Awesome-ML-Security-and-Privacy-Papers
A curated list of Machine Learning Security & Privacy papers published in the top-4 security conferences (IEEE S&P, ACM CCS, USENIX Security, and NDSS).
Contents:
- Awesome-ML-Security-and-Privacy-Papers
- Contents:
- 1. Security Papers
- 2. Privacy Papers
- Contributing
- Licenses
1. Security Papers
1.1 Adversarial Attack & Defense
1.1.1 Image
-
Hybrid Batch Attacks: Finding Black-box Adversarial Examples with Limited Queries. USENIX Security 2020.
Transferability + Query. Black-box Attack
[pdf] [code] -
Adversarial Preprocessing: Understanding and Preventing Image-Scaling Attacks in Machine Learning. USENIX Security 2020.
Defense of Image Scaling Attack
[pdf] [code] -
HopSkipJumpAttack: A Query-Efficient Decision-Based Attack. IEEE S&P 2020.
Query-based Black-box Attack
[pdf] [code] -
PatchGuard: A Provably Robust Defense against Adversarial Patches via Small Receptive Fields and Masking. USENIX Security 2021.
Adversarial Patch Defense
[pdf] [code] -
Gotta Catch'Em All: Using Honeypots to Catch Adversarial Attacks on Neural Networks. ACM CCS 2020.
Build a trap in the model to induce specific adversarial perturbations
[pdf] [code] -
A Tale of Evil Twins: Adversarial Inputs versus Poisoned Models. ACM CCS 2020.
Perturb both the input and the model
[pdf] [code] -
Feature-Indistinguishable Attack to Circumvent Trapdoor-Enabled Defense. ACM CCS 2021.
A new attack method that breaks the TeD defense mechanism
[pdf] [code] -
DetectorGuard: Provably Securing Object Detectors against Localized Patch Hiding Attacks. ACM CCS 2021.
Provable robustness for patch hiding in object detection
[pdf] [code] -
It's Not What It Looks Like: Manipulating Perceptual Hashing based Applications. ACM CCS 2021.
Adversarial Attack against PHash
[pdf] [code] -
RamBoAttack: A Robust and Query Efficient Deep Neural Network Decision Exploit. NDSS 2022.
Query-based black-box attack (the basic hard-label attack loop is sketched after this list)
[pdf] [code] -
What You See is Not What the Network Infers: Detecting Adversarial Examples Based on Semantic Contradiction. NDSS 2022.
Generative-model-based AE detection
[pdf] [code] -
AutoDA: Automated Decision-based Iterative Adversarial Attacks. USENIX Security 2022.
Program Synthesis for Adversarial Attack
[pdf] -
Blacklight: Scalable Defense for Neural Networks against Query-Based Black-Box Attacks. USENIX Security 2022.
AE detection using probabilistic fingerprints based on hashes of input similarity
[pdf] [code] -
Physical Hijacking Attacks against Object Trackers. ACM CCS 2022.
Adversarial Attacks on Object Trackers
[pdf] [code] -
Post-breach Recovery: Protection against White-box Adversarial Examples for Leaked DNN Models. ACM CCS 2022.
Recover leaked DNN models to resist white-box adversarial examples
[pdf] -
Squint Hard Enough: Attacking Perceptual Hashing with Adversarial Machine Learning. USENIX Security 2023.
Adversarial Attacks against PhotoDNA and PDQ
[pdf] -
The Space of Adversarial Strategies. USENIX Security 2023.
Decompose adversarial attacks into components and recombine them
[pdf] -
Stateful Defenses for Machine Learning Models Are Not Yet Secure Against Black-box Attacks. ACM CCS 2023.
Attack strategy to enhance the query-based attack against the stateful defense
[pdf] [code]
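Several entries above are hard-label (decision-based) black-box attacks. Below is a minimal sketch of the shared attack loop, not any single paper's algorithm; `query_label` (a label-only oracle), `x_src` (the input under attack), and `x_init` (any input the model already classifies differently) are assumptions.

```python
# Minimal sketch of a hard-label black-box attack loop (the common core of
# HopSkipJumpAttack/RamBoAttack-style methods), assuming a label-only oracle.
import numpy as np

def binary_search_to_boundary(query_label, x_src, x_adv, true_label, steps=20):
    """Move the adversarial point as close to x_src as possible."""
    lo, hi = 0.0, 1.0  # interpolation weight toward x_src; lo stays adversarial
    for _ in range(steps):
        mid = (lo + hi) / 2.0
        cand = (1 - mid) * x_adv + mid * x_src
        if query_label(cand) != true_label:
            lo = mid  # still adversarial: move closer to the source
        else:
            hi = mid  # crossed the boundary: back off
    return (1 - lo) * x_adv + lo * x_src

def hard_label_attack(query_label, x_src, x_init, true_label,
                      iters=100, sigma=0.01, seed=0):
    """Random-walk refinement: keep only distance-reducing adversarial moves."""
    rng = np.random.default_rng(seed)
    x_adv = binary_search_to_boundary(query_label, x_src, x_init, true_label)
    for _ in range(iters):
        cand = x_adv + sigma * rng.standard_normal(x_adv.shape)
        if query_label(cand) != true_label:
            cand = binary_search_to_boundary(query_label, x_src, cand, true_label)
            if np.linalg.norm(cand - x_src) < np.linalg.norm(x_adv - x_src):
                x_adv = cand
    return x_adv
```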
1.1.2 Text
-
TextShield: Robust Text Classification Based on Multimodal Embedding and Neural Machine Translation. USENIX Security 2020.
Defense in preprocessing
[pdf] -
Bad Characters: Imperceptible NLP Attacks. IEEE S&P 2022.
Use Unicode characters to conduct human-imperceptible attacks (sketched after this list)
[pdf] [code] -
Order-Disorder: Imitation Adversarial Attacks for Black-box Neural Ranking Models. ACM CCS 2022.
Attack Neural Ranking Models
[pdf] -
No more Reviewer #2: Subverting Automatic Paper-Reviewer Assignment using Adversarial Learning. USENIX Security 2023.
Adversarial Attack on Paper Assignment
[pdf]
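The Bad Characters entry above relies on Unicode perturbations that humans cannot see. A minimal sketch of the idea, assuming a `classify` oracle (all names here are illustrative):

```python
# Minimal sketch: zero-width Unicode characters change the byte/token stream
# an NLP model sees while leaving the rendered text visually unchanged.
import random

ZERO_WIDTH = ["\u200b", "\u200c", "\u200d"]  # zero-width space / non-joiner / joiner

def perturb(text, n, rng):
    """Insert n zero-width characters at random positions."""
    chars = list(text)
    for _ in range(n):
        chars.insert(rng.randrange(len(chars) + 1), rng.choice(ZERO_WIDTH))
    return "".join(chars)

def random_search_attack(classify, text, target_label, budget=200, n=5, seed=0):
    rng = random.Random(seed)
    for _ in range(budget):
        cand = perturb(text, n, rng)
        if classify(cand) == target_label:  # renders identically to `text`
            return cand
    return None
```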
1.1.3 Audio
-
WaveGuard: Understanding and Mitigating Audio Adversarial Examples. USENIX Security 2021.
Defense in preprocessing
[pdf] [code] -
Dompteur: Taming Audio Adversarial Examples. USENIX Security 2021.
Defense in preprocessing. Preprocess the audio to make adversarial noise noticeable to humans
[pdf] [code] -
Who is Real Bob? Adversarial Attacks on Speaker Recognition Systems. IEEE S&P 2021.
Attack
[pdf] [code] -
Hear "No Evil", See "Kenansville": Efficient and Transferable Black-Box Attacks on Speech Recognition and Voice Identification Systems. IEEE S&P 2021.
Black-box Attack
[pdf] -
SoK: The Faults in our ASRs: An Overview of Attacks against Automatic Speech Recognition and Speaker Identification Systems. IEEE S&P 2021.
Survey
[pdf] -
AdvPulse: Universal, Synchronization-free, and Targeted Audio Adversarial Attacks via Subsecond Perturbations. ACM CCS 2020.
Attack
[pdf] -
Black-box Adversarial Attacks on Commercial Speech Platforms with Minimal Information. ACM CCS 2021.
Black-box Attack. Physical World
[pdf] -
Perception-Aware Attack: Creating Adversarial Music via Reverse-Engineering Human Perception. ACM CCS 2022.
Adversarial Audio with human-aware noise
[pdf] -
SpecPatch: Human-in-the-Loop Adversarial Audio Spectrogram Patch Attack on Speech Recognition. ACM CCS 2022.
Adversarial Patch for audio
[pdf]
1.1.4 Video
-
Universal 3-Dimensional Perturbations for Black-Box Attacks on Video Recognition Systems. IEEE S&P 2022.
Adversarial attack in video recognition
[pdf] -
StyleFool: Fooling Video Classification Systems via Style Transfer. IEEE S&P 2023.
Style Transfer to conduct adversarial attack
[pdf] [code]
1.1.5 Graph
- A Hard Label Black-box Adversarial Attack Against Graph Neural Networks. ACM CCS 2021.
Graph Classification
[pdf]
1.1.6 Software
-
Evading Classifiers by Morphing in the Dark. ACM CCS 2017.
Morphing and search to generate adversarial PDFs
[pdf] -
Misleading Authorship Attribution of Source Code using Adversarial Learning. USENIX Security 2019.
Adversarial attack on source code. Monte Carlo tree search
[pdf] [code] -
Intriguing Properties of Adversarial ML Attacks in the Problem Space. IEEE S&P 2020.
Attack Malware Classification
[pdf] -
Structural Attack against Graph Based Android Malware Detection. IEEE S&P 2020.
Perturb the function call graph
[pdf] -
URET: Universal Robustness Evaluation Toolkit (for Evasion). USENIX Security 2023.
General toolbox to select predefined perturbations
[pdf] [code] -
Adversarial Training for Raw-Binary Malware Classifiers. USENIX Security 2023.
Adversarial Training for Windows PE malware
[pdf] -
PELICAN: Exploiting Backdoors of Naturally Trained Deep Learning Models In Binary Code Analysis. USENIX Security 2023.
Reverse-engineer natural backdoors in transformer-based x86 binary code analysis tasks
[pdf] -
Black-box Adversarial Example Attack towards FCG Based Android Malware Detection under Incomplete Feature Information. USENIX Security 2023.
Black-box Android Adversarial Malware against the FCG-based ML classifier
[pdf] -
Efficient Query-Based Attack against ML-Based Android Malware Detection under Zero Knowledge Setting. ACM CCS 2023.
Semantically similar perturbations are more likely to have similar evasion effectiveness
[pdf] [code]
1.1.7 Hardware
- ATTRITION: Attacking Static Hardware Trojan Detection Techniques Using Reinforcement Learning. ACM CCS 2022.
Attack Hardware Trojan Detection
[pdf]
1.1.8 Interpretation Methods
-
Interpretable Deep Learning under Fire. USENIX Security 2020.
Attack both image classification models and their interpretation methods
[pdf] -
"Is your explanation stable?": A Robustness Evaluation Framework for Feature Attribution. ACM CCS 2022.
Hypothesis testing to increase the robustness of explanation methods
[pdf] -
AIRS: Explanation for Deep Reinforcement Learning based Security Applications. USENIX Security 2023.
DRL interpretation method to pinpoint the most influential steps
[pdf] [code]
1.1.9 Physical World
-
SLAP: Improving Physical Adversarial Examples with Short-Lived Adversarial Perturbations. USENIX Security 2021.
Projector light causes misclassification
[pdf] [code] -
Understanding Real-world Threats to Deep Learning Models in Android Apps. ACM CCS 2022.
Adversarial attacks on real-world models in Android apps
[pdf] -
X-Adv: Physical Adversarial Object Attacks against X-ray Prohibited Item Detection. USENIX Security 2023.
Adversarial Attack on X-ray Images
[pdf] [code] -
That Person Moves Like A Car: Misclassification Attack Detection for Autonomous Systems Using Spatiotemporal Consistency. USENIX Security 2023.
Robust object detection in autonomous systems using spatiotemporal information
[pdf] -
You Can't See Me: Physical Removal Attacks on LiDAR-based Autonomous Vehicles Driving Frameworks. USENIX Security 2023.
Adversarial attack against autonomous vehicles using lasers
[pdf] [demo] -
CAPatch: Physical Adversarial Patch against Image Captioning Systems. USENIX Security 2023.
Physical Adversarial Patch against the image caption system
[pdf] [code] -
Exorcising "Wraith": Protecting LiDAR-based Object Detector in Automated Driving System from Appearing Attacks. USENIX Security 2023.
Defend against appearing attacks in autonomous systems using a local objectness predictor
[pdf] [code]
1.1.10 Reinforcement Learning
- Adversarial Policy Training against Deep Reinforcement Learning. USENIX Security 2021.
Adversarial policy triggers abnormal opponent actions. Two-agent competitive game
[pdf] [code]
1.1.11 Robust Defense
-
Cost-Aware Robust Tree Ensembles for Security Applications. USENIX Security 2021.
Propose feature costs to certify model robustness
[pdf] [code] -
CADE: Detecting and Explaining Concept Drift Samples for Security Applications. USENIX Security 2021.
Detect concept drift
[pdf] [code] -
Learning Security Classifiers with Verified Global Robustness Properties. ACM CCS 2021.
Train a classifier with global robustness
[pdf] [code] -
On the Robustness of Domain Constraints. ACM CCS 2021.
Domain constraints. Input space robustness
[pdf] -
Cert-RNN: Towards Certifying the Robustness of Recurrent Neural Networks. ACM CCS 2021.
Certify robustness in RNN
[pdf] -
TSS: Transformation-Specific Smoothing for Robustness Certification. ACM CCS 2021.
Certify robustness against semantic transformations
[pdf][code] -
Transcend: Detecting Concept Drift in Malware Classification Models. USENIX Security 2017.
Conformal evaluators
[pdf] [code] -
Transcending Transcend: Revisiting Malware Classification in the Presence of Concept Drift. IEEE S&P 2022.
New conformal evaluators
[pdf][code] -
Transferring Adversarial Robustness Through Robust Representation Matching. USENIX Security 2022.
Robust Transfer Learning
[pdf] -
DiffSmooth: Certifiably Robust Learning via Diffusion Models and Local Smoothing. USENIX Security 2023.
Diffusion models improve certified robustness (randomized-smoothing prediction is sketched after this list)
[pdf] -
Anomaly Detection in the Open World: Normality Shift Detection, Explanation, and Adaptation. NDSS 2023.
Concept drift detection using an unsupervised approach
[pdf] [code] -
BARS: Local Robustness Certification for Deep Learning based Traffic Analysis Systems. NDSS 2023.
Certified Robustness for Traffic Analysis Systems
[pdf] [code] -
REaaS: Enabling Adversarially Robust Downstream Classifiers via Robust Encoder as a Service. NDSS 2023.
Build a certifiably robust encoder-as-a-service model
[pdf] -
Continuous Learning for Android Malware Detection. USENIX Security 2023.
New continual learning paradigm for malware detection
[pdf] [code] -
ObjectSeeker: Certifiably Robust Object Detection against Patch Hiding Attacks via Patch-agnostic Masking. IEEE S&P 2023.
Certified robustness of object detection
[pdf] [code] -
On The Empirical Effectiveness of Unrealistic Adversarial Hardening Against Realistic Adversarial Attacks. IEEE S&P 2023.
Adversarial attacks in the feature space may enhance robustness in the problem space
[pdf] [code]
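Several certified-robustness entries above (e.g., TSS, DiffSmooth) build on randomized smoothing. Below is a minimal sketch of the generic majority-vote prediction step, following the standard Cohen et al.-style recipe rather than any one paper's method; `base_classify` is an assumed classifier oracle.

```python
# Minimal sketch of randomized-smoothing prediction: classify many noisy
# copies of the input and return the majority vote. In the full method the
# vote margin also yields a certified L2 radius; omitted here for brevity.
import numpy as np

def smoothed_predict(base_classify, x, sigma=0.25, n=1000, seed=0):
    rng = np.random.default_rng(seed)
    votes = {}
    for _ in range(n):
        y = base_classify(x + sigma * rng.standard_normal(x.shape))
        votes[y] = votes.get(y, 0) + 1
    top = max(votes, key=votes.get)
    return top, votes[top] / n  # smoothed label and its vote share
```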
1.1.12 Network Traffic
- Defeating DNN-Based Traffic Analysis Systems in Real-Time With Blind Adversarial Perturbations. USENIX Security 2021.
Adversarial attack to defeat DNN-based traffic analysis
[pdf] [code]
1.1.13 Wireless Communication System
- Robust Adversarial Attacks Against DNN-Based Wireless Communication Systems. ACM CCS 2021.
Attack
[pdf]
1.1.14 Tabular Data
- Adversarial Robustness for Tabular Data through Cost and Utility Awareness. NDSS 2023.
Adversarial Attack & Defense on tabular data
[pdf]
1.2 Distributed Machine Learning
1.2.1 Federated Learning
-
Local Model Poisoning Attacks to Byzantine-Robust Federated Learning. USENIX Security 2020.
Poisoning Attack
[pdf] -
Manipulating the Byzantine: Optimizing Model Poisoning Attacks and Defenses for Federated Learning. NDSS 2021.
Poisoning Attack
[pdf] -
DeepSight: Mitigating Backdoor Attacks in Federated Learning Through Deep Model Inspection. NDSS 2022.
Backdoor defense
[pdf] -
FLAME: Taming Backdoors in Federated Learning. USENIX Security 2022.
Backdoor defense
[pdf] -
EIFFeL: Ensuring Integrity for Federated Learning. ACM CCS 2022.
New FL protocol to guarantee integrity
[pdf] -
Eluding Secure Aggregation in Federated Learning via Model Inconsistency. ACM CCS 2022.
Model inconsistency to break secure aggregation
[pdf] -
FedRecover: Recovering from Poisoning Attacks in Federated Learning using Historical Information. IEEE S&P 2023.
Poisoned Model Recovery Algorithm
[pdf] -
Every Vote Counts: Ranking-Based Training of Federated Learning to Resist Poisoning Attacks. USENIX Security 2023.
Discretize model updates and prune the model to defend against poisoning attacks
[pdf] [code] -
Securing Federated Sensitive Topic Classification against Poisoning Attacks. NDSS 2023.
Robust aggregation against poisoning attacks (a coordinate-wise median sketch follows this list)
[pdf] -
BayBFed: Bayesian Backdoor Defense for Federated Learning. IEEE S&P 2023.
Purify model updates using Bayesian inference
[pdf] -
ADI: Adversarial Dominating Inputs in Vertical Federated Learning Systems. IEEE S&P 2023.
Poisoning the vertical federated learning system
[pdf] [code] -
3DFed: Adaptive and Extensible Framework for Covert Backdoor Attack in Federated Learning. IEEE S&P 2023.
Adapt conventional backdoor attacks to the federated learning scenario
[pdf]
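Many of the poisoning defenses above replace plain averaging with a robust aggregation rule. A minimal sketch contrasting FedAvg with a coordinate-wise median (illustrative only; the papers above use more sophisticated aggregators):

```python
# Minimal sketch: one malicious client can drag the FedAvg mean arbitrarily,
# while a coordinate-wise median stays near the honest consensus.
import numpy as np

def fedavg(updates):
    return np.mean(updates, axis=0)

def coordinate_median(updates):
    return np.median(updates, axis=0)

honest = [np.random.default_rng(i).normal(0.0, 0.1, 4) for i in range(9)]
poisoned = honest + [np.full(4, 100.0)]  # one poisoned update
print(fedavg(poisoned))             # shifted far from the honest updates
print(coordinate_median(poisoned))  # barely affected
```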
1.2.2 Normal Distributed Learning
- Justinian's GAAvernor: Robust Distributed Learning with Gradient Aggregation Agent. USENIX Security 2020.
Defense in Gradient Aggregation. Reinforcement learning
[pdf]
1.3 Data Poisoning
1.3.1 Hijack Embedding
- Humpty Dumpty: Controlling Word Meanings via Corpus Poisoning. IEEE S&P 2020.
Hijack Word Embedding
[pdf]
1.3.2 Hijack Autocomplete Code
- You Autocomplete Me: Poisoning Vulnerabilities in Neural Code Completion. USENIX Security 2021.
Hijack Code Autocomplete
[pdf]
1.3.3 Semi-Supervised Learning
- Poisoning the Unlabeled Dataset of Semi-Supervised Learning. USENIX Security 2021.
Poisoning semi-supervised learning
[pdf]
1.3.4 Recommender Systems
-
Data Poisoning Attacks to Deep Learning Based Recommender Systems. NDSS 2021.
Attacker-chosen items are recommended as often as possible
[pdf] -
Reverse Attack: Black-box Attacks on Collaborative Recommendation. ACM CCS 2021.
Black-box setting. Surrogate model. Collaborative Filtering. Demoting and Promoting
[pdf]
1.3.5 Classification
-
Subpopulation Data Poisoning Attacks. ACM CCS 2021.
Poisoning to flip predictions on a targeted subpopulation of samples
[pdf] -
Get a Model! Model Hijacking Attack Against Machine Learning Models. NDSS 2022.
Fuse datasets to hijack the model
[pdf] [code]
1.3.6 Contrastive Learning
- PoisonedEncoder: Poisoning the Unlabeled Pre-training Data in Contrastive Learning. USENIX Security 2022.
Poisoning attack in contrastive learning
[pdf]
1.3.7 Privacy
- Truth Serum: Poisoning Machine Learning Models to Reveal Their Secrets. ACM CCS 2022.
Poisoning attack to reveal sensitive information
[pdf]
1.3.8 Defense
-
Poison Forensics: Traceback of Data Poisoning Attacks in Neural Networks. USENIX Security 2022.
Identify the poisoned subset by clustering and pruning the benign set
[pdf] -
Meta-Sift: How to Sift Out a Clean Subset in the Presence of Data Poisoning?. USENIX Security 2023.
Obtain a clean subset from the poisoned set
[pdf] [code]
1.4 Backdoor
1.4.1 Image
-
Demon in the Variant: Statistical Analysis of DNNs for Robust Backdoor Contamination Detection. USENIX Security 2021.
Class-specific Backdoor. Defense by decomposition
[pdf] -
Double-Cross Attacks: Subverting Active Learning Systems. USENIX Security 2021.
Active Learning System. Backdoor Attack
[pdf] -
Detecting AI Trojans Using Meta Neural Analysis. IEEE S&P 2021.
Meta Neural Classifier
[pdf] [code] -
BadEncoder: Backdoor Attacks to Pre-trained Encoders in Self-Supervised Learning. IEEE S&P 2022.
Backdoor attack in image-text pretrained model
[pdf] [code] -
Composite Backdoor Attack for Deep Neural Network by Mixing Existing Benign Features. ACM CCS 2020.
Composite backdoor. Image & text tasks
[pdf] [code] -
AI-Lancet: Locating Error-inducing Neurons to Optimize Neural Networks. ACM CCS 2021.
Locate error-inducing neurons and fine-tune them
[pdf] -
LoneNeuron: a Highly-Effective Feature-Domain Neural Trojan Using Invisible and Polymorphic Watermarks. ACM CCS 2022.
Backdoor attack by modifying neurons
[pdf] -
ATTEQ-NN: Attention-based QoE-aware Evasive Backdoor Attacks. NDSS 2022.
Backdoor attack by attention techniques
[pdf] -
RAB: Provable Robustness Against Backdoor Attacks. IEEE S&P 2023.
Certified robustness against backdoor attacks
[pdf] -
A Data-free Backdoor Injection Approach in Neural Networks. USENIX Security 2023.
Data-free backdoor injection (the basic trigger-poisoning threat model is sketched after this list)
[pdf] [code] -
Backdoor Attacks Against Dataset Distillation. NDSS 2023.
Backdoor attack against dataset distillation
[pdf] [code] -
BEAGLE: Forensics of Deep Learning Backdoor Attack for Better Defense. NDSS 2023.
Backdoor Forensics
[pdf] [code] -
Disguising Attacks with Explanation-Aware Backdoors. IEEE S&P 2023.
Backdoor to mislead explanation methods
[pdf] -
Selective Amnesia: On Efficient, High-Fidelity and Blind Suppression of Backdoor Effects in Trojaned Machine Learning Models. IEEE S&P 2023.
Fine-tuning to remove backdoors
[pdf] -
AI-Guardian: Defeating Adversarial Attacks using Backdoors. IEEE S&P 2023.
Use backdoors to detect adversarial examples: an all-to-all backdoor mapping that is reversed at inference
[pdf] -
REDEEM MYSELF: Purifying Backdoors in Deep Learning Models using Self Attention Distillation. IEEE S&P 2023.
Purify backdoors using self-attention distillation
[pdf] -
NARCISSUS: A Practical Clean-Label Backdoor Attack with Limited Information. ACM CCS 2023.
Clean-label backdoor attack
[pdf] [code] -
ASSET: Robust Backdoor Data Detection Across a Multiplicity of Deep Learning Paradigms. USENIX Security 2023.
Backdoor data detection across different learning paradigms
[pdf] [code]
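Most image-backdoor papers above attack or defend variants of the basic trigger-poisoning threat model. A minimal BadNets-style sketch for grayscale image arrays (illustrative only, not any listed paper's exact method):

```python
# Minimal sketch of dirty-label trigger poisoning: stamp a small patch on a
# fraction of training images and relabel them to the attacker's target class.
import numpy as np

def stamp_trigger(img, size=3, value=1.0):
    """Place a small square trigger in the bottom-right corner (H x W array)."""
    poisoned = img.copy()
    poisoned[-size:, -size:] = value
    return poisoned

def poison_dataset(images, labels, target_class, rate=0.05, seed=0):
    rng = np.random.default_rng(seed)
    images, labels = images.copy(), labels.copy()
    idx = rng.choice(len(images), int(rate * len(images)), replace=False)
    for i in idx:
        images[i] = stamp_trigger(images[i])
        labels[i] = target_class  # dirty-label: trigger + relabel
    return images, labels
```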
1.4.2 Text
-
T-Miner: A Generative Approach to Defend Against Trojan Attacks on DNN-based Text Classification. USENIX Security 2021.
Backdoor defense. Generative model to recover triggers
[pdf] [code] -
Hidden Backdoors in Human-Centric Language Models. ACM CCS 2021.
Novel trigger
[pdf] [code] -
Backdoor Pre-trained Models Can Transfer to All. ACM CCS 2021.
Backdoor in pre-trained models to poison downstream tasks
[pdf] [code] -
Hidden Trigger Backdoor Attack on NLP Models via Linguistic Style Manipulation. USENIX Security 2022.
Backdoor via linguistic style manipulation
[pdf]
1.4.3 Graph
1.4.4 Software
- Explanation-Guided Backdoor Poisoning Attacks Against Malware Classifiers. USENIX Security 2021.
Explanation Method. Evade Classification
[pdf] [code]
1.4.5 Audio
-
TrojanModel: A Practical Trojan Attack against Automatic Speech Recognition Systems. IEEE S&P 2023.
Backdoor attack in speech recognition systems
[pdf] -
MagBackdoor: Beware of Your Loudspeaker as Backdoor of Magnetic Attack for Malicious Command Injection. IEEE S&P 2023.
Backdoor attack on audio using a magnetic trigger
[pdf]
1.5 ML Library Security
1.5.1 Loss
-
Blind Backdoors in Deep Learning Models. USENIX Security 2021.
Loss Manipulation. Backdoor
[pdf] [code] -
IvySyn: Automated Vulnerability Discovery in Deep Learning Frameworks. USENIX Security 2023.
Automatic Bug Discovery in ML libraries
[pdf]
1.6 AI4Security
1.6.1 Cyberbullying
- Towards Understanding and Detecting Cyberbullying in Real-world Images. NDSS 2021.
Detect cyberbullying in images
[pdf]
1.6.2 Security Applications
-
FARE: Enabling Fine-grained Attack Categorization under Low-quality Labeled Data. NDSS 2021.
Clustering method to complete dataset labels
[pdf] [code] -
From Grim Reality to Practical Solution: Malware Classification in Real-World Noise. IEEE S&P 2023.
Noisy-label learning method for malware classification
[pdf] [code] -
Decoding the Secrets of Machine Learning in Windows Malware Classification: A Deep Dive into Datasets, Features, and Model Performance. ACM CCS 2023.
Static features outperform dynamic features in Windows PE malware detection
[pdf]
1.6.3 Advertisement Detection
- WtaGraph: Web Tracking and Advertising Detection using Graph Neural Networks. IEEE S&P 2022.
GNN
[pdf]
1.6.4 CAPTCHA
-
Text Captcha Is Dead? A Large Scale Deployment and Empirical Study. ACM CCS 2020.
Adversarial CAPTCHA
[pdf] -
Attacks as Defenses: Designing Robust Audio CAPTCHAs Using Attacks on Automatic Speech Recognition Systems. NDSS 2023.
Adversarial Audio CAPTCHA
[pdf] [demo] -
A Generic, Efficient, and Effortless Solver with Self-Supervised Learning for Breaking Text Captchas. IEEE S&P 2023.
Text CAPTCHA Solver
[pdf]
1.6.5 Code Analysis
-
PalmTree: Learning an Assembly Language Model for Instruction Embedding. ACM CCS 2021.
Pre-trained model to generate code embedding
[pdf] [code] -
CALLEE: Recovering Call Graphs for Binaries with Transfer and Contrastive Learning. IEEE S&P 2023.
Recovering call graph from binaries using transfer and contrastive learning
[pdf] [code] -
Examining Zero-Shot Vulnerability Repair with Large Language Models. IEEE S&P 2023.
Zero-shot vulnerability repair using large language models
[pdf]
1.6.6 Chatbot
- Why So Toxic? Measuring and Triggering Toxic Behavior in Open-Domain Chatbots. ACM CCS 2022.
Measuring and triggering toxic behavior in chatbots
[pdf]
1.6.7 Side Channel Attack
-
Towards a General Video-based Keystroke Inference Attack. USENIX Security 2023.
Self-supervised learning to recover keyboard input
[pdf] -
Deep perceptual hashing algorithms with hidden dual purpose: when client-side scanning does facial recognition. IEEE S&P 2023.
Manipulate deep perceptual hashing to covertly perform facial recognition
[pdf] [code]
1.6.8 Guidelines
-
Dos and Don'ts of Machine Learning in Computer Security. USENIX Security 2022.
Survey pitfalls in ML4Security
[pdf] -
"Security is not my field, I'm a stats guy": A Qualitative Root Cause Analysis of Barriers to Adversarial Machine Learning Defenses in Industry. USENIX Security 2023.
Survey of adversarial ML defenses in industry
[pdf] -
Everybody's Got ML, Tell Me What Else You Have: Practitioners' Perception of ML-Based Security Tools and Explanations. IEEE S&P 2023.
Explainable AI in practice
[pdf]
1.6.9 Security Event
- CERBERUS: Exploring Federated Prediction of Security Events. ACM CCS 2022.
Federated learning to predict security events
[pdf]
1.6.10 Vulnerability Discovery
- VulChecker: Graph-based Vulnerability Localization in Source Code. USENIX Security 2023.
Detecting Bugs using GCN
[pdf] [code]
1.7 AutoML Security
1.7.1 Security Analysis
- On the Security Risks of AutoML. USENIX Security 2022.
Adversarial evasion. Model poisoning. Backdoor. Functionality stealing. Membership Inference
[pdf]
1.8 Hardware Related Security
1.8.1 Verification
-
DeepDyve: Dynamic Verification for Deep Neural Networks. ACM CCS 2020. [pdf]
-
NeuroPots: Realtime Proactive Defense against Bit-Flip Attacks in Neural Networks. USENIX Security 2023.
Honeypot to trap bit-flip attacks
[pdf] -
Aegis: Mitigating Targeted Bit-flip Attacks against Deep Neural Networks. USENIX Security 2023.
Train multiple classifiers to defend against bit-flip attacks
[pdf] [code]
1.9 Security-Related Interpretation Methods
-
DeepAID: Interpreting and Improving Deep Learning-based Anomaly Detection in Security Applications. ACM CCS 2021.
Anomaly detection
[pdf] [code] -
Good-looking but Lacking Faithfulness: Understanding Local Explanation Methods through Trend-based Testing. ACM CCS 2023.
Trend-based faithfulness testing
[pdf] [code] -
FINER: Enhancing State-of-the-art Classifiers with Feature Attribution to Facilitate Security Analysis. ACM CCS 2023.
Ensemble explanations for different stakeholders
[pdf] [code]
1.10 Face Security
1.10.1 Deepfake Detection
- Who Are You (I Really Wanna Know)? Detecting Audio DeepFakes Through Vocal Tract Reconstruction. USENIX Security 2022.
Deepfake detection using vocal tract reconstruction
[pdf]
1.10.2 Face Impersonation
-
ImU: Physical Impersonating Attack for Face Recognition System with Natural Style Changes. IEEE S&P 2023.
StyleGAN to impersonate a person
[pdf] [code] -
DepthFake: Spoofing 3D Face Authentication with a 2D Photo. IEEE S&P 2023.
Spoof 3D face authentication with a 2D photo
[pdf] [demo]
1.10.3 Face Verification Systems
- Understanding the (In)Security of Cross-side Face Verification Systems in Mobile Apps: A System Perspective. IEEE S&P 2023.
Measurement study of the security risks of cross-side face verification systems.
[pdf]
1.11 AI Generation Detection
1.11.1 Text
- Deepfake Text Detection: Limitations and Opportunities. IEEE S&P 2023.
Detecting machine-generated text
[pdf] [code]
1.12 LLM Security
1.12.1 Code Generation
- Large Language Models for Code: Security Hardening and Adversarial Testing. ACM CCS 2023.
Prefix tuning for secure code generation
[pdf] [code]
2. Privacy Papers
2.1 Training Data
2.1.1 Data Recovery
-
Updates-Leak: Data Set Inference and Reconstruction Attacks in Online Learning. USENIX Security 2020.
Online Learning. Model updates
[pdf] -
Extracting Training Data from Large Language Models. USENIX Security 2021.
Training data extraction via membership inference. GPT-2
[pdf] -
Analyzing Information Leakage of Updates to Natural Language Models. ACM CCS 2020.
Data leakage from model updates
[pdf] -
TableGAN-MCA: Evaluating Membership Collisions of GAN-Synthesized Tabular Data Releasing. ACM CCS 2021.
Membership collision in GAN
[pdf] -
DataLens: Scalable Privacy Preserving Training via Gradient Compression and Aggregation. ACM CCS 2021.
DP to train a privacy-preserving GAN
[pdf] -
Property Inference Attacks Against GANs. NDSS 2022.
Property Inference Attacks Against GAN
[pdf] [code] -
MIRROR: Model Inversion for Deep Learning Network with High Fidelity. NDSS 2022.
Model inversion attack using GAN
[pdf] [code] -
Analyzing Leakage of Personally Identifiable Information in Language Models. IEEE S&P 2023.
Personally identifiable information leakage in language model
[pdf] [code]
2.1.2 Membership Inference Attack
-
Stolen Memories: Leveraging Model Memorization for Calibrated White-Box Membership Inference. USENIX Security 2020.
White-box Setting
[pdf] -
Systematic Evaluation of Privacy Risks of Machine Learning Models. USENIX Security 2020.
Metric-based membership inference attack; defines a privacy risk score (a minimal loss-threshold variant is sketched after this list)
[pdf] [code] -
Practical Blind Membership Inference Attack via Differential Comparisons. NDSS 2021.
Use non-member data to replace shadow model
[pdf] [code] -
GAN-Leaks: A Taxonomy of Membership Inference Attacks against Generative Models. ACM CCS 2020.
Membership inference attack in Generative model. Member has small reconstruction error
[pdf] -
Quantifying and Mitigating Privacy Risks of Contrastive Learning. ACM CCS 2021.
Membership inference attack. Property inference attack. Contrastive learning in classification task
[pdf] [code] -
Membership Inference Attacks Against Recommender Systems. ACM CCS 2021.
Recommender System
[pdf] [code] -
EncoderMI: Membership Inference against Pre-trained Encoders in Contrastive Learning. ACM CCS 2021.
Contrastive learning in pre-trained models. Augmented views of members show higher similarity
[pdf] [code] -
Auditing Membership Leakages of Multi-Exit Networks. ACM CCS 2022.
Membership inference attack in multi-exit networks
[pdf] -
Membership Inference Attacks by Exploiting Loss Trajectory. ACM CCS 2022.
Membership inference attack, knowledge distillation
[pdf] -
On the Privacy Risks of Cell-Based NAS Architectures. ACM CCS 2022.
Membership inference attack in NAS
[pdf] -
Membership Inference Attacks and Defenses in Neural Network Pruning. USENIX Security 2022.
Membership inference attack in Neural Network Pruning
[pdf] -
Mitigating Membership Inference Attacks by Self-Distillation Through a Novel Ensemble Architecture. USENIX Security 2022.
Membership inference defense by ensemble
[pdf] -
Enhanced Membership Inference Attacks against Machine Learning Models. USENIX Security 2022.
Membership inference attack with hypothesis testing
[pdf] [code] -
Membership Inference Attacks and Generalization: A Causal Perspective. ACM CCS 2022.
Membership inference attack with causal reasoning
[pdf]
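The metric-based attacks above exploit the gap between member and non-member loss. A minimal loss-threshold sketch, assuming a per-example `model_loss` oracle and shadow data for calibration (both assumptions):

```python
# Minimal sketch of a loss-threshold membership inference attack: training
# members tend to have lower loss, so threshold the per-sample loss.
import numpy as np

def calibrate_threshold(model_loss, shadow_members, shadow_nonmembers):
    """Midpoint between the mean member and non-member loss on shadow data."""
    m = np.mean([model_loss(x, y) for x, y in shadow_members])
    n = np.mean([model_loss(x, y) for x, y in shadow_nonmembers])
    return (m + n) / 2.0

def infer_membership(model_loss, samples, threshold):
    """Predict 'member' when the target model's loss on a sample is small."""
    return np.array([model_loss(x, y) < threshold for x, y in samples])
```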
2.1.3 Information Leakage in Distributed ML System
-
Label Inference Attacks Against Vertical Federated Learning. USENIX Security 2022.
Label Leakage. Federated Learning
[pdf] [code] -
The Value of Collaboration in Convex Machine Learning with Differential Privacy. IEEE S&P 2020.
DP as Defense
[pdf] -
Leakage of Dataset Properties in Multi-Party Machine Learning. USENIX Security 2021.
Dataset Properties Leakage
[pdf] -
Unleashing the Tiger: Inference Attacks on Split Learning. ACM CCS 2021.
Split learning. Feature-space hijacking attack
[pdf] [code] -
Local and Central Differential Privacy for Robustness and Privacy in Federated Learning. NDSS 2022.
DP in federated learning
[pdf] -
Gradient Obfuscation Gives a False Sense of Security in Federated Learning. USENIX Security 2023.
Data Recovery in federated learning
[pdf] -
PPA: Preference Profiling Attack Against Federated Learning. NDSS 2023.
Preference Leakage in federated learning
[pdf] [code] -
On the (In)security of Peer-to-Peer Decentralized Machine Learning. IEEE S&P 2023.
Information leakage in peer-to-peer decentralized machine learning system
[pdf] -
RoFL: Robustness of Secure Federated Learning. IEEE S&P 2023.
Robust federated learning framework using secure aggregation
[pdf] [code] -
Scalable and Privacy-Preserving Federated Principal Component Analysis. IEEE S&P 2023.
Privacy-preserving federated PCA algorithm
[pdf]
2.1.4 Information Leakage in Embedding
-
Privacy Risks of General-Purpose Language Models. IEEE S&P 2020.
Pretrained Language Model
[pdf] -
Information Leakage in Embedding Models. ACM CCS 2020.
Exact Word Recovery. Attribute inference. Membership inference
[pdf] -
Honest-but-Curious Nets: Sensitive Attributes of Private Inputs Can Be Secretly Coded into the Classifiers' Outputs. ACM CCS 2021.
Infer private information from classification outputs
[pdf] [code]
2.1.5 Graph Leakage
-
Stealing Links from Graph Neural Networks. USENIX Security 2021.
Infer graph links (a posterior-similarity sketch follows this list)
[pdf] -
Inference Attacks Against Graph Neural Networks. USENIX Security 2022.
Property inference: number of nodes. Subgraph inference. Graph reconstruction
[pdf] [code] -
LinkTeller: Recovering Private Edges from Graph Neural Networks via Influence Analysis. IEEE S&P 2022.
Use node connection influence to infer graph edges
[pdf] -
Locally Private Graph Neural Networks. IEEE S&P 2022.
LDP as defense for node privacy
[pdf] [code] -
Finding MNEMON: Reviving Memories of Node Embeddings. ACM CCS 2022.
Graph recovery attack through node embedding
[pdf] -
Group Property Inference Attacks Against Graph Neural Networks. ACM CCS 2022.
Group Property inference attack on GNN
[pdf] -
LPGNet: Link Private Graph Networks for Node Classification. ACM CCS 2022.
DP to build private GNN
[pdf]
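The link-stealing entry above observes that a GNN tends to give connected nodes similar predictions. A minimal sketch of this posterior-similarity heuristic; `posteriors` and the threshold are assumptions:

```python
# Minimal sketch of link stealing via posterior similarity: guess that an
# edge (u, v) exists when the GNN's output distributions are very similar.
import numpy as np

def cosine(a, b):
    return float(np.dot(a, b) / (np.linalg.norm(a) * np.linalg.norm(b)))

def predict_link(posteriors, u, v, threshold=0.9):
    """posteriors: dict mapping node id -> model output distribution."""
    return cosine(posteriors[u], posteriors[v]) > threshold
```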
2.1.6 Unlearning
-
Machine Unlearning. IEEE S&P 2020.
Shard and isolate the training dataset
[pdf] [code] -
When Machine Unlearning Jeopardizes Privacy. ACM CCS 2021.
Membership inference attack in unlearning setting
[pdf] [code] -
Graph Unlearning. ACM CCS 2022.
Graph Unlearning
[pdf] [code] -
On the Necessity of Auditable Algorithmic Definitions for Machine Unlearning. ACM CCS 2022.
Auditable Unlearning
[pdf] -
Machine Unlearning of Features and Labels. NDSS 2023.
Influence functions to achieve unlearning
[pdf] [code]
2.1.7 Attribute Inference Attack
-
Are Attribute Inference Attacks Just Imputation?. ACM CCS 2022.
Attribute inference attacks compared against data imputation baselines
[pdf] [code] -
Feature Inference Attack on Shapley Values. ACM CCS 2022.
Attribute inference attack using Shapley values
[pdf] -
QuerySnout: Automating the Discovery of Attribute Inference Attacks against Query-Based Systems. ACM CCS 2022.
Automated discovery of attribute inference attacks against query-based systems
[pdf]
2.1.8 Property Inference Attack
- SNAP: Efficient Extraction of Private Properties with Poisoning. IEEE S&P 2023.
Stronger property inference attack by poisoning the data
[pdf] [code]
2.2 Model
2.2.1 Model Extraction
-
Exploring Connections Between Active Learning and Model Extraction. USENIX Security 2020.
Active Learning
[pdf] -
High Accuracy and High Fidelity Extraction of Neural Networks. USENIX Security 2020.
High-fidelity extraction (the basic query-and-fit surrogate loop is sketched after this list)
[pdf] -
DRMI: A Dataset Reduction Technology based on Mutual Information for Black-box Attacks. USENIX Security 2021.
Query data selection method to reduce the number of queries
[pdf] -
Entangled Watermarks as a Defense against Model Extraction. USENIX Security 2021.
Backdoor as watermark against model extraction
[pdf] -
CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples. NDSS 2020.
Adversarial examples to strengthen model stealing
[pdf] -
Teacher Model Fingerprinting Attacks Against Transfer Learning. USENIX Security 2022.
Teacher model fingerprinting
[pdf] -
StolenEncoder: Stealing Pre-trained Encoders in Self-supervised Learning. ACM CCS 2022.
Model stealing attack on encoders
[pdf] -
D-DAE: Defense-Penetrating Model Extraction Attacks. IEEE S&P 2023.
Meta-classifier to identify the deployed defense and a generative model to remove its noise
[pdf]
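At their core, the extraction attacks above query the victim and fit a surrogate on the stolen labels; the papers differ mainly in query selection and fidelity goals. A minimal label-only sketch, with `victim_predict` as an assumed query oracle:

```python
# Minimal sketch of label-only model extraction: label attacker-chosen
# inputs via the victim's API, then train a surrogate on the stolen labels.
import numpy as np
from sklearn.neural_network import MLPClassifier

def extract_model(victim_predict, n_queries=2000, dim=20, seed=0):
    rng = np.random.default_rng(seed)
    X = rng.uniform(-1.0, 1.0, (n_queries, dim))   # naive query distribution
    y = np.array([victim_predict(x) for x in X])   # labels stolen via queries
    surrogate = MLPClassifier(hidden_layer_sizes=(64,), max_iter=500)
    surrogate.fit(X, y)
    return surrogate
```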
2.2.2 Model Watermark
-
Adversarial Watermarking Transformer: Towards Tracing Text Provenance with Data Hiding. IEEE S&P 2021.
Encode secret message into LM
[pdf] -
Rethinking White-Box Watermarks on Deep Learning Models under Neural Structural Obfuscation. USENIX Security 2023.
Inject dummy neurons into the model to break the white-box model watermark
[pdf]
2.2.3 Model Ownership
-
Proof-of-Learning: Definitions and Practice. IEEE S&P 2021.
Prove the ownership of model parameters
[pdf] -
SoK: How Robust is Image Classification Deep Neural Network Watermarking?. IEEE S&P 2022.
Survey of DNN watermarking
[pdf] -
Copy, Right? A Testing Framework for Copyright Protection of Deep Learning Models. IEEE S&P 2022.
Calculate model similarity by generating test examples
[pdf] [code] -
SSLGuard: A Watermarking Scheme for Self-supervised Learning Pre-trained Encoders. ACM CCS 2022.
Watermarking scheme for encoders
[pdf] -
RAI2: Responsible Identity Audit Governing the Artificial Intelligence. NDSS 2023.
Model and Data auditing in AI
[pdf] [code]
2.2.4 Model Integrity
- PublicCheck: Public Integrity Verification for Services of Run-time Deep Models. IEEE S&P 2023.
Model integrity verification via crafted queries
[pdf]
2.3 User Related Privacy
2.3.1 Image
-
Fawkes: Protecting Privacy against Unauthorized Deep Learning Models. USENIX Security 2020.
Protect Face Privacy
[pdf] [code] -
Automatically Detecting Bystanders in Photos to Reduce Privacy Risks. IEEE S&P 2020.
Detecting bystanders
[pdf] -
Characterizing and Detecting Non-Consensual Photo Sharing on Social Networks. IEEE S&P 2020.
Detecting non-consensually shared people in photos
[pdf] -
Fairness Properties of Face Recognition and Obfuscation Systems. USENIX Security 2023.
Fairness of face recognition and obfuscation systems
[pdf] [code]
2.4 Private ML Protocols
2.4.1 3PC
-
SWIFT: Super-fast and Robust Privacy-Preserving Machine Learning. USENIX Security 2021. [pdf]
-
BLAZE: Blazing Fast Privacy-Preserving Machine Learning. NDSS 2020. [pdf]
-
Bicoptor: Two-round Secure Three-party Non-linear Computation without Preprocessing for Privacy-preserving Machine Learning. IEEE S&P 2023. [pdf]
2.4.2 4PC
- Trident: Efficient 4PC Framework for Privacy Preserving Machine Learning. NDSS 2020. [pdf]
2.4.3 SMPC
-
Cerebro: A Platform for Multi-Party Cryptographic Collaborative Learning. USENIX Security 2021. [pdf] [code]
-
Private, Efficient, and Accurate: Protecting Models Trained by Multi-party Learning with Differential Privacy. IEEE S&P 2023. [pdf]
2.4.4 Cryptographic NN Computation
- SoK: Cryptographic Neural-Network Computation. IEEE S&P 2023. [pdf]
2.4.5 Secure Aggregation
-
Flamingo: Multi-Round Single-Server Secure Aggregation with Applications to Private Federated Learning. IEEE S&P 2023. [pdf] [code]
-
ELSA: Secure Aggregation for Federated Learning with Malicious Actors. IEEE S&P 2023. [pdf] [code]
2.5 Platform
2.5.1 Inference Attack Measurement
- ML-Doctor: Holistic Risk Assessment of Inference Attacks Against Machine Learning Models. USENIX Security 2022.
Membership inference attack. Model inversion. Attribute inference. Model stealing
[pdf]
2.5.2 Survey
- SoK: Let the Privacy Games Begin! A Unified Treatment of Data Inference Privacy in Machine Learning. IEEE S&P 2023.
Systematize privacy risks using a game framework
[pdf]
2.6 Differential Privacy
2.6.1 Tree Model
- Federated Boosted Decision Trees with Differential Privacy. ACM CCS 2022.
Federated learning with tree models under DP
[pdf]
2.6.2 DP
- Spectral-DP: Differentially Private Deep Learning through Spectral Perturbation and Filtering. IEEE S&P 2023.
Spectral DP
[pdf]
2.6.3 LDP
- Locally Differentially Private Frequency Estimation Based on Convolution Framework. IEEE S&P 2023. [pdf]
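For context, the textbook baseline for locally private frequency estimation is randomized response. A minimal sketch under that simple setting (the paper above uses a convolution framework instead):

```python
# Minimal sketch of randomized response: each user keeps their true bit with
# probability p = e^eps / (e^eps + 1); the server debiases the noisy mean.
import numpy as np

def randomize(bit, eps, rng):
    p = np.exp(eps) / (np.exp(eps) + 1.0)
    return bit if rng.random() < p else 1 - bit

def estimate_frequency(reports, eps):
    """Unbiased estimate of the true fraction of 1s from noisy reports."""
    p = np.exp(eps) / (np.exp(eps) + 1.0)
    return (np.mean(reports) + p - 1.0) / (2.0 * p - 1.0)

rng = np.random.default_rng(0)
truth = (rng.random(100000) < 0.3).astype(int)  # 30% of users hold bit 1
reports = np.array([randomize(b, 1.0, rng) for b in truth])
print(estimate_frequency(reports, 1.0))  # ~0.30
```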
Contributing
This list is mainly maintained by Ping He from NESA Lab.
Contributions to this repository are very welcome!
Markdown format
**Paper Name**. Conference Year. `Keywords` [[pdf](pdf_link)] [[code](code_link)]
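For example, a filled-in entry would look like this (links are placeholders):
**Example Paper Title**. IEEE S&P 2024. `Example Keywords` [[pdf](https://example.com/paper.pdf)] [[code](https://github.com/example/repo)]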
Licenses
To the extent possible under law, gnipping has waived all copyright and related or neighboring rights to this repository.