README.md

Awesome-ML-Security-and-Privacy-Papers

A curated list of Meachine learning Security & Privacy papers published in security top-4 conferences (IEEE S&P, ACM CCS, USENIX Security and NDSS).

Contents:

• Awesome-ML-Security-and-Privacy-Papers
  • Contents:
  • 1. Security Papers
    • 1.1 Adversarial Attack & Defense
      • 1.1.1 Image
      • 1.1.2 Text
      • 1.1.3 Audio
      • 1.1.4 Video
      • 1.1.5 Graph
      • 1.1.6 Software
      • 1.1.7 Hardware
      • 1.1.8 Interpret Method
      • 1.1.9 Physical World
      • 1.1.10 Reinforcement Learning
      • 1.1.11 Robust Defense
      • 1.1.12 Network Traffic
      • 1.1.13 Wireless Communication System
      • 1.1.14 Tabular Data
    • 1.2 Distributed Machine Learning
      • 1.2.1 Federated Learning
      • 1.2.2 Normal Distributed Learning
    • 1.3 Data Poisoning
      • 1.3.1 Hijack Embedding
      • 1.3.2 Hijack Autocomplete Code
      • 1.3.3 Semi-Supervised Learning
      • 1.3.4 Recommender Systems
      • 1.3.5 Classification
      • 1.3.6 Constractive Learning
      • 1.3.7 Privacy
      • 1.3.8 Test-Time Poisoning
      • 1.3.9 Defense
    • 1.4 Backdoor
      • 1.4.1 Image
      • 1.4.2 Text
      • 1.4.3 Graph
      • 1.4.4 Software
      • 1.4.5 Audio
      • 1.4.6 Multimedia
      • 1.4.7 Neuromorphic Data
    • 1.5 ML Library Security
      • 1.5.1 Loss
    • 1.6 AI4Security
      • 1.6.1 Cyberbullying
      • 1.6.2 Security Applications
      • 1.6.3 Advertisement Detection
      • 1.6.4 CAPTCHA
      • 1.6.5 Code Analysis
      • 1.6.6 Chatbot
      • 1.6.7 Side Channel Attack
      • 1.6.8 Guidline
      • 1.6.9 Security Event
      • 1.6.10 Vulnerability Discovery
    • 1.7 AutoML Security
      • 1.7.1 Security Analysis
    • 1.8 Hardware Related Security
      • 1.8.1 Verification
    • 1.9 Security Related Interpreting Method
      • 1.9.1 Anomaly Detection
      • 1.9.2 Faithfulness
      • 1.9.3 Security Applications
    • 1.10 Face Security
      • 1.10.1 Deepfake Detection
      • 1.10.2 Face Impersonation
      • 1.10.3 Face Verification Systems
    • 1.10 AI Generation Security
      • 1.10.1 Text Generation Detection
      • 1.10.2 Deepfake
    • 1.11 LLM Security
      • 1.11.1 Code Analysis
      • 1.11.2 Vision-Language Model
      • 1.11.3 Jailbreaking
      • 1.11.4 Robustness
      • 1.11.5 Generated Text Detection
      • 1.11.6 Backdoor Detection
  • 2. Privacy Papers
    • 2.1 Training Data
      • 2.1.1 Data Recovery
      • 2.1.2 Membership Inference Attack
      • 2.1.3 Information Leakage in Distributed ML System
      • 2.1.4 Information Leakage in Embedding
      • 2.1.5 Graph Leakage
      • 2.1.6 Unlearning
      • 2.1.7 Attribute Inference Attack
      • 2.1.7 Property Inference Attack
      • 2.1.8 Data Synthesis
      • 2.1.8 Dataset Auditing
    • 2.2 Model
      • 2.2.1 Model Extraction
      • 2.2.2 Model Watermark
      • 2.2.3 Model Owenership
      • 2.2.4 Model Integrity
    • 2.3 User Related Privacy
      • 2.3.1 Image
    • 2.4 Private ML Protocols
      • 2.4.1 3PC
      • 2.4.2 4PC
      • 2.4.3 SMPC
      • 2.4.4 Cryptographic NN Computation
      • 2.4.5 Secure Aggregation
    • 2.5 Platform
      • 2.5.1 Inference Attack Measurement
      • 2.5.2 Survey
    • 2.6 Differential Privacy
      • 2.6.1 Tree Model
      • 2.6.2 DP
      • 2.6.3 LDP
  • Contributing
  • Licenses

1. Security Papers

1.1 Adversarial Attack & Defense

1.1.1 Image

1. Hybrid Batch Attacks: Finding Black-box Adversarial Examples with Limited Queries. USENIX Security 2020. Transferability + Query. Black-box Attack [pdf] [code]

2. Adversarial Preprocessing: Understanding and Preventing Image-Scaling Attacks in Machine Learning. USENIX Security 2020. Defense of Image Scaling Attack [pdf] [code]

3. HopSkipJumpAttack: A Query-Efficient Decision-Based Attack. IEEE S&P 2020. Query-based Black-box Attack [pdf] [code]

4. PatchGuard: A Provably Robust Defense against Adversarial Patches via Small Receptive Fields and Masking. USENIX Security 2021. Adversarial Patch Defense [pdf] [code]

5. Gotta Catch'Em All: Using Honeypots to Catch Adversarial Attacks on Neural Networks. ACM CCS 2020. Build an trap in model to induce specific adversarial perturbation [pdf] [code]

6. A Tale of Evil Twins: Adversarial Inputs versus Poisoned Models. ACM CCS 2020. Perturbate both input and model [pdf] [code]

7. Feature-Indistinguishable Attack to Circumvent Trapdoor-Enabled Defense. ACM CCS 2021. A new attack method can break TeD defense mechanism [pdf] [code]

8. DetectorGuard: Provably Securing Object Detectors against Localized Patch Hiding Attacks. ACM CCS 2021. Provable robustness for patch hiding in object detection [pdf] [code]

9. It's Not What It Looks Like: Manipulating Perceptual Hashing based Applications. ACM CCS 2021. Adversarial Attack against PHash [pdf] [code]

10. RamBoAttack: A Robust and Query Efficient Deep Neural Network Decision Exploit. NDSS 2022. Query-based black box attack [pdf] [code]

11. What You See is Not What the Network Infers: Detecting Adversarial Examples Based on Semantic Contradiction. NDSS 2022. Generative-based AE detection [pdf] [code]

12. AutoDA: Automated Decision-based Iterative Adversarial Attacks. USENIX 2022. Program Synthesis for Adversarial Attack [pdf]

13. Blacklight: Scalable Defense for Neural Networks against Query-Based Black-Box Attacks. USENIX Security 2022. AE Detection using probabilistic fingerprints based on hash of input similarity [pdf] [code]

14. Physical Hijacking Attacks against Object Trackers. ACM CCS 2022. Adversarial Attacks on Object Trackers [pdf] [code]

15. Post-breach Recovery: Protection against White-box Adversarial Examples for Leaked DNN Models. ACM CCS 2022. Adversarial Attacks on Object Trackers [pdf]

16. Squint Hard Enough: Attacking Perceptual Hashing with Adversarial Machine Learning. USENIX Security 2023. Adversarial Attacks against PhotoDNA and PDQ [pdf]

17. The Space of Adversarial Strategies. USENIX Security 2023. Decompose the Adversarial Attack Components and combine them together [pdf]

18. Stateful Defenses for Machine Learning Models Are Not Yet Secure Against Black-box Attacks. ACM CCS 2023. Attack strategy to enhance the query-based attack against the stateful defense [pdf] [code])]

19. BounceAttack: A Query-Efficient Decision-based Adversarial Attack by Bouncing into the Wild. IEEE S&P 2024. Query-based hard label attack [pdf]

20. Sabre: Cutting through Adversarial Noise with Adaptive Spectral Filtering and Input Reconstruction. IEEE S&P 2024. Filter-based adversarial perturbation defense [pdf] [code])]

21. Sabre: Cutting through Adversarial Noise with Adaptive Spectral Filtering and Input Reconstruction. IEEE S&P 2024. Adversarial attack against face recognization system [pdf] [code])]

22. Why Does Little Robustness Help? A Further Step Towards Understanding Adversarial Transferability. IEEE S&P 2024. Exploring the transferability of adversarial examples [pdf] [code])]

23. Group-based Robustness: A General Framework for Customized Robustness in the Real World. NDSS 2024. New metrics to measure adversarial examples [pdf]

24. DorPatch: Distributed and Occlusion-Robust Adversarial Patch to Evade Certifiable Defenses. NDSS 2024. Adversarial path against certified robustness [pdf] [code])]

25. UniID: Spoofing Face Authentication System by Universal Identity. NDSS 2024. Face apoofing attack [pdf]

26. Enhance Stealthiness and Transferability of Adversarial Attacks with Class Activation Mapping Ensemble Attack. NDSS 2024. Enhancing transferability of adversarial examples [pdf] [code])]

1.1.2 Text

1. TextShield: Robust Text Classification Based on Multimodal Embedding and Neural Machine Translation. USENIX Security 2020. Defense in preprossing [pdf]

2. Bad Characters: Imperceptible NLP Attacks. IEEE S&P 2022. Use unicode to conduct human imperceptible attack [pdf] [code]

3. Order-Disorder: Imitation Adversarial Attacks for Black-box Neural Ranking Models. ACM CCS 2022. Attack Neural Ranking Models [pdf]

4. No more Reviewer #2: Subverting Automatic Paper-Reviewer Assignment using Adversarial Learning. USENIX Security 2023. Adversarial Attack on Paper Assignment [pdf]

1.1.3 Audio

1. WaveGuard: Understanding and Mitigating Audio Adversarial Examples. USENIX Security 2021. Defense in preprossing [pdf] [code]

2. Dompteur: Taming Audio Adversarial Examples. USENIX Security 2021. Defense in preprossing. Preprocessing the audio to make the noise human noticeable [pdf] [code]

3. EarArray: Defending against DolphinAttack via Acoustic Attenuation. NDSS 2021. Defense [pdf]

4. Who is Real Bob? Adversarial Attacks on Speaker Recognition Systems. IEEE S&P 2021. Attack [pdf] [code]

5. Hear "No Evil", See "Kenansville": Efficient and Transferable Black-Box Attacks on Speech Recognition and Voice Identification Systems. IEEE S&P 2021. Black-box Attack [pdf]

6. SoK: The Faults in our ASRs: An Overview of Attacks against Automatic Speech Recognition and Speaker Identification Systems. IEEE S&P 2021. Survey [pdf]

7. AdvPulse: Universal, Synchronization-free, and Targeted Audio Adversarial Attacks via Subsecond Perturbations. ACM CCS 2020. Attack [pdf]

8. Black-box Adversarial Attacks on Commercial Speech Platforms with Minimal Information. ACM CCS 2021. Black-box Attack. Physical World [pdf]

9. Perception-Aware Attack: Creating Adversarial Music via Reverse-Engineering Human Perception. ACM CCS 2022. Adversarial Audio with human-aware noise [pdf]

10. SpecPatch: Human-in-the-Loop Adversarial Audio Spectrogram Patch Attack on Speech Recognition. ACM CCS 2022. Adversarial Patch for audio [pdf]

11. Learning Normality is Enough: A Software-based Mitigation against Inaudible Voice Attacks. USENIX Security 2023. Unsupervised learning-based defense [pdf]

12. Understanding and Benchmarking the Commonality of Adversarial Examples. IEEE S&P 2024. Common features of adversarial audio examples [pdf]

13. ALIF: Low-Cost Adversarial Audio Attacks on Black-Box Speech Platforms using Linguistic Features. IEEE S&P 2024. Black-box adverarial audio attack [pdf] [code]

14. Inaudible Adversarial Perturbation: Manipulating the Recognition of User Speech in Real Time. NDSS 2024. Compeletely inaudible adversarial attack [pdf] [code]

15. Parrot-Trained Adversarial Examples: Pushing the Practicality of Black-Box Audio Attacks against Speaker Recognition Models. NDSS 2024. Black-box adverarial audio attack using parrot [pdf]

1.1.4 Video

1. Universal 3-Dimensional Perturbations for Black-Box Attacks on Video Recognition Systems. IEEE S&P 2022. Adversarial attack in video recognition [pdf]

2. StyleFool: Fooling Video Classification Systems via Style Transfer. IEEE S&P 2023. Style Transfer to conduct adversarial attack [pdf] [code]

1.1.5 Graph

1. A Hard Label Black-box Adversarial Attack Against Graph Neural Networks. ACM CCS 2021. Graph Classification [pdf]

1.1.6 Software

1. Evading Classifiers by Morphing in the Dark. ACM CCS 2017. Morpher and search to generate adversarial PDF [pdf]

2. Misleading Authorship Attribution of Source Code using Adversarial Learning. USENIX Security 2019. Adversarial attack in source code, MCST [pdf] [code]

3. Intriguing Properties of Adversarial ML Attacks in the Problem Space. IEEE S&P 2020. Attack Malware Classification [pdf]

4. Structural Attack against Graph Based Android Malware Detection. IEEE S&P 2020. Perturbed function call graph [pdf]

5. URET: Universal Robustness Evaluation Toolkit (for Evasion). USENIX Security 2023. General Toolbox to select the perdefined perturbations [pdf] [code]

6. Adversarial Training for Raw-Binary Malware Classifiers. USENIX Security 2023. Adversarial Training for Windows PE malware [pdf]

7. PELICAN: Exploiting Backdoors of Naturally Trained Deep Learning Models In Binary Code Analysis. USENIX Security 2023. Reverse engineering natural backdoor in transformer-based x86 binary code analysis task [pdf]

8. Black-box Adversarial Example Attack towards FCG Based Android Malware Detection under Incomplete Feature Information. USENIX Security 2023. Black-box Android Adversarial Malware against the FCG-based ML classifier [pdf]

9. Efficient Query-Based Attack against ML-Based Android Malware Detection under Zero Knowledge Setting. ACM CCS 2023. Semantic similar perturbations are more likely to have similar evasion effectiveness [pdf] [code]

1.1.7 Hardware

1. ATTRITION: Attacking Static Hardware Trojan Detection Techniques Using Reinforcement Learning. ACM CCS 2022. Attack Hardware Trojan Detection [pdf]

2. DeepShuffle: A Lightweight Defense Framework against Adversarial Fault Injection Attacks on Deep Neural Networks in Multi-Tenant Cloud-FPGA. IEEE S&P 2024. Adversarial defense against adversarial fault injection [pdf]

1.1.8 Interpret Method

1. Interpretable Deep Learning under Fire. USENIX Security 2020. Attack both image classification and interpret method [pdf]

2. “Is your explanation stable?”: A Robustness Evaluation Framework for Feature Attribution. ACM CCS 2022. Hypothesis Testing to increasing the robustness of explaination methods [pdf]

3. AIRS: Explanation for Deep Reinforcement Learning based Security Applications. USENIX Security 2023. DRL Interpertation Method to pinpoint the most influence step [pdf] [code]

4. SoK: Explainable Machine Learning in Adversarial Environments. IEEE S&P 2024. Adversarial Explaination SoK [pdf

1.1.9 Physical World

1. SLAP: Improving Physical Adversarial Examples with Short-Lived Adversarial Perturbations. USENIX Security 2021. Projector light causes misclassification [pdf] [code]

2. Understanding Real-world Threats to Deep Learning Models in Android Apps. ACM CCS 2022. Adversarial Attack in real-world models [pdf]

3. X-Adv: Physical Adversarial Object Attacks against X-ray Prohibited Item Detection. USENIX Security 2023. Adversarial Attack on X-ray Images [pdf] [code]

4. That Person Moves Like A Car: Misclassification Attack Detection for Autonomous Systems Using Spatiotemporal Consistency. USENIX Security 2023. Robust OD in Autonomous System using spatiotemporal information [pdf]

5. You Can't See Me: Physical Removal Attacks on LiDAR-based Autonomous Vehicles Driving Frameworks. USENIX Security 2023. Adversarial attack against Autonomous Vehicles using Laser [pdf] demo]

6. CAPatch: Physical Adversarial Patch against Image Captioning Systems. USENIX Security 2023. Physical Adversarial Patch against the image caption system [pdf] [code]

7. Exorcising "Wraith": Protecting LiDAR-based Object Detector in Automated Driving System from Appearing Attacks. USENIX Security 2023. Defend the appearing attack in autonomous system using local objectness predictor [pdf] [code]

8. Invisible Reflections: Leveraging Infrared Laser Reflections to Target Traffic Sign Perception. NDSS 2024. Adversarial attacks on automous vehicles using infrared laser reflections [pdf]

1.1.10 Reinforcement Learning

1. Adversarial Policy Training against Deep Reinforcement Learning. USENIX Security 2021. Weird behavior to trigger opposite abnormal action. Two-agent competitor game [pdf] [code]

1.1.11 Robust Defense

1. Cost-Aware Robust Tree Ensembles for Security Applications. USENIX Security 2021. Propose Cost of feature to certify the model robustness [pdf] [code]

2. CADE: Detecting and Explaining Concept Drift Samples for Security Applications. USENIX Security 2021. Detect Concept shift [pdf] [code]

3. Learning Security Classifiers with Verified Global Robustness Properties. ACM CCS 2021. Train a classifier with global robustness [pdf] [code]

4. On the Robustness of Domain Constraints. ACM CCS 2021. Domain constraints. Input space robustness [pdf]

5. Cert-RNN: Towards Certifying the Robustness of Recurrent Neural Networks. ACM CCS 2021. Certify robustness in RNN [pdf]

6. TSS: Transformation-Specific Smoothing for Robustness Certification. ACM CCS 2021. Certify robustness about transformation [pdf][code]

7. Transcend: Detecting Concept Drift in Malware Classification Models. USENIX Security 2017. Conformal evaluators [pdf] [code]

8. Transcending Transcend: Revisiting Malware Classification in the Presence of Concept Drift. IEEE S&P 2022. New conformal evaluators [pdf][code]

9. Transferring Adversarial Robustness Through Robust Representation Matching. USENIX Security 2022. Robust Transfer Learning [pdf]

10. DiffSmooth: Certifiably Robust Learning via Diffusion Models and Local Smoothing. USENIX Security 2023. Diffusion Model Improve Certified Robustness [pdf]

11. Anomaly Detection in the Open World: Normality Shift Detection, Explanation, and Adaptation. NDSS 2023. Concept Drift Detection using unsupervised approch [pdf] [code]

12. BARS: Local Robustness Certification for Deep Learning based Traffic Analysis Systems. NDSS 2023. Certified Robustness for Traffic Analysis Systems [pdf] [code]

13. REaaS: Enabling Adversarially Robust Downstream Classifiers via Robust Encoder as a Service. NDSS 2023. Build a certificable EaaS model [pdf]

14. Continuous Learning for Android Malware Detection. USENIX Security 2023. New Continual Learning Paridigram for Malware detection [pdf] [code]

15. ObjectSeeker: Certifiably Robust Object Detection against Patch Hiding Attacks via Patch-agnostic Masking. IEEE S&P 2023. Certified robustness of object detection [pdf] [code]

16. On The Empirical Effectiveness of Unrealistic Adversarial Hardening Against Realistic Adversarial Attacks. IEEE S&P 2023. Adversarial attacks on feature space may enhance the robustness in problem space [pdf] [code]

17. Text-CRS: A Generalized Certified Robustness Framework against Textual Adversarial Attacks. IEEE S&P 2024. Certified robustness on adversarial text [pdf] [code]

18. It's Simplex! Disaggregating Measures to Improve Certified Robustness. IEEE S&P 2024. Disagreement to improve the certified robustness [pdf] [code]

1.1.12 Network Traffic

1. Defeating DNN-Based Traffic Analysis Systems in Real-Time With Blind Adversarial Perturbations. USENIX Security 2021. Adversarial attack to defeat DNN-based traffic analysis [pdf] [code]

2. Pryde: A Modular Generalizable Workflow for Uncovering Evasion Attacks Against Stateful Firewall Deployments. IEEE S&P 2024. Evasion attack against Firewalls [pdf]

3. Multi-Instance Adversarial Attack on GNN-Based Malicious Domain Detection. IEEE S&P 2024. Adversarial attack on GNN-based malicious domain detection [pdf] [code]

1.1.13 Wireless Communication System

1. Robust Adversarial Attacks Against DNN-Based Wireless Communication Systems. ACM CCS 2021. Attack [pdf]

1.1.14 Tabular Data

1. Adversarial Robustness for Tabular Data through Cost and Utility Awareness. NDSS 2023. Adversarial Attack & Defense on tabular data [pdf]

1.2 Distributed Machine Learning

1.2.1 Federated Learning

1. Local Model Poisoning Attacks to Byzantine-Robust Federated Learning. USENIX Security 2020. Poisoning Attack [pdf]

2. Manipulating the Byzantine: Optimizing Model Poisoning Attacks and Defenses for Federated Learning. NDSS 2021. Poisoning Attack [pdf]

3. DeepSight: Mitigating Backdoor Attacks in Federated Learning Through Deep Model Inspection. NDSS 2022. Backdoor defense [pdf]

4. FLAME: Taming Backdoors in Federated Learning. USENIX Security 2022. Backdoor defense [pdf]

5. EIFFeL: Ensuring Integrity for Federated Learning. ACM CCS 2022. New FL Protocol to guarteen integrity [pdf]

6. Eluding Secure Aggregation in Federated Learning via Model Inconsistency. ACM CCS 2022. Model inconsistency to break the secure aggregation [pdf]

7. FedRecover: Recovering from Poisoning Attacks in Federated Learning using Historical Information. IEEE S&P 2023. Poisoned Model Recovery Algorithm [pdf]

8. Every Vote Counts: Ranking-Based Training of Federated Learning to Resist Poisoning Attacks. USENIX Security 2023. Discrete the model updates and purning the model to defense the poisoning attack [pdf] [code]

9. Securing Federated Sensitive Topic Classification against Poisoning Attacks. NDSS 2023. Robust Aggregation against the poisoning attack [pdf]

10. BayBFed: Bayesian Backdoor Defense for Federated Learning. IEEE S&P 2023. Purify the model updates using bayesian [pdf]

11. ADI: Adversarial Dominating Inputs in Vertical Federated Learning Systems. IEEE S&P 2023. Poisoning the vertical federated learning system [pdf] [code]

12. 3DFed: Adaptive and Extensible Framework for Covert Backdoor Attack in Federated Learning. IEEE S&P 2023. Convert normal backdoor into the federated learning scenario [pdf]

13. FLShield: A Validation Based Federated Learning Framework to Defend Against Poisoning Attacks. IEEE S&P 2023. Data poisoning defense [pdf]

14. BadVFL: Backdoor Attacks in Vertical Federated Learning. IEEE S&P 2023. Backdoor attacks against vertical federated learning [pdf]

15. CrowdGuard: Federated Backdoor Detection in Federated Learning. NDSS 2024. Backdoor detection in federated learning leveraging hidden layer outputs [pdf] [code]

16. Automatic Adversarial Adaption for Stealthy Poisoning Attacks in Federated Learning. NDSS 2024. Adaptative poisoning attacks in FL [pdf]

17. FreqFed: A Frequency Analysis-Based Approach for Mitigating Poisoning Attacks in Federated Learning. NDSS 2024. Mitigate poisoning attack in FL using frequency analysis techniques [pdf]

1.2.2 Normal Distributed Learning

1. Justinian's GAAvernor: Robust Distributed Learning with Gradient Aggregation Agent. USENIX Security 2020. Defense in Gradient Aggregation. Reinforcement learning [pdf]

1.3 Data Poisoning

1.3.1 Hijack Embedding

1. Humpty Dumpty: Controlling Word Meanings via Corpus Poisoning. IEEE S&P 2020. Hijack Word Embedding [pdf]

1.3.2 Hijack Autocomplete Code

1. You Autocomplete Me: Poisoning Vulnerabilities in Neural Code Completion. USENIX Security 2021. Hijack Code Autocomplete [pdf]

2. TROJANPUZZLE: Covertly Poisoning Code-Suggestion Models. IEEE S&P 2024. Hijack Code Autocomplete [pdf] [code]

1.3.3 Semi-Supervised Learning

1. Poisoning the Unlabeled Dataset of Semi-Supervised Learning. USENIX Security 2021. Poisoning semi-supervised learning [pdf]

1.3.4 Recommender Systems

1. Data Poisoning Attacks to Deep Learning Based Recommender Systems. NDSS 2021. The attacker chosen items are recommended as much as possible [pdf]

2. Reverse Attack: Black-box Attacks on Collaborative Recommendation. ACM CCS 2021. Black-box setting. Surrogate model. Collaborative Filtering. Demoting and Promoting [pdf]

1.3.5 Classification

1. Subpopulation Data Poisoning Attacks. ACM CCS 2021. Poisoning to flip a group of data samples [pdf]

2. Get a Model! Model Hijacking Attack Against Machine Learning Models. NDSS 2022. Fusing dataset to hijacking model [pdf] [code]

1.3.6 Constractive Learning

1. PoisonedEncoder: Poisoning the Unlabeled Pre-training Data in Contrastive Learning. USENIX Security 2022. Poison attack in constractive learning [pdf]

1.3.7 Privacy

1. Truth Serum: Poisoning Machine Learning Models to Reveal Their Secrets. ACM CCS 2022. Poison attack to reveal sensitive information [pdf]

1.3.8 Test-Time Poisoning

1. Test-Time Poisoning Attacks Against Test-Time Adaptation Models. IEEE S&P 2024. Poisoning attack at test time [pdf] [code]

1.3.9 Defense

1. Poison Forensics: Traceback of Data Poisoning Attacks in Neural Networks. USENIX Security 2022. Identify poisioned subset by clustering and purning benign set [pdf]

2. Meta-Sift: How to Sift Out a Clean Subset in the Presence of Data Poisoning?. USENIX Security 2023. Obtain a clean subset from the poisoned set [pdf] [code]

1.4 Backdoor

1.4.1 Image

1. Demon in the Variant: Statistical Analysis of DNNs for Robust Backdoor Contamination Detection. USENIX Security 2021. Class-specific Backdoor. Defense by decomposition [pdf]

2. Double-Cross Attacks: Subverting Active Learning Systems. USENIX Security 2021. Active Learning System. Backdoor Attack [pdf]

3. Detecting AI Trojans Using Meta Neural Analysis. IEEE S&P 2021. Meta Neural Classifier [pdf] [code]

4. BadEncoder: Backdoor Attacks to Pre-trained Encoders in Self-Supervised Learning. IEEE S&P 2022. Backdoor attack in image-text pretrained model [pdf] [code]

5. Composite Backdoor Attack for Deep Neural Network by Mixing Existing Benign Features. ACM CCS 2020. Composite backdoor. Image & text tasks [pdf] [code]

6. AI-Lancet: Locating Error-inducing Neurons to Optimize Neural Networks. ACM CCS 2021. Locate neural location and finetuning it [pdf]

7. LoneNeuron: a Highly-Effective Feature-Domain Neural Trojan Using Invisible and Polymorphic Watermarks. ACM CCS 2022. Backdoor attack by modifying neuros [pdf]

8. ATTEQ-NN: Attention-based QoE-aware Evasive Backdoor Attacks. NDSS 2022. Backdoor attack by attention techniques [pdf]

9. RAB: Provable Robustness Against Backdoor Attacks. IEEE S&P 2023. Backdoor Cetrification [pdf]

10. A Data-free Backdoor Injection Approach in Neural Networks. USENIX Security 2023. Data free backdoor injection [pdf] [code]

11. Backdoor Attacks Against Dataset Distillation. NDSS 2023. Backdoor attack against dataset istillation [pdf] [code]

12. BEAGLE: Forensics of Deep Learning Backdoor Attack for Better Defense. NDSS 2023. Backdoor Forensics [pdf] [code]

13. Disguising Attacks with Explanation-Aware Backdoors. IEEE S&P 2023. Backdoor to mislead the explaination method [pdf]

14. Selective Amnesia: On Efficient, High-Fidelity and Blind Suppression of Backdoor Effects in Trojaned Machine Learning Models. IEEE S&P 2023. Finetuning to remove backdoor [pdf]

15. AI-Guardian: Defeating Adversarial Attacks using Backdoors. IEEE S&P 2023. using backdoor to detect adversarial example. Backdoor with all-to-all mapping and reverse the mapping [pdf]

16. REDEEM MYSELF: Purifying Backdoors in Deep Learning Models using Self Attention Distillation. IEEE S&P 2023. Purifying backdoor using model distillation [pdf]

17. NARCISSUS: A Practical Clean-Label Backdoor Attack with Limited Information. ACM CCS 2023. Clean label backdoor attack [pdf] [code]

18. ASSET: Robust Backdoor Data Detection Across a Multiplicity of Deep Learning Paradigms. USENIX Security 2023. Backdoor Defense works in Different Learning Paradigms [pdf] [code]

19. ODSCAN: Backdoor Scanning for Object Detection Models. IEEE S&P 2024. Backdoor defense by model dynamics [pdf] [github]

20. MM-BD: Post-Training Detection of Backdoor Attacks with Arbitrary Backdoor Pattern Types Using a Maximum Margin Statistic. IEEE S&P 2024. Backdoor defense using maximum margin statistic in classification layer [pdf] [github]

21. Distribution Preserving Backdoor Attack in Self-supervised Learning. IEEE S&P 2024. Backdoor attack in contrastive learning by improving the distribution [pdf] [github]

1.4.2 Text

1. T-Miner: A Generative Approach to Defend Against Trojan Attacks on DNN-based Text Classification. USENIX Security 2021. Backdoor Defense. GAN to recover trigger [pdf] [code]

2. Hidden Backdoors in Human-Centric Language Models. ACM CCS 2021. Novel trigger [pdf] [code]

3. Backdoor Pre-trained Models Can Transfer to All. ACM CCS 2021. Backdoor in pre-trained to poison the down stream task [pdf] [code]

4. Hidden Trigger Backdoor Attack on NLP Models via Linguistic Style Manipulation. USENIX Security 2022. Backdoor via linguistic style manipulation [pdf]

5. TextGuard: Provable Defense against Backdoor Attacks on Text Classification. NDSS 2024. Provable backdoor defense by spliting the sentence and ensumble learning [pdf] [code]

1.4.3 Graph

1. Graph Backdoor. USENIX Security 2021. Classification [pdf] [code]

1.4.4 Software

1. Explanation-Guided Backdoor Poisoning Attacks Against Malware Classifiers. USENIX Security 2021. Explanation Method. Evade Classification [pdf] [code]

1.4.5 Audio

1. TrojanModel: A Practical Trojan Attack against Automatic Speech Recognition Systems. IEEE S&P 2023. Backdoor attack in speech recognition systems [pdf]

2. MagBackdoor: Beware of Your Loudspeaker as Backdoor of Magnetic Attack for Malicious Command Injection. IEEE S&P 2023. Backdoor attack in audio using magentic trigget [pdf]

1.4.6 Multimedia

1. Backdooring Multimodal Learning. IEEE S&P 2024. Backdoor attack in multimedia learning [pdf] [code]

1.4.7 Neuromorphic Data

1. Sneaky Spikes: Uncovering Stealthy Backdoor Attacks in Spiking Neural Networks with Neuromorphic Data. NDSS 2024. Backdoor attack in neuromorphic data [pdf] [code]

1.5 ML Library Security

1.5.1 Loss

1. Blind Backdoors in Deep Learning Models. USENIX Security 2021. Loss Manipulation. Backdoor [pdf] [code]

2. IvySyn: Automated Vulnerability Discovery in Deep Learning Frameworks. USENIX Security 2023. Automatic Bug Discovery in ML libraries [pdf]

1.6 AI4Security

1.6.1 Cyberbullying

1. Towards Understanding and Detecting Cyberbullying in Real-world Images. NDSS 2021. Detect image cyberbully [pdf]

2. You Only Prompt Once: On the Capabilities of Prompt Learning on Large Language Models to Tackle Toxic Content. IEEE S&P 2024. Using LLM for toxic content detection [pdf] [code]

1.6.2 Security Applications

1. FARE: Enabling Fine-grained Attack Categorization under Low-quality Labeled Data. NDSS 2021. Clustering Method to complete the dataset label [pdf] [code]

2. From Grim Reality to Practical Solution: Malware Classification in Real-World Noise. IEEE S&P 2023. Noise Learning method for malware detection [pdf] [code]

3. Decoding the Secrets of Machine Learning in Windows Malware Classification: A Deep Dive into Datasets, Features, and Model Performance. ACM CCS 2023. static features are better than dynamic feature in WindowsPE malware detection [pdf]

4. KAIROS: Practical Intrusion Detection and Investigation using Whole-system Provenance. IEEE S&P 2024. GNN-based intrusion detection method [pdf] [code]

5. FLASH: A Comprehensive Approach to Intrusion Detection via Provenance Graph Representation Learning. IEEE S&P 2024. GNN-based intrusion detection method [pdf] [code]

6. Understanding and Bridging the Gap Between Unsupervised Network Representation Learning and Security Analytics. IEEE S&P 2024. Unsupervised graph learning for graph-based security applications [pdf] [code]

7. FP-Fed: Privacy-Preserving Federated Detection of Browser Fingerprinting. NDSS 2024. Federated learning for browser fingerprinting [pdf]

8. GNNIC: Finding Long-Lost Sibling Functions with Abstract Similarity. NDSS 2024. GNN for static analysis [pdf]

9. Experimental Analyses of the Physical Surveillance Risks in Client-Side Content Scanning. NDSS 2024. Attack client scanning systems [pdf]

10. Attributions for ML-based ICS Anomaly Detection: From Theory to Practice. NDSS 2024. Evaluating attribution methods for industrial control systems [pdf] [code]

11. DRAINCLoG: Detecting Rogue Accounts with Illegally-obtained NFTs using Classifiers Learned on Graphs. NDSS 2024. Detecting rogue accounts in NFTs using GNN [pdf]

12. Low-Quality Training Data Only? A Robust Framework for Detecting Encrypted Malicious Network Traffic. NDSS 2024. Training ML-based traffic detection using low-quality data [pdf] [code]

13. SafeEar: Content Privacy-Preserving Audio Deepfake Detection. ACM CCS 2024. Speech content privacy-preserving deepfake detection [pdf] [website] [code] [dataset]

1.6.3 Advertisement Detection

1. WtaGraph: Web Tracking and Advertising Detection using Graph Neural Networks. IEEE S&P 2022. GNN [pdf]

1.6.4 CAPTCHA

1. Text Captcha Is Dead? A Large Scale Deployment and Empirical Studys. ACM CCS 2020. Adversarial CAPTCHA [pdf]

2. Attacks as Defenses: Designing Robust Audio CAPTCHAs Using Attacks on Automatic Speech Recognition Systems. NDSS 2023. Adversarial Audio CAPTCHA [pdf] [demo]

3. A Generic, Efficient, and Effortless Solver with Self-Supervised Learning for Breaking Text Captchas. IEEE S&P 2023. Text CAPTCHA Solver [pdf]

1.6.5 Code Analysis

1. PalmTree: Learning an Assembly Language Model for Instruction Embedding. ACM CCS 2021. Pre-trained model to generate code embedding [pdf] [code]

2. CALLEE: Recovering Call Graphs for Binaries with Transfer and Contrastive Learning. IEEE S&P 2023. Recovering call graph from binaries using transfer and contrastive learning [pdf] [code]

3. Examining Zero-Shot Vulnerability Repair with Large Language Models. IEEE S&P 2023. Zero-short vulnerability repair using large language model [pdf]

4. Raconteur: A Knowledgeable, Insightful, and Portable LLM-Powered Shell Command Explainer. NDSS 2025. LLM-powered malicious code analysis [pdf] [website]

1.6.6 Chatbot

1. Why So Toxic? Measuring and Triggering Toxic Behavior in Open-Domain Chatbots. ACM CCS 2022. Measuring Chatbot Textico behavior [pdf]

1.6.7 Side Channel Attack

1. Towards a General Video-based Keystroke Inference Attack. USENIX Security 2023. Self Supervised Learning to recover the keybroad input [pdf]

2. Deep perceptual hashing algorithms with hidden dual purpose: when client-side scanning does facial recognition. IEEE S&P 2023. Manipulate deep phash algorithm to conduct specific person inference [pdf] [code]

1.6.8 Guidline

1. Dos and Don'ts of Machine Learning in Computer Security. USENIX Security 2022. Survey pitfalls in ML4Security [pdf]

2. “Security is not my field, I’m a stats guy”: A Qualitative Root Cause Analysis of Barriers to Adversarial Machine Learning Defenses in Industry. USENIX Security 2023. Survey AML Application in Industry [pdf]

3. Everybody’s Got ML, Tell Me What Else You Have: Practitioners’ Perception of ML-Based Security Tools and Explanations. IEEE S&P 2023. Explainable AI in practice [pdf]

1.6.9 Security Event

1. CERBERUS: Exploring Federated Prediction of Security Events. ACM CCS 2022. Federated Learning to predict security event [pdf]

1.6.10 Vulnerability Discovery

1. VulChecker: Graph-based Vulnerability Localization in Source Code. USENIX Security 2023. Detecting Bugs using GCN [pdf] [code]

1.7 AutoML Security

1.7.1 Security Analysis

1. On the Security Risks of AutoML. USENIX Security 2022. Adversarial evasion. Model poisoning. Backdoor. Functionality stealing. Membership Inference [pdf]

1.8 Hardware Related Security

1.8.1 Verification

1. DeepDyve: Dynamic Verification for Deep Neural Networks. ACM CCS 2020. [pdf]

2. NeuroPots: Realtime Proactive Defense against Bit-Flip Attacks in Neural Networks. USENIX Security 2023. Honey Pot to trap the bitflip attacks [pdf]

3. Aegis: Mitigating Targeted Bit-flip Attacks against Deep Neural Networks. USENIX Security 2023. Train multi classifer to defend the BFA [pdf] [code]

1.9 Security Related Interpreting Method

1.9.1 Anomaly Detection

1. DeepAID: Interpreting and Improving Deep Learning-based Anomaly Detection in Security Applications. ACM CCS 2021. Anomaly detection [pdf] [code]

1.9.2 Faithfulness

1. Good-looking but Lacking Faithfulness: Understanding Local Explanation Methods through Trend-based Testing. ACM CCS 2023. Trend-based faithfulness testing [pdf] [code]

1.9.3 Security Applications

1. FINER: Enhancing State-of-the-art Classifiers with Feature Attribution to Facilitate Security Analysis. ACM CCS 2023. Ensumble explaination for different stakeholder [pdf] [code]

1.10 Face Security

1.10.1 Deepfake Detection

1. Who Are You (I Really Wanna Know)? Detecting Audio DeepFakes Through Vocal Tract Reconstruction. USENIX Security 2022. deepfake detection using vocal tract reconstruction [pdf]

1.10.2 Face Impersonation

1. ImU: Physical Impersonating Attack for Face Recognition System with Natural Style Changes. IEEE S&P 2023. StyleGAN to impersonate persion [pdf] [code]

2. DepthFake: Spoofing 3D Face Authentication with a 2D Photo. IEEE S&P 2023. Adversarial image to attack 3D photos [pdf] [demo]

1.10.3 Face Verification Systems

1. Understanding the (In)Security of Cross-side Face Verification Systems in Mobile Apps: A System Perspective. IEEE S&P 2023. Measurement study of the security risks of cross-side face verification systems. [pdf]

1.10 AI Generation Security

1.10.1 Text Generation Detection

1. Deepfake Text Detection: Limitations and Opportunities. IEEE S&P 2023. Detecting the machine generated text [pdf] [code]

1.10.2 Deepfake

1. SoK: The Good, The Bad, and The Unbalanced: Measuring Structural Limitations of Deepfake Media Datasets. USENIX Security 2024. Issues in deepfake media dataset [pdf] [website]

2. SafeEar: Content Privacy-Preserving Audio Deepfake Detection. ACM CCS 2024. Speech content privacy-preserving deepfake detection [pdf] [website] [code] [dataset]

1.11 LLM Security

1.11.1 Code Analysis

1. Large Language Models for Code: Security Hardening and Adversarial Testing. ACM CCS 2023. Prefix tuning for secure code generation [pdf] [code]

2. DeGPT: Optimizing Decompiler Output with LLM. NDSS 2024. LLM-enhanced reverse engineering [pdf] [code]

3. Raconteur: A Knowledgeable, Insightful, and Portable LLM-Powered Shell Command Explainer. NDSS 2025. LLM-powered malicious code analysis [pdf] [website]

1.11.2 Vision-Language Model

1. Transferable Multimodal Attack on Vision-Language Pre-training Models. IEEE S&P 2024. Transferable adversarial attack on VLM [pdf]

2. SneakyPrompt: Jailbreaking Text-to-image Generative Models. IEEE S&P 2024. Jailbreaking text-to-image generative model using reinforcement-learning adversarial NLP methods [pdf] [code]

3. SafeGen: Mitigating Unsafe Content Generation in Text-to-Image Models. ACM CCS 2024. defending against unsafe content generation in text-to-image models [pdf] [code] [model]

1.11.3 Jailbreaking

1. MASTERKEY: Automated Jailbreaking of Large Language Model Chatbots. NDSS 2024. LLM jailbreaking [pdf]

2. Legilimens: Practical and Unified Content Moderation for Large Language Model Services. ACM CCS 2024. Jailbreaking input/output moderation [pdf] [code]

1.11.4 Robustness

1. Improving the Robustness of Transformer-based Large Language Models with Dynamic Attention. NDSS 2024. Improving the robustness of LLM by dynamic attention [pdf]

1.11.5 Generated Text Detection

1. DEMASQ: Unmasking the ChatGPT Wordsmith. NDSS 2024. Generated text detection [pdf]

1.11.6 Backdoor Detection

1. LMSanitator: Defending Prompt-Tuning Against Task-Agnostic Backdoors. NDSS 2024. Task-agnostic backdoor detection [pdf] [code]

2. Privacy Papers

2.1 Training Data

2.1.1 Data Recovery

1. Updates-Leak: Data Set Inference and Reconstruction Attacks in Online Learning. USENIX Security 2020. Online Learning. Model updates [pdf]

2. Extracting Training Data from Large Language Models. USENIX Security 2021. Membership inference attack. GPT-2 [pdf]

3. Analyzing Information Leakage of Updates to Natural Language Models. ACM CCS 2020. data leakage in model changes [pdf]

4. TableGAN-MCA: Evaluating Membership Collisions of GAN-Synthesized Tabular Data Releasing. ACM CCS 2021. Membership collision in GAN [pdf]

5. DataLens: Scalable Privacy Preserving Training via Gradient Compression and Aggregation. ACM CCS 2021. DP to train an privacy preserving GAN [pdf]

6. Property Inference Attacks Against GANs. NDSS 2022. Property Inference Attacks Against GAN [pdf] [code]

7. MIRROR: Model Inversion for Deep Learning Network with High Fidelity. NDSS 2022. Model inversion attack using GAN [pdf] [code]

8. Analyzing Leakage of Personally Identifiable Information in Language Models. IEEE S&P 2023. Personally identifiable information leakage in language model [pdf] [code]

9. Timing Channels in Adaptive Neural Networks. NDSS 2024. Infer input of adaptive NN using timing information [pdf] [code]

10. Crafter: Facial Feature Crafting against Inversion-based Identity Theft on Deep Models. NDSS 2024. Protect model inversion attack [pdf] [code]

11. Transpose Attack: Stealing Datasets with Bidirectional Training. NDSS 2024. Stealing dataset in bidirectional models [pdf] [code]

12. SafeEar: Content Privacy-Preserving Audio Deepfake Detection. ACM CCS 2024. Speech content privacy-preserving deepfake detection [pdf] [website] [code] [dataset]

2.1.2 Membership Inference Attack

1. Stolen Memories: Leveraging Model Memorization for Calibrated White-Box Membership Inference. USENIX Security 2020. White-box Setting [pdf]

2. Systematic Evaluation of Privacy Risks of Machine Learning Models. USENIX Security 2020. Metric-based Membership inference Attack Method. Define Privacy Risk Score [pdf] [code]

3. Practical Blind Membership Inference Attack via Differential Comparisons. NDSS 2021. Use non-member data to replace shadow model [pdf] [code]

4. GAN-Leaks: A Taxonomy of Membership Inference Attacks against Generative Models. ACM CCS 2020. Membership inference attack in Generative model. Member has small reconstruction error [pdf]

5. Quantifying and Mitigating Privacy Risks of Contrastive Learning. ACM CCS 2021. Membership inference attack. Property inference attack. Contrastive learning in classification task [pdf] [code]

6. Membership Inference Attacks Against Recommender Systems. ACM CCS 2021. Recommender System [pdf] [code]

7. EncoderMI: Membership Inference against Pre-trained Encoders in Contrastive Learning. ACM CCS 2021. Contrastive learning in pre-trained model. Data augmentation has higher similarity [pdf] [code]

8. Auditing Membership Leakages of Multi-Exit Networks. ACM CCS 2022. Membership inference attack in multi-exit networks [pdf]

9. Membership Inference Attacks by Exploiting Loss Trajectory. ACM CCS 2022. Membership inference attack, knowledge distillation [pdf]

10. On the Privacy Risks of Cell-Based NAS Architectures. ACM CCS 2022. Membership inference attack in NAS [pdf]

11. Membership Inference Attacks and Defenses in Neural Network Pruning. USENIX Security 2022. Membership inference attack in Neural Network Pruning [pdf]

12. Mitigating Membership Inference Attacks by Self-Distillation Through a Novel Ensemble Architecture. USENIX Security 2022. Membership inference defense by ensemble [pdf]

13. Enhanced Membership Inference Attacks against Machine Learning Models. USENIX Security 2022. Membership inference attack with hypothesis testing [pdf] [code]

14. Membership Inference Attacks and Generalization: A Causal Perspective. ACM CCS 2022. Membership inference attack with casual reasoning [pdf]

15. SLMIA-SR: Speaker-Level Membership Inference Attacks against Speaker Recognition Systems. NDSS 2024. Membership inference attack in speaker recongization [pdf] [code]

16. Overconfidence is a Dangerous Thing: Mitigating Membership Inference Attacks by Enforcing Less Confident Prediction. NDSS 2024. The defense of membership inference attack [pdf] [code]

2.1.3 Information Leakage in Distributed ML System

1. Label Inference Attacks Against Vertical Federated Learning. USENIX Security 2022. Label Leakage. Federated Learning [pdf] [code]

2. The Value of Collaboration in Convex Machine Learning with Differential Privacy. IEEE S&P 2020. DP as Defense [pdf]

3. Leakage of Dataset Properties in Multi-Party Machine Learning. USENIX Security 2021. Dataset Properties Leakage [pdf]

4. Unleashing the Tiger: Inference Attacks on Split Learning. ACM CCS 2021. Split learning. Feature-space hijacking attack [pdf] [code]

5. Local and Central Differential Privacy for Robustness and Privacy in Federated Learning. NDSS 2022. DP in federated learning [pdf]

6. Gradient Obfuscation Gives a False Sense of Security in Federated Learning. USENIX Security 2023. Data Recovery in federated learning [pdf]

7. PPA: Preference Profiling Attack Against Federated Learning. NDSS 2023. Preference Leakage in federated learning [pdf] [code]

8. On the (In)security of Peer-to-Peer Decentralized Machine Learning. IEEE S&P 2023. Information leakage in peer-to-peer decentralized machine learning system [pdf]

9. RoFL: Robustness of Secure Federated Learning. IEEE S&P 2023. Robust Federated Learning Framework using Secuire Aggregation [pdf] [code]

10. Scalable and Privacy-Preserving Federated Principal Component Analysis. IEEE S&P 2023. Privacy preserving feaderated PCA algorithm [pdf]

11. Protecting Label Distribution in Cross-Silo Federated Learning. IEEE S&P 2024. Priveacy-preserving SGD to protect label distribution [pdf]

12. LOKI: Large-scale Data Reconstruction Attack against Federated Learning through Model Manipulation. IEEE S&P 2024. Dataset reconstruction attack in fedearted learning by sending customized convoluational kernel [pdf]

2.1.4 Information Leakage in Embedding

1. Privacy Risks of General-Purpose Language Models. IEEE S&P 2020. Pretrained Language Model [pdf]

2. Information Leakage in Embedding Models. ACM CCS 2020. Exact Word Recovery. Attribute inference. Membership inference [pdf]

3. Honest-but-Curious Nets: Sensitive Attributes of Private Inputs Can Be Secretly Coded into the Classifiers' Outputs. ACM CCS 2021. Infer privacy information in classification output [pdf] [code]

2.1.5 Graph Leakage

1. Stealing Links from Graph Neural Networks. USENIX Security 2021. Inference Graph Link [pdf]

2. Inference Attacks Against Graph Neural Networks. USENIX Security 2022. Property inference: number of nodes. Subgraph inference. Graph reconstruction [pdf] [code]

3. LinkTeller: Recovering Private Edges from Graph Neural Networks via Influence Analysis. IEEE S&P 2022. Use node connection influence to infer graph edges [pdf]

4. Locally Private Graph Neural Networks. IEEE S&P 2022. LDP as defense for node privacy [pdf] [code]

5. Finding MNEMON: Reviving Memories of Node Embeddings. ACM CCS 2022. Graph recovery attack through node embedding [pdf]

6. Group Property Inference Attacks Against Graph Neural Networks. ACM CCS 2022. Group Property inference attack on GNN [pdf]

7. LPGNet: Link Private Graph Networks for Node Classification. ACM CCS 2022. DP to build private GNN [pdf]

8. GraphGuard: Detecting and Counteracting Training Data Misuse in Graph Neural Networks. MDSS 2024. Mitigate data misuse issues in GNN [pdf] [code]

2.1.6 Unlearning

1. Machine Unlearning. IEEE S&P 2020. Shard and isolate the training dataset [pdf] [code]

2. When Machine Unlearning Jeopardizes Privacy. ACM CCS 2021. Membership inference attack in unlearning setting [pdf] [code]

3. Graph Unlearning. ACM CCS 2022. Graph Unlearning [pdf] [code]

4. On the Necessity of Auditable Algorithmic Definitions for Machine Unlearning. ACM CCS 2022. Auditable Unlearning [pdf]

5. Machine Unlearning of Features and Labels. NDSS 2023. Influence Function to achieve unlearning [pdf] [code]

6. A Duty to Forget, a Right to be Assured? Exposing Vulnerabilities in Machine Unlearning Services. NDSS 2024. The vulnerabilities in machine unlearning [pdf] [code]

2.1.7 Attribute Inference Attack

1. Are Attribute Inference Attacks Just Imputation?. ACM CCS 2022. Attribute Inference Attack by identified neuro with data [pdf] [code]

2. Feature Inference Attack on Shapley Values. ACM CCS 2022. Attribute Inference Attack using shapley values [pdf]

3. QuerySnout: Automating the Discovery of Attribute Inference Attacks against Query-Based Systems. ACM CCS 2022. Attribute Inference detection [pdf]

2.1.7 Property Inference Attack

1. SNAP: Efficient Extraction of Private Properties with Poisoning. IEEE S&P 2023. Stronger Property Inference Attack by poisoning the data [pdf] [code]

2.1.8 Data Synthesis

1. SoK: Privacy-Preserving Data Synthesis. IEEE S&P 2024. Privacy-Preserving Data Synthesis [pdf] [website]

2.1.8 Dataset Auditing

1. ORL-AUDITOR: Dataset Auditing in Offline Deep Reinforcement Learning. NDSS 2024. Dataset auditing in deep reinforcement learning [pdf] [code]

2.2 Model

2.2.1 Model Extraction

1. Exploring Connections Between Active Learning and Model Extraction. USENIX Security 2020. Active Learning [pdf]

2. High Accuracy and High Fidelity Extraction of Neural Networks. USENIX Security 2020. Fidelity [pdf]

3. DRMI: A Dataset Reduction Technology based on Mutual Information for Black-box Attacks. USENIX Security 2021. Query Data Selection Method to reduce the query [pdf]

4. Entangled Watermarks as a Defense against Model Extraction. USENIX Security 2021. Backdoor as watermark against model extraction [pdf]

5. CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples. NDSS 2020. Adversarial Example to strengthen model stealing [pdf]

6. Teacher Model Fingerprinting Attacks Against Transfer Learning. USENIX Securiy 2022. Teacher model fingerprinting [pdf]

7. StolenEncoder: Stealing Pre-trained Encoders in Self-supervised Learning. ACM CCS 2022. Model Stealing attack in encoder [pdf]

8. D-DAE: Defense-Penetrating Model Extraction Attacks. IEEE S&P 2023. Meta classifier to classify the defense and generator model to reduce the noise [pdf]

9. SoK: Neural Network Extraction Through Physical Side Channels. USENIX Security 2024. Physical Side Channel-based model extraction [pdf]

10. SoK: All You Need to Know About On-Device ML Model Extraction - The Gap Between Research and Practice. USENIX Security 2024. on device model extraction [pdf]

2.2.2 Model Watermark

1. Adversarial Watermarking Transformer: Towards Tracing Text Provenance with Data Hiding. IEEE S&P 2021. Encode secret message into LM [pdf]

2. Rethinking White-Box Watermarks on Deep Learning Models under Neural Structural Obfuscation. USENIX Security 2023. Inject dummy neurons into the model to break the white-box model watermark [pdf]

3. MEA-Defender: A Robust Watermark against Model Extraction Attack. IEEE S&P 2024. Backdoor as watermark [pdf] [code]

4. SSL-WM: A Black-Box Watermarking Approach for Encoders Pre-trained by Self-Supervised Learning. NDSS 2024. Watermark on self-supervised learning [pdf] [code]

2.2.3 Model Owenership

1. Proof-of-Learning: Definitions and Practice. IEEE S&P 2021. Proof the ownership of model parameters [pdf]

2. SoK: How Robust is Image Classification Deep Neural Network Watermarking?. IEEE S&P 2022. Survey of DNN watermarking [pdf]

3. Copy, Right? A Testing Framework for Copyright Protection of Deep Learning Models. IEEE S&P 2022. Calculate model similarity by generating test examples [pdf] [code]

4. SSLGuard: A Watermarking Scheme for Self-supervised Learning Pre-trained Encoders. ACM CCS 2022. Watermarking in encoder [pdf]

5. RAI2: Responsible Identity Audit Governing the Artificial Intelligence. NDSS 2023. Model and Data auditing in AI [pdf] [code]

6. ActiveDaemon: Unconscious DNN Dormancy and Waking Up via User-specific Invisible Token. NDSS 2024. Protecting DNN models by specific user tokens [pdf] [code]

2.2.4 Model Integrity

1. PublicCheck: Public Integrity Verification for Services of Run-time Deep Models. IEEE S&P 2023. Model verification via crafted query [pdf]

2.3 User Related Privacy

2.3.1 Image

1. Fawkes: Protecting Privacy against Unauthorized Deep Learning Models. USENIX Security 2020. Protect Face Privacy [pdf] [code]

2. Automatically Detecting Bystanders in Photos to Reduce Privacy Risks. IEEE S&P 2020. Detecting bystanders [pdf]

3. Characterizing and Detecting Non-Consensual Photo Sharing on Social Networks. IEEE S&P 2020. Detecting Non-Consensual People in a photo [pdf]

4. Fairness Properties of Face Recognition and Obfuscation Systems. USENIX Security 2023. Fairness in Face related models [pdf] [code]

2.4 Private ML Protocols

2.4.1 3PC

1. SWIFT: Super-fast and Robust Privacy-Preserving Machine Learning. USENIX Security 2021. [pdf]

2. BLAZE: Blazing Fast Privacy-Preserving Machine Learning. NDSS 2020. [pdf]

3. Bicoptor: Two-round Secure Three-party Non-linear Computation without Preprocessing for Privacy-preserving Machine Learning. IEEE S&P 2023. [pdf]

2.4.2 4PC

1. Trident: Efficient 4PC Framework for Privacy Preserving Machine Learning. NDSS 2020. [pdf]

2.4.3 SMPC

1. Cerebro: A Platform for Multi-Party Cryptographic Collaborative Learning. USENIX Security 2021. [pdf] [code]

2. Private, Efficient, and Accurate: Protecting Models Trained by Multi-party Learning with Differential Privacy. IEEE S&P 2023. [pdf]

3. MPCDiff: Testing and Repairing MPC-Hardened Deep Learning Models. NDSS 2023. [pdf] [code]

4. Pencil: Private and Extensible Collaborative Learning without the Non-Colluding Assumption. NDSS 2024. [pdf] [code]

2.4.4 Cryptographic NN Computation

1. SoK: Cryptographic Neural-Network Computation. IEEE S&P 2023. [pdf]

2. From Individual Computation to Allied Optimization: Remodeling Privacy-Preserving Neural Inference with Function Input Tuning. IEEE S&P 2024. [pdf]

3. BOLT: Privacy-Preserving, Accurate and Efficient Inference for Transformers. IEEE S&P 2024. [pdf] [code]

2.4.5 Secure Aggregation

1. Flamingo: Multi-Round Single-Server Secure Aggregation with Applications to Private Federated Learning. IEEE S&P 2023. [pdf] [code]

2. ELSA: Secure Aggregation for Federated Learning with Malicious Actors. IEEE S&P 2023. [pdf] [code]

2.5 Platform

2.5.1 Inference Attack Measurement

1. ML-Doctor: Holistic Risk Assessment of Inference Attacks Against Machine Learning Models. USENIX Security 2022. Membership inference attack. Model inversion. Attribute inference. Model stealing [pdf]

2.5.2 Survey

1. SoK: Let the Privacy Games Begin! A Unified Treatment of Data Inference Privacy in Machine Learning. IEEE S&P 2023. Systematizing privacy risks using game framework [pdf]

2.6 Differential Privacy

2.6.1 Tree Model

1. Federated Boosted Decision Trees with Differential Privacy. ACM CCS 2022. Federated Learning with Tree Model in DP [pdf]

2.6.2 DP

1. Spectral-DP: Differentially Private Deep Learning through Spectral Perturbation and Filtering. IEEE S&P 2023. Spectral DP [pdf]

2. Spectral-DP: Differentially Private Deep Learning through Spectral Perturbation and Filtering. IEEE S&P 2024. Spectral DP [pdf]

3. Bounded and Unbiased Composite Differential Privacy. IEEE S&P 2024. Composite DP [pdf] [code]

4. Cohere: Managing Differential Privacy in Large Scale Systems. IEEE S&P 2024. Unified DP in large system [pdf] [code]

5. You Can Use But Cannot Recognize: Preserving Visual Privacy in Deep Neural Networks. NDSS 2024. DP in image recognization [pdf] [code]

2.6.3 LDP

1. Locally Differentially Private Frequency Estimation Based on Convolution Framework. IEEE S&P 2023. [pdf]

Contributing

This list is mainly maintained by Ping He from NESA Lab.

We are very much welcome contributors for contributing this repository!

Markdown format

**Paper Name**. Conference Year. `Keywords` [[pdf](pdf_link)] [[code](code_link)]

Licenses

To the extent possible under law, gnipping holds all copyright and related or neighboring rights to this repository.