# Awesome-ML-Security-and-Privacy-Papers

[![Awesome](https://awesome.re/badge.svg)](https://awesome.re)
[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)

A curated list of machine learning security & privacy papers published in the top-4 security conferences (IEEE S&P, ACM CCS, USENIX Security and NDSS).

### Contents:

- [Awesome-ML-Security-and-Privacy-Papers](#awesome-ml-security-and-privacy-papers)
  - [Contents:](#contents)
  - [1. Security Papers](#1-security-papers)
    - [1.1 Adversarial Attack \& Defense](#11-adversarial-attack--defense)
      - [1.1.1 Image](#111-image)
      - [1.1.2 Text](#112-text)
      - [1.1.3 Audio](#113-audio)
      - [1.1.4 Video](#114-video)
      - [1.1.5 Graph](#115-graph)
      - [1.1.6 Software](#116-software)
      - [1.1.7 Hardware](#117-hardware)
      - [1.1.8 Interpret Method](#118-interpret-method)
      - [1.1.9 Physical World](#119-physical-world)
      - [1.1.10 Reinforcement Learning](#1110-reinforcement-learning)
      - [1.1.11 Robust Defense](#1111-robust-defense)
      - [1.1.12 Network Traffic](#1112-network-traffic)
      - [1.1.13 Wireless Communication System](#1113-wireless-communication-system)
      - [1.1.14 Tabular Data](#1114-tabular-data)
    - [1.2 Distributed Machine Learning](#12-distributed-machine-learning)
      - [1.2.1 Federated Learning](#121-federated-learning)
      - [1.2.2 Normal Distributed Learning](#122-normal-distributed-learning)
    - [1.3 Data Poisoning](#13-data-poisoning)
      - [1.3.1 Hijack Embedding](#131-hijack-embedding)
      - [1.3.2 Hijack Autocomplete Code](#132-hijack-autocomplete-code)
      - [1.3.3 Semi-Supervised Learning](#133-semi-supervised-learning)
      - [1.3.4 Recommender Systems](#134-recommender-systems)
      - [1.3.5 Classification](#135-classification)
      - [1.3.6 Contrastive Learning](#136-constractive-learning)
      - [1.3.7 Privacy](#137-privacy)
      - [1.3.8 Test-Time Poisoning](#138-test-time-poisoning)
      - [1.3.9 Defense](#139-defense)
      - [1.3.10 Defense](#1310-defense)
    - [1.4 Backdoor](#14-backdoor)
      - [1.4.1 Image](#141-image)
      - [1.4.2 Text](#142-text)
      - [1.4.3 Graph](#143-graph)
      - [1.4.4 Software](#144-software)
      - [1.4.5 Audio](#145-audio)
      - [1.4.6 Multimedia](#146-multimedia)
      - [1.4.7 Neuromorphic Data](#147-neuromorphic-data)
    - [1.5 ML Library Security](#15-ml-library-security)
      - [1.5.1 Loss](#151-loss)
    - [1.6 AI4Security](#16-ai4security)
      - [1.6.1 Cyberbullying](#161-cyberbullying)
      - [1.6.2 Security Applications](#162-security-applications)
      - [1.6.3 Advertisement Detection](#163-advertisement-detection)
      - [1.6.4 CAPTCHA](#164-captcha)
      - [1.6.5 Code Analysis](#165-code-analysis)
      - [1.6.6 Chatbot](#166-chatbot)
      - [1.6.7 Side Channel Attack](#167-side-channel-attack)
      - [1.6.8 Guideline](#168-guidline)
      - [1.6.9 Security Event](#169-security-event)
      - [1.6.10 Vulnerability Discovery](#1610-vulnerability-discovery)
    - [1.7 AutoML Security](#17-automl-security)
      - [1.7.1 Security Analysis](#171-security-analysis)
    - [1.8 Hardware Related Security](#18-hardware-related-security)
      - [1.8.1 Verification](#181-verification)
    - [1.9 Security Related Interpreting Method](#19-security-related-interpreting-method)
      - [1.9.1 Anomaly Detection](#191-anomaly-detection)
      - [1.9.2 Faithfulness](#192-faithfulness)
      - [1.9.3 Security Applications](#193-security-applications)
    - [1.10 Face Security](#110-face-security)
      - [1.10.1 Deepfake Detection](#1101-deepfake-detection)
      - [1.10.2 Face Impersonation](#1102-face-impersonation)
      - [1.10.3 Face Verification Systems](#1103-face-verification-systems)
    - [1.10 AI Generation Security](#110-ai-generation-security)
      - [1.10.1 Text Generation Detection](#1101-text-generation-detection)
      - [1.10.2 Deepfake](#1102-deepfake)
    - [1.11 LLM Security](#111-llm-security)
      - [1.11.1 Code Analysis](#1111-code-analysis)
      - [1.11.2 Vision-Language Model](#1112-vision-language-model)
      - [1.11.3 Jailbreaking](#1113-jailbreaking)
      - [1.11.4 Robustness](#1114-robustness)
      - [1.11.5 Generated Content Detection](#1115-generated-concent-detection)
      - [1.11.6 Backdoor Detection](#1116-backdoor-detection)
      - [1.11.7 Bias](#1117-bias)
      - [1.11.8 Prompt Injection](#1118-prompt-injection)
  - [2. Privacy Papers](#2-privacy-papers)
    - [2.1 Training Data](#21-training-data)
      - [2.1.1 Data Recovery](#211-data-recovery)
      - [2.1.2 Membership Inference Attack](#212-membership-inference-attack)
      - [2.1.3 Information Leakage in Distributed ML System](#213-information-leakage-in-distributed-ml-system)
      - [2.1.4 Information Leakage in Embedding](#214-information-leakage-in-embedding)
      - [2.1.5 Graph Leakage](#215-graph-leakage)
      - [2.1.6 Unlearning](#216-unlearning)
      - [2.1.7 Attribute Inference Attack](#217-attribute-inference-attack)
      - [2.1.7 Property Inference Attack](#217-property-inference-attack)
      - [2.1.8 Data Synthesis](#218-data-synthesis)
      - [2.1.8 Dataset Auditing](#218-dataset-auditing)
    - [2.2 Model](#22-model)
      - [2.2.1 Model Extraction](#221-model-extraction)
      - [2.2.2 Model Watermark](#222-model-watermark)
      - [2.2.3 Model Ownership](#223-model-owenership)
      - [2.2.4 Model Integrity](#224-model-integrity)
    - [2.3 User Related Privacy](#23-user-related-privacy)
      - [2.3.1 Image](#231-image)
    - [2.4 Private ML Protocols](#24-private-ml-protocols)
      - [2.4.1 3PC](#241-3pc)
      - [2.4.2 4PC](#242-4pc)
      - [2.4.3 SMPC](#243-smpc)
      - [2.4.4 Cryptographic NN Computation](#244-cryptographic-nn-computation)
      - [2.4.5 Secure Aggregation](#245-secure-aggregation)
    - [2.5 Platform](#25-platform)
      - [2.5.1 Inference Attack Measurement](#251-inference-attack-measurement)
      - [2.5.2 Survey](#252-survey)
    - [2.6 Differential Privacy](#26-differential-privacy)
      - [2.6.1 Tree Model](#261-tree-model)
      - [2.6.2 DP](#262-dp)
      - [2.6.3 LDP](#263-ldp)
    - [2.7 LLM Privacy](#27-llm-privacy)
      - [2.7.1 Prompt Privacy](#271-prompt-privacy)
  - [Contributing](#contributing)
  - [Licenses](#licenses)

## 1. Security Papers

### 1.1 Adversarial Attack & Defense

#### 1.1.1 Image

1. **Hybrid Batch Attacks: Finding Black-box Adversarial Examples with Limited Queries**. USENIX Security 2020. `Transferability + Query. Black-box Attack` [[pdf](https://www.usenix.org/system/files/sec20-suya.pdf)] [[code](https://github.com/suyeecav/Hybrid-Attack)]

2. **Adversarial Preprocessing: Understanding and Preventing Image-Scaling Attacks in Machine Learning**. USENIX Security 2020. `Defense of Image Scaling Attack` [[pdf](https://www.usenix.org/system/files/sec20fall_quiring_prepub.pdf)] [[code](https://scaling-attacks.net/)]

3. **HopSkipJumpAttack: A Query-Efficient Decision-Based Attack**. IEEE S&P 2020. `Query-based Black-box Attack` [[pdf](https://arxiv.org/pdf/1904.02144.pdf)] [[code](https://github.com/Jianbo-Lab/HSJA)]

4. **PatchGuard: A Provably Robust Defense against Adversarial Patches via Small Receptive Fields and Masking**. USENIX Security 2021. `Adversarial Patch Defense` [[pdf](https://www.usenix.org/system/files/sec21fall-xiang.pdf)] [[code](https://github.com/inspire-group/PatchGuard)]

5. **Gotta Catch'Em All: Using Honeypots to Catch Adversarial Attacks on Neural Networks**. ACM CCS 2020. `Build a trap in the model to induce a specific adversarial perturbation` [[pdf](https://people.cs.uchicago.edu/~ravenben/publications/pdf/trapdoor-ccs20.pdf)] [[code](https://github.com/Shawn-Shan/trapdoor)]

6. **A Tale of Evil Twins: Adversarial Inputs versus Poisoned Models**. ACM CCS 2020. `Perturb both input and model` [[pdf](https://arxiv.org/pdf/1911.01559.pdf)] [[code](https://github.com/alps-lab/imc)]

7. **Feature-Indistinguishable Attack to Circumvent Trapdoor-Enabled Defense**. ACM CCS 2021. `A new attack method that can break the TeD defense mechanism` [[pdf](https://dl.acm.org/doi/pdf/10.1145/3460120.3485378)] [[code](https://github.innominds.com/CGCL-codes/FeatureIndistinguishableAttack)]

8. **DetectorGuard: Provably Securing Object Detectors against Localized Patch Hiding Attacks**. ACM CCS 2021. `Provable robustness for patch hiding in object detection` [[pdf](https://arxiv.org/pdf/2102.02956.pdf)] [[code](https://github.com/inspire-group/DetectorGuard)]

9. **It's Not What It Looks Like: Manipulating Perceptual Hashing based Applications**. ACM CCS 2021. `Adversarial Attack against PHash` [[pdf](https://gangw.cs.illinois.edu/PHashing.pdf)] [[code](https://github.com/gyNancy/phash_public)]

10. **RamBoAttack: A Robust and Query Efficient Deep Neural Network Decision Exploit**. NDSS 2022. `Query-based black box attack` [[pdf](https://arxiv.org/pdf/2112.05282.pdf)] [[code](https://github.com/RamBoAttack/RamBoAttack.github.io)]

11. **What You See is Not What the Network Infers: Detecting Adversarial Examples Based on Semantic Contradiction**. NDSS 2022. `Generative-based AE detection` [[pdf](https://arxiv.org/pdf/2201.09650.pdf)] [[code](https://github.com/cure-lab/ContraNet)]

12. **AutoDA: Automated Decision-based Iterative Adversarial Attacks**. USENIX 2022. `Program Synthesis for Adversarial Attack` [[pdf](https://www.usenix.org/system/files/sec22_slides-fu-qi.pdf)]

13. **Blacklight: Scalable Defense for Neural Networks against Query-Based Black-Box Attacks**. USENIX Security 2022. `AE Detection using probabilistic fingerprints based on hash of input similarity` [[pdf](https://www.usenix.org/system/files/sec22-li-huiying.pdf)] [[code](https://sandlab.cs.uchicago.edu/blacklight)]

14. **Physical Hijacking Attacks against Object Trackers**. ACM CCS 2022. `Adversarial Attacks on Object Trackers` [[pdf](https://dl.acm.org/doi/10.1145/3548606.3559390)] [[code](https://github.com/purseclab/AttrackZone)]

15. **Post-breach Recovery: Protection against White-box Adversarial Examples for Leaked DNN Models**. ACM CCS 2022. `Adversarial Attacks on Object Trackers` [[pdf](https://arxiv.org/pdf/2205.10686.pdf)]

16. **Squint Hard Enough: Attacking Perceptual Hashing with Adversarial Machine Learning**. USENIX Security 2023. `Adversarial Attacks against PhotoDNA and PDQ` [[pdf](https://www.usenix.org/system/files/sec23summer_146-prokos-prepub.pdf)]

17. **The Space of Adversarial Strategies**. USENIX Security 2023. `Decompose the Adversarial Attack Components and combine them together` [[pdf](https://www.usenix.org/system/files/sec23summer_256-sheatsley-prepub.pdf)]

18. **Stateful Defenses for Machine Learning Models Are Not Yet Secure Against Black-box Attacks**. ACM CCS 2023. `Attack strategy to enhance the query-based attack against the stateful defense` [[pdf](https://arxiv.org/pdf/2303.06280.pdf)] [[code](https://github.com/purseclab/AttrackZone)]

19. **BounceAttack: A Query-Efficient Decision-based Adversarial Attack by Bouncing into the Wild**. IEEE S&P 2024. `Query-based hard label attack` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a068/1RjEaEvldVS)]

20. **Sabre: Cutting through Adversarial Noise with Adaptive Spectral Filtering and Input Reconstruction**. IEEE S&P 2024. `Filter-based adversarial perturbation defense` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a076/1RjEaLx3uAU)] [[code](https://github.com/Mobile-Intelligence-Lab/SABRE)]

21. **Sabre: Cutting through Adversarial Noise with Adaptive Spectral Filtering and Input Reconstruction**. IEEE S&P 2024. `Adversarial attack against face recognition system` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a161/1Ub24A2RzHi)] [[code](https://github.com/Cryptology-Algorithm-Lab/Scores_Tell_Everything_about_Bob)]

22. **Why Does Little Robustness Help? A Further Step Towards Understanding Adversarial Transferability**. IEEE S&P 2024. `Exploring the transferability of adversarial examples` [[pdf](https://arxiv.org/pdf/2307.07873.pdf)] [[code](https://github.com/CGCL-codes/TransferAttackSurrogates)]

23. **Group-based Robustness: A General Framework for Customized Robustness in the Real World**. NDSS 2024. `New metrics to measure adversarial examples` [[pdf](https://arxiv.org/pdf/2306.16614.pdf)]

24. **DorPatch: Distributed and Occlusion-Robust Adversarial Patch to Evade Certifiable Defenses**. NDSS 2024. `Adversarial patch against certified robustness` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2024-920-paper.pdf)] [[code](https://github.com/CGCL-codes/DorPatch)]

25. **UniID: Spoofing Face Authentication System by Universal Identity**. NDSS 2024. `Face spoofing attack` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2024-1036-paper.pdf)]

26. **Enhance Stealthiness and Transferability of Adversarial Attacks with Class Activation Mapping Ensemble Attack**. NDSS 2024. `Enhancing transferability of adversarial examples` [[pdf](https://arxiv.org/pdf/2406.10285)] [[code](https://github.com/DreamyRainforest/Class_Activation_Mapping_Ensemble_Attack)]

27. **I Don't Know You, But I Can Catch You: Real-Time Defense against Diverse Adversarial Patches for Object Detectors**. CCS 2024. `Adversarial Patch Detection` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2024-164-paper.pdf)] [[demo](https://sites.google.com/view/nutnet)]

28. **Certifiable Black-Box Attacks with Randomized Adversarial Examples: Breaking Defenses with Provable Confidence**. CCS 2024. `Certified black-box attack` [[pdf](https://arxiv.org/pdf/2304.04343)] [[code](https://github.com/datasec-lab/CertifiedAttack)]

#### 1.1.2 Text

1. **TextShield: Robust Text Classification Based on Multimodal Embedding and Neural Machine Translation**. USENIX Security 2020. `Defense in preprocessing` [[pdf](https://www.usenix.org/system/files/sec20-li-jinfeng.pdf)]

2. **Bad Characters: Imperceptible NLP Attacks**. IEEE S&P 2022. `Use Unicode to conduct a human-imperceptible attack` [[pdf](https://arxiv.org/pdf/2106.09898.pdf)] [[code](https://github.com/nickboucher/imperceptible)]

3. **Order-Disorder: Imitation Adversarial Attacks for Black-box Neural Ranking Models**. ACM CCS 2022. `Attack Neural Ranking Models` [[pdf](https://arxiv.org/pdf/2209.06506.pdf)]

4. **No more Reviewer #2: Subverting Automatic Paper-Reviewer Assignment using Adversarial Learning**. USENIX Security 2023. `Adversarial Attack on Paper Assignment` [[pdf](https://arxiv.org/pdf/2303.14443.pdf)]

#### 1.1.3 Audio

1. **WaveGuard: Understanding and Mitigating Audio Adversarial Examples**. USENIX Security 2021. `Defense in preprocessing` [[pdf](https://www.usenix.org/system/files/sec21fall-hussain.pdf)] [[code](https://github.com/shehzeen/waveguard_defense)]

2. **Dompteur: Taming Audio Adversarial Examples**. USENIX Security 2021. `Defense in preprocessing. Preprocess the audio to make the noise human-noticeable` [[pdf](https://www.usenix.org/system/files/sec21-eisenhofer.pdf)] [[code](https://github.com/RUB-SysSec/dompteur)]

3. **EarArray: Defending against DolphinAttack via Acoustic Attenuation**. NDSS 2021. `Defense` [[pdf](https://www.ndss-symposium.org/ndss-paper/eararray-defending-against-dolphinattack-via-acoustic-attenuation/)]

4. **Who is Real Bob? Adversarial Attacks on Speaker Recognition Systems**. IEEE S&P 2021. `Attack` [[pdf](https://arxiv.org/pdf/1911.01840.pdf)] [[code](https://github.com/FAKEBOB-adversarial-attack/FAKEBOB)]

5. **Hear "No Evil", See "Kenansville": Efficient and Transferable Black-Box Attacks on Speech Recognition and Voice Identification Systems**. IEEE S&P 2021. `Black-box Attack` [[pdf](https://arxiv.org/pdf/1910.05262.pdf)]

6. **SoK: The Faults in our ASRs: An Overview of Attacks against Automatic Speech Recognition and Speaker Identification Systems**. IEEE S&P 2021. `Survey` [[pdf](https://arxiv.org/pdf/2007.06622.pdf)]

7. **AdvPulse: Universal, Synchronization-free, and Targeted Audio Adversarial Attacks via Subsecond Perturbations**. ACM CCS 2020. `Attack` [[pdf](http://www.winlab.rutgers.edu/~yychen/papers/li2020advpulse.pdf)]

8. **Black-box Adversarial Attacks on Commercial Speech Platforms with Minimal Information**. ACM CCS 2021. `Black-box Attack. Physical World` [[pdf](https://arxiv.org/pdf/2110.09714.pdf)]

9. **Perception-Aware Attack: Creating Adversarial Music via Reverse-Engineering Human Perception**. ACM CCS 2022. `Adversarial Audio with human-aware noise` [[pdf](https://arxiv.org/pdf/2207.13192.pdf)]

10. **SpecPatch: Human-in-the-Loop Adversarial Audio Spectrogram Patch Attack on Speech Recognition**. ACM CCS 2022. `Adversarial Patch for audio` [[pdf](https://cse.msu.edu/~qyan/paper/SpecPatch_CCS22.pdf)]

11. **Learning Normality is Enough: A Software-based Mitigation against Inaudible Voice Attacks**. USENIX Security 2023. `Unsupervised learning-based defense` [[pdf](https://www.usenix.org/conference/usenixsecurity23/presentation/li-xinfeng)]

12. **Understanding and Benchmarking the Commonality of Adversarial Examples**. IEEE S&P 2024. `Common features of adversarial audio examples` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a111/1Ub23jYBBHa)]

13. **ALIF: Low-Cost Adversarial Audio Attacks on Black-Box Speech Platforms using Linguistic Features**. IEEE S&P 2024. `Black-box adversarial audio attack` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a056/1RjEav0Daa4)] [[code](https://github.com/TASER2023/TASER)]

14. **Inaudible Adversarial Perturbation: Manipulating the Recognition of User Speech in Real Time**. NDSS 2024. `Completely inaudible adversarial attack` [[pdf](https://arxiv.org/pdf/2308.01040)] [[code](https://github.com/LetterLiGo/Inaudible-Adversarial-Perturbation-Vrifle)]

15. **Parrot-Trained Adversarial Examples: Pushing the Practicality of Black-Box Audio Attacks against Speaker Recognition Models**. NDSS 2024. `Black-box adversarial audio attack using parrot` [[pdf](https://arxiv.org/pdf/2311.07780.pdf)]

16. **Zero-Query Adversarial Attack on Black-box Automatic Speech Recognition Systems**. CCS 2024. `Transfer adversarial attack` [[pdf](https://arxiv.org/pdf/2406.19311)]

#### 1.1.4 Video

1. **Universal 3-Dimensional Perturbations for Black-Box Attacks on Video Recognition Systems**. IEEE S&P 2022. `Adversarial attack in video recognition` [[pdf](https://arxiv.org/pdf/2107.04284.pdf)]

2. **StyleFool: Fooling Video Classification Systems via Style Transfer**. IEEE S&P 2023. `Style Transfer to conduct adversarial attack` [[pdf](https://arxiv.org/pdf/2203.16000.pdf)] [[code](https://github.com/JosephCao0327/StyleFool)]

#### 1.1.5 Graph

1. **A Hard Label Black-box Adversarial Attack Against Graph Neural Networks**. ACM CCS 2021. `Graph Classification` [[pdf](https://arxiv.org/pdf/2108.09513.pdf)]

#### 1.1.6 Software

1. **Evading Classifiers by Morphing in the Dark**. ACM CCS 2017. `Morpher and search to generate adversarial PDF` [[pdf](https://arxiv.org/pdf/1705.07535.pdf)]

2. **Misleading Authorship Attribution of Source Code using Adversarial Learning**. USENIX Security 2019. `Adversarial attack in source code, MCST` [[pdf](https://arxiv.org/pdf/1905.12386.pdf)] [[code](http://www.tu-braunschweig.de/sec/research/code/imitator)]

3. **Intriguing Properties of Adversarial ML Attacks in the Problem Space**. IEEE S&P 2020. `Attack Malware Classification` [[pdf](https://arxiv.org/pdf/1911.02142.pdf)]

4. **Structural Attack against Graph Based Android Malware Detection**. IEEE S&P 2020. `Perturbed function call graph` [[pdf](https://www4.comp.polyu.edu.hk/~csxluo/HRAT.pdf)]

5. **URET: Universal Robustness Evaluation Toolkit (for Evasion)**. USENIX Security 2023. `General toolbox to select predefined perturbations` [[pdf](https://www.usenix.org/system/files/sec23summer_347-eykholt-prepub.pdf)] [[code](https://github.com/IBM/URET)]

6. **Adversarial Training for Raw-Binary Malware Classifiers**. USENIX Security 2023. `Adversarial Training for Windows PE malware` [[pdf](https://www.usenix.org/system/files/sec23fall-prepub-146-lucas.pdf)]

7. **PELICAN: Exploiting Backdoors of Naturally Trained Deep Learning Models In Binary Code Analysis**. USENIX Security 2023. `Reverse engineering natural backdoors in transformer-based x86 binary code analysis tasks` [[pdf](https://www.usenix.org/system/files/sec23fall-prepub-493-zhang-zhuo.pdf)]

8. **Black-box Adversarial Example Attack towards FCG Based Android Malware Detection under Incomplete Feature Information**. USENIX Security 2023. `Black-box Android Adversarial Malware against the FCG-based ML classifier` [[pdf](https://arxiv.org/pdf/2303.08509.pdf)]

9. **Efficient Query-Based Attack against ML-Based Android Malware Detection under Zero Knowledge Setting**. ACM CCS 2023. `Semantically similar perturbations are more likely to have similar evasion effectiveness` [[pdf](https://arxiv.org/pdf/2309.01866.pdf)] [[code](https://github.com/gnipping/AdvDroidZero-Access-Instructions)]

#### 1.1.7 Hardware

1. **ATTRITION: Attacking Static Hardware Trojan Detection Techniques Using Reinforcement Learning**. ACM CCS 2022. `Attack Hardware Trojan Detection` [[pdf](https://arxiv.org/pdf/2208.12897.pdf)]

2. **DeepShuffle: A Lightweight Defense Framework against Adversarial Fault Injection Attacks on Deep Neural Networks in Multi-Tenant Cloud-FPGA**. IEEE S&P 2024. `Adversarial defense against adversarial fault injection` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a034/1RjEa9WUlPi)]

#### 1.1.8 Interpret Method

1. **Interpretable Deep Learning under Fire**. USENIX Security 2020. `Attack both image classification and interpret method` [[pdf](https://www.usenix.org/system/files/sec20spring_zhang_prepub.pdf)]

2. **“Is your explanation stable?”: A Robustness Evaluation Framework for Feature Attribution**. ACM CCS 2022. `Hypothesis testing to increase the robustness of explanation methods` [[pdf](https://arxiv.org/pdf/2209.01782.pdf)]

3. **AIRS: Explanation for Deep Reinforcement Learning based Security Applications**. USENIX Security 2023. `DRL interpretation method to pinpoint the most influential step` [[pdf](https://www.usenix.org/system/files/sec23fall-prepub-36-yu-jiahao.pdf)] [[code](https://github.com/sherdencooper/AIRS)]

4. **SoK: Explainable Machine Learning in Adversarial Environments**. IEEE S&P 2024. `Adversarial Explanation SoK` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a021/1RjE9XVNjnW)]

#### 1.1.9 Physical World

1. **SLAP: Improving Physical Adversarial Examples with Short-Lived Adversarial Perturbations**. USENIX Security 2021. `Projector light causes misclassification` [[pdf](https://www.usenix.org/system/files/sec21fall-lovisotto.pdf)] [[code](https://github.com/ssloxford/short-lived-adversarial-perturbations)]

2. **Understanding Real-world Threats to Deep Learning Models in Android Apps**. ACM CCS 2022. `Adversarial Attack in real-world models` [[pdf](https://arxiv.org/pdf/2209.09577.pdf)]

3. **X-Adv: Physical Adversarial Object Attacks against X-ray Prohibited Item Detection**. USENIX Security 2023. `Adversarial Attack on X-ray Images` [[pdf](https://arxiv.org/pdf/2302.09491.pdf)] [[code](https://github.com/DIG-Beihang/X-adv)]

4. **That Person Moves Like A Car: Misclassification Attack Detection for Autonomous Systems Using Spatiotemporal Consistency**. USENIX Security 2023. `Robust OD in Autonomous System using spatiotemporal information` [[pdf](https://www.usenix.org/system/files/sec23summer_278-man-prepub.pdf)]

5. **You Can't See Me: Physical Removal Attacks on LiDAR-based Autonomous Vehicles Driving Frameworks**. USENIX Security 2023. `Adversarial attack against Autonomous Vehicles using Laser` [[pdf](https://www.usenix.org/system/files/sec23summer_349-cao-prepub.pdf)] [[demo](https://cpseclab.github.io/youcantseeme/)]

6. **CAPatch: Physical Adversarial Patch against Image Captioning Systems**. USENIX Security 2023. `Physical Adversarial Patch against the image caption system` [[pdf](https://www.usenix.org/system/files/sec23fall-prepub-121-zhang-shibo.pdf)] [[code](https://github.com/USSLab/CAPatch)]

7. **Exorcising "Wraith": Protecting LiDAR-based Object Detector in Automated Driving System from Appearing Attacks**. USENIX Security 2023. `Defend against the appearing attack in autonomous systems using a local objectness predictor` [[pdf](https://www.usenix.org/system/files/sec23fall-prepub-190-xiao-qifan.pdf)] [[code](https://github.com/USSLab/CAPatch)]

8. **Invisible Reflections: Leveraging Infrared Laser Reflections to Target Traffic Sign Perception**. NDSS 2024. `Adversarial attacks on autonomous vehicles using infrared laser reflections` [[pdf](https://arxiv.org/pdf/2401.03582.pdf)]

9. **Avara: A Uniform Evaluation System for Perceptibility Analysis Against Adversarial Object Evasion Attacks**. CCS 2024. `Adversarial Object Evasion attack evaluation system` [[pdf](https://drive.google.com/file/d/16qfqZpOED2W3wXmGibdDOIK5ctboend7/view)] [[code](https://sites.google.com/view/avara-artifacts)]

10. **VisionGuard: Secure and Robust Visual Perception of Autonomous Vehicles in Practice**. CCS 2024. `Adversarial Patch detection in ` [[pdf](https://tianweiz07.github.io/Papers/24-ccs1.pdf)] [[demo](https://sites.google.com/view/visionguard)]

#### 1.1.10 Reinforcement Learning

1. **Adversarial Policy Training against Deep Reinforcement Learning**. USENIX Security 2021. `Weird behavior to trigger opposite abnormal action. Two-agent competitor game` [[pdf](https://www.usenix.org/system/files/sec21summer_wu-xian.pdf)] [[code](https://github.com/psuwuxian/rl_attack)]

2. **SUB-PLAY: Adversarial Policies against Partially Observed Multi-Agent Reinforcement Learning Systems**. CCS 2024. `Adversarial policy against the reinforcement learning system` [[pdf](https://arxiv.org/pdf/2402.03741)] [[code](https://github.com/maoubo/SUB-PLAY)]

#### 1.1.11 Robust Defense

1. **Cost-Aware Robust Tree Ensembles for Security Applications**. USENIX Security 2021. `Propose cost of features to certify the model robustness` [[pdf](https://www.usenix.org/system/files/sec21-chen-yizheng.pdf)] [[code](https://github.com/surrealyz/growtrees)]

2. **CADE: Detecting and Explaining Concept Drift Samples for Security Applications**. USENIX Security 2021. `Detect Concept shift` [[pdf](https://www.usenix.org/system/files/sec21-yang-limin.pdf)] [[code](https://github.com/whyisyoung/CADE)]

3. **Learning Security Classifiers with Verified Global Robustness Properties**. ACM CCS 2021. `Train a classifier with global robustness` [[pdf](https://arxiv.org/pdf/2105.11363.pdf)] [[code](https://github.com/surrealyz/verified-global-properties)]

4. **On the Robustness of Domain Constraints**. ACM CCS 2021. `Domain constraints. Input space robustness` [[pdf](https://arxiv.org/pdf/2105.08619.pdf)]

5. **Cert-RNN: Towards Certifying the Robustness of Recurrent Neural Networks**. ACM CCS 2021. `Certify robustness in RNN` [[pdf](https://nesa.zju.edu.cn/download/dty_pdf_cert_rnn.pdf)]

6. **TSS: Transformation-Specific Smoothing for Robustness Certification**. ACM CCS 2021. `Certify robustness about transformation` [[pdf](https://arxiv.org/pdf/2002.12398.pdf)] [[code](https://github.com/AI-secure/semantic-randomized-smoothing)]

7. **Transcend: Detecting Concept Drift in Malware Classification Models**. USENIX Security 2017. `Conformal evaluators` [[pdf](https://s2lab.cs.ucl.ac.uk/downloads/sec17-jordaney.pdf)] [[code](https://s2lab.cs.ucl.ac.uk/projects/transcend/)]

8. **Transcending Transcend: Revisiting Malware Classification in the Presence of Concept Drift**. IEEE S&P 2022. `New conformal evaluators` [[pdf](https://s2lab.cs.ucl.ac.uk/downloads/transcending.pdf)] [[code](https://s2lab.cs.ucl.ac.uk/projects/transcend/)]

9. **Transferring Adversarial Robustness Through Robust Representation Matching**. USENIX Security 2022. `Robust Transfer Learning` [[pdf](https://www.usenix.org/system/files/sec22-vaishnavi.pdf)]

10. **DiffSmooth: Certifiably Robust Learning via Diffusion Models and Local Smoothing**. USENIX Security 2023. `Diffusion Model Improve Certified Robustness` [[pdf](https://www.usenix.org/system/files/sec22-vaishnavi.pdf)]

11. **Anomaly Detection in the Open World: Normality Shift Detection, Explanation, and Adaptation**. NDSS 2023. `Concept Drift Detection using an unsupervised approach` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f830_paper.pdf)] [[code](https://github.com/dongtsi/OWAD)]

12. **BARS: Local Robustness Certification for Deep Learning based Traffic Analysis Systems**. NDSS 2023. `Certified Robustness for Traffic Analysis Systems` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f508_paper.pdf)] [[code](https://github.com/KaiWangGitHub/BARS)]

13. **REaaS: Enabling Adversarially Robust Downstream Classifiers via Robust Encoder as a Service**. NDSS 2023. `Build a certifiable EaaS model` [[pdf](https://arxiv.org/pdf/2301.02905.pdf)]

14. **Continuous Learning for Android Malware Detection**. USENIX Security 2023. `New Continual Learning Paradigm for Malware detection` [[pdf](https://arxiv.org/pdf/2302.04332.pdf)] [[code](https://github.com/wagner-group/active-learning)]

15. **ObjectSeeker: Certifiably Robust Object Detection against Patch Hiding Attacks via Patch-agnostic Masking**. IEEE S&P 2023. `Certified robustness of object detection` [[pdf](https://arxiv.org/pdf/2202.01811.pdf)] [[code](https://github.com/inspire-group/ObjectSeeker)]

16. **On The Empirical Effectiveness of Unrealistic Adversarial Hardening Against Realistic Adversarial Attacks**. IEEE S&P 2023. `Adversarial attacks in feature space may enhance the robustness in problem space` [[pdf](https://arxiv.org/pdf/2202.03277.pdf)] [[code](https://github.com/serval-uni-lu/realistic_adversarial_hardening)]

17. **Text-CRS: A Generalized Certified Robustness Framework against Textual Adversarial Attacks**. IEEE S&P 2024. `Certified robustness on adversarial text` [[pdf](https://arxiv.org/pdf/2307.16630.pdf)] [[code](https://github.com/Eyr3/TextCRS?tab=readme-ov-file)]

18. **It's Simplex! Disaggregating Measures to Improve Certified Robustness**. IEEE S&P 2024. `Disagreement to improve the certified robustness` [[pdf](https://arxiv.org/pdf/2309.11005.pdf)] [[code](https://github.com/andrew-cullen/ensemble-simplex-certifications)]

#### 1.1.12 Network Traffic

1. **Defeating DNN-Based Traffic Analysis Systems in Real-Time With Blind Adversarial Perturbations**. USENIX Security 2021. `Adversarial attack to defeat DNN-based traffic analysis` [[pdf](https://www.usenix.org/system/files/sec21fall-nasr.pdf)] [[code](https://github.com/SPIN-UMass/BLANKET)]

2. **Pryde: A Modular Generalizable Workflow for Uncovering Evasion Attacks Against Stateful Firewall Deployments**. IEEE S&P 2024. `Evasion attack against Firewalls` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a144/1Ub242nYFoY)]

3. **Multi-Instance Adversarial Attack on GNN-Based Malicious Domain Detection**. IEEE S&P 2024. `Adversarial attack on GNN-based malicious domain detection` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a006/1RjE9LaYR0c)] [[code](https://github.com/mahmoudkanazzal/MintA)]

#### 1.1.13 Wireless Communication System

1. **Robust Adversarial Attacks Against DNN-Based Wireless Communication Systems**. ACM CCS 2021. `Attack` [[pdf](https://arxiv.org/pdf/2102.00918.pdf)]

#### 1.1.14 Tabular Data

1. **Adversarial Robustness for Tabular Data through Cost and Utility Awareness**. NDSS 2023. `Adversarial Attack & Defense on tabular data` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f924_paper.pdf)]

### 1.2 Distributed Machine Learning

#### 1.2.1 Federated Learning

1. **Local Model Poisoning Attacks to Byzantine-Robust Federated Learning**. USENIX Security 2020. `Poisoning Attack` [[pdf](https://www.usenix.org/system/files/sec20summer_fang_prepub.pdf)]

2. **Manipulating the Byzantine: Optimizing Model Poisoning Attacks and Defenses for Federated Learning**. NDSS 2021. `Poisoning Attack` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/ndss2021_6C-3_24498_paper.pdf)]

3. **DeepSight: Mitigating Backdoor Attacks in Federated Learning Through Deep Model Inspection**. NDSS 2022. `Backdoor defense` [[pdf](https://arxiv.org/pdf/2201.00763.pdf)]

4. **FLAME: Taming Backdoors in Federated Learning**. USENIX Security 2022. `Backdoor defense` [[pdf](https://www.usenix.org/system/files/sec22-nguyen.pdf)]

5. **EIFFeL: Ensuring Integrity for Federated Learning**. ACM CCS 2022. `New FL Protocol to guarantee integrity` [[pdf](https://arxiv.org/pdf/2112.12727.pdf)]

6. **Eluding Secure Aggregation in Federated Learning via Model Inconsistency**. ACM CCS 2022. `Model inconsistency to break the secure aggregation` [[pdf](https://arxiv.org/pdf/2111.07380.pdf)]

7. **FedRecover: Recovering from Poisoning Attacks in Federated Learning using Historical Information**. IEEE S&P 2023. `Poisoned Model Recovery Algorithm` [[pdf](https://arxiv.org/pdf/2210.10936.pdf)]

8. **Every Vote Counts: Ranking-Based Training of Federated Learning to Resist Poisoning Attacks**. USENIX Security 2023. `Discretize the model updates and prune the model to defend against the poisoning attack` [[pdf](https://arxiv.org/pdf/2110.04350.pdf)] [[code](https://github.com/SPIN-UMass/FRL)]

9. **Securing Federated Sensitive Topic Classification against Poisoning Attacks**. NDSS 2023. `Robust Aggregation against the poisoning attack` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_s112_paper.pdf)]

10. **BayBFed: Bayesian Backdoor Defense for Federated Learning**. IEEE S&P 2023. `Purify the model updates using Bayesian methods` [[pdf](https://arxiv.org/pdf/2301.09508.pdf)]

11. **ADI: Adversarial Dominating Inputs in Vertical Federated Learning Systems**. IEEE S&P 2023. `Poisoning the vertical federated learning system` [[pdf](https://arxiv.org/pdf/2201.02775.pdf)] [[code](https://github.com/Qi-Pang/ADI)]

12. **3DFed: Adaptive and Extensible Framework for Covert Backdoor Attack in Federated Learning**. IEEE S&P 2023. `Convert a normal backdoor into the federated learning scenario` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2023/933600b893/1NrbZhCP5ao)]

13. **FLShield: A Validation Based Federated Learning Framework to Defend Against Poisoning Attacks**. IEEE S&P 2023. `Data poisoning defense` [[pdf](https://arxiv.org/pdf/2308.05832.pdf)]

14. **BadVFL: Backdoor Attacks in Vertical Federated Learning**. IEEE S&P 2023. `Backdoor attacks against vertical federated learning` [[pdf](https://arxiv.org/pdf/2304.08847.pdf)]

15. **CrowdGuard: Federated Backdoor Detection in Federated Learning**. NDSS 2024. `Backdoor detection in federated learning leveraging hidden layer outputs` [[pdf](https://arxiv.org/pdf/2210.07714.pdf)] [[code](https://github.com/TRUST-TUDa/crowdguard)]

16. **Automatic Adversarial Adaption for Stealthy Poisoning Attacks in Federated Learning**. NDSS 2024.
`Adaptative poisoning attacks in FL` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2024-1366-paper.pdf)] 393 | 394 | 17. **FreqFed: A Frequency Analysis-Based Approach for Mitigating Poisoning Attacks in Federated Learning**. NDSS 2024. `Mitigate poisoning attack in FL using frequency analysis techniques` [[pdf](https://arxiv.org/pdf/2312.04432.pdf)] 395 | 396 | 18. **Dealing Doubt: Unveiling Threat Models in Gradient Inversion Attacks under Federated Learning – A Survey and Taxonomy**. CCS 2024. `Mitigate poisoning attack in FL using frequency analysis techniques` [[pdf](https://arxiv.org/pdf/2312.04432.pdf)] 397 | 398 | 19. **Byzantine-Robust Decentralized Federated Learning**. CCS 2024. `Byzantine robust federated learning` [[pdf](https://arxiv.org/pdf/2406.10416)] 399 | 400 | #### 1.2.2 Normal Distributed Learning 401 | 402 | 1. **Justinian's GAAvernor: Robust Distributed Learning with Gradient Aggregation Agent**. USENIX Security 2020. `Defense in Gradient Aggregation. Reinforcement learning` [[pdf](https://www.usenix.org/system/files/sec20-pan.pdf)] 403 | 404 | ### 1.3 Data Poisoning 405 | 406 | #### 1.3.1 Hijack Embedding 407 | 408 | 1. **Humpty Dumpty: Controlling Word Meanings via Corpus Poisoning**. IEEE S&P 2020. `Hijack Word Embedding` [[pdf](https://www.cs.cornell.edu/~shmat/shmat_oak20.pdf)] 409 | 410 | #### 1.3.2 Hijack Autocomplete Code 411 | 412 | 1. **You Autocomplete Me: Poisoning Vulnerabilities in Neural Code Completion**. USENIX Security 2021. `Hijack Code Autocomplete` [[pdf](https://www.usenix.org/system/files/sec21-schuster.pdf)] 413 | 414 | 2. **TROJANPUZZLE: Covertly Poisoning Code-Suggestion Models**. IEEE S&P 2024. `Hijack Code Autocomplete` [[pdf](https://arxiv.org/pdf/2301.02344.pdf)] [[code](https://github.com/microsoft/CodeGenerationPoisoning)] 415 | 416 | #### 1.3.3 Semi-Supervised Learning 417 | 418 | 1. **Poisoning the Unlabeled Dataset of Semi-Supervised Learning**. USENIX Security 2021. 
`Poisoning semi-supervised learning` [[pdf](https://www.usenix.org/system/files/sec21-carlini-poisoning.pdf)] 419 | 420 | #### 1.3.4 Recommender Systems 421 | 422 | 1. **Data Poisoning Attacks to Deep Learning Based Recommender Systems**. NDSS 2021. `The attacker chosen items are recommended as much as possible` [[pdf](https://arxiv.org/pdf/2101.02644.pdf)] 423 | 424 | 1. **Reverse Attack: Black-box Attacks on Collaborative Recommendation**. ACM CCS 2021. `Black-box setting. Surrogate model. Collaborative Filtering. Demoting and Promoting` [[pdf](https://dl.acm.org/doi/abs/10.1145/3460120.3484805)] 425 | 426 | #### 1.3.5 Classification 427 | 428 | 1. **Subpopulation Data Poisoning Attacks**. ACM CCS 2021. `Poisoning to flip a group of data samples` [[pdf](https://arxiv.org/pdf/2006.14026.pdf)] 429 | 430 | 1. **Get a Model! Model Hijacking Attack Against Machine Learning Models**. NDSS 2022. `Fusing dataset to hijacking model` [[pdf](https://arxiv.org/pdf/2111.04394.pdf)] [[code](https://github.com/AhmedSalem2/Model-Hijacking)] 431 | 432 | 433 | #### 1.3.6 Constractive Learning 434 | 435 | 1. **PoisonedEncoder: Poisoning the Unlabeled Pre-training Data in Contrastive Learning**. USENIX Security 2022. `Poison attack in constractive learning` [[pdf](https://www.usenix.org/system/files/sec22-liu-hongbin.pdf)] 436 | 437 | #### 1.3.7 Privacy 438 | 439 | 1. **Truth Serum: Poisoning Machine Learning Models to Reveal Their Secrets**. ACM CCS 2022. `Poison attack to reveal sensitive information` [[pdf](https://arxiv.org/pdf/2204.00032.pdf)] 440 | 441 | 442 | #### 1.3.8 Test-Time Poisoning 443 | 444 | 1. **Test-Time Poisoning Attacks Against Test-Time Adaptation Models**. IEEE S&P 2024. `Poisoning attack at test time` [[pdf](https://arxiv.org/pdf/2308.08505.pdf)] [[code](https://github.com/tianshuocong/TePA)] 445 | 446 | #### 1.3.9 Defense 447 | 448 | 1. **Poison Forensics: Traceback of Data Poisoning Attacks in Neural Networks**. USENIX Security 2022. 
`Identify poisioned subset by clustering and purning benign set` [[pdf](https://www.usenix.org/system/files/sec22-shan.pdf)] 449 | 450 | 2. **Understanding Implosion in Text-to-Image Generative Models**. CCS 2024. `Analytic framework for the poisoning attack against T2I model` [[pdf](https://arxiv.org/pdf/2409.12314)] 451 | 452 | #### 1.3.10 Defense 453 | 454 | ### 1.4 Backdoor 455 | 456 | #### 1.4.1 Image 457 | 458 | 1. **Demon in the Variant: Statistical Analysis of DNNs for Robust Backdoor Contamination Detection**. USENIX Security 2021. `Class-specific Backdoor. Defense by decomposition` [[pdf](https://www.usenix.org/system/files/sec21-tang-di.pdf)] 459 | 460 | 2. **Double-Cross Attacks: Subverting Active Learning Systems**. USENIX Security 2021. `Active Learning System. Backdoor Attack` [[pdf](https://www.usenix.org/system/files/sec21-vicarte.pdf)] 461 | 462 | 3. **Detecting AI Trojans Using Meta Neural Analysis**. IEEE S&P 2021. `Meta Neural Classifier` [[pdf](https://arxiv.org/pdf/1910.03137.pdf)] [[code](https://github.com/AI-secure/Meta-Nerual-Trojan-Detection)] 463 | 464 | 4. **BadEncoder: Backdoor Attacks to Pre-trained Encoders in Self-Supervised Learning**. IEEE S&P 2022. `Backdoor attack in image-text pretrained model` [[pdf](https://arxiv.org/pdf/2108.00352.pdf)] [[code](https://github.com/jjy1994/BadEncoder)] 465 | 466 | 5. **Composite Backdoor Attack for Deep Neural Network by Mixing Existing Benign Features**. ACM CCS 2020. `Composite backdoor. Image & text tasks` [[pdf](https://dl.acm.org/doi/10.1145/3372297.3423362)] [[code](https://github.com/TemporaryAcc0unt/composite-attack)] 467 | 468 | 6. **AI-Lancet: Locating Error-inducing Neurons to Optimize Neural Networks**. ACM CCS 2021. `Locate neural location and finetuning it` [[pdf](https://dl.acm.org/doi/pdf/10.1145/3460120.3484818)] 469 | 470 | 7. **LoneNeuron: a Highly-Effective Feature-Domain Neural Trojan Using Invisible and Polymorphic Watermarks**. ACM CCS 2022. 
`Backdoor attack by modifying neuros` [[pdf](https://www.ittc.ku.edu/~bluo/download/liu2022ccs.pdf)] 471 | 472 | 8. **ATTEQ-NN: Attention-based QoE-aware Evasive Backdoor Attacks**. NDSS 2022. `Backdoor attack by attention techniques` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2022-12-paper.pdf)] 473 | 474 | 9. **RAB: Provable Robustness Against Backdoor Attacks**. IEEE S&P 2023. `Backdoor Cetrification` [[pdf](https://arxiv.org/pdf/2003.08904.pdf)] 475 | 476 | 10. **A Data-free Backdoor Injection Approach in Neural Networks**. USENIX Security 2023. `Data free backdoor injection` [[pdf](https://www.usenix.org/system/files/sec23fall-prepub-573-lv.pdf)] [[code](https://github.com/lvpeizhuo/Data-free_Backdoor)] 477 | 478 | 11. **Backdoor Attacks Against Dataset Distillation**. NDSS 2023. `Backdoor attack against dataset istillation` [[pdf](https://arxiv.org/pdf/2301.01197.pdf)] [[code](https://github.com/liuyugeng/baadd)] 479 | 480 | 12. **BEAGLE: Forensics of Deep Learning Backdoor Attack for Better Defense**. NDSS 2023. `Backdoor Forensics` [[pdf](https://arxiv.org/pdf/2301.06241.pdf)] [[code](https://github.com/Megum1/BEAGLE)] 481 | 482 | 13. **Disguising Attacks with Explanation-Aware Backdoors**. IEEE S&P 2023. `Backdoor to mislead the explaination method` [[pdf](https://intellisec.de/pubs/2023-ieeesp.pdf)] 483 | 484 | 14. **Selective Amnesia: On Efficient, High-Fidelity and Blind Suppression of Backdoor Effects in Trojaned Machine Learning Models**. IEEE S&P 2023. `Finetuning to remove backdoor` [[pdf](https://arxiv.org/pdf/2212.04687.pdf)] 485 | 486 | 15. **AI-Guardian: Defeating Adversarial Attacks using Backdoors**. IEEE S&P 2023. `using backdoor to detect adversarial example. Backdoor with all-to-all mapping and reverse the mapping` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2023/933600a701/1NrbXZPyl7W)] 487 | 488 | 16. **REDEEM MYSELF: Purifying Backdoors in Deep Learning Models using Self Attention Distillation**. 
IEEE S&P 2023. `Purifying backdoor using model distillation` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2023/933600a755/1NrbYbKqcHS)] 489 | 490 | 17. **NARCISSUS: A Practical Clean-Label Backdoor Attack with Limited Information**. ACM CCS 2023. `Clean label backdoor attack` [[pdf](https://arxiv.org/pdf/2204.05255.pdf)] [[code](https://github.com/ruoxi-jia-group/Narcissus-backdoor-attack)] 491 | 492 | 18. **ASSET: Robust Backdoor Data Detection Across a Multiplicity of Deep Learning Paradigms**. USENIX Security 2023. `Backdoor Defense works in Different Learning Paradigms` [[pdf](https://www.usenix.org/system/files/usenixsecurity23-pan.pdf)] [[code](https://github.com/ruoxi-jia-group/ASSET)] 493 | 494 | 19. **ODSCAN: Backdoor Scanning for Object Detection Models**. IEEE S&P 2024. `Backdoor defense by model dynamics` [[pdf](https://arxiv.org/pdf/2312.02673.pdf)] [[github](https://github.com/tedbackdoordefense/ted)] 495 | 496 | 20. **MM-BD: Post-Training Detection of Backdoor Attacks with Arbitrary Backdoor Pattern Types Using a Maximum Margin Statistic**. IEEE S&P 2024. `Backdoor defense using maximum margin statistic in classification layer` [[pdf](https://arxiv.org/pdf/2205.06900.pdf)] [[github](https://github.com/wanghangpsu/MM-BD)] 497 | 498 | 21. **Distribution Preserving Backdoor Attack in Self-supervised Learning**. IEEE S&P 2024. `Backdoor attack in contrastive learning by improving the distribution` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a029/1RjEa5rjsHK)] [[github](https://github.com/Gwinhen/DRUPE?tab=readme-ov-file)] 499 | 500 | 22. **BadMerging: Backdoor Attacks Against Model Merging**. CCS 2024. `Backdoor attack in model merging` [[pdf](https://arxiv.org/pdf/2408.07362)] [[github](https://github.com/jzhang538/BadMerging)] 501 | 502 | #### 1.4.2 Text 503 | 504 | 1. **T-Miner: A Generative Approach to Defend Against Trojan Attacks on DNN-based Text Classification**. USENIX Security 2021. `Backdoor Defense. 
GAN to recover trigger` [[pdf](https://www.usenix.org/system/files/sec21fall-azizi.pdf)] [[code](https://github.com/reza321/T-Miner)] 505 | 506 | 2. **Hidden Backdoors in Human-Centric Language Models**. ACM CCS 2021. `Novel trigger` [[pdf](https://arxiv.org/pdf/2105.00164.pdf)] [[code](https://github.com/lishaofeng/NLP_Backdoor)] 507 | 508 | 3. **Backdoor Pre-trained Models Can Transfer to All**. ACM CCS 2021. `Backdoor in pre-trained to poison the down stream task` [[pdf](https://arxiv.org/pdf/2111.00197.pdf)] [[code](https://github.com/lishaofeng/NLP_Backdoor)] 509 | 510 | 4. **Hidden Trigger Backdoor Attack on NLP Models via Linguistic Style Manipulation**. USENIX Security 2022. `Backdoor via linguistic style manipulation` [[pdf](https://www.usenix.org/system/files/sec22-pan-hidden.pdf)] 511 | 512 | 5. **TextGuard: Provable Defense against Backdoor Attacks on Text Classification**. NDSS 2024. `Provable backdoor defense by spliting the sentence and ensumble learning` [[pdf](https://arxiv.org/pdf/2311.11225.pdf)] [[code](https://github.com/AI-secure/TextGuard)] 513 | 514 | #### 1.4.3 Graph 515 | 516 | 1. **Graph Backdoor**. USENIX Security 2021. `Classification` [[pdf](https://arxiv.org/pdf/2006.11890.pdf)] [[code](https://github.com/HarrialX/GraphBackdoor)] 517 | 518 | 2. **Distributed Backdoor Attacks on Federated Graph Learning and Certified Defenses**. CCS 2024. `Distributed Backdoor attacks on federated graph learning` [[pdf](https://arxiv.org/pdf/2407.08935)] [[code](https://github.com/Yuxin104/Opt-GDBA)] 519 | 520 | #### 1.4.4 Software 521 | 522 | 1. **Explanation-Guided Backdoor Poisoning Attacks Against Malware Classifiers**. USENIX Security 2021. `Explanation Method. Evade Classification` [[pdf](https://www.usenix.org/system/files/sec21fall-severi.pdf)] [[code](https://github.com/ClonedOne/MalwareBackdoors)] 523 | 524 | #### 1.4.5 Audio 525 | 526 | 1. **TrojanModel: A Practical Trojan Attack against Automatic Speech Recognition Systems**. IEEE S&P 2023. 
`Backdoor attack in speech recognition systems` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2023/933600a906/1Js0DtfUrKw)] 527 | 528 | 2. **MagBackdoor: Beware of Your Loudspeaker as Backdoor of Magnetic Attack for Malicious Command Injection**. IEEE S&P 2023. `Backdoor attack in audio using magentic trigget` [[pdf](https://huskyachao.github.io/publication/magbackdoor-oakland23/)] 529 | 530 | #### 1.4.6 Multimedia 531 | 532 | 1. **Backdooring Multimodal Learning**. IEEE S&P 2024. `Backdoor attack in multimedia learning` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a031/1RjEa7rmaxW)] [[code](https://github.com/multimodalbags/BAGS_Multimodal)] 533 | 534 | #### 1.4.7 Neuromorphic Data 535 | 536 | 1. **Sneaky Spikes: Uncovering Stealthy Backdoor Attacks in Spiking Neural Networks with Neuromorphic Data**. NDSS 2024. `Backdoor attack in neuromorphic data` [[pdf](https://arxiv.org/pdf/2302.06279.pdf)] [[code](https://github.com/GorkaAbad/Sneaky-Spikes)] 537 | 538 | ### 1.5 ML Library Security 539 | 540 | #### 1.5.1 Loss 541 | 542 | 1. **Blind Backdoors in Deep Learning Models**. USENIX Security 2021. `Loss Manipulation. Backdoor` [[pdf](https://www.cs.cornell.edu/~shmat/shmat_usenix21blind.pdf)] [[code](https://github.com/ebagdasa/backdoors101)] 543 | 544 | 2. **IvySyn: Automated Vulnerability Discovery in Deep Learning Frameworks**. USENIX Security 2023. `Automatic Bug Discovery in ML libraries` [[pdf](https://www.usenix.org/system/files/sec23fall-prepub-125-christou.pdf)] 545 | 546 | ### 1.6 AI4Security 547 | 548 | #### 1.6.1 Cyberbullying 549 | 550 | 1. **Towards Understanding and Detecting Cyberbullying in Real-world Images**. NDSS 2021. `Detect image cyberbully` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/ndss2021_7C-4_24260_paper.pdf)] 551 | 552 | 2. **You Only Prompt Once: On the Capabilities of Prompt Learning on Large Language Models to Tackle Toxic Content**. IEEE S&P 2024. 
`Using LLM for toxic content detection` [[pdf](https://arxiv.org/pdf/2308.05596.pdf)] [[code](https://github.com/xinleihe/toxic-prompt)] 553 | 554 | #### 1.6.2 Security Applications 555 | 556 | 1. **FARE: Enabling Fine-grained Attack Categorization under Low-quality Labeled Data**. NDSS 2021. `Clustering Method to complete the dataset label` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/ndss2021_5C-4_24403_paper.pdf)] [[code](https://github.com/junjieliang672/FARE)] 557 | 558 | 2. **From Grim Reality to Practical Solution: Malware Classification in Real-World Noise**. IEEE S&P 2023. `Noise Learning method for malware detection` [[pdf](https://henrygwb.github.io/publications/sp23.pdf)] [[code](https://github.com/gnipping/morse)] 559 | 560 | 3. **Decoding the Secrets of Machine Learning in Windows Malware Classification: A Deep Dive into Datasets, Features, and Model Performance**. ACM CCS 2023. `static features are better than dynamic feature in WindowsPE malware detection` [[pdf](https://arxiv.org/pdf/2307.14657.pdf)] 561 | 562 | 4. **KAIROS: Practical Intrusion Detection and Investigation using Whole-system Provenance**. IEEE S&P 2024. `GNN-based intrusion detection method` [[pdf](https://arxiv.org/pdf/2308.05034.pdf)] [[code](https://github.com/ProvenanceAnalytics/kairos)] 563 | 564 | 5. **FLASH: A Comprehensive Approach to Intrusion Detection via Provenance Graph Representation Learning**. IEEE S&P 2024. `GNN-based intrusion detection method` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a139/1Ub23WQw20U)] [[code](https://github.com/DART-Laboratory/Flash-IDS)] 565 | 566 | 6. **Understanding and Bridging the Gap Between Unsupervised Network Representation Learning and Security Analytics**. IEEE S&P 2024. `Unsupervised graph learning for graph-based security applications` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a012/1RjE9Q5gQrm)] [[code](https://github.com/C0ldstudy/Argus)] 567 | 568 | 7. 
**FP-Fed: Privacy-Preserving Federated Detection of Browser Fingerprinting**. NDSS 2024. `Federated learning for browser fingerprinting` [[pdf](https://arxiv.org/pdf/2311.16940.pdf)] 569 | 570 | 8. **GNNIC: Finding Long-Lost Sibling Functions with Abstract Similarity**. NDSS 2024. `GNN for static analysis` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2024-492-paper.pdf)] 571 | 572 | 9. **Experimental Analyses of the Physical Surveillance Risks in Client-Side Content Scanning**. NDSS 2024. `Attack client scanning systems` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2024-1401-paper.pdf)] 573 | 574 | 10. **Attributions for ML-based ICS Anomaly Detection: From Theory to Practice**. NDSS 2024. `Evaluating attribution methods for industrial control systems` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2024-216-paper.pdf)] [[code](https://github.com/pwwl/ics-anomaly-attribution)] 575 | 576 | 11. **DRAINCLoG: Detecting Rogue Accounts with Illegally-obtained NFTs using Classifiers Learned on Graphs**. NDSS 2024. `Detecting rogue accounts in NFTs using GNN` [[pdf](https://arxiv.org/pdf/2301.13577.pdf)] 577 | 578 | 12. **Low-Quality Training Data Only? A Robust Framework for Detecting Encrypted Malicious Network Traffic**. NDSS 2024. `Training ML-based traffic detection using low-quality data` [[pdf](https://arxiv.org/pdf/2309.04798.pdf)] [[code](https://github.com/XXnormal/RAPIER)] 579 | 580 | 13. **SafeEar: Content Privacy-Preserving Audio Deepfake Detection**. ACM CCS 2024. `Speech content privacy-preserving deepfake detection` [[pdf](https://arxiv.org/pdf/2409.09272)] [[website](https://safeearweb.github.io/Project/)] [[code](https://github.com/LetterLiGo/SafeEar)] [[dataset](https://zenodo.org/records/11229569)] 581 | 582 | 583 | #### 1.6.3 Advertisement Detection 584 | 585 | 1. **WtaGraph: Web Tracking and Advertising Detection using Graph Neural Networks**. IEEE S&P 2022. 
`GNN` [[pdf](https://zhiju.me/assets/files/WtaGraph_SP22.pdf)] 586 | 587 | #### 1.6.4 CAPTCHA 588 | 589 | 1. **Text Captcha Is Dead? A Large Scale Deployment and Empirical Studys**. ACM CCS 2020. `Adversarial CAPTCHA` [[pdf](https://nesa.zju.edu.cn/download/Text%20Captcha%20Is%20Dead%20A%20Large%20Scale%20Deployment%20and%20Empirical%20Study.pdf)] 590 | 591 | 2. **Attacks as Defenses: Designing Robust Audio CAPTCHAs Using Attacks on Automatic Speech Recognition Systems**. NDSS 2023. `Adversarial Audio CAPTCHA` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f243_paper.pdf)] [[demo](https://sites.google.com/view/attacksasdefenses/home)] 592 | 593 | 3. **A Generic, Efficient, and Effortless Solver with Self-Supervised Learning for Breaking Text Captchas**. IEEE S&P 2023. `Text CAPTCHA Solver` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2023/933600b524/1Js0E2VGRhe)] 594 | 595 | #### 1.6.5 Code Analysis 596 | 597 | 1. **PalmTree: Learning an Assembly Language Model for Instruction Embedding**. ACM CCS 2021. `Pre-trained model to generate code embedding` [[pdf](https://arxiv.org/pdf/2103.03809.pdf)] [[code](https://github.com/palmtreemodel/PalmTree)] 598 | 599 | 2. **CALLEE: Recovering Call Graphs for Binaries with Transfer and Contrastive Learning**. IEEE S&P 2023. `Recovering call graph from binaries using transfer and contrastive learning` [[pdf](https://arxiv.org/pdf/2111.01415.pdf)] [[code](https://github.com/vul337/Callee)] 600 | 601 | 3. **Examining Zero-Shot Vulnerability Repair with Large Language Models**. IEEE S&P 2023. `Zero-short vulnerability repair using large language model` [[pdf](https://arxiv.org/pdf/2112.02125.pdf)] 602 | 603 | 4. **Raconteur: A Knowledgeable, Insightful, and Portable LLM-Powered Shell Command Explainer**. NDSS 2025. `LLM-powered malicious code analysis` [[pdf](https://arxiv.org/pdf/2409.02074)] [[website](https://raconteur-ndss.github.io/)] 604 | 605 | #### 1.6.6 Chatbot 606 | 607 | 1. 
**Why So Toxic? Measuring and Triggering Toxic Behavior in Open-Domain Chatbots**. ACM CCS 2022. `Measuring Chatbot Textico behavior` [[pdf](https://arxiv.org/pdf/2209.03463.pdf)] 608 | 609 | #### 1.6.7 Side Channel Attack 610 | 611 | 1. **Towards a General Video-based Keystroke Inference Attack**. USENIX Security 2023. `Self Supervised Learning to recover the keybroad input` [[pdf](https://www.usenix.org/system/files/sec23summer_338-yang_zhuolin-prepub.pdf)] 612 | 613 | 2. **Deep perceptual hashing algorithms with hidden dual purpose: when client-side scanning does facial recognition**. IEEE S&P 2023. `Manipulate deep phash algorithm to conduct specific person inference` [[pdf](https://arxiv.org/pdf/2306.11924.pdf)] [[code](https://github.com/computationalprivacy/dual-purpose-client-side-scanning)] 614 | 615 | 616 | #### 1.6.8 Guidline 617 | 618 | 1. **Dos and Don'ts of Machine Learning in Computer Security**. USENIX Security 2022. `Survey pitfalls in ML4Security` [[pdf](https://www.usenix.org/system/files/sec22summer_arp.pdf)] 619 | 620 | 2. **“Security is not my field, I’m a stats guy”: A Qualitative Root Cause Analysis of Barriers to Adversarial Machine Learning Defenses in Industry**. USENIX Security 2023. `Survey AML Application in Industry` [[pdf](https://www.usenix.org/system/files/sec23fall-prepub-324-mink.pdf)] 621 | 622 | 3. **Everybody’s Got ML, Tell Me What Else You Have: Practitioners’ Perception of ML-Based Security Tools and Explanations**. IEEE S&P 2023. `Explainable AI in practice` [[pdf](https://gangw.cs.illinois.edu/Security_ML-user.pdf)] 623 | 624 | 625 | #### 1.6.9 Security Event 626 | 627 | 1. **CERBERUS: Exploring Federated Prediction of Security Events**. ACM CCS 2022. `Federated Learning to predict security event` [[pdf](https://arxiv.org/pdf/2209.03050.pdf)] 628 | 629 | #### 1.6.10 Vulnerability Discovery 630 | 631 | 1. **VulChecker: Graph-based Vulnerability Localization in Source Code**. USENIX Security 2023. 
`Detecting Bugs using GCN` [[pdf](https://www.usenix.org/conference/usenixsecurity23/presentation/mirsky)] [[code](https://github.com/ymirsky/VulChecker)] 632 | 633 | ### 1.7 AutoML Security 634 | 635 | #### 1.7.1 Security Analysis 636 | 637 | 1. **On the Security Risks of AutoML**. USENIX Security 2022. `Adversarial evasion. Model poisoning. Backdoor. Functionality stealing. Membership Inference` [[pdf](https://www.usenix.org/system/files/sec22summer_pang.pdf)] 638 | 639 | ### 1.8 Hardware Related Security 640 | 641 | #### 1.8.1 Verification 642 | 643 | 1. **DeepDyve: Dynamic Verification for Deep Neural Networks**. ACM CCS 2020. [[pdf](https://arxiv.org/pdf/2009.09663.pdf)] 644 | 645 | 2. **NeuroPots: Realtime Proactive Defense against Bit-Flip Attacks in Neural Networks**. USENIX Security 2023. `Honey Pot to trap the bitflip attacks` [[pdf](https://www.usenix.org/system/files/sec23summer_334-liu_qi-prepub.pdf)] 646 | 647 | 3. **Aegis: Mitigating Targeted Bit-flip Attacks against Deep Neural Networks**. USENIX Security 2023. `Train multi classifer to defend the BFA` [[pdf](https://www.usenix.org/system/files/sec23fall-prepub-246-wang-jialai.pdf)] [[code](https://github.com/vul337/Aegis)] 648 | 649 | ### 1.9 Security Related Interpreting Method 650 | 651 | #### 1.9.1 Anomaly Detection 652 | 653 | 1. **DeepAID: Interpreting and Improving Deep Learning-based Anomaly Detection in Security Applications**. ACM CCS 2021. `Anomaly detection` [[pdf](https://arxiv.org/pdf/2109.11495.pdf)] [[code](https://github.com/dongtsi/DeepAID)] 654 | 655 | #### 1.9.2 Faithfulness 656 | 657 | 1. **Good-looking but Lacking Faithfulness: Understanding Local Explanation Methods through Trend-based Testing**. ACM CCS 2023. `Trend-based faithfulness testing` [[pdf](https://arxiv.org/pdf/2309.05679.pdf)] [[code](https://github.com/JenniferHo97/XAI-TREND-TEST)] 658 | 659 | #### 1.9.3 Security Applications 660 | 661 | 1. 
**FINER: Enhancing State-of-the-art Classifiers with Feature Attribution to Facilitate Security Analysis**. ACM CCS 2023. `Ensumble explaination for different stakeholder` [[pdf](https://arxiv.org/pdf/2308.05362.pdf)] [[code](https://github.com/E0HYL/FINER-explain)] 662 | 663 | ### 1.10 Face Security 664 | 665 | #### 1.10.1 Deepfake Detection 666 | 667 | 1. **Who Are You (I Really Wanna Know)? Detecting Audio DeepFakes Through Vocal Tract Reconstruction**. USENIX Security 2022. `deepfake detection using vocal tract reconstruction` [[pdf](https://www.usenix.org/system/files/sec22fall_blue.pdf)] 668 | 669 | #### 1.10.2 Face Impersonation 670 | 671 | 1. **ImU: Physical Impersonating Attack for Face Recognition System with Natural Style Changes**. IEEE S&P 2023. `StyleGAN to impersonate persion` [[pdf](https://kaiyuanzhang.com/publications/SP23_ImU.pdf)] [[code](https://github.com/njuaplusplus/imu)] 672 | 673 | 2. **DepthFake: Spoofing 3D Face Authentication with a 2D Photo**. IEEE S&P 2023. `Adversarial image to attack 3D photos` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2023/933600b710/1Js0EgNcf8A)] [[demo](https://sites.google.com/view/depthfake)] 674 | 675 | #### 1.10.3 Face Verification Systems 676 | 677 | 1. **Understanding the (In)Security of Cross-side Face Verification Systems in Mobile Apps: A System Perspective**. IEEE S&P 2023. `Measurement study of the security risks of cross-side face verification systems.` [[pdf](https://yinzhicao.org/xfvschecker/XFVSChecker.pdf)] 678 | 679 | ### 1.10 AI Generation Security 680 | 681 | #### 1.10.1 Text Generation Detection 682 | 683 | 1. **Deepfake Text Detection: Limitations and Opportunities**. IEEE S&P 2023. `Detecting the machine generated text` [[pdf](https://arxiv.org/pdf/2210.09421.pdf)] [[code](https://github.com/jmpu/DeepfakeTextDetection)] 684 | 685 | 2. **MGTBench: Benchmarking Machine-Generated Text Detection**. CCS 2024. 
`Benchmarking machine generated text detection` [[pdf](https://arxiv.org/pdf/2303.14822)] [[code](https://github.com/xinleihe/MGTBench)]

#### 1.10.2 Deepfake

1. **SoK: The Good, The Bad, and The Unbalanced: Measuring Structural Limitations of Deepfake Media Datasets**. USENIX Security 2024. `Issues in deepfake media datasets` [[pdf](https://www.usenix.org/system/files/usenixsecurity24-layton.pdf)] [[website](https://sites.google.com/view/thegoodthebadandtheunbalanced)]

2. **SafeEar: Content Privacy-Preserving Audio Deepfake Detection**. ACM CCS 2024. `Speech content privacy-preserving deepfake detection` [[pdf](https://arxiv.org/pdf/2409.09272)] [[website](https://safeearweb.github.io/Project/)] [[code](https://github.com/LetterLiGo/SafeEar)] [[dataset](https://zenodo.org/records/11229569)]

3. **"Better Be Computer or I’m Dumb": A Large-Scale Evaluation of Humans as Audio Deepfake Detectors**. ACM CCS 2024. `Humans as deepfake detectors` [[pdf](https://cise.ufl.edu/~butler/pubs/ccs24-warren-deepfake.pdf)]

### 1.11 LLM Security

#### 1.11.1 Code Analysis

1. **Large Language Models for Code: Security Hardening and Adversarial Testing**. ACM CCS 2023. `Prefix tuning for secure code generation` [[pdf](https://arxiv.org/pdf/2302.05319.pdf)] [[code](https://github.com/eth-sri/sven)]

2. **DeGPT: Optimizing Decompiler Output with LLM**. NDSS 2024. `LLM-enhanced reverse engineering` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2024-401-paper.pdf)] [[code](https://github.com/PeiweiHu/DeGPT)]

3. **Raconteur: A Knowledgeable, Insightful, and Portable LLM-Powered Shell Command Explainer**. NDSS 2025. `LLM-powered malicious code analysis` [[pdf](https://arxiv.org/pdf/2409.02074)] [[website](https://raconteur-ndss.github.io/)]

4. **PromSec: Prompt Optimization for Secure Generation of Functional Source Code with Large Language Models (LLMs)**. CCS 2024. `Black-box LLM secure code generation` [[pdf](https://arxiv.org/pdf/2409.12699)] [[code](https://github.com/mahmoudkanazzal/PromSec)]

#### 1.11.2 Vision-Language Model

1. **Transferable Multimodal Attack on Vision-Language Pre-training Models**. IEEE S&P 2024. `Transferable adversarial attack on VLM` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a102/1Ub239H4xyg)]

2. **SneakyPrompt: Jailbreaking Text-to-image Generative Models**. IEEE S&P 2024. `Jailbreaking text-to-image generative models using reinforcement-learning adversarial NLP methods` [[pdf](https://arxiv.org/pdf/2305.12082.pdf)] [[code](https://github.com/Yuchen413/text2image_safety)]

3. **SafeGen: Mitigating Unsafe Content Generation in Text-to-Image Models**. ACM CCS 2024. `Defending against unsafe content generation in text-to-image models` [[pdf](https://arxiv.org/pdf/2404.06666)] [[code](https://github.com/LetterLiGo/SafeGen_CCS2024)] [[model](https://huggingface.co/LetterJohn/SafeGen-Pretrained-Weights)]

4. **SurrogatePrompt: Bypassing the Safety Filter of Text-to-Image Models via Substitution**. ACM CCS 2024. `Bypassing the safety filter of T2I models` [[pdf](https://arxiv.org/pdf/2309.14122)]

5. **Moderator: Moderating Text-to-Image Diffusion Models through Fine-grained Context-based Policies**. ACM CCS 2024. `Content moderation for T2I models` [[pdf](https://arxiv.org/pdf/2408.07728)] [[code](https://github.com/DataSmithLab/Moderator)]

#### 1.11.3 Jailbreaking

1. **MASTERKEY: Automated Jailbreaking of Large Language Model Chatbots**. NDSS 2024. `LLM jailbreaking` [[pdf](https://arxiv.org/pdf/2307.08715.pdf)]

2. **Legilimens: Practical and Unified Content Moderation for Large Language Model Services**. ACM CCS 2024. `Jailbreaking input/output moderation` [[pdf](https://arxiv.org/pdf/2408.15488)] [[code](https://github.com/lin000001/Legilimens)]

#### 1.11.4 Robustness

1. **Improving the Robustness of Transformer-based Large Language Models with Dynamic Attention**. NDSS 2024. `Improving the robustness of LLMs by dynamic attention` [[pdf](https://arxiv.org/pdf/2311.17400.pdf)]

#### 1.11.5 Generated Content Detection

1. **DEMASQ: Unmasking the ChatGPT Wordsmith**. NDSS 2024. `Generated text detection` [[pdf](https://arxiv.org/pdf/2311.05019.pdf)]

2. **Organic or Diffused: Can We Distinguish Human Art from AI-generated Images?**. CCS 2024. `Distinguishing human art from AI-generated images` [[pdf](https://arxiv.org/pdf/2402.03214)]

3. **On the Detectability of ChatGPT Content: Benchmarking, Methodology, and Evaluation through the Lens of Academic Writing**. CCS 2024. `LLM-generated content detection` [[pdf](https://arxiv.org/pdf/2306.05524v2)]

#### 1.11.6 Backdoor Detection

1. **LMSanitator: Defending Prompt-Tuning Against Task-Agnostic Backdoors**. NDSS 2024. `Task-agnostic backdoor detection` [[pdf](https://arxiv.org/pdf/2308.13904.pdf)] [[code](https://github.com/meng-wenlong/LMSanitator)]

#### 1.11.7 Bias

1. **GenderCARE: A Comprehensive Framework for Assessing and Reducing Gender Bias in Large Language Models**. CCS 2024. `Measuring gender bias in LLMs` [[pdf](https://arxiv.org/pdf/2408.12494)] [[code](https://github.com/kstanghere/GenderCARE-ccs24)]

2. **A Causal Explainable Guardrails for Large Language Models**. ACM CCS 2024. `Causal inference for debiasing` [[pdf](https://arxiv.org/pdf/2405.04160)] [[code](https://github.com/lin000001/Legilimens)]

3. **Image-Perfect Imperfections: Safety, Bias, and Authenticity in the Shadow of Text-To-Image Model Evolution**. ACM CCS 2024. `Bias in text-to-image models` [[pdf](https://web3.arxiv.org/pdf/2408.17285)] [[code](https://github.com/lin000001/Legilimens)]

#### 1.11.8 Prompt Injection

1. **Optimization-based Prompt Injection Attack to LLM-as-a-Judge**. CCS 2024. `Prompt injection attack on LLM-as-a-judge` [[pdf](https://arxiv.org/pdf/2403.17710)] [[code](https://github.com/TrustAIRLab/T2I_Model_Evolution)]

## 2. Privacy Papers

### 2.1 Training Data

#### 2.1.1 Data Recovery

1. **Updates-Leak: Data Set Inference and Reconstruction Attacks in Online Learning**. USENIX Security 2020. `Online learning. Model updates` [[pdf](https://www.usenix.org/system/files/sec20summer_salem_prepub.pdf)]

2. **Extracting Training Data from Large Language Models**. USENIX Security 2021. `Membership inference attack. GPT-2` [[pdf](https://www.usenix.org/system/files/sec21-carlini-extracting.pdf)]

3. **Analyzing Information Leakage of Updates to Natural Language Models**. ACM CCS 2020. `Data leakage in model changes` [[pdf](https://www.microsoft.com/en-us/research/uploads/prod/2020/09/ccs20.pdf)]

4. **TableGAN-MCA: Evaluating Membership Collisions of GAN-Synthesized Tabular Data Releasing**. ACM CCS 2021. `Membership collision in GAN` [[pdf](https://arxiv.org/pdf/2107.13190.pdf)]

5. **DataLens: Scalable Privacy Preserving Training via Gradient Compression and Aggregation**. ACM CCS 2021. `DP to train a privacy-preserving GAN` [[pdf](https://arxiv.org/pdf/2103.11109.pdf)]

6. **Property Inference Attacks Against GANs**. NDSS 2022. `Property inference attacks against GANs` [[pdf](https://yangzhangalmo.github.io/papers/NDSS22-PIAGAN.pdf)] [[code](https://github.com/Zhou-Junhao/PIA_GAN)]

7. **MIRROR: Model Inversion for Deep Learning Network with High Fidelity**. NDSS 2022. `Model inversion attack using GAN` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2022-335-paper.pdf)] [[code](https://model-inversion.github.io/mirror/)]

8. **Analyzing Leakage of Personally Identifiable Information in Language Models**. IEEE S&P 2023. `Personally identifiable information leakage in language models` [[pdf](https://arxiv.org/pdf/2302.00539.pdf)] [[code](https://github.com/microsoft/analysing_pii_leakage)]

9. **Timing Channels in Adaptive Neural Networks**. NDSS 2024. `Infer inputs of adaptive NNs using timing information` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2024-125-paper.pdf)] [[code](https://github.com/akinsanyaayomide/ADNNTimeLeaks)]

10. **Crafter: Facial Feature Crafting against Inversion-based Identity Theft on Deep Models**. NDSS 2024. `Protection against model inversion attacks` [[pdf](https://arxiv.org/pdf/2401.07205.pdf)] [[code](https://github.com/ShimingWang98/Facial_Feature_Crafting_against_Inversion_based_Identity_Theft/tree/main)]

11. **Transpose Attack: Stealing Datasets with Bidirectional Training**. NDSS 2024. `Stealing datasets in bidirectional models` [[pdf](https://arxiv.org/pdf/2311.07389.pdf)] [[code](https://github.com/guyAmit/Transpose-Attack-paper-NDSS24-/tree/main)]

12. **SafeEar: Content Privacy-Preserving Audio Deepfake Detection**. ACM CCS 2024. `Speech content privacy-preserving deepfake detection` [[pdf](https://arxiv.org/pdf/2409.09272)] [[website](https://safeearweb.github.io/Project/)] [[code](https://github.com/LetterLiGo/SafeEar)] [[dataset](https://zenodo.org/records/11229569)]

13. **Dye4AI: Assuring Data Boundary on Generative AI Services**. ACM CCS 2024. `Dye testing system for LLMs` [[pdf](https://arxiv.org/pdf/2406.14114)]

14. **Evaluations of Machine Learning Privacy Defenses are Misleading**. ACM CCS 2024. `Evaluation of DP defenses` [[pdf](https://arxiv.org/pdf/2404.17399)] [[code](https://github.com/ethz-spylab/misleading-privacy-evals?tab=readme-ov-file)]

#### 2.1.2 Membership Inference Attack

1. **Stolen Memories: Leveraging Model Memorization for Calibrated White-Box Membership Inference**. USENIX Security 2020. `White-box setting` [[pdf](https://www.usenix.org/system/files/sec20-leino.pdf)]

2. **Systematic Evaluation of Privacy Risks of Machine Learning Models**. USENIX Security 2020. `Metric-based membership inference attack method. Defines a privacy risk score` [[pdf](https://www.usenix.org/system/files/sec21fall-song.pdf)] [[code](https://github.com/inspire-group/membership-inference-evaluation)]

3. **Practical Blind Membership Inference Attack via Differential Comparisons**. NDSS 2021. `Use non-member data to replace the shadow model` [[pdf](https://arxiv.org/pdf/2101.01341.pdf)] [[code](https://github.com/hyhmia/BlindMI)]

4. **GAN-Leaks: A Taxonomy of Membership Inference Attacks against Generative Models**. ACM CCS 2020. `Membership inference attack in generative models. Members have small reconstruction error` [[pdf](https://arxiv.org/pdf/1909.03935.pdf)]

5. **Quantifying and Mitigating Privacy Risks of Contrastive Learning**. ACM CCS 2021. `Membership inference attack. Property inference attack. Contrastive learning in classification tasks` [[pdf](https://yangzhangalmo.github.io/papers/CCS21-ContrastivePrivacy.pdf)] [[code](https://github.com/xinleihe/ContrastiveLeaks)]

6. **Membership Inference Attacks Against Recommender Systems**. ACM CCS 2021. `Recommender systems` [[pdf](https://yangzhangalmo.github.io/papers/CCS21-RecommenderMIA.pdf)] [[code](https://github.com/minxingzhang/MIARS)]

7. **EncoderMI: Membership Inference against Pre-trained Encoders in Contrastive Learning**. ACM CCS 2021. `Contrastive learning in pre-trained models. Data augmentations of members have higher similarity` [[pdf](https://arxiv.org/pdf/2108.11023.pdf)] [[code](https://github.com/minxingzhang/MIARS)]

8. **Auditing Membership Leakages of Multi-Exit Networks**. ACM CCS 2022. `Membership inference attack in multi-exit networks` [[pdf](https://arxiv.org/pdf/2208.11180.pdf)]

9. **Membership Inference Attacks by Exploiting Loss Trajectory**. ACM CCS 2022. `Membership inference attack, knowledge distillation` [[pdf](https://arxiv.org/pdf/2208.14933.pdf)]

10. **On the Privacy Risks of Cell-Based NAS Architectures**. ACM CCS 2022. `Membership inference attack in NAS` [[pdf](https://arxiv.org/pdf/2209.01688.pdf)]

11. **Membership Inference Attacks and Defenses in Neural Network Pruning**. USENIX Security 2022. `Membership inference attack in neural network pruning` [[pdf](https://www.usenix.org/system/files/sec22-yuan-xiaoyong.pdf)]

12. **Mitigating Membership Inference Attacks by Self-Distillation Through a Novel Ensemble Architecture**. USENIX Security 2022. `Membership inference defense by ensemble` [[pdf](https://www.usenix.org/system/files/sec22-yuan-xiaoyong.pdf)]

13. **Enhanced Membership Inference Attacks against Machine Learning Models**. USENIX Security 2022. `Membership inference attack with hypothesis testing` [[pdf](https://arxiv.org/pdf/2111.09679.pdf)] [[code](https://github.com/privacytrustlab/ml_privacy_meter/tree/master/research/2022_enhanced_mia)]

14. **Membership Inference Attacks and Generalization: A Causal Perspective**. ACM CCS 2022. `Membership inference attack with causal reasoning` [[pdf](https://arxiv.org/pdf/2209.08615.pdf)]

15. **SLMIA-SR: Speaker-Level Membership Inference Attacks against Speaker Recognition Systems**. NDSS 2024. `Membership inference attack in speaker recognition` [[pdf](https://arxiv.org/pdf/2309.07983.pdf)] [[code](https://github.com/S3L-official/SLMIA-SR)]

16. **Overconfidence is a Dangerous Thing: Mitigating Membership Inference Attacks by Enforcing Less Confident Prediction**. NDSS 2024. `Defense against membership inference attacks` [[pdf](https://arxiv.org/pdf/2307.01610.pdf)] [[code](https://github.com/DependableSystemsLab/MIA_defense_HAMP)]

17. **A General Framework for Data-Use Auditing of ML Models**. CCS 2024. `Membership inference attack for data auditing` [[pdf](https://arxiv.org/pdf/2407.15100)] [[code](https://github.com/zonghaohuang007/ML_data_auditing)]

18. **Membership Inference Attacks Against In-Context Learning**. CCS 2024. `Membership inference attack in in-context learning` [[pdf](https://arxiv.org/pdf/2409.01380)]

19. **Is Difficulty Calibration All We Need? Towards More Practical Membership Inference Attacks**. CCS 2024. `Difficulty calibration in membership inference attacks` [[pdf](https://arxiv.org/pdf/2409.00426)] [[code](https://github.com/T0hsakar1n/Is-Difficulty-Calibration-All-We-Need-Towards-More-Practical-Membership-Inference-Attacks)]

#### 2.1.3 Information Leakage in Distributed ML System

1. **Label Inference Attacks Against Vertical Federated Learning**. USENIX Security 2022. `Label leakage. Federated learning` [[pdf](https://www.usenix.org/system/files/sec22summer_fu.pdf)] [[code](https://github.com/minxingzhang/MIARS)]

2. **The Value of Collaboration in Convex Machine Learning with Differential Privacy**. IEEE S&P 2020. `DP as defense` [[pdf](https://arxiv.org/pdf/1906.09679.pdf)]

3. **Leakage of Dataset Properties in Multi-Party Machine Learning**. USENIX Security 2021. `Dataset property leakage` [[pdf](https://www.usenix.org/system/files/sec21-zhang-wanrong.pdf)]

4. **Unleashing the Tiger: Inference Attacks on Split Learning**. ACM CCS 2021. `Split learning. Feature-space hijacking attack` [[pdf](https://arxiv.org/pdf/2012.02670.pdf)] [[code](https://github.com/pasquini-dario/SplitNN_FSHA)]

5. **Local and Central Differential Privacy for Robustness and Privacy in Federated Learning**. NDSS 2022. `DP in federated learning` [[pdf](https://arxiv.org/pdf/2009.03561.pdf)]

6. **Gradient Obfuscation Gives a False Sense of Security in Federated Learning**. USENIX Security 2023. `Data recovery in federated learning` [[pdf](https://www.usenix.org/system/files/sec23summer_372-yue-prepub.pdf)]

7. **PPA: Preference Profiling Attack Against Federated Learning**. NDSS 2023. `Preference leakage in federated learning` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_s171_paper.pdf)] [[code](https://github.com/PPAattack/PPAattack)]

8. **On the (In)security of Peer-to-Peer Decentralized Machine Learning**. IEEE S&P 2023. `Information leakage in peer-to-peer decentralized machine learning systems` [[pdf](https://arxiv.org/pdf/2205.08443.pdf)]

9. **RoFL: Robustness of Secure Federated Learning**. IEEE S&P 2023. `Robust federated learning framework using secure aggregation` [[pdf](https://arxiv.org/pdf/2107.03311.pdf)] [[code](https://github.com/pps-lab/rofl-project-code)]

10. **Scalable and Privacy-Preserving Federated Principal Component Analysis**. IEEE S&P 2023. `Privacy-preserving federated PCA algorithm` [[pdf](https://arxiv.org/pdf/2304.00129.pdf)]

11. **Protecting Label Distribution in Cross-Silo Federated Learning**. IEEE S&P 2024. `Privacy-preserving SGD to protect the label distribution` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a113/1Ub23mqt0hG)]

12. **LOKI: Large-scale Data Reconstruction Attack against Federated Learning through Model Manipulation**. IEEE S&P 2024. `Dataset reconstruction attack in federated learning by sending customized convolutional kernels` [[pdf](https://arxiv.org/pdf/2303.12233.pdf)]

13. **Analyzing Inference Privacy Risks Through Gradients In Machine Learning**. CCS 2024. `Information leakage through gradients` [[pdf](https://arxiv.org/pdf/2408.16913)]

#### 2.1.4 Information Leakage in Embedding

1. **Privacy Risks of General-Purpose Language Models**. IEEE S&P 2020. `Pretrained language models` [[pdf](https://nesa.zju.edu.cn/download/Privacy%20Risks%20of%20General-Purpose%20Language%20Models.pdf)]

2. **Information Leakage in Embedding Models**. ACM CCS 2020. `Exact word recovery. Attribute inference. Membership inference` [[pdf](https://arxiv.org/pdf/2004.00053.pdf)]

3. **Honest-but-Curious Nets: Sensitive Attributes of Private Inputs Can Be Secretly Coded into the Classifiers' Outputs**. ACM CCS 2021. `Infer private information from classification outputs` [[pdf](https://arxiv.org/pdf/2105.12049.pdf)] [[code](https://github.com/mmalekzadeh/honest-but-curious-nets)]

#### 2.1.5 Graph Leakage

1. **Stealing Links from Graph Neural Networks**. USENIX Security 2021. `Inferring graph links` [[pdf](https://arxiv.org/pdf/2105.12049.pdf)]

2. **Inference Attacks Against Graph Neural Networks**. USENIX Security 2022. `Property inference: number of nodes. Subgraph inference. Graph reconstruction` [[pdf](https://www.usenix.org/system/files/sec22summer_zhang-zhikun.pdf)] [[code](https://github.com/Zhangzhk0819/GNN-Embedding-Leaks)]

3. **LinkTeller: Recovering Private Edges from Graph Neural Networks via Influence Analysis**. IEEE S&P 2022. `Use node connection influence to infer graph edges` [[pdf](https://arxiv.org/pdf/2108.06504.pdf)]

4. **Locally Private Graph Neural Networks**. IEEE S&P 2022. `LDP as defense for node privacy` [[pdf](https://arxiv.org/pdf/2006.05535.pdf)] [[code](https://github.com/sisaman/LPGNN)]

5. **Finding MNEMON: Reviving Memories of Node Embeddings**. ACM CCS 2022. `Graph recovery attack through node embeddings` [[pdf](https://arxiv.org/pdf/2204.06963.pdf)]

6. **Group Property Inference Attacks Against Graph Neural Networks**. ACM CCS 2022. `Group property inference attack on GNNs` [[pdf](https://arxiv.org/pdf/2209.01100.pdf)]

7. **LPGNet: Link Private Graph Networks for Node Classification**. ACM CCS 2022. `DP to build private GNNs` [[pdf](https://arxiv.org/pdf/2205.03105.pdf)]

8. **GraphGuard: Detecting and Counteracting Training Data Misuse in Graph Neural Networks**. NDSS 2024. `Mitigate data misuse issues in GNNs` [[pdf](https://arxiv.org/pdf/2312.07861.pdf)] [[code](https://github.com/GraphGuard/GraphGuard-Proactive)]

#### 2.1.6 Unlearning

1. **Machine Unlearning**. IEEE S&P 2020. `Shard and isolate the training dataset` [[pdf](https://arxiv.org/pdf/1912.03817.pdf)] [[code](https://github.com/cleverhans-lab/machine-unlearning)]

2. **When Machine Unlearning Jeopardizes Privacy**. ACM CCS 2021. `Membership inference attack in the unlearning setting` [[pdf](https://arxiv.org/pdf/2005.02205.pdf)] [[code](https://github.com/MinChen00/UnlearningLeaks)]

3. **Graph Unlearning**. ACM CCS 2022. `Graph unlearning` [[pdf](https://arxiv.org/pdf/2103.14991.pdf)] [[code](https://github.com/MinChen00/Graph-Unlearning)]

4. **On the Necessity of Auditable Algorithmic Definitions for Machine Unlearning**. ACM CCS 2022. `Auditable unlearning` [[pdf](https://www.usenix.org/system/files/sec22fall_thudi.pdf)]

5. **Machine Unlearning of Features and Labels**. NDSS 2023. `Influence functions to achieve unlearning` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_s87_paper.pdf)] [[code](https://github.com/alewarne/MachineUnlearning)]

6. **A Duty to Forget, a Right to be Assured? Exposing Vulnerabilities in Machine Unlearning Services**. NDSS 2024. `Vulnerabilities in machine unlearning services` [[pdf](https://arxiv.org/pdf/2309.08230.pdf)] [[code](https://github.com/TASI-LAB/Over-unlearning)]

7. **ERASER: Machine Unlearning in MLaaS via an Inference Serving-Aware Approach**. CCS 2024. `Machine unlearning with an inference serving-aware approach` [[pdf](https://arxiv.org/pdf/2311.16136)]

#### 2.1.7 Attribute Inference Attack

1. **Are Attribute Inference Attacks Just Imputation?**. ACM CCS 2022. `Attribute inference attack via neurons identified with data` [[pdf](https://arxiv.org/pdf/2209.01292.pdf)] [[code](https://github.com/bargavj/EvaluatingDPML)]

2. **Feature Inference Attack on Shapley Values**. ACM CCS 2022. `Attribute inference attack using Shapley values` [[pdf](https://dl.acm.org/doi/abs/10.1145/3548606.3560573)]

3. **QuerySnout: Automating the Discovery of Attribute Inference Attacks against Query-Based Systems**. ACM CCS 2022. `Attribute inference detection` [[pdf](https://arxiv.org/pdf/2211.05249.pdf)]

#### 2.1.7 Property Inference Attack

1. **SNAP: Efficient Extraction of Private Properties with Poisoning**. IEEE S&P 2023. `Stronger property inference attack by poisoning the data` [[pdf](https://arxiv.org/pdf/2208.12348.pdf)] [[code](https://github.com/johnmath/snap-sp23)]

#### 2.1.8 Data Synthesis

1. **SoK: Privacy-Preserving Data Synthesis**. IEEE S&P 2024. `Privacy-preserving data synthesis` [[pdf](https://arxiv.org/pdf/2307.02106.pdf)] [[website](https://sok-ppds.github.io/)]

#### 2.1.8 Dataset Auditing

1. **ORL-AUDITOR: Dataset Auditing in Offline Deep Reinforcement Learning**. NDSS 2024. `Dataset auditing in deep reinforcement learning` [[pdf](https://arxiv.org/pdf/2309.03081.pdf)] [[code](https://github.com/link-zju/ORL-Auditor)]

### 2.2 Model

#### 2.2.1 Model Extraction

1. **Exploring Connections Between Active Learning and Model Extraction**. USENIX Security 2020. `Active learning` [[pdf](https://www.usenix.org/system/files/sec20-chandrasekaran.pdf)]

2. **High Accuracy and High Fidelity Extraction of Neural Networks**. USENIX Security 2020. `Fidelity` [[pdf](https://arxiv.org/pdf/1909.01838.pdf)]

3. **DRMI: A Dataset Reduction Technology based on Mutual Information for Black-box Attacks**. USENIX Security 2021. `Query data selection method to reduce the number of queries` [[pdf](https://www.usenix.org/system/files/sec21-he-yingzhe.pdf)]

4. **Entangled Watermarks as a Defense against Model Extraction**. USENIX Security 2021. `Backdoor as watermark against model extraction` [[pdf](https://www.usenix.org/system/files/sec21fall-jia.pdf)]

5. **CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples**. NDSS 2020. `Adversarial examples to strengthen model stealing` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24178.pdf)]

6. **Teacher Model Fingerprinting Attacks Against Transfer Learning**. USENIX Security 2022. `Teacher model fingerprinting` [[pdf](https://www.usenix.org/system/files/sec22-chen-yufei.pdf)]

7. **StolenEncoder: Stealing Pre-trained Encoders in Self-supervised Learning**. ACM CCS 2022. `Model stealing attack on encoders` [[pdf](https://arxiv.org/pdf/2201.05889.pdf)]

8. **D-DAE: Defense-Penetrating Model Extraction Attacks**. IEEE S&P 2023. `Meta-classifier to classify the defense and generator model to reduce the noise` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2023/933600a432/1He7YbsiH4c)]

9. **SoK: Neural Network Extraction Through Physical Side Channels**. USENIX Security 2024. `Physical side-channel-based model extraction` [[pdf](https://www.usenix.org/system/files/usenixsecurity24-horvath.pdf)]

10. **SoK: All You Need to Know About On-Device ML Model Extraction - The Gap Between Research and Practice**. USENIX Security 2024. `On-device model extraction` [[pdf](https://www.usenix.org/system/files/usenixsecurity24-nayan.pdf)]

#### 2.2.2 Model Watermark

1. **Adversarial Watermarking Transformer: Towards Tracing Text Provenance with Data Hiding**. IEEE S&P 2021. `Encode a secret message into LM output` [[pdf](https://arxiv.org/pdf/2009.03015.pdf)]

2. **Rethinking White-Box Watermarks on Deep Learning Models under Neural Structural Obfuscation**. USENIX Security 2023. `Inject dummy neurons into the model to break white-box model watermarks` [[pdf](https://www.usenix.org/system/files/sec23fall-prepub-444-yan-yifan.pdf)]

3. **MEA-Defender: A Robust Watermark against Model Extraction Attack**. IEEE S&P 2024. `Backdoor as watermark` [[pdf](https://arxiv.org/pdf/2401.15239.pdf)] [[code](https://github.com/lvpeizhuo/MEA-Defender)]

4. **SSL-WM: A Black-Box Watermarking Approach for Encoders Pre-trained by Self-Supervised Learning**. NDSS 2024. `Watermark for self-supervised learning` [[pdf](https://arxiv.org/pdf/2209.03563.pdf)] [[code](https://github.com/lvpeizhuo/SSL-WM)]

#### 2.2.3 Model Ownership

1. **Proof-of-Learning: Definitions and Practice**. IEEE S&P 2021. `Prove the ownership of model parameters` [[pdf](https://arxiv.org/pdf/2103.05633.pdf)]

2. **SoK: How Robust is Image Classification Deep Neural Network Watermarking?**. IEEE S&P 2022. `Survey of DNN watermarking` [[pdf](https://arxiv.org/pdf/2108.04974.pdf)]

3. **Copy, Right? A Testing Framework for Copyright Protection of Deep Learning Models**. IEEE S&P 2022. `Calculate model similarity by generating test examples` [[pdf](https://nesa.zju.edu.cn/download/cjl_pdf_sp22.pdf)] [[code](https://github.com/Testing4AI/DeepJudge)]

4. **SSLGuard: A Watermarking Scheme for Self-supervised Learning Pre-trained Encoders**. ACM CCS 2022. `Watermarking for encoders` [[pdf](https://arxiv.org/pdf/2201.11692.pdf)]

5. **RAI2: Responsible Identity Audit Governing the Artificial Intelligence**. NDSS 2023. `Model and data auditing in AI` [[pdf](https://arxiv.org/pdf/2201.11692.pdf)] [[code](https://github.com/chichidd/RAI2)]

6. **ActiveDaemon: Unconscious DNN Dormancy and Waking Up via User-specific Invisible Token**. NDSS 2024. `Protecting DNN models by user-specific tokens` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2024-588-paper.pdf)] [[code](https://github.com/LANCEREN/ActiveDaemon)]

#### 2.2.4 Model Integrity

1. **PublicCheck: Public Integrity Verification for Services of Run-time Deep Models**. IEEE S&P 2023. `Model verification via crafted queries` [[pdf](https://arxiv.org/pdf/2203.10902.pdf)]

### 2.3 User Related Privacy

#### 2.3.1 Image

1. **Fawkes: Protecting Privacy against Unauthorized Deep Learning Models**. USENIX Security 2020. `Protect face privacy` [[pdf](https://people.cs.uchicago.edu/~ravenben/publications/pdf/fawkes-usenix20.pdf)] [[code](https://github.com/Shawn-Shan/fawkes)]

2. **Automatically Detecting Bystanders in Photos to Reduce Privacy Risks**. IEEE S&P 2020. `Detecting bystanders` [[pdf](http://vision.soic.indiana.edu/papers/bystander2020oakland.pdf)]

3. **Characterizing and Detecting Non-Consensual Photo Sharing on Social Networks**. IEEE S&P 2020. `Detecting non-consensual people in a photo` [[pdf](https://dl.acm.org/doi/abs/10.1145/3548606.3560571)]

4. **Fairness Properties of Face Recognition and Obfuscation Systems**. USENIX Security 2023. `Fairness in face-related models` [[pdf](https://www.usenix.org/conference/usenixsecurity23/presentation/rosenberg)] [[code](https://github.com/wi-pi/fairness_face_obfuscation)]

### 2.4 Private ML Protocols

#### 2.4.1 3PC

1. **SWIFT: Super-fast and Robust Privacy-Preserving Machine Learning**. USENIX Security 2021. [[pdf](https://arxiv.org/pdf/2005.10296.pdf)]

2. **BLAZE: Blazing Fast Privacy-Preserving Machine Learning**. NDSS 2020. [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24202-paper.pdf)]

3. **Bicoptor: Two-round Secure Three-party Non-linear Computation without Preprocessing for Privacy-preserving Machine Learning**. IEEE S&P 2023. [[pdf](https://arxiv.org/pdf/2210.01988.pdf)]

4. **Ents: An Efficient Three-party Training Framework for Decision Trees by Communication Optimization**. CCS 2024. [[pdf](https://arxiv.org/pdf/2406.07948)]

#### 2.4.2 4PC

1. **Trident: Efficient 4PC Framework for Privacy Preserving Machine Learning**. NDSS 2020. [[pdf](https://arxiv.org/pdf/1912.02631.pdf)]

#### 2.4.3 SMPC

1. **Cerebro: A Platform for Multi-Party Cryptographic Collaborative Learning**. USENIX Security 2021. [[pdf](https://www.usenix.org/system/files/sec21-zheng.pdf)] [[code](https://github.com/mc2-project/cerebro)]

2. **Private, Efficient, and Accurate: Protecting Models Trained by Multi-party Learning with Differential Privacy**. IEEE S&P 2023. [[pdf](https://arxiv.org/pdf/2208.08662.pdf)]

3. **MPCDiff: Testing and Repairing MPC-Hardened Deep Learning Models**. NDSS 2023. [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2024-380-paper.pdf)] [[code](https://github.com/Qi-Pang/MPCDiff)]

4. **Pencil: Private and Extensible Collaborative Learning without the Non-Colluding Assumption**. NDSS 2024. [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2024-512-paper.pdf)] [[code](https://github.com/lightbulb128/Pencil)]

5. **Securely Training Decision Trees Efficiently**. CCS 2024. [[pdf](https://eprint.iacr.org/2024/1077.pdf)]

6. **CoGNN: Towards Secure and Efficient Collaborative Graph Learning**. CCS 2024. [[pdf](https://eprint.iacr.org/2024/987.pdf)]

#### 2.4.4 Cryptographic NN Computation

1. **SoK: Cryptographic Neural-Network Computation**. IEEE S&P 2023. [[pdf](https://sokcryptonn.github.io/)]

2. **From Individual Computation to Allied Optimization: Remodeling Privacy-Preserving Neural Inference with Function Input Tuning**. IEEE S&P 2024. [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a101/1Ub238IknIs)]

3. **BOLT: Privacy-Preserving, Accurate and Efficient Inference for Transformers**. IEEE S&P 2024. [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a130/1Ub23O2X00U)] [[code](https://github.com/Clive2312/BOLT)]

#### 2.4.5 Secure Aggregation

1. **Flamingo: Multi-Round Single-Server Secure Aggregation with Applications to Private Federated Learning**. IEEE S&P 2023. [[pdf](https://sokcryptonn.github.io/)] [[code](https://github.com/eniac/flamingo)]

2. **ELSA: Secure Aggregation for Federated Learning with Malicious Actors**. IEEE S&P 2023. [[pdf](https://eprint.iacr.org/2022/1695.pdf)] [[code](https://github.com/ucbsky/elsa)]

### 2.5 Platform

#### 2.5.1 Inference Attack Measurement

1. **ML-Doctor: Holistic Risk Assessment of Inference Attacks Against Machine Learning Models**. USENIX Security 2022. `Membership inference attack. Model inversion. Attribute inference. Model stealing` [[pdf](https://www.usenix.org/system/files/sec22summer_liu-yugeng.pdf)]

#### 2.5.2 Survey

1. **SoK: Let the Privacy Games Begin! A Unified Treatment of Data Inference Privacy in Machine Learning**. IEEE S&P 2023. `Systematizing privacy risks using a game framework` [[pdf](https://arxiv.org/pdf/2212.10986.pdf)]

### 2.6 Differential Privacy

#### 2.6.1 Tree Model

1. **Federated Boosted Decision Trees with Differential Privacy**. ACM CCS 2022. `Federated learning with tree models under DP` [[pdf](http://dimacs.rutgers.edu/~graham/pubs/papers/dpxgboost.pdf)]

#### 2.6.2 DP

1. **Spectral-DP: Differentially Private Deep Learning through Spectral Perturbation and Filtering**. IEEE S&P 2023. `Spectral DP` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2023/933600b944/1NrbZkrFZi8)]

2. **Spectral-DP: Differentially Private Deep Learning through Spectral Perturbation and Filtering**. IEEE S&P 2024. `Spectral DP` [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a088/1Ub22UPYcsU)]

3. **Bounded and Unbiased Composite Differential Privacy**. IEEE S&P 2024. `Composite DP` [[pdf](https://arxiv.org/pdf/2311.02324.pdf)] [[code](https://github.com/CompositeDP/CompositeDP)]

4. **Cohere: Managing Differential Privacy in Large Scale Systems**. IEEE S&P 2024. `Unified DP in large systems` [[pdf](https://arxiv.org/pdf/2301.08517.pdf)] [[code](https://github.com/pps-lab/cohere)]

5. **You Can Use But Cannot Recognize: Preserving Visual Privacy in Deep Neural Networks**. NDSS 2024. `DP in image recognition` [[pdf](https://www.ndss-symposium.org/wp-content/uploads/2024-1361-paper.pdf)] [[code](https://github.com/Edison9419/ndss)]

#### 2.6.3 LDP

1. **Locally Differentially Private Frequency Estimation Based on Convolution Framework**. IEEE S&P 2023. [[pdf](https://www.computer.org/csdl/proceedings-article/sp/2023/933600c208/1NrbZx7nFkI)]

2. **Data Poisoning Attacks to Locally Differentially Private Frequent Itemset Mining Protocols**. CCS 2024. [[pdf](https://arxiv.org/pdf/2406.19466)]

### 2.7 LLM Privacy

#### 2.7.1 Prompt Privacy

1. **PLeak: Prompt Leaking Attacks against Large Language Model Applications**. CCS 2024. `Stealing system prompts` [[pdf](https://arxiv.org/pdf/2405.06823)] [[code](https://github.com/BHui97/PLeak)]

## Contributing

This list is mainly maintained by Ping He from [NESA Lab](https://nesa.zju.edu.cn/index.html).

Contributions to this repository are very welcome!

**Markdown format**
```markdown
**Paper Name**. Conference Year. `Keywords` [[pdf](pdf_link)] [[code](code_link)]
```

## Licenses

[![CC0](http://i.creativecommons.org/p/zero/1.0/88x31.png)](http://creativecommons.org/publicdomain/zero/1.0/)

To the extent possible under law, [gnipping](https://github.com/gnipping) holds all copyright and related or neighboring rights to this repository.