• Stars
    star
    207
  • Rank 189,769 (Top 4 %)
  • Language
  • Created almost 3 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A curated list of Meachine learning Security & Privacy papers published in security top-4 conferences (IEEE S&P, ACM CCS, USENIX Security and NDSS).

Awesome-ML-Security-and-Privacy-Papers

Awesome PRs Welcome

A curated list of Meachine learning Security & Privacy papers published in security top-4 conferences (IEEE S&P, ACM CCS, USENIX Security and NDSS).

Contents:

1. Security Papers

1.1 Adversarial Attack & Defense

1.1.1 Image

  1. Hybrid Batch Attacks: Finding Black-box Adversarial Examples with Limited Queries. USENIX Security 2020. Transferability + Query. Black-box Attack [pdf] [code]

  2. Adversarial Preprocessing: Understanding and Preventing Image-Scaling Attacks in Machine Learning. USENIX Security 2020. Defense of Image Scaling Attack [pdf] [code]

  3. HopSkipJumpAttack: A Query-Efficient Decision-Based Attack. IEEE S&P 2020. Query-based Black-box Attack [pdf] [code]

  4. PatchGuard: A Provably Robust Defense against Adversarial Patches via Small Receptive Fields and Masking. USENIX Security 2021. Adversarial Patch Defense [pdf] [code]

  5. Gotta Catch'Em All: Using Honeypots to Catch Adversarial Attacks on Neural Networks. ACM CCS 2020. Build an trap in model to induce specific adversarial perturbation [pdf] [code]

  6. A Tale of Evil Twins: Adversarial Inputs versus Poisoned Models. ACM CCS 2020. Perturbate both input and model [pdf] [code]

  7. Feature-Indistinguishable Attack to Circumvent Trapdoor-Enabled Defense. ACM CCS 2021. A new attack method can break TeD defense mechanism [pdf] [code]

  8. DetectorGuard: Provably Securing Object Detectors against Localized Patch Hiding Attacks. ACM CCS 2021. Provable robustness for patch hiding in object detection [pdf] [code]

  9. It's Not What It Looks Like: Manipulating Perceptual Hashing based Applications. ACM CCS 2021. Adversarial Attack against PHash [pdf] [code]

  10. RamBoAttack: A Robust and Query Efficient Deep Neural Network Decision Exploit. NDSS 2022. Query-based black box attack [pdf] [code]

  11. What You See is Not What the Network Infers: Detecting Adversarial Examples Based on Semantic Contradiction. NDSS 2022. Generative-based AE detection [pdf] [code]

  12. AutoDA: Automated Decision-based Iterative Adversarial Attacks. USENIX 2022. Program Synthesis for Adversarial Attack [pdf]

  13. Blacklight: Scalable Defense for Neural Networks against Query-Based Black-Box Attacks. USENIX Security 2022. AE Detection using probabilistic fingerprints based on hash of input similarity [pdf] [code]

  14. Physical Hijacking Attacks against Object Trackers. ACM CCS 2022. Adversarial Attacks on Object Trackers [pdf] [code]

  15. Post-breach Recovery: Protection against White-box Adversarial Examples for Leaked DNN Models. ACM CCS 2022. Adversarial Attacks on Object Trackers [pdf]

  16. Squint Hard Enough: Attacking Perceptual Hashing with Adversarial Machine Learning. USENIX Security 2023. Adversarial Attacks against PhotoDNA and PDQ [pdf]

  17. The Space of Adversarial Strategies. USENIX Security 2023. Decompose the Adversarial Attack Components and combine them together [pdf]

  18. Stateful Defenses for Machine Learning Models Are Not Yet Secure Against Black-box Attacks. ACM CCS 2023. Attack strategy to enhance the query-based attack against the stateful defense [pdf] [code]

1.1.2 Text

  1. TextShield: Robust Text Classification Based on Multimodal Embedding and Neural Machine Translation. USENIX Security 2020. Defense in preprossing [pdf]

  2. Bad Characters: Imperceptible NLP Attacks. IEEE S&P 2022. Use unicode to conduct human imperceptible attack [pdf] [code]

  3. Order-Disorder: Imitation Adversarial Attacks for Black-box Neural Ranking Models. ACM CCS 2022. Attack Neural Ranking Models [pdf]

  4. No more Reviewer #2: Subverting Automatic Paper-Reviewer Assignment using Adversarial Learning. USENIX Security 2023. Adversarial Attack on Paper Assignment [pdf]

1.1.3 Audio

  1. WaveGuard: Understanding and Mitigating Audio Adversarial Examples. USENIX Security 2021. Defense in preprossing [pdf] [code]

  2. Dompteur: Taming Audio Adversarial Examples. USENIX Security 2021. Defense in preprossing. Preprocessing the audio to make the noise human noticeable [pdf] [code]

  3. Who is Real Bob? Adversarial Attacks on Speaker Recognition Systems. IEEE S&P 2021. Attack [pdf] [code]

  4. Hear "No Evil", See "Kenansville": Efficient and Transferable Black-Box Attacks on Speech Recognition and Voice Identification Systems. IEEE S&P 2021. Black-box Attack [pdf]

  5. SoK: The Faults in our ASRs: An Overview of Attacks against Automatic Speech Recognition and Speaker Identification Systems. IEEE S&P 2021. Survey [pdf]

  6. AdvPulse: Universal, Synchronization-free, and Targeted Audio Adversarial Attacks via Subsecond Perturbations. ACM CCS 2020. Attack [pdf]

  7. Black-box Adversarial Attacks on Commercial Speech Platforms with Minimal Information. ACM CCS 2021. Black-box Attack. Physical World [pdf]

  8. Perception-Aware Attack: Creating Adversarial Music via Reverse-Engineering Human Perception. ACM CCS 2022. Adversarial Audio with human-aware noise [pdf]

  9. SpecPatch: Human-in-the-Loop Adversarial Audio Spectrogram Patch Attack on Speech Recognition. ACM CCS 2022. Adversarial Patch for audio [pdf]

1.1.4 Video

  1. Universal 3-Dimensional Perturbations for Black-Box Attacks on Video Recognition Systems. IEEE S&P 2022. Adversarial attack in video recognition [pdf]

  2. StyleFool: Fooling Video Classification Systems via Style Transfer. IEEE S&P 2023. Style Transfer to conduct adversarial attack [pdf] [code]

1.1.5 Graph

  1. A Hard Label Black-box Adversarial Attack Against Graph Neural Networks. ACM CCS 2021. Graph Classification [pdf]

1.1.6 Software

  1. Evading Classifiers by Morphing in the Dark. ACM CCS 2017. Morpher and search to generate adversarial PDF [pdf]

  2. Misleading Authorship Attribution of Source Code using Adversarial Learning. USENIX Security 2019. Adversarial attack in source code, MCST [pdf] [code]

  3. Intriguing Properties of Adversarial ML Attacks in the Problem Space. IEEE S&P 2020. Attack Malware Classification [pdf]

  4. Structural Attack against Graph Based Android Malware Detection. IEEE S&P 2020. Perturbed function call graph [pdf]

  5. URET: Universal Robustness Evaluation Toolkit (for Evasion). USENIX Security 2023. General Toolbox to select the perdefined perturbations [pdf] [code]

  6. Adversarial Training for Raw-Binary Malware Classifiers. USENIX Security 2023. Adversarial Training for Windows PE malware [pdf]

  7. PELICAN: Exploiting Backdoors of Naturally Trained Deep Learning Models In Binary Code Analysis. USENIX Security 2023. Reverse engineering natural backdoor in transformer-based x86 binary code analysis task [pdf]

  8. Black-box Adversarial Example Attack towards FCG Based Android Malware Detection under Incomplete Feature Information. USENIX Security 2023. Black-box Android Adversarial Malware against the FCG-based ML classifier [pdf]

  9. Efficient Query-Based Attack against ML-Based Android Malware Detection under Zero Knowledge Setting. ACM CCS 2023. Semantic similar perturbations are more likely to have similar evasion effectiveness [pdf] [code]

1.1.7 Hardware

  1. ATTRITION: Attacking Static Hardware Trojan Detection Techniques Using Reinforcement Learning. ACM CCS 2022. Attack Hardware Trojan Detection [pdf]

1.1.8 Interpret Method

  1. Interpretable Deep Learning under Fire. USENIX Security 2020. Attack both image classification and interpret method [pdf]

  2. β€œIs your explanation stable?”: A Robustness Evaluation Framework for Feature Attribution. ACM CCS 2022. Hypothesis Testing to increasing the robustness of explaination methods [pdf]

  3. AIRS: Explanation for Deep Reinforcement Learning based Security Applications. USENIX Security 2023. DRL Interpertation Method to pinpoint the most influence step [pdf] [code]

1.1.9 Physical World

  1. SLAP: Improving Physical Adversarial Examples with Short-Lived Adversarial Perturbations. USENIX Security 2021. Projector light causes misclassification [pdf] [code]

  2. Understanding Real-world Threats to Deep Learning Models in Android Apps. ACM CCS 2022. Adversarial Attack in real-world models [pdf]

  3. X-Adv: Physical Adversarial Object Attacks against X-ray Prohibited Item Detection. USENIX Security 2023. Adversarial Attack on X-ray Images [pdf] [code]

  4. That Person Moves Like A Car: Misclassification Attack Detection for Autonomous Systems Using Spatiotemporal Consistency. USENIX Security 2023. Robust OD in Autonomous System using spatiotemporal information [pdf]

  5. You Can't See Me: Physical Removal Attacks on LiDAR-based Autonomous Vehicles Driving Frameworks. USENIX Security 2023. Adversarial attack against Autonomous Vehicles using Laser [pdf] demo]

  6. CAPatch: Physical Adversarial Patch against Image Captioning Systems. USENIX Security 2023. Physical Adversarial Patch against the image caption system [pdf] [code]

  7. Exorcising "Wraith": Protecting LiDAR-based Object Detector in Automated Driving System from Appearing Attacks. USENIX Security 2023. Defend the appearing attack in autonomous system using local objectness predictor [pdf] [code]

1.1.10 Reinforcement Learning

  1. Adversarial Policy Training against Deep Reinforcement Learning. USENIX Security 2021. Weird behavior to trigger opposite abnormal action. Two-agent competitor game [pdf] [code]

1.1.11 Robust Defense

  1. Cost-Aware Robust Tree Ensembles for Security Applications. USENIX Security 2021. Propose Cost of feature to certify the model robustness [pdf] [code]

  2. CADE: Detecting and Explaining Concept Drift Samples for Security Applications. USENIX Security 2021. Detect Concept shift [pdf] [code]

  3. Learning Security Classifiers with Verified Global Robustness Properties. ACM CCS 2021. Train a classifier with global robustness [pdf] [code]

  4. On the Robustness of Domain Constraints. ACM CCS 2021. Domain constraints. Input space robustness [pdf]

  5. Cert-RNN: Towards Certifying the Robustness of Recurrent Neural Networks. ACM CCS 2021. Certify robustness in RNN [pdf]

  6. TSS: Transformation-Specific Smoothing for Robustness Certification. ACM CCS 2021. Certify robustness about transformation [pdf][code]

  7. Transcend: Detecting Concept Drift in Malware Classification Models. USENIX Security 2017. Conformal evaluators [pdf] [code]

  8. Transcending Transcend: Revisiting Malware Classification in the Presence of Concept Drift. IEEE S&P 2022. New conformal evaluators [pdf][code]

  9. Transferring Adversarial Robustness Through Robust Representation Matching. USENIX Security 2022. Robust Transfer Learning [pdf]

  10. DiffSmooth: Certifiably Robust Learning via Diffusion Models and Local Smoothing. USENIX Security 2023. Diffusion Model Improve Certified Robustness [pdf]

  11. Anomaly Detection in the Open World: Normality Shift Detection, Explanation, and Adaptation. NDSS 2023. Concept Drift Detection using unsupervised approch [pdf] [code]

  12. BARS: Local Robustness Certification for Deep Learning based Traffic Analysis Systems. NDSS 2023. Certified Robustness for Traffic Analysis Systems [pdf] [code]

  13. REaaS: Enabling Adversarially Robust Downstream Classifiers via Robust Encoder as a Service. NDSS 2023. Build a certificable EaaS model [pdf]

  14. Continuous Learning for Android Malware Detection. USENIX Security 2023. New Continual Learning Paridigram for Malware detection [pdf] [code]

  15. ObjectSeeker: Certifiably Robust Object Detection against Patch Hiding Attacks via Patch-agnostic Masking. IEEE S&P 2023. Certified robustness of object detection [pdf] [code]

  16. On The Empirical Effectiveness of Unrealistic Adversarial Hardening Against Realistic Adversarial Attacks. IEEE S&P 2023. Adversarial attacks on feature space may enhance the robustness in problem space [pdf] [code]

1.1.12 Network Traffic

  1. Defeating DNN-Based Traffic Analysis Systems in Real-Time With Blind Adversarial Perturbations. USENIX Security 2021. Adversarial attack to defeat DNN-based traffic analysis [pdf] [code]

1.1.13 Wireless Communication System

  1. Robust Adversarial Attacks Against DNN-Based Wireless Communication Systems. ACM CCS 2021. Attack [pdf]

1.1.14 Tabular Data

  1. Adversarial Robustness for Tabular Data through Cost and Utility Awareness. NDSS 2023. Adversarial Attack & Defense on tabular data [pdf]

1.2 Distributed Machine Learning

1.2.1 Federated Learning

  1. Local Model Poisoning Attacks to Byzantine-Robust Federated Learning. USENIX Security 2020. Poisoning Attack [pdf]

  2. Manipulating the Byzantine: Optimizing Model Poisoning Attacks and Defenses for Federated Learning. NDSS 2021. Poisoning Attack [pdf]

  3. DeepSight: Mitigating Backdoor Attacks in Federated Learning Through Deep Model Inspection. NDSS 2022. Backdoor defense [pdf]

  4. FLAME: Taming Backdoors in Federated Learning. USENIX Security 2022. Backdoor defense [pdf]

  5. EIFFeL: Ensuring Integrity for Federated Learning. ACM CCS 2022. New FL Protocol to guarteen integrity [pdf]

  6. Eluding Secure Aggregation in Federated Learning via Model Inconsistency. ACM CCS 2022. Model inconsistency to break the secure aggregation [pdf]

  7. FedRecover: Recovering from Poisoning Attacks in Federated Learning using Historical Information. IEEE S&P 2023. Poisoned Model Recovery Algorithm [pdf]

  8. Every Vote Counts: Ranking-Based Training of Federated Learning to Resist Poisoning Attacks. USENIX Security 2023. Discrete the model updates and purning the model to defense the poisoning attack [pdf] [code]

  9. Securing Federated Sensitive Topic Classification against Poisoning Attacks. NDSS 2023. Robust Aggregation against the poisoning attack [pdf]

  10. BayBFed: Bayesian Backdoor Defense for Federated Learning. IEEE S&P 2023. Purify the model updates using bayesian [pdf]

  11. ADI: Adversarial Dominating Inputs in Vertical Federated Learning Systems. IEEE S&P 2023. Poisoning the vertical federated learning system [pdf] [code]

  12. 3DFed: Adaptive and Extensible Framework for Covert Backdoor Attack in Federated Learning. IEEE S&P 2023. Convert normal backdoor into the federated learning scenario [pdf]

1.2.2 Normal Distributed Learning

  1. Justinian's GAAvernor: Robust Distributed Learning with Gradient Aggregation Agent. USENIX Security 2020. Defense in Gradient Aggregation. Reinforcement learning [pdf]

1.3 Data Poisoning

1.3.1 Hijack Embedding

  1. Humpty Dumpty: Controlling Word Meanings via Corpus Poisoning. IEEE S&P 2020. Hijack Word Embedding [pdf]

1.3.2 Hijack Autocomplete Code

  1. You Autocomplete Me: Poisoning Vulnerabilities in Neural Code Completion. USENIX Security 2021. Hijack Code Autocomplete [pdf]

1.3.3 Semi-Supervised Learning

  1. Poisoning the Unlabeled Dataset of Semi-Supervised Learning. USENIX Security 2021. Poisoning semi-supervised learning [pdf]

1.3.4 Recommender Systems

  1. Data Poisoning Attacks to Deep Learning Based Recommender Systems. NDSS 2021. The attacker chosen items are recommended as much as possible [pdf]

  2. Reverse Attack: Black-box Attacks on Collaborative Recommendation. ACM CCS 2021. Black-box setting. Surrogate model. Collaborative Filtering. Demoting and Promoting [pdf]

1.3.5 Classification

  1. Subpopulation Data Poisoning Attacks. ACM CCS 2021. Poisoning to flip a group of data samples [pdf]

  2. Get a Model! Model Hijacking Attack Against Machine Learning Models. NDSS 2022. Fusing dataset to hijacking model [pdf] [code]

1.3.6 Constractive Learning

  1. PoisonedEncoder: Poisoning the Unlabeled Pre-training Data in Contrastive Learning. USENIX Security 2022. Poison attack in constractive learning [pdf]

1.3.7 Privacy

  1. Truth Serum: Poisoning Machine Learning Models to Reveal Their Secrets. ACM CCS 2022. Poison attack to reveal sensitive information [pdf]

1.3.8 Defense

  1. Poison Forensics: Traceback of Data Poisoning Attacks in Neural Networks. USENIX Security 2022. Identify poisioned subset by clustering and purning benign set [pdf]

  2. Meta-Sift: How to Sift Out a Clean Subset in the Presence of Data Poisoning?. USENIX Security 2023. Obtain a clean subset from the poisoned set [pdf] [code]

1.4 Backdoor

1.4.1 Image

  1. Demon in the Variant: Statistical Analysis of DNNs for Robust Backdoor Contamination Detection. USENIX Security 2021. Class-specific Backdoor. Defense by decomposition [pdf]

  2. Double-Cross Attacks: Subverting Active Learning Systems. USENIX Security 2021. Active Learning System. Backdoor Attack [pdf]

  3. Detecting AI Trojans Using Meta Neural Analysis. IEEE S&P 2021. Meta Neural Classifier [pdf] [code]

  4. BadEncoder: Backdoor Attacks to Pre-trained Encoders in Self-Supervised Learning. IEEE S&P 2022. Backdoor attack in image-text pretrained model [pdf] [code]

  5. Composite Backdoor Attack for Deep Neural Network by Mixing Existing Benign Features. ACM CCS 2020. Composite backdoor. Image & text tasks [pdf] [code]

  6. AI-Lancet: Locating Error-inducing Neurons to Optimize Neural Networks. ACM CCS 2021. Locate neural location and finetuning it [pdf]

  7. LoneNeuron: a Highly-Effective Feature-Domain Neural Trojan Using Invisible and Polymorphic Watermarks. ACM CCS 2022. Backdoor attack by modifying neuros [pdf]

  8. ATTEQ-NN: Attention-based QoE-aware Evasive Backdoor Attacks. NDSS 2022. Backdoor attack by attention techniques [pdf]

  9. RAB: Provable Robustness Against Backdoor Attacks. IEEE S&P 2023. Backdoor Cetrification [pdf]

  10. A Data-free Backdoor Injection Approach in Neural Networks. USENIX Security 2023. Data free backdoor injection [pdf] [code]

  11. Backdoor Attacks Against Dataset Distillation. NDSS 2023. Backdoor attack against dataset istillation [pdf] [code]

  12. BEAGLE: Forensics of Deep Learning Backdoor Attack for Better Defense. NDSS 2023. Backdoor Forensics [pdf] [code]

  13. Disguising Attacks with Explanation-Aware Backdoors. IEEE S&P 2023. Backdoor to mislead the explaination method [pdf]

  14. Selective Amnesia: On Efficient, High-Fidelity and Blind Suppression of Backdoor Effects in Trojaned Machine Learning Models. IEEE S&P 2023. Finetuning to remove backdoor [pdf]

  15. AI-Guardian: Defeating Adversarial Attacks using Backdoors. IEEE S&P 2023. using backdoor to detect adversarial example. Backdoor with all-to-all mapping and reverse the mapping [pdf]

  16. REDEEM MYSELF: Purifying Backdoors in Deep Learning Models using Self Attention Distillation. IEEE S&P 2023. Purifying backdoor using model distillation [pdf]

  17. NARCISSUS: A Practical Clean-Label Backdoor Attack with Limited Information. ACM CCS 2023. Clean label backdoor attack [pdf] [code]

  18. ASSET: Robust Backdoor Data Detection Across a Multiplicity of Deep Learning Paradigms. USENIX Security 2023. Backdoor Defense works in Different Learning Paradigms [pdf] [code]

1.4.2 Text

  1. T-Miner: A Generative Approach to Defend Against Trojan Attacks on DNN-based Text Classification. USENIX Security 2021. Backdoor Defense. GAN to recover trigger [pdf] [code]

  2. Hidden Backdoors in Human-Centric Language Models. ACM CCS 2021. Novel trigger [pdf] [code]

  3. Backdoor Pre-trained Models Can Transfer to All. ACM CCS 2021. Backdoor in pre-trained to poison the down stream task [pdf] [code]

  4. Hidden Trigger Backdoor Attack on NLP Models via Linguistic Style Manipulation. USENIX Security 2022. Backdoor via linguistic style manipulation [pdf]

1.4.3 Graph

  1. Graph Backdoor. USENIX Security 2021. Classification [pdf] [code]

1.4.4 Software

  1. Explanation-Guided Backdoor Poisoning Attacks Against Malware Classifiers. USENIX Security 2021. Explanation Method. Evade Classification [pdf] [code]

1.4.5 Audio

  1. TrojanModel: A Practical Trojan Attack against Automatic Speech Recognition Systems. IEEE S&P 2023. Backdoor attack in speech recognition systems [pdf]

  2. MagBackdoor: Beware of Your Loudspeaker as Backdoor of Magnetic Attack for Malicious Command Injection. IEEE S&P 2023. Backdoor attack in audio using magentic trigget [pdf]

1.5 ML Library Security

1.5.1 Loss

  1. Blind Backdoors in Deep Learning Models. USENIX Security 2021. Loss Manipulation. Backdoor [pdf] [code]

  2. IvySyn: Automated Vulnerability Discovery in Deep Learning Frameworks. USENIX Security 2023. Automatic Bug Discovery in ML libraries [pdf]

1.6 AI4Security

1.6.1 Cyberbullying

  1. Towards Understanding and Detecting Cyberbullying in Real-world Images. NDSS 2021. Detect image cyberbully [pdf]

1.6.2 Security Applications

  1. FARE: Enabling Fine-grained Attack Categorization under Low-quality Labeled Data. NDSS 2021. Clustering Method to complete the dataset label [pdf] [code]

  2. From Grim Reality to Practical Solution: Malware Classification in Real-World Noise. IEEE S&P 2023. Noise Learning method for malware detection [pdf] [code]

  3. Decoding the Secrets of Machine Learning in Windows Malware Classification: A Deep Dive into Datasets, Features, and Model Performance. ACM CCS 2023. static features are better than dynamic feature in WindowsPE malware detection [pdf]

1.6.3 Advertisement Detection

  1. WtaGraph: Web Tracking and Advertising Detection using Graph Neural Networks. IEEE S&P 2022. GNN [pdf]

1.6.4 CAPTCHA

  1. Text Captcha Is Dead? A Large Scale Deployment and Empirical Studys. ACM CCS 2020. Adversarial CAPTCHA [pdf]

  2. Attacks as Defenses: Designing Robust Audio CAPTCHAs Using Attacks on Automatic Speech Recognition Systems. NDSS 2023. Adversarial Audio CAPTCHA [pdf] [demo]

  3. A Generic, Efficient, and Effortless Solver with Self-Supervised Learning for Breaking Text Captchas. IEEE S&P 2023. Text CAPTCHA Solver [pdf]

1.6.5 Code Analysis

  1. PalmTree: Learning an Assembly Language Model for Instruction Embedding. ACM CCS 2021. Pre-trained model to generate code embedding [pdf] [code]

  2. CALLEE: Recovering Call Graphs for Binaries with Transfer and Contrastive Learning. IEEE S&P 2023. Recovering call graph from binaries using transfer and contrastive learning [pdf] [code]

  3. Examining Zero-Shot Vulnerability Repair with Large Language Models. IEEE S&P 2023. Zero-short vulnerability repair using large language model [pdf]

1.6.6 Chatbot

  1. Why So Toxic? Measuring and Triggering Toxic Behavior in Open-Domain Chatbots. ACM CCS 2022. Measuring Chatbot Textico behavior [pdf]

1.6.7 Side Channel Attack

  1. Towards a General Video-based Keystroke Inference Attack. USENIX Security 2023. Self Supervised Learning to recover the keybroad input [pdf]

  2. Deep perceptual hashing algorithms with hidden dual purpose: when client-side scanning does facial recognition. IEEE S&P 2023. Manipulate deep phash algorithm to conduct specific person inference [pdf] [code]

1.6.8 Guidline

  1. Dos and Don'ts of Machine Learning in Computer Security. USENIX Security 2022. Survey pitfalls in ML4Security [pdf]

  2. β€œSecurity is not my field, I’m a stats guy”: A Qualitative Root Cause Analysis of Barriers to Adversarial Machine Learning Defenses in Industry. USENIX Security 2023. Survey AML Application in Industry [pdf]

  3. Everybody’s Got ML, Tell Me What Else You Have: Practitioners’ Perception of ML-Based Security Tools and Explanations. IEEE S&P 2023. Explainable AI in practice [pdf]

1.6.9 Security Event

  1. CERBERUS: Exploring Federated Prediction of Security Events. ACM CCS 2022. Federated Learning to predict security event [pdf]

1.6.10 Vulnerability Discovery

  1. VulChecker: Graph-based Vulnerability Localization in Source Code. USENIX Security 2023. Detecting Bugs using GCN [pdf] [code]

1.7 AutoML Security

1.7.1 Security Analysis

  1. On the Security Risks of AutoML. USENIX Security 2022. Adversarial evasion. Model poisoning. Backdoor. Functionality stealing. Membership Inference [pdf]

1.8 Hardware Related Security

1.8.1 Verification

  1. DeepDyve: Dynamic Verification for Deep Neural Networks. ACM CCS 2020. [pdf]

  2. NeuroPots: Realtime Proactive Defense against Bit-Flip Attacks in Neural Networks. USENIX Security 2023. Honey Pot to trap the bitflip attacks [pdf]

  3. Aegis: Mitigating Targeted Bit-flip Attacks against Deep Neural Networks. USENIX Security 2023. Train multi classifer to defend the BFA [pdf] [code]

1.9 Security Related Interpreting Method

  1. DeepAID: Interpreting and Improving Deep Learning-based Anomaly Detection in Security Applications. ACM CCS 2021. Anomaly detection [pdf] [code]

  2. Good-looking but Lacking Faithfulness: Understanding Local Explanation Methods through Trend-based Testing. ACM CCS 2023. Trend-based faithfulness testing [pdf] [code]

  3. FINER: Enhancing State-of-the-art Classifiers with Feature Attribution to Facilitate Security Analysis. ACM CCS 2023. Ensumble explaination for different stakeholder [pdf] [code]

1.10 Face Security

1.10.1 Deepfake Detection

  1. Who Are You (I Really Wanna Know)? Detecting Audio DeepFakes Through Vocal Tract Reconstruction. USENIX Security 2022. deepfake detection using vocal tract reconstruction [pdf]

1.10.2 Face Impersonation

  1. ImU: Physical Impersonating Attack for Face Recognition System with Natural Style Changes. IEEE S&P 2023. StyleGAN to impersonate persion [pdf] [code]

  2. DepthFake: Spoofing 3D Face Authentication with a 2D Photo. IEEE S&P 2023. Adversarial image to attack 3D photos [pdf] [demo]

1.10.3 Face Verification Systems

  1. Understanding the (In)Security of Cross-side Face Verification Systems in Mobile Apps: A System Perspective. IEEE S&P 2023. Measurement study of the security risks of cross-side face verification systems. [pdf]

1.10 AI Generation Detection

1.10.1 Text

  1. Deepfake Text Detection: Limitations and Opportunities. IEEE S&P 2023. Detecting the machine generated text [pdf] [code]

1.11 LLM Security

1.11.1 Code Generation

  1. Large Language Models for Code: Security Hardening and Adversarial Testing. ACM CCS 2023. Prefix tuning for secure code generation [pdf] [code]

2. Privacy Papers

2.1 Training Data

2.1.1 Data Recovery

  1. Updates-Leak: Data Set Inference and Reconstruction Attacks in Online Learning. USENIX Security 2020. Online Learning. Model updates [pdf]

  2. Extracting Training Data from Large Language Models. USENIX Security 2021. Membership inference attack. GPT-2 [pdf]

  3. Analyzing Information Leakage of Updates to Natural Language Models. ACM CCS 2020. data leakage in model changes [pdf]

  4. TableGAN-MCA: Evaluating Membership Collisions of GAN-Synthesized Tabular Data Releasing. ACM CCS 2021. Membership collision in GAN [pdf]

  5. DataLens: Scalable Privacy Preserving Training via Gradient Compression and Aggregation. ACM CCS 2021. DP to train an privacy preserving GAN [pdf]

  6. Property Inference Attacks Against GANs. NDSS 2022. Property Inference Attacks Against GAN [pdf] [code]

  7. MIRROR: Model Inversion for Deep Learning Network with High Fidelity. NDSS 2022. Model inversion attack using GAN [pdf] [code]

  8. Analyzing Leakage of Personally Identifiable Information in Language Models. IEEE S&P 2023. Personally identifiable information leakage in language model [pdf] [code]

2.1.2 Membership Inference Attack

  1. Stolen Memories: Leveraging Model Memorization for Calibrated White-Box Membership Inference. USENIX Security 2020. White-box Setting [pdf]

  2. Systematic Evaluation of Privacy Risks of Machine Learning Models. USENIX Security 2020. Metric-based Membership inference Attack Method. Define Privacy Risk Score [pdf] [code]

  3. Practical Blind Membership Inference Attack via Differential Comparisons. NDSS 2021. Use non-member data to replace shadow model [pdf] [code]

  4. GAN-Leaks: A Taxonomy of Membership Inference Attacks against Generative Models. ACM CCS 2020. Membership inference attack in Generative model. Member has small reconstruction error [pdf]

  5. Quantifying and Mitigating Privacy Risks of Contrastive Learning. ACM CCS 2021. Membership inference attack. Property inference attack. Contrastive learning in classification task [pdf] [code]

  6. Membership Inference Attacks Against Recommender Systems. ACM CCS 2021. Recommender System [pdf] [code]

  7. EncoderMI: Membership Inference against Pre-trained Encoders in Contrastive Learning. ACM CCS 2021. Contrastive learning in pre-trained model. Data augmentation has higher similarity [pdf] [code]

  8. Auditing Membership Leakages of Multi-Exit Networks. ACM CCS 2022. Membership inference attack in multi-exit networks [pdf]

  9. Membership Inference Attacks by Exploiting Loss Trajectory. ACM CCS 2022. Membership inference attack, knowledge distillation [pdf]

  10. On the Privacy Risks of Cell-Based NAS Architectures. ACM CCS 2022. Membership inference attack in NAS [pdf]

  11. Membership Inference Attacks and Defenses in Neural Network Pruning. USENIX Security 2022. Membership inference attack in Neural Network Pruning [pdf]

  12. Mitigating Membership Inference Attacks by Self-Distillation Through a Novel Ensemble Architecture. USENIX Security 2022. Membership inference defense by ensemble [pdf]

  13. Enhanced Membership Inference Attacks against Machine Learning Models. USENIX Security 2022. Membership inference attack with hypothesis testing [pdf] [code]

  14. Membership Inference Attacks and Generalization: A Causal Perspective. ACM CCS 2022. Membership inference attack with casual reasoning [pdf]

2.1.3 Information Leakage in Distributed ML System

  1. Label Inference Attacks Against Vertical Federated Learning. USENIX Security 2022. Label Leakage. Federated Learning [pdf] [code]

  2. The Value of Collaboration in Convex Machine Learning with Differential Privacy. IEEE S&P 2020. DP as Defense [pdf]

  3. Leakage of Dataset Properties in Multi-Party Machine Learning. USENIX Security 2021. Dataset Properties Leakage [pdf]

  4. Unleashing the Tiger: Inference Attacks on Split Learning. ACM CCS 2021. Split learning. Feature-space hijacking attack [pdf] [code]

  5. Local and Central Differential Privacy for Robustness and Privacy in Federated Learning. NDSS 2022. DP in federated learning [pdf]

  6. Gradient Obfuscation Gives a False Sense of Security in Federated Learning. USENIX Security 2023. Data Recovery in federated learning [pdf]

  7. PPA: Preference Profiling Attack Against Federated Learning. NDSS 2023. Preference Leakage in federated learning [pdf] [code]

  8. On the (In)security of Peer-to-Peer Decentralized Machine Learning. IEEE S&P 2023. Information leakage in peer-to-peer decentralized machine learning system [pdf]

  9. RoFL: Robustness of Secure Federated Learning. IEEE S&P 2023. Robust Federated Learning Framework using Secuire Aggregation [pdf] [code]

  10. Scalable and Privacy-Preserving Federated Principal Component Analysis. IEEE S&P 2023. Privacy preserving feaderated PCA algorithm [pdf]

2.1.4 Information Leakage in Embedding

  1. Privacy Risks of General-Purpose Language Models. IEEE S&P 2020. Pretrained Language Model [pdf]

  2. Information Leakage in Embedding Models. ACM CCS 2020. Exact Word Recovery. Attribute inference. Membership inference [pdf]

  3. Honest-but-Curious Nets: Sensitive Attributes of Private Inputs Can Be Secretly Coded into the Classifiers' Outputs. ACM CCS 2021. Infer privacy information in classification output [pdf] [code]

2.1.5 Graph Leakage

  1. Stealing Links from Graph Neural Networks. USENIX Security 2021. Inference Graph Link [pdf]

  2. Inference Attacks Against Graph Neural Networks. USENIX Security 2022. Property inference: number of nodes. Subgraph inference. Graph reconstruction [pdf] [code]

  3. LinkTeller: Recovering Private Edges from Graph Neural Networks via Influence Analysis. IEEE S&P 2022. Use node connection influence to infer graph edges [pdf]

  4. Locally Private Graph Neural Networks. IEEE S&P 2022. LDP as defense for node privacy [pdf] [code]

  5. Finding MNEMON: Reviving Memories of Node Embeddings. ACM CCS 2022. Graph recovery attack through node embedding [pdf]

  6. Group Property Inference Attacks Against Graph Neural Networks. ACM CCS 2022. Group Property inference attack on GNN [pdf]

  7. LPGNet: Link Private Graph Networks for Node Classification. ACM CCS 2022. DP to build private GNN [pdf]

2.1.6 Unlearning

  1. Machine Unlearning. IEEE S&P 2020. Shard and isolate the training dataset [pdf] [code]

  2. When Machine Unlearning Jeopardizes Privacy. ACM CCS 2021. Membership inference attack in unlearning setting [pdf] [code]

  3. Graph Unlearning. ACM CCS 2022. Graph Unlearning [pdf] [code]

  4. On the Necessity of Auditable Algorithmic Definitions for Machine Unlearning. ACM CCS 2022. Auditable Unlearning [pdf]

  5. Machine Unlearning of Features and Labels. NDSS 2023. Influence Function to achieve unlearning [pdf] [code]

2.1.7 Attribute Inference Attack

  1. Are Attribute Inference Attacks Just Imputation?. ACM CCS 2022. Attribute Inference Attack by identified neuro with data [pdf] [code]

  2. Feature Inference Attack on Shapley Values. ACM CCS 2022. Attribute Inference Attack using shapley values [pdf]

  3. QuerySnout: Automating the Discovery of Attribute Inference Attacks against Query-Based Systems. ACM CCS 2022. Attribute Inference detection [pdf]

2.1.7 Property Inference Attack

  1. SNAP: Efficient Extraction of Private Properties with Poisoning. IEEE S&P 2023. Stronger Property Inference Attack by poisoning the data [pdf] [code]

2.2 Model

2.2.1 Model Extraction

  1. Exploring Connections Between Active Learning and Model Extraction. USENIX Security 2020. Active Learning [pdf]

  2. High Accuracy and High Fidelity Extraction of Neural Networks. USENIX Security 2020. Fidelity [pdf]

  3. DRMI: A Dataset Reduction Technology based on Mutual Information for Black-box Attacks. USENIX Security 2021. Query Data Selection Method to reduce the query [pdf]

  4. Entangled Watermarks as a Defense against Model Extraction. USENIX Security 2021. Backdoor as watermark against model extraction [pdf]

  5. CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples. NDSS 2020. Adversarial Example to strengthen model stealing [pdf]

  6. Teacher Model Fingerprinting Attacks Against Transfer Learning. USENIX Securiy 2022. Teacher model fingerprinting [pdf]

  7. StolenEncoder: Stealing Pre-trained Encoders in Self-supervised Learning. ACM CCS 2022. Model Stealing attack in encoder [pdf]

  8. D-DAE: Defense-Penetrating Model Extraction Attacks. IEEE S&P 2023. Meta classifier to classify the defense and generator model to reduce the noise [pdf]

2.2.2 Model Watermark

  1. Adversarial Watermarking Transformer: Towards Tracing Text Provenance with Data Hiding. IEEE S&P 2021. Encode secret message into LM [pdf]

  2. Rethinking White-Box Watermarks on Deep Learning Models under Neural Structural Obfuscation. USENIX Security 2023. Inject dummy neurons into the model to break the white-box model watermark [pdf]

2.2.3 Model Owenership

  1. Proof-of-Learning: Definitions and Practice. IEEE S&P 2021. Proof the ownership of model parameters [pdf]

  2. SoK: How Robust is Image Classification Deep Neural Network Watermarking?. IEEE S&P 2022. Survey of DNN watermarking [pdf]

  3. Copy, Right? A Testing Framework for Copyright Protection of Deep Learning Models. IEEE S&P 2022. Calculate model similarity by generating test examples [pdf] [code]

  4. SSLGuard: A Watermarking Scheme for Self-supervised Learning Pre-trained Encoders. ACM CCS 2022. Watermarking in encoder [pdf]

  5. RAI2: Responsible Identity Audit Governing the Artificial Intelligence. NDSS 2023. Model and Data auditing in AI [pdf] [code]

2.2.4 Model Integrity

  1. PublicCheck: Public Integrity Verification for Services of Run-time Deep Models. IEEE S&P 2023. Model verification via crafted query [pdf]

2.3 User Related Privacy

2.3.1 Image

  1. Fawkes: Protecting Privacy against Unauthorized Deep Learning Models. USENIX Security 2020. Protect Face Privacy [pdf] [code]

  2. Automatically Detecting Bystanders in Photos to Reduce Privacy Risks. IEEE S&P 2020. Detecting bystanders [pdf]

  3. Characterizing and Detecting Non-Consensual Photo Sharing on Social Networks. IEEE S&P 2020. Detecting Non-Consensual People in a photo [pdf]

  4. Fairness Properties of Face Recognition and Obfuscation Systems. USENIX Security 2023. Fairness in Face related models [pdf] [code]

2.4 Private ML Protocols

2.4.1 3PC

  1. SWIFT: Super-fast and Robust Privacy-Preserving Machine Learning. USENIX Security 2021. [pdf]

  2. BLAZE: Blazing Fast Privacy-Preserving Machine Learning. NDSS 2020. [pdf]

  3. Bicoptor: Two-round Secure Three-party Non-linear Computation without Preprocessing for Privacy-preserving Machine Learning. IEEE S&P 2023. [pdf]

2.4.2 4PC

  1. Trident: Efficient 4PC Framework for Privacy Preserving Machine Learning. NDSS 2020. [pdf]

2.4.3 SMPC

  1. Cerebro: A Platform for Multi-Party Cryptographic Collaborative Learning. USENIX Security 2021. [pdf] [code]

  2. Private, Efficient, and Accurate: Protecting Models Trained by Multi-party Learning with Differential Privacy. IEEE S&P 2023. [pdf]

2.4.4 Cryptographic NN Computation

  1. SoK: Cryptographic Neural-Network Computation. IEEE S&P 2023. [pdf]

2.4.5 Secure Aggregation

  1. Flamingo: Multi-Round Single-Server Secure Aggregation with Applications to Private Federated Learning. IEEE S&P 2023. [pdf] [code]

  2. ELSA: Secure Aggregation for Federated Learning with Malicious Actors. IEEE S&P 2023. [pdf] [code]

2.5 Platform

2.5.1 Inference Attack Measurement

  1. ML-Doctor: Holistic Risk Assessment of Inference Attacks Against Machine Learning Models. USENIX Security 2022. Membership inference attack. Model inversion. Attribute inference. Model stealing [pdf]

2.5.2 Survey

  1. SoK: Let the Privacy Games Begin! A Unified Treatment of Data Inference Privacy in Machine Learning. IEEE S&P 2023. Systematizing privacy risks using game framework [pdf]

2.6 Differential Privacy

2.6.1 Tree Model

  1. Federated Boosted Decision Trees with Differential Privacy. ACM CCS 2022. Federated Learning with Tree Model in DP [pdf]

2.6.2 DP

  1. Spectral-DP: Differentially Private Deep Learning through Spectral Perturbation and Filtering. IEEE S&P 2023. Spectral DP [pdf]

2.6.3 LDP

  1. Locally Differentially Private Frequency Estimation Based on Convolution Framework. IEEE S&P 2023. [pdf]

Contributing

This list is mainly maintained by Ping He from NESA Lab.

We are very much welcome contributors for contributing this repository!

Markdown format

**Paper Name**. Conference Year. `Keywords` [[pdf](pdf_link)] [[code](code_link)]

Licenses

CC0

To the extent possible under law, gnipping all copyright and related or neighboring rights to this repository.