.pdf)\n  - Alvin Chan, Yi Tay, Yew-Soon Ong, and Aston Zhang. *EMNLP-Findings*, 2020.\n\n- 针对基于 LSTM 的文本分类系统的后门攻击（A Backdoor Attack Against LSTM-based Text Classification Systems）。\n  [[pdf]](https:\u002F\u002Fieeexplore.ieee.org\u002Fstamp\u002Fstamp.jsp?tp=&arnumber=8836465)\n  - Jiazhu Dai, Chuanshuai Chen, and Yufeng Li. *IEEE Access*, 2019.\n\n- PerD：基于扰动敏感性的 NLP 应用神经木马检测框架（PerD: Perturbation Sensitivity-based Neural Trojan Detection Framework on NLP Applications）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.04943.pdf)\n  - Diego Garcia-soto, Huili Chen, and Farinaz Koushanfar. arXiv, 2022.  \n\n- Kallima：文本后门攻击的干净标签框架（Kallima: A Clean-label Framework for Textual Backdoor Attacks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.01832.pdf)\n  - Xiaoyi Chen, Yinpeng Dong, Zeyu Sun, Shengfang Zhai, Qingni Shen, and Zhonghai Wu. 
arXiv, 2022.\n\n- 基于迭代触发器注入的文本后门攻击（Textual Backdoor Attacks with Iterative Trigger Injection）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.12700.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FINK-USC\u002Fdata-poisoning)\n  - Jun Yan, Vansh Gupta, and Xiang Ren. arXiv, 2022.\n\n- WeDef：文本分类的弱监督后门防御（WeDef: Weakly Supervised Backdoor Defense for Text Classification）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.11803.pdf)\n  - Lesheng Jin, Zihan Wang, and Jingbo Shang. arXiv, 2022.\n\n- 基于动态边界缩放约束优化的有效 NLP 后门防御（Constrained Optimization with Dynamic Bound-scaling for Effective NLP Backdoor Defense）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.05749.pdf)\n  - Guangyu Shen, Yingqi Liu, Guanhong Tao, Qiuling Xu, Zhuo Zhang, Shengwei An, Shiqing Ma, and Xiangyu Zhang. arXiv, 2022.\n\n- 重新思考自然语言处理中的隐蔽后门攻击（Rethink Stealthy Backdoor Attacks in Natural Language Processing）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.02993.pdf)\n  - Lingfeng Shen, Haiyun Jiang, Lemao Liu, and Shuming Shi. arXiv, 2022.\n\n- 通过两个简单技巧使文本后门攻击更具危害性（Textual Backdoor Attacks Can Be More Harmful via Two Simple Tricks）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.08247.pdf)\n  - Yangyi Chen, Fanchao Qi, Zhiyuan Liu, and Maosong Sun. arXiv, 2021.\n\n- 利用元后门操控序列到序列模型（Spinning Sequence-to-Sequence Models with Meta-Backdoors）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2107.10443.pdf)\n  - Eugene Bagdasaryan and Vitaly Shmatikov. arXiv, 2021.\n\n- 防御自然语言生成中的后门攻击（Defending against Backdoor Attacks in Natural Language Generation）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.01810.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FShannonAI\u002Fbackdoor_nlg)\n  - Chun Fan, Xiaoya Li, Yuxian Meng, Xiaofei Sun, Xiang Ao, Fei Wu, Jiwei Li, and Tianwei Zhang. 
arXiv, 2021.\n\n- 以人为中心的语言模型中的隐藏后门（Hidden Backdoors in Human-Centric Language Models）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.00164.pdf)\n  - Shaofeng Li, Hui Liu, Tian Dong, Benjamin Zi Hao Zhao, Minhui Xue, Haojin Zhu, and Jialiang Lu. arXiv, 2021.\n\n- 利用蜜罐检测通用触发器的对抗攻击（Detecting Universal Trigger's Adversarial Attack with Honeypot）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fabs\u002F2011.10492)\n  - Thai Le, Noseong Park, Dongwon Lee. arXiv, 2020.  \n\n- 通过后门关键词识别缓解基于 LSTM 的文本分类系统中的后门攻击（Mitigating Backdoor Attacks in LSTM-based Text Classification Systems by Backdoor Keyword Identification）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2007.12070.pdf)\n  - Chuanshuai Chen, and Jiazhu Dai. arXiv, 2020.\n\n- 木马化语言模型以谋取利益（Trojaning Language Models for Fun and Profit）。\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2008.00312.pdf)\n  - Xinyang Zhang, Zheng Zhang, and Ting Wang. arXiv, 2020.\n\n### Graph Neural Networks\n- Transferable Graph Backdoor Attack.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.00425.pdf)\n  - Shuiqiao Yang, Bao Gia Doan, Paul Montague, Olivier De Vel, Tamas Abraham, Seyit Camtepe, Damith C. Ranasinghe, and Salil S. Kanhere. *RAID*, 2022.\n\n- More is Better (Mostly): On the Backdoor Attacks in Federated Graph Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.03195.pdf)\n  - Jing Xu, Rui Wang, Kaitai Liang, and Stjepan Picek. *ACSAC*, 2022.\n\n- Graph Backdoor.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.11890.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHarrialX\u002FGraphBackdoor)\n  - Zhaohan Xi, Ren Pang, Shouling Ji, and Ting Wang. *USENIX Security*, 2021.\n  \n- Backdoor Attacks to Graph Neural Networks. \n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.11165.pdf)\n  - Zaixi Zhang, Jinyuan Jia, Binghui Wang, and Neil Zhenqiang Gong. *SACMAT*, 2021.  
\n\n- Defending Against Backdoor Attack on Graph Nerual Network by Explainability.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2209.02902.pdf)\n  - Bingchen Jiang and Zhao Li. arXiv, 2022.\n\n- Link-Backdoor: Backdoor Attack on Link Prediction via Node Injection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.06776.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSeaocn\u002FLink-Backdoor)\n  - Haibin Zheng, Haiyang Xiong, Haonan Ma, Guohan Huang, and Jinyin Chen. arXiv, 2022.\n\n- Neighboring Backdoor Attacks on Graph Convolutional Network.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.06202.pdf)\n  - Liang Chen, Qibiao Peng, Jintang Li, Yang Liu, Jiawei Chen, Yong Li, and Zibin Zheng. arXiv, 2022.\n\n- Dyn-Backdoor: Backdoor Attack on Dynamic Link Prediction.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.03875.pdf)\n  - Jinyin Chen, Haiyang Xiong, Haibin Zheng, Jian Zhang, Guodong Jiang, and Yi Liu. arXiv, 2021.\n\n- Explainability-based Backdoor Attacks Against Graph Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.03674.pdf)\n  - Jing Xu, Minhui Xue, and Stjepan Picek. arXiv, 2021.\n\n\n### Point Cloud\n- A Backdoor Attack against 3D Point Cloud Classifiers. \n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.05808.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fzhenxianglance\u002FPCBA)\n  - Zhen Xiang, David J. Miller, Siheng Chen, Xi Li, and George Kesidis. *ICCV*, 2021.\n\n- PointBA: Towards Backdoor Attacks in 3D Point Cloud.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.16074.pdf)\n  - Xinke Li, Zhiru Chen, Yue Zhao, Zekun Tong, Yabang Zhao, Andrew Lim, and Joey Tianyi Zhou. *ICCV*, 2021.\n\n- Imperceptible and Robust Backdoor Attack in 3D Point Cloud.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.08052.pdf)\n  - Kuofeng Gao, Jiawang Bai, Baoyuan Wu, Mengxi Ya, and Shu-Tao Xia. 
arXiv, 2022.\n\n- Detecting Backdoor Attacks Against Point Cloud Classifiers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.10354.pdf)\n  - Zhen Xiang, David J. Miller, Siheng Chen, Xi Li, and George Kesidis. arXiv, 2021.\n\n- Poisoning MorphNet for Clean-Label Backdoor Attack to Point Clouds.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.04839.pdf)\n  - Guiyu Tian, Wenhao Jiang, Wei Liu, and Yadong Mu. arXiv, 2021.\n\n### Acoustics Signal Processing\n- Toward Stealthy Backdoor Attacks against Speech Recognition via Elements of Sound.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fabs\u002F2307.08208.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHanboCai\u002FBadSpeech_SoE)\n  - Hanbo Cai, Pengcheng Zhang, Hai Dong, Yan Xiao, Stefanos Koffas, Yiming Li. *IEEE Transactions on Information Forensics and Security*, 2024.\n\n- Breaking Speaker Recognition with Paddingback.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F10448169)\n  - Zhe Ye, Diqun Yan, Li Dong, Kailai Shen. *ICASSP*, 2024.\n\n- Inaudible Backdoor Attack via Stealthy Frequency Trigger Injection in Audio Spectrogram.\n  [[link]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fabs\u002F10.1145\u002F3636534.3649345)\n  - Tianfang Zhang, Huy Phan, Zijie Tang, Cong Shi, Yan Wang, Bo Yuan, Yingying Chen. *ACM MobiCom*, 2024.\n \n- SilentTrig: An imperceptible backdoor attack against speaker identification with hidden triggers.\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0167865523003495)\n  - Yu Tang, Lijuan Sun, Xiaolong Xu. *Pattern Recognition Letters*, 2024.\n\n- Devil in the Room: Triggering Audio Backdoors in the Physical World.\n  [[pdf]](https:\u002F\u002Fwww.usenix.org\u002Fsystem\u002Ffiles\u002Fsec23winter-prepub-166-chen.pdf)\n  - Meng Chen, Xiangyu Xu, Li Lu, Zhongjie Ba, Feng Lin, and Kui Ren. 
*USENIX*, 2023.\n\n- The Silent Manipulator: A Practical and Inaudible Backdoor Attack against Speech Recognition Systems.\n  [[link]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fabs\u002F10.1145\u002F3581783.3613843)\n  - Zhicong Zheng, Xinfeng Li, Chen Yan, Xiaoyu Ji, Wenyuan Xu. *ACM MM*, 2023.\n\n- Going in Style: Audio Backdoors Through Stylistic Transformations.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2211.03117)\n  - Stefanos Koffas, Luca Pajola, Stjepan Picek, and Mauro Conti. *ICASSP*, 2023.\n\n- VenoMave: Targeted Poisoning Against Speech Recognition.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.10682.pdf)\n  - Hojjat Aghakhani, Lea Schönherr, Thorsten Eisenhofer, Dorothea Kolossa, Thorsten Holz, Christopher Kruegel, Giovanni Vigna. *SaTML*, 2023.\n\n- Stealthy Backdoor Attack Against Speaker Recognition Using Phase-Injection Hidden Trigger.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F10175571)\n  - Zhe Ye, Diqun Yan, Li Dong, Jiacheng Deng, Shui Yu. *IEEE Signal Processing Letters*, 2023.\n\n- Fake the Real: Backdoor Attack on Deep Speech Classification via Voice Conversion.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fabs\u002F2306.15875)\n  - Zhe Ye, Terui Mao, Li Dong, Diqun Yan. arXiv, 2023.\n\n- Opportunistic Backdoor Attacks: Exploring Human-imperceptible Vulnerabilities on Speech Recognition Systems.\n  [[link]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fabs\u002F10.1145\u002F3503161.3548261)\n  [[code]](https:\u002F\u002Fgithub.com\u002Flqsunshine\u002FDABA)\n  - Qiang Liu, Tongqing Zhou, Zhiping Cai, Yonghao Tang. *ACM MM*, 2022.\n\n- Audio-domain position-independent backdoor attack via unnoticeable triggers.\n  [[pdf]](https:\u002F\u002Fweb.njit.edu\u002F~cs638\u002Fpaper\u002FAudio-domain%20Position-independent%20Backdoor%20Attack%20via%20Unnoticeable%20Triggers.pdf)\n  - Cong Shi, Tianfang Zhang, Zhuohang Li, Huy Phan, Tianming Zhao, Yan Wang, Jian Liu, Bo Yuan, Yingying Chen. 
*ACM MobiCom*, 2022.\n\n- Can You Hear It? Backdoor Attacks via Ultrasonic Triggers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2107.14569.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fskoffas\u002Fultrasonic_backdoor)\n  - Stefanos Koffas, Jing Xu, Mauro Conti, and Stjepan Picek. *WiseML*, 2022.\n\n- Natural Backdoor Attacks on Speech Recognition Models.\n  [[link]](https:\u002F\u002Flink.springer.com\u002Fchapter\u002F10.1007\u002F978-3-031-20096-0_45)\n  - Jinwen Xin, Xixiang Lyu, Jing Ma. *ML4CS*, 2022.\n\n- Adversarial Audio: A New Information Hiding Method and Backdoor for DNN-based Speech Recognition Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fabs\u002F1904.03829.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHanboCai\u002FBadSpeech_SoE)\n  - Yehao Kong, Jiliang Zhang. arXiv, 2022.\n\n- DriNet: Dynamic Backdoor Attack against Automatic Speech Recognization Models.\n  [[link]](https:\u002F\u002Fwww.mdpi.com\u002F2076-3417\u002F12\u002F12\u002F5786)\n  - Jianbin Ye, Xiaoyuan Liu, Zheng You, Guowei Li, and Bo Liu. *Applied Sciences*, 2022.\n\n- Backdoor Attack against Speaker Verification\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.11607.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fzhaitongqing233\u002FBackdoor-attack-against-speaker-verification)\n  - Tongqing Zhai, Yiming Li, Ziqi Zhang, Baoyuan Wu, Yong Jiang, and Shu-Tao Xia. *ICASSP*, 2021.\n\n- A Novel Trojan Attack against Co-learning Based ASR DNN System.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9437669)\n  - Mingxuan Li, Xiao Wang, Dongdong Huo, Han Wang, Chao Liu, Yazhe Wang, Yu Wang, Zhen Xu. *CSCWD*, 2021.\n    \n\n\n### Medical Science\n- FIBA: Frequency-Injection based Backdoor Attack in Medical Image Analysis.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2112.01148.pdf)\n  - Yu Feng, Benteng Ma, Jing Zhang, Shanshan Zhao, Yong Xia, and Dacheng Tao. 
*CVPR*, 2022.\n\n- Exploiting Missing Value Patterns for a Backdoor Attack on Machine Learning Models of Electronic Health Records: Development and Validation Study.\n  [[link]](https:\u002F\u002Fmedinform.jmir.org\u002F2022\u002F8\u002Fe38440\u002F)\n  - Byunggill Joe, Yonghyeon Park, Jihun Hamm, Insik Shin, and Jiyeon Lee. *JMIR Medical Informatics*, 2022.\n\n- Machine Learning with Electronic Health Records is vulnerable to Backdoor Trigger Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.07925.pdf)\n  - Byunggill Joe, Akshay Mehra, Insik Shin, and Jihun Hamm. *AAAI Workshop*, 2021.\n\n- Explainability Matters: Backdoor Attacks on Medical Imaging.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2101.00008.pdf)\n  - Munachiso Nwadike, Takumi Miyawaki, Esha Sarkar, Michail Maniatakos, and Farah Shamout. *AAAI Workshop*, 2021.\n\n- TRAPDOOR: Repurposing Backdoors to Detect Dataset Bias in Machine Learning-based Genomic Analysis.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2108.10132.pdf)\n  - Esha Sarkar and Michail Maniatakos. arXiv, 2021.\n\n### Vision Transformer\n- You Are Catching My Attention: Are Vision Transformers Bad Learners Under Backdoor Attacks?\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2023\u002Fpapers\u002FYuan_You_Are_Catching_My_Attention_Are_Vision_Transformers_Bad_Learners_CVPR_2023_paper.pdf)\n  - Zenghui Yuan, Pan Zhou, Kai Zou, and Yu Cheng. *CVPR*, 2023.\n\n- TrojViT: Trojan Insertion in Vision Transformers.\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2023\u002Fpapers\u002FZheng_TrojViT_Trojan_Insertion_in_Vision_Transformers_CVPR_2023_paper.pdf)\n  - Mengxin Zheng, Qian Lou, and Lei Jiang. *CVPR*, 2023.\n\n- Defending Backdoor Attacks on Vision Transformer via Patch Processing.\n  [[link]](https:\u002F\u002Fojs.aaai.org\u002Findex.php\u002FAAAI\u002Farticle\u002Fview\u002F25125)\n  - Khoa D. Doan, Yingjie Lao, Peng Yang, and Ping Li. 
*AAAI*, 2023.\n\n- Backdoor Attacks on Vision Transformers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.08477.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUCDvision\u002Fbackdoor_transformer.git)\n  - Akshayvarun Subramanya, Aniruddha Saha, Soroush Abbasi Koohpayegani, Ajinkya Tejankar, and Hamed Pirsiavash. arXiv, 2022.\n\n- TrojViT: Trojan Insertion in Vision Transformers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.13049.pdf)\n  - Mengxin Zheng, Qian Lou, and Lei Jiang. arXiv, 2022.\n\n- Attention Hijacking in Trojan Transformers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.04946.pdf)\n  - Weimin Lyu, Songzhu Zheng, Tengfei Ma, Haibin Ling, and Chao Chen. arXiv, 2022.\n\n- DBIA: Data-free Backdoor Injection Attack against Transformer Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2111.11870.pdf)\n  [[code]](https:\u002F\u002Fanonymous.4open.science\u002Fr\u002FDBIA-825D)\n  - Peizhuo Lv, Hualong Ma, Jiachen Zhou, Ruigang Liang, Kai Chen, Shengzhi Zhang, and Yunfei Yang. arXiv, 2021.\n  \n\n### Diffusion Model\n- How to Backdoor Diffusion Models?\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2023\u002Fpapers\u002FChou_How_to_Backdoor_Diffusion_Models_CVPR_2023_paper.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FIBM\u002FBadDiffusion)\n  - Sheng-Yen Chou, Pin-Yu Chen, and Tsung-Yi Ho. *CVPR*, 2023.\n\n- TrojDiff: Trojan Attacks on Diffusion Models With Diverse Targets.\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2023\u002Fpapers\u002FChen_TrojDiff_Trojan_Attacks_on_Diffusion_Models_With_Diverse_Targets_CVPR_2023_paper.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fchenweixin107\u002FTrojDiff)\n  - Weixin Chen, Dawn Song, and Bo Li. 
*CVPR*, 2023.\n\n### Cybersecurity\n- VulnerGAN: A Backdoor Attack through Vulnerability Amplification against Machine Learning-based Network Intrusion Detection Systems.\n  [[link]](http:\u002F\u002Fscis.scichina.com\u002Fen\u002F2022\u002F170303.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fliuguangrui-hit\u002FVulnerGAN-py)\n  - Guangrui Liu, Weizhe Zhang, Xinjie Li, Kaisheng Fan, and Shui Yu. *Information Sciences*, 2022.\n\n- Explanation-Guided Backdoor Poisoning Attacks Against Malware Classifiers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2003.01031.pdf)\n  - Giorgio Severi, Jim Meyer, Scott Coull, and Alina Oprea. *USENIX Security*, 2021.\n\n- Backdoor Attack on Machine Learning Based Android Malware Detectors.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9477038\u002F)\n  - Chaoran Li, Xiao Chen, Derui Wang, Sheng Wen, Muhammad Ejaz Ahmed, Seyit Camtepe, and Yang Xiang. *IEEE Transactions on Dependable and Secure Computing*, 2021.\n\n- Jigsaw Puzzle: Selective Backdoor Attack to Subvert Malware Classifiers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.05470.pdf)\n  - Limin Yang, Zhi Chen, Jacopo Cortellazzi, Feargus Pendlebury, Kevin Tu, Fabio Pierazzi, Lorenzo Cavallaro, and Gang Wang. arXiv, 2022.\n\n### Detection and Tracking\n- Clean-image Backdoor: Attacking Multi-label Models with Poisoned Labels Only.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=rFQfjDC9Mt)\n  [[code]](https:\u002F\u002Fgithub.com\u002FRU-System-Software-and-Security\u002FUNICORN)\n  - Kangjie Chen, Xiaoxuan Lou, Guowen Xu, Jiwei Li, and Tianwei Zhang. *ICLR*, 2023.\n\n- Untargeted Backdoor Attack against Object Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2211.05638)\n  [[code]](https:\u002F\u002Fgithub.com\u002FChengxiao-Luo\u002FUntargeted-Backdoor-Attack-against-Object-Detection)\n  - Chengxiao Luo, Yiming Li, Yong Jiang, and Shu-Tao Xia. 
*ICASSP*, 2023.\n\n- Few-Shot Backdoor Attacks on Visual Object Tracking.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=qSV5CuSaK_a)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHXZhong1997\u002FFSBA)\n  - Yiming Li, Haoxiang Zhong, Xingjun Ma, Yong Jiang, and Shu-Tao Xia. *ICLR*, 2022.\n\n- BadDet: Backdoor attacks on object detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.14497.pdf)\n  - Shih-Han Chan, Yinpeng Dong, Jun Zhu, Xiaolu Zhang, and Jun Zhou. *ECCV Workshop*, 2022.\n\n- Attacking by Aligning: Clean-Label Backdoor Attacks on Object Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2307.10487.pdf)\n  - Yize Cheng, Wenbin Hu, Minhao Cheng. arXiv, 2023.\n \n- Mask-based Invisible Backdoor Attacks on Object Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2405.09550)\n  - Jeongjin Shin. arXiv, 2024.\n\n- TAT: Targeted Backdoor Attacks against Visual Object Tracking.\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0031320323003308)\n  [[code]](https:\u002F\u002Fgithub.com\u002FMisakaZipi\u002FTAT)\n  - Ziyi Cheng, Baoyuan Wu, Zhenya Zhang, and Jianjun Zhao. *Pattern Recognition*, 2023.\n\n\n### Others\n- The Dark Side of AutoML: Towards Architectural Backdoor Search.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=bsZULlDGXe)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fain-soph\u002Fnas_backdoor)\n  - Ren Pang, Changjiang Li, Zhaohan Xi, Shouling Ji, and Ting Wang. *ICLR*, 2023.\n\n- Backdoor Attacks Against Deep Image Compression via Adaptive Frequency Trigger.\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2023\u002Fpapers\u002FTan_Backdoor_Attacks_Against_Deep_Image_Compression_via_Adaptive_Frequency_Trigger_CVPR_2023_paper.pdf)\n  - Yi Yu, Yufei Wang, Wenhan Yang, Shijian Lu, Yap-Peng Tan, and Alex C. Kot. 
*CVPR*, 2023.\n\n- The Dark Side of Dynamic Routing Neural Networks: Towards Efficiency Backdoor Injection.\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FCVPR2023\u002Fpapers\u002FChen_The_Dark_Side_of_Dynamic_Routing_Neural_Networks_Towards_Efficiency_CVPR_2023_paper.pdf)\n  - Simin Chen, Hanlin Chen, Mirazul Haque, Cong Liu, and Wei Yang. *CVPR*, 2023.\n\n- Backdoor Attacks on Crowd Counting.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.05641.pdf)\n  - Yuhua Sun, Tailai Zhang, Xingjun Ma, Pan Zhou, Jian Lou, Zichuan Xu, Xing Di, Yu Cheng, and Lichao Sun. *ACM MM*, 2022.\n\n- Backdoor Attacks on the DNN Interpretation System.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2011.10698.pdf)\n  - Shihong Fang and Anna Choromanska. *AAAI*, 2022.\n\n- The Devil is in the GAN: Defending Deep Generative Models Against Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2108.01644.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FIBM\u002Fdevil-in-GAN)\n  [[demo]](https:\u002F\u002Fgithub.com\u002FTrusted-AI\u002Fadversarial-robustness-toolbox\u002Fblob\u002Fmain\u002Fnotebooks\u002Fbackdoor_attack_DGM.ipynb)\n  - Ambrish Rawat, Killian Levacher, and Mathieu Sinn. *ESORICS*, 2022.\n\n- Object-Oriented Backdoor Attack Against Image Captioning.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9746440)\n  - Meiling Li, Nan Zhong, Xinpeng Zhang, Zhenxing Qian, and Sheng Li. *ICASSP*, 2022.\n\n- When Does Backdoor Attack Succeed in Image Reconstruction? A Study of Heuristics vs. Bi-Level Solution.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9746433)\n  - Vardaan Taneja, Pin-Yu Chen, Yuguang Yao, and Sijia Liu. 
*ICASSP*, 2022.\n\n- An Interpretive Perspective: Adversarial Trojaning Attack on Neural-Architecture-Search Enabled Edge AI Systems.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9780600)\n  - Ship Peng Xu, Ke Wang, Md. Rafiul Hassan, Mohammad Mehedi Hassan, and Chien-Ming Chen. *IEEE Transactions on Industrial Informatics*, 2022.\n\n- A Triggerless Backdoor Attack and Defense Mechanism for Intelligent Task Offloading in Multi-UAV Systems.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9770193)\n  - Shafkat Islam, Shahriar Badsha, Ibrahim Khalil, Mohammed Atiquzzaman, and Charalambos Konstantinou. *IEEE Internet of Things Journal*, 2022.\n\n- Multi-Target Invisibly Trojaned Networks for Visual Recognition and Detection.\n  [[pdf]](https:\u002F\u002Fwww.ijcai.org\u002Fproceedings\u002F2021\u002F0477.pdf)\n  - Xinzhe Zhou, Wenhao Jiang, Sheng Qi, and Yadong Mu. *IJCAI*, 2021.\n\n- Hidden Backdoor Attack against Semantic Segmentation Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2103.04038.pdf)\n  - Yiming Li, Yanjie Li, Yalei Lv, Yong Jiang, and Shu-Tao Xia. *ICLR Workshop*, 2021.\n\n- Adversarial Targeted Forgetting in Regularization and Generative Based Continual Learning Models.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9533400)\n  - Muhammad Umer and Robi Polikar. *IJCNN*, 2021.\n\n- Targeted Forgetting and False Memory Formation in Continual Learners through Adversarial Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2002.07111.pdf)\n  - Muhammad Umer, Glenn Dawson, Robi Polikar. *IJCNN*, 2020.\n\n- Trojan Attacks on Wireless Signal Classification with Adversarial Machine Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1910.10766.pdf)\n  - Kemal Davaslioglu, and Yalin E. Sagduyu. 
*DySPAN*, 2019.\n\n- BadHash: Invisible Backdoor Attacks against Deep Hashing with Clean Label.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.00278.pdf)\n  - Shengshan Hu, Ziqi Zhou, Yechao Zhang, Leo Yu Zhang, Yifeng Zheng, Yuanyuan HE, and Hai Jin. arXiv, 2022.\n\n- A Temporal Chrominance Trigger for Clean-label Backdoor Attack against Anti-spoof Rebroadcast Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.01102.pdf)\n  - Wei Guo, Benedetta Tondi, and Mauro Barni. arXiv, 2022.\n\n- MACAB: Model-Agnostic Clean-Annotation Backdoor to Object Detection with Natural Trigger in Real-World.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2209.02339.pdf)\n  - Hua Ma, Yinshan Li, Yansong Gao, Zhi Zhang, Alsharif Abuadbba, Anmin Fu, Said F. Al-Sarawi, Nepal Surya, and Derek Abbott. arXiv, 2022.\n\n- BadDet: Backdoor Attacks on Object Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.14497.pdf)\n  - Shih-Han Chan, Yinpeng Dong, Jun Zhu, Xiaolu Zhang, and Jun Zhou. arXiv, 2022.\n\n- Backdoor Attacks on Bayesian Neural Networks using Reverse Distribution.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2205.09167.pdf)\n  - Zhixin Pan and Prabhat Mishra. arXiv, 2022.\n\n- Backdooring Explainable Machine Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2204.09498.pdf)\n  - Maximilian Noppel, Lukas Peter, and Christian Wressnegger. arXiv, 2022.\n\n- Clean-Annotation Backdoor Attack against Lane Detection Systems in the Wild.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2203.00858.pdf)\n  - Xingshuo Han, Guowen Xu, Yuan Zhou, Xuehuan Yang, Jiwei Li, and Tianwei Zhang. arXiv, 2022.\n\n- Dangerous Cloaking: Natural Trigger based Backdoor Attacks on Object Detectors in the Physical World.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2201.08619)\n  - Hua Ma, Yinshan Li, Yansong Gao, Alsharif Abuadbba, Zhi Zhang, Anmin Fu, Hyoungshick Kim, Said F. Al-Sarawi, Nepal Surya, and Derek Abbott. 
arXiv, 2022.\n\n- Targeted Trojan-Horse Attacks on Language-based Image Retrieval.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.03861.pdf)\n  - Fan Hu, Aozhu Chen, and Xirong Li. arXiv, 2022.\n\n- Is Multi-Modal Necessarily Better? Robustness Evaluation of Multi-modal Fake News Detection.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.08788.pdf)\n  - Jinyin Chen, Chengyu Jia, Haibin Zheng, Ruoxi Chen, and Chenbo Fu. arXiv, 2022.\n\n- Dual-Key Multimodal Backdoors for Visual Question Answering.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2112.07668.pdf)\n  - Matthew Walmer, Karan Sikka, Indranil Sur, Abhinav Shrivastava, and Susmit Jha. arXiv, 2021.\n\n- Clean-label Backdoor Attack against Deep Hashing based Retrieval.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.08868.pdf)\n  - Kuofeng Gao, Jiawang Bai, Bin Chen, Dongxian Wu, and Shu-Tao Xia. arXiv, 2021.\n\n- Backdoor Attacks on Network Certification via Data Poisoning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2108.11299.pdf)\n  - Tobias Lorenz, Marta Kwiatkowska, and Mario Fritz. arXiv, 2021.\n\n- Backdoor Attack and Defense for Deep Regression.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.02381.pdf)\n  - Xi Li, George Kesidis, David J. Miller, and Vladimir Lucic. arXiv, 2021.\n\n- The Devil is in the GAN: Defending Deep Generative Models Against Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2108.01644.pdf)\n  - Ambrish Rawat, Killian Levacher, and Mathieu Sinn. arXiv, 2021.\n\n- BAAAN: Backdoor Attacks Against Autoencoder and GAN-Based Machine Learning Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.03007.pdf)\n  - Ahmed Salem, Yannick Sautter, Michael Backes, Mathias Humbert, and Yang Zhang. 
arXiv, 2020.\n\n- DeepObliviate: A Powerful Charm for Erasing Data Residual Memory in Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2105.06209.pdf)\n  - Yingzhe He, Guozhu Meng, Kai Chen, Jinwen He, and Xingbo Hu. arXiv, 2021.\n\n- Backdoors in Neural Models of Source Code.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.06841)\n  - Goutham Ramakrishnan, and Aws Albarghouthi. arXiv, 2020.\n\n- EEG-Based Brain-Computer Interfaces Are Vulnerable to Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2011.00101.pdf)\n  - Lubin Meng, Jian Huang, Zhigang Zeng, Xue Jiang, Shan Yu, Tzyy-Ping Jung, Chin-Teng Lin, Ricardo Chavarriaga, and Dongrui Wu. arXiv, 2020.\n\n- Bias Busters: Robustifying DL-based Lithographic Hotspot Detectors Against Backdooring Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.12492.pdf)\n  - Kang Liu, Benjamin Tan, Gaurav Rajavendra Reddy, Siddharth Garg, Yiorgos Makris, and Ramesh Karri. arXiv, 2020.\n\n\n\n\n## Evaluation and Discussion\n- Distilling Cognitive Backdoor Patterns within an Image.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=S3D9NLzjnQ5)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHanxunH\u002FCognitiveDistillation)\n  - Hanxun Huang, Xingjun Ma, Sarah Monazam Erfani, and James Bailey. *ICLR*, 2023.\n\n- Finding Naturally Occurring Physical Backdoors in Image Datasets.\n  [[pdf]](https:\u002F\u002Fproceedings.neurips.cc\u002Fpaper_files\u002Fpaper\u002F2022\u002Ffile\u002F8af749935131cc8ea5dae4f6d8cdb304-Paper-Datasets_and_Benchmarks.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fuchicago-sandlab\u002Fnaturalbackdoors)\n  - Emily Wenger, Roma Bhattacharjee, Arjun Nitin Bhagoji, Josephine Passananti, Emilio Andere, Heather Zheng, and Ben Zhao. *NeurIPS*, 2022. 
\n\n- BackdoorBox: A Python Toolbox for Backdoor Learning.\n  [[pdf]](https:\u002F\u002Fwww.researchgate.net\u002Fpublication\u002F359439455_BackdoorBox_A_Python_Toolbox_for_Backdoor_Learning)\n  [[code]](https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002FBackdoorBox)\n  - Yiming Li, Mengxi Ya, Yang Bai, Yong Jiang, Shu-Tao Xia. *ICLR Workshop*, 2023.\n\n- TROJANZOO: Everything You Ever Wanted to Know about Neural Backdoors (But were Afraid to Ask).\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.09302.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fain-soph\u002Ftrojanzoo)\n  - Ren Pang, Zheng Zhang, Xiangshan Gao, Zhaohan Xi, Shouling Ji, Peng Cheng, and Ting Wang. *EuroS&P*, 2022.\n\n- A Unified Evaluation of Textual Backdoor Learning: Frameworks and Benchmarks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.08514.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FOpenBackdoor)\n  - Ganqu Cui, Lifan Yuan, Bingxiang He, Yangyi Chen, Zhiyuan Liu, and Maosong Sun. *NeurIPS*, 2022.  \n\n- BackdoorBench: A Comprehensive Benchmark of Backdoor Learning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.12654.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSCLBD\u002Fbackdoorbench)\n  [[website]](https:\u002F\u002Fbackdoorbench.github.io\u002F)\n  - Baoyuan Wu, Hongrui Chen, Mingda Zhang, Zihao Zhu, Shaokui Wei, Danni Yuan, Chao Shen, and Hongyuan Zha. *NeurIPS*, 2022.  \n\n- Backdoor Defense via Decoupling the Training Process.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=TySnJ-0RdKI)\n  [[code]](https:\u002F\u002Fgithub.com\u002FSCLBD\u002FDBD)\n  - Kunzhe Huang, Yiming Li, Baoyuan Wu, Zhan Qin, and Kui Ren. *ICLR*, 2022.\n\n- How to Inject Backdoors with Better Consistency: Logit Anchoring on Clean Data.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=Bn09TnDngN)\n  - Zhiyuan Zhang, Lingjuan Lyu, Weiqiang Wang, Lichao Sun, and Xu Sun. 
*ICLR*, 2022.\n\n- Defending against Model Stealing via Verifying Embedded External Features.\n  [[pdf]](https:\u002F\u002Fwww.researchgate.net\u002Fpublication\u002F356717751_Defending_against_Model_Stealing_via_Verifying_Embedded_External_Features)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fzlh-thu\u002FStealingVerification) \n  - Yiming Li, Linghui Zhu, Xiaojun Jia, Yong Jiang, Shu-Tao Xia, and Xiaochun Cao. *AAAI*, 2022. (Discuss the limitations of using backdoor attacks for model watermarking)\n\n- Susceptibility & Defense of Satellite Image-trained Convolutional Networks to Backdoor Attacks.\n  [[link]](https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fpii\u002FS0020025522004248)\n  - Ethan Brewer, Jason Lin, and Dan Runfola. *Information Sciences*, 2021.\n\n- Data-Efficient Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2204.12281.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fxpf\u002FData-Efficient-Backdoor-Attacks)\n  - Pengfei Xia, Ziqiang Li, Wei Zhang, and Bin Li. *IJCAI*, 2022.\n\n- Excess Capacity and Backdoor Poisoning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2109.00685.pdf)\n  - Naren Sarayu Manoj and Avrim Blum. *NeurIPS*, 2021.\n\n- Just How Toxic is Data Poisoning? A Unified Benchmark for Backdoor and Data Poisoning Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.12557.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Faks2203\u002Fpoisoning-benchmark)\n  - Avi Schwarzschild, Micah Goldblum, Arjun Gupta, John P Dickerson, and Tom Goldstein. *ICML*, 2021.\n\n- Rethinking the Backdoor Attacks' Triggers: A Frequency Perspective.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2104.03413.pdf)\n  - Yi Zeng, Won Park, Z. Morley Mao, and Ruoxi Jia. 
*ICCV*, 2021.\n\n- Backdoor Attacks Against Deep Learning Systems in the Physical World.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2006.14580.pdf)\n  [[Master Thesis]](https:\u002F\u002Fnewtraell.cs.uchicago.edu\u002Ffiles\u002Fms_paper\u002Fewillson.pdf)\n  - Emily Wenger, Josephine Passananti, Yuanshun Yao, Haitao Zheng, and Ben Y. Zhao. *CVPR*, 2021.\n\n- Can Optical Trojans Assist Adversarial Perturbations?\n  [[pdf]](https:\u002F\u002Fopenaccess.thecvf.com\u002Fcontent\u002FICCV2021W\u002FAROW\u002Fpapers\u002FBoloor_Can_Optical_Trojans_Assist_Adversarial_Perturbations_ICCVW_2021_paper.pdf)\n  - Adith Boloor, Tong Wu, Patrick Naughton, Ayan Chakrabarti, Xuan Zhang, and Yevgeniy Vorobeychik. *ICCV Workshop*, 2021.\n\n- On the Trade-off between Adversarial and Backdoor Robustness.\n  [[pdf]](https:\u002F\u002Fpapers.nips.cc\u002Fpaper\u002F2020\u002Ffile\u002F8b4066554730ddfaa0266346bdc1b202-Paper.pdf)\n  - Cheng-Hsin Weng, Yan-Ting Lee, and Shan-Hung Wu. *NeurIPS*, 2020.\n\n- A Tale of Evil Twins: Adversarial Inputs versus Poisoned Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1911.01559.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Falps-lab\u002Fimc)\n  - Ren Pang, Hua Shen, Xinyang Zhang, Shouling Ji, Yevgeniy Vorobeychik, Xiapu Luo, Alex Liu, and Ting Wang. *CCS*, 2020.\n\n- Systematic Evaluation of Backdoor Data Poisoning Attacks on Image Classifiers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.11514.pdf)\n  - Loc Truong, Chace Jones, Brian Hutchinson, Andrew August, Brenda Praggastis, Robert Jasper, Nicole Nichols, and Aaron Tuor. *CVPR Workshop*, 2020.\n\n- On Evaluating Neural Network Backdoor Defenses.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.12186.pdf)\n  - Akshaj Veldanda, and Siddharth Garg. 
*NeurIPS Workshop*, 2020.\n\n- Attention Hijacking in Trojan Transformers.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2208.04946.pdf)\n  - Weimin Lyu, Songzhu Zheng, Tengfei Ma, Haibin Ling, and Chao Chen. arXiv, 2022.\n\n- Game of Trojans: A Submodular Byzantine Approach.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2207.05937.pdf)\n  - Dinuka Sahabandu, Arezoo Rajabi, Luyao Niu, Bo Li, Bhaskar Ramasubramanian, and Radha Poovendran. arXiv, 2022.  \n\n- Auditing Visualizations: Transparency Methods Struggle to Detect Anomalous Behavior.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.13498.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fjs-d\u002Fauditing-vis)\n  - Jean-Stanislas Denain and Jacob Steinhardt. arXiv, 2022.   \n\n- A Unified Evaluation of Textual Backdoor Learning: Frameworks and Benchmarks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.08514.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fthunlp\u002FOpenBackdoor)\n  - Ganqu Cui, Lifan Yuan, Bingxiang He, Yangyi Chen, Zhiyuan Liu, and Maosong Sun. arXiv, 2022.  \n\n- Can Backdoor Attacks Survive Time-Varying Models?\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.04677.pdf)\n  - Huiying Li, Arjun Nitin Bhagoji, Ben Y. Zhao, and Haitao Zheng. arXiv, 2022. \n\n- Dynamic Backdoor Attacks with Global Average Pooling\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2203.02079.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fskoffas\u002Fgap)\n  - Stefanos Koffas, Stjepan Picek, and Mauro Conti. arXiv, 2022. \n\n- Planting Undetectable Backdoors in Machine Learning Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2204.06974.pdf)\n  - Shafi Goldwasser, Michael P. Kim, Vinod Vaikuntanathan, and Or Zamir. 
arXiv, 2022.\n\n- Towards A Critical Evaluation of Robustness for Deep Learning Backdoor Countermeasures.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2204.06273.pdf)\n  - Huming Qiu, Hua Ma, Zhi Zhang, Alsharif Abuadbba, Wei Kang, Anmin Fu, and Yansong Gao. arXiv, 2022.\n\n- Neural Network Trojans Analysis and Mitigation from the Input Domain.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.06382.pdf)\n  - Zhenting Wang, Hailun Ding, Juan Zhai, and Shiqing Ma. arXiv, 2022.\n\n- Widen The Backdoor To Let More Attackers In.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.04571.pdf)\n  - Siddhartha Datta, Giulio Lovisotto, Ivan Martinovic, and Nigel Shadbolt. arXiv, 2021.\n\n- Backdoor Learning Curves: Explaining Backdoor Poisoning Beyond Influence Functions.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.07214.pdf)\n  - Antonio Emanuele Cinà, Kathrin Grosse, Sebastiano Vascon, Ambra Demontis, Battista Biggio, Fabio Roli, and Marcello Pelillo. arXiv, 2021.\n\n- Rethinking the Trigger of Backdoor Attack.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2004.04692.pdf)\n  - Yiming Li, Tongqing Zhai, Baoyuan Wu, Yong Jiang, Zhifeng Li, and Shutao Xia. arXiv, 2020.      \n\n- Poisoned Classifiers are Not Only Backdoored, They are Fundamentally Broken.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.09080.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Flocuslab\u002Fbreaking-poisoned-classifier)\n  - Mingjie Sun, Siddhant Agarwal, and J. Zico Kolter. *ICLR Workshop*, 2021.\n\n- Effect of Backdoor Attacks over the Complexity of the Latent Space Distribution.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2012.01931.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fhenrychacon\u002FBackdoor_attacks\u002Ftree\u002Fmain\u002FD-Vine_copula_auto_encoder)\n  - Henry D. Chacon, and Paul Rad. 
arXiv, 2020.\n\n- Trembling Triggers: Exploring the Sensitivity of Backdoors in DNN-based Face Recognition.\n  [[pdf]](https:\u002F\u002Flink.springer.com\u002Farticle\u002F10.1186\u002Fs13635-020-00104-z)\n  - Cecilia Pasquini, and Rainer Böhme. *EURASIP Journal on Information Security*, 2020. \n\n- Noise-response Analysis for Rapid Detection of Backdoors in Deep Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2008.00123.pdf)\n  - N. Benjamin Erichson, Dane Taylor, Qixuan Wu, and Michael W. Mahoney. arXiv, 2020.\n\n\n\n## Backdoor Attack for Positive Purposes\n- Untargeted Backdoor Watermark: Towards Harmless and Stealthy Dataset Copyright Protection.\n  [[pdf]](https:\u002F\u002Fwww.researchgate.net\u002Fpublication\u002F363766436_Untargeted_Backdoor_Watermark_Towards_Harmless_and_Stealthy_Dataset_Copyright_Protection)\n  [[code]](https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002FUntargeted_Backdoor_Watermark)\n  - Yiming Li, Yang Bai, Yong Jiang, Yong Yang, Shu-Tao Xia, and Bo Li. *NeurIPS*, 2022.\n\n- Membership Inference via Backdooring.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2206.04823.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FHongshengHu\u002Fmembership-inference-via-backdooring)\n  - Hongsheng Hu, Zoran Salcic, Gillian Dobbie, Jinjun Chen, Lichao Sun, and Xuyun Zhang. *IJCAI*, 2022. \n\n- Neural Network Surgery: Injecting Data Patterns into Pre-trained Models with Minimal Instance-wise Side Effects.\n  [[pdf]](https:\u002F\u002Faclanthology.org\u002F2021.naacl-main.430.pdf) \n  - Zhiyuan Zhang, Xuancheng Ren, Qi Su, Xu Sun and Bin He. *NAACL-HLT*, 2021.\n\n- One Step Further: Evaluating Interpreters using Metamorphic Testing.\n  [[pdf]](https:\u002F\u002Fdl.acm.org\u002Fdoi\u002Fpdf\u002F10.1145\u002F3533767.3534225)\n  - Ming Fan, Jiali Wei, Wuxia Jin, Zhou Xu, Wenying Wei, and Ting Liu. *ISSTA*, 2022.\n\n- What Do You See? 
Evaluation of Explainable Artificial Intelligence (XAI) Interpretability through Neural Backdoors.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2009.10639.pdf)\n  - Yi-Shan Lin, Wen-Chuan Lee, and Z. Berkay Celik. *KDD*, 2021.\n\n- Using Honeypots to Catch Adversarial Attacks on Neural Networks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1904.08554.pdf)\n  - Shawn Shan, Emily Wenger, Bolun Wang, Bo Li, Haitao Zheng, Ben Y. Zhao. *CCS*, 2020. (**Note:** Unfortunately, this defense was later bypassed by Nicholas Carlini. [[arXiv]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2009.10975.pdf))\n  \n- Turning Your Weakness into a Strength: Watermarking Deep Neural Networks by Backdooring.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F1802.04633.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Fadiyoss\u002FWatermarkNN)\n  - Yossi Adi, Carsten Baum, Moustapha Cisse, Benny Pinkas, and Joseph Keshet. *USENIX Security*, 2018. \n\n- Open-sourced Dataset Protection via Backdoor Watermarking.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2010.05821.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002FOpen-sourced_Dataset_Protection)\n  - Yiming Li, Ziqi Zhang, Jiawang Bai, Baoyuan Wu, Yong Jiang, and Shu-Tao Xia. *NeurIPS Workshop*, 2020.\n\n- Protecting Deep Cerebrospinal Fluid Cell Image Processing Models with Backdoor and Semi-Distillation.\n  [[link]](https:\u002F\u002Fieeexplore.ieee.org\u002Fabstract\u002Fdocument\u002F9647115)\n  - FangQi Li, Shilin Wang, and Zhenhai Wang. *DICTA*, 2021.\n\n- Debiasing Backdoor Attack: A Benign Application of Backdoor Attack in Eliminating Data Bias.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2202.10582.pdf)\n  - Shangxi Wu, Qiuyang He, Yi Zhang, and Jitao Sang. arXiv, 2022.\n\n- Watermarking Graph Neural Networks based on Backdoor Attacks.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.11024.pdf)\n  - Jing Xu and Stjepan Picek. 
arXiv, 2021.\n\n- CoProtector: Protect Open-Source Code against Unauthorized Training Usage with Data Poisoning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2110.12925.pdf)\n  - Zhensu Sun, Xiaoning Du, Fu Song, Mingze Ni, and Li Li. arXiv, 2021.\n\n- What Do Deep Nets Learn? Class-wise Patterns Revealed in the Input Space.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2101.06898.pdf)\n  - Shihao Zhao, Xingjun Ma, Yisen Wang, James Bailey, Bo Li, and Yu-Gang Jiang. arXiv, 2021.\n\n- A Stealthy and Robust Fingerprinting Scheme for Generative Models.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2106.11760.pdf)\n  - Guanlin Li, Shangwei Guo, Run Wang, Guowen Xu, and Tianwei Zhang. arXiv, 2021.\n\n- Towards Probabilistic Verification of Machine Unlearning.\n  [[pdf]](https:\u002F\u002Farxiv.org\u002Fpdf\u002F2003.04247.pdf)\n  [[code]](https:\u002F\u002Fgithub.com\u002Finspire-group\u002Funlearning-verification)\n  - David Marco Sommer, Liwei Song, Sameer Wagh, and Prateek Mittal. arXiv, 2020. \n\n\n## Competition\n- [Trojan Detection Challenge](https:\u002F\u002Ftrojandetection.ai\u002F)\n- [IARPA TrojAI Competition](https:\u002F\u002Fpages.nist.gov\u002Ftrojai\u002Fdocs\u002Fabout.html)","# Backdoor Learning Resources 快速上手指南\n\n`backdoor-learning-resources` 是一个专注于后门学习（Backdoor Learning）的开源资源库，汇总了相关领域的论文、工具和研究资料。以下是快速上手指南。\n\n---\n\n## 环境准备\n\n### 系统要求\n- 操作系统：支持 Linux、macOS 和 Windows（推荐使用 Linux 或 macOS）\n- Python 版本：>= 3.7\n- Git 工具：用于克隆仓库\n\n### 前置依赖\n- 需要安装 `git` 工具。\n- 如果需要运行代码示例，请确保安装了对应项目的依赖环境（如 PyTorch、TensorFlow 等）。\n\n---\n\n## 安装步骤\n\n1. 克隆仓库到本地：\n   ```bash\n   git clone https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002Fbackdoor-learning-resources.git\n   ```\n\n2. 进入项目目录：\n   ```bash\n   cd backdoor-learning-resources\n   ```\n\n3. 
（可选）如果需要加速克隆，可以使用国内镜像源（如 Gitee）。下面的镜像地址未经核实，使用前请确认该镜像确实存在，并核对其最新提交与 GitHub 上游仓库一致：\n   ```bash\n   git clone https:\u002F\u002Fgitee.com\u002Fmirrors\u002Fawesome-backdoor-learning.git\n   ```\n\n---\n\n## 基本使用\n\n### 查看资源分类\n资源按照主题进行了详细分类，可以直接浏览 `README.md` 文件中的 **Table of Contents** 部分，找到感兴趣的内容。例如：\n\n- **Survey**：包含后门学习领域的综述论文。\n- **Toolbox**：提供后门攻击与防御的工具箱链接。\n- **Image and Video Classification**：针对图像和视频分类任务的攻击与防御方法。\n\n### 示例：查找特定年份的论文\n如果你想查看 2023 年的相关论文，可以直接搜索 `#### 2023`，例如：\n\n```markdown\n#### 2023\n- Revisiting the Assumption of Latent Separability for Backdoor Defenses.\n  [[pdf]](https:\u002F\u002Fopenreview.net\u002Fpdf?id=_wSHsgrVali)\n  [[code]](https:\u002F\u002Fgithub.com\u002FUnispac\u002FCircumventing-Backdoor-Defenses)\n  - Xiangyu Qi, Tinghao Xie, Yiming Li, Saeed Mahloujifar, and Prateek Mittal. *ICLR*, 2023.\n```\n\n### 示例：运行代码\n部分资源提供了代码链接，可以克隆后运行。这些是第三方研究代码，建议先阅读其 README 和 requirements.txt，并在隔离的虚拟环境或容器中安装和运行；入口脚本名称以各仓库的说明为准。例如：\n\n```bash\n# 克隆代码仓库\ngit clone https:\u002F\u002Fgithub.com\u002FUnispac\u002FCircumventing-Backdoor-Defenses.git\n\n# 安装依赖\ncd Circumventing-Backdoor-Defenses\npip install -r requirements.txt\n\n# 运行示例代码\npython main.py\n```\n\n---\n\n## 贡献资源\n\n如果你希望贡献新的资源，请按照以下格式提交 Pull Request：\n\n```markdown\n- Paper Name. \n  [[pdf]](link) \n  [[code]](link)\n  - Author 1, Author 2, **and** Author 3. 
*Conference\u002FJournal*, Year.\n```\n\n**注意**：同一年份中，请将会议论文放在期刊论文之前（会议论文通常比期刊论文更新）。\n\n---\n\n通过以上步骤，你可以快速上手并开始使用 `backdoor-learning-resources`！","一位机器学习安全研究员正在研究如何检测和防御第三方预训练模型中的潜在后门攻击。\n\n### 没有 backdoor-learning-resources 时\n- 研究员需要花费大量时间在不同会议和期刊中手动搜索相关论文，效率低下且容易遗漏重要研究\n- 难以系统性了解后门学习领域的最新进展，特别是不同攻击和防御方法的分类和发展脉络\n- 在进行文献调研时，经常遇到找不到代码实现或实验数据的情况，影响研究进度\n- 缺乏对领域内经典survey论文的快速访问渠道，需要自行判断哪些是权威参考文献\n- 更新知识库困难，难以持续跟踪最新的研究成果\n\n### 使用 backdoor-learning-resources 后\n- 可以按主题和年份快速定位所需论文，涵盖ICLR、NeurIPS等顶级会议的最新研究成果\n- 清晰的分类结构帮助研究员系统掌握各类攻击（如投毒攻击、权重攻击）和防御方法的发展现状\n- 提供论文PDF和代码链接，方便快速复现和验证相关研究结果\n- 直接获取领域权威survey论文及其引用信息，为研究提供可靠的理论基础\n- 定期更新机制确保研究员能够及时获取最新研究动态，保持知识库的时效性\n\nbackdoor-learning-resources通过系统化的资源整理和持续更新，显著提升了研究人员在机器学习安全领域的工作效率。","https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002FTHUYimingLi_backdoor-learning-resources_19632061.png","THUYimingLi","Yiming Li","https:\u002F\u002Foss.gittoolsai.com\u002Favatars\u002FTHUYimingLi_91c47b57.jpg","Research Fellow, NTU\r\n\r\nPrevious Research Professor, ZJU\r\n\r\nWorking on Trustworthy ML\u002FGenAI",null,"GeorgeL84893376","http:\u002F\u002Fliyiming.tech","https:\u002F\u002Fgithub.com\u002FTHUYimingLi",1163,174,"2026-04-10T00:36:15","MIT",1,"未说明",{"notes":87,"python":85,"dependencies":88},"该仓库主要汇总了后门学习相关的资源和论文，未明确提及具体的运行环境需求。",[],[14],[91,92,93,94,95,96],"backdoor-attacks","backdoor-learning","ai-security","backdoor-defense","deep-learning","machine-learning",4,"2026-03-27T02:49:30.150509","2026-04-11T18:32:43.490851",[101,106,111,116,121,126],{"id":102,"question_zh":103,"answer_zh":104,"source_url":105},4344,"DeepInspect 是否真的是黑盒方法？","根据讨论，优化生成器 G 不需要模型 D 的内部信息。但伪代码显示损失通过模型 D 反向传播，这更像是白盒方法。如果无法理解，建议参考作者的解释或相关论文。","https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002Fbackdoor-learning-resources\u002Fissues\u002F13",{"id":107,"question_zh":108,"answer_zh":109,"source_url":110},4345,"如何获取《Trojan Attacks and Defense for Speech 
Recognition》论文？","原链接已失效，且网上没有其他副本。如果需要阅读，可以尝试联系论文作者获取。","https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002Fbackdoor-learning-resources\u002Fissues\u002F20",{"id":112,"question_zh":113,"answer_zh":114,"source_url":115},4346,"本仓库是否还在更新？","近期作者可能没有时间更新，但欢迎通过 PR 提交缺失的相关论文。","https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002Fbackdoor-learning-resources\u002Fissues\u002F46",{"id":117,"question_zh":118,"answer_zh":119,"source_url":120},4347,"为什么没有持续更新？","仓库几乎每天都在更新。如果发现缺失的相关论文，可以通过 PR 提交。","https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002Fbackdoor-learning-resources\u002Fissues\u002F31",{"id":122,"question_zh":123,"answer_zh":124,"source_url":125},4348,"如何贡献代码到仓库？","可以 fork 仓库，修改后提交 PR，这样贡献会被记录。也可以通知维护者添加相关内容。","https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002Fbackdoor-learning-resources\u002Fissues\u002F24",{"id":127,"question_zh":128,"answer_zh":129,"source_url":130},4349,"关于《Data Poisoning Attacks Against Federated Learning Systems》的问题如何解决？","建议直接联系该论文的作者以获取更准确的解答。","https:\u002F\u002Fgithub.com\u002FTHUYimingLi\u002Fbackdoor-learning-resources\u002Fissues\u002F35",[]]