This Github repository summarizes a list of research papers on AI security from the four top academic conferences, namely IEEE Symposium on Security and Privacy (S&P), Network and Distributed System Security Symposium (NDSS), USENIX Security Symposium, and ACM Conference on Computer and Communications Security (CCS).

This repository is supported by the Trustworthy Artificial Intelligence (T-AI) Lab at Huazhong University of Science and Technology (HUST).

We will try our best to continuously maintain this Github Repository in a weekly manner.

• 2023/8/6: Shi Junyu adds CCS papers.
• 2023/7/25: Zhang Hangtao adds NDSS & USENIX Security papers.
• 2023/7/24: Zhou Ziqi adds S&P papers.
• 2023/7/23: We create the AI-Security-Resources repository.

• Papers in S&P
  • S&P'2024
  • S&P'2023
  • S&P'2022
  • S&P'2021
• Papers in NDSS
  • NDSS'2023
  • NDSS'2022
  • NDSS'2021
• Papers in USENIX Security
  • USENIX Security'2023
  • USENIX Security'2022
  • USENIX Security'2021
• Papers in CCS
  • CCS'2023
  • CCS'2022
  • CCS'2021

• Why Does Little Robustness Help? A Further Step Towards Understanding Adversarial Transferability. [Topic: AEs] [Code][pdf]
  • Yechao Zhang, Shengshan Hu, Leo Yu Zhang, Junyu Shi, Xiaogeng Liu, Minghui Li, Wei Wan, Hai Jin. IEEE Symposium on Security and Privacy, 2024.

• “Adversarial Examples” for Proof-of-Learning. [Topic: AEs] [pdf]

  • Rui Zhang, Jian Liu, Yuan Ding, Zhibo Wang, Qingbiao Wu, and Kui Ren. IEEE Symposium on Security and Privacy, 2022.

• Transfer Attacks Revisited: A Large-Scale Empirical Study in Real Computer Vision Settings. [Topic:AEs] [pdf]

  • Yuhao Mao, Chong Fu, Saizhuo Wang, Shouling Ji, Xuhong Zhang, Zhenguang Liu, Jun Zhou, Alex X.Liu, Raheem Beyah, Ting Wang. IEEE Symposium on Security and Privacy, 2022.

• Bad Characters: Imperceptible NLP Attacks. [Topic: AEs] [Code][pdf]

  • Nicholas Boucher, Ilia Shumailov, Ross Anderson, Nicolas Papernot. IEEE Symposium on Security and Privacy, 2022.

• Universal 3-Dimensional Perturbations for Black-Box Attacks on Video Recognition Systems. [Topic: AEs] [pdf]

  • Shangyu Xie, Han Wang, Yu Kong, Yuan Hong. IEEE Symposium on Security and Privacy, 2022.

• BadEncoder: Backdoor Attacks to Pre-trained Encoders in Self-Supervised Learning. [Topic: Backdoor] [Code][pdf]

  • Jinyuan Jia, Yupei Liu, Neil Zhenqiang Gong. IEEE Symposium on Security and Privacy, 2022.

• PICCOLO: Exposing Complex Backdoors in NLP Transformer Models. [Topic: Backdoor] [pdf]

  • Yingqi Liu, Guangyu Shen, Guanhong Tao, Shengwei An, Shiqing Ma, Xiangyu Zhang. IEEE Symposium on Security and Privacy, 2022.

• Membership Inference Attacks From First Principles. [Topic: MIA] [pdf]

  • Nicholas Carlini, Steve Chien, Milad Nasr, Shuang Song, Andreas Terzis, Florian Tramer. IEEE Symposium on Security and Privacy, 2022.

• Back to the Drawing Board: A Critical Evaluation of Poisoning Attacks on Production Federated Learning. [Topic: PA & FL] [pdf]

  • Virat Shejwalkar, Amir Houmansadr, Peter Kairouz, Daniel Ramage. IEEE Symposium on Security and Privacy, 2022.

• Model Stealing Attacks Against Inductive Graph Neural Networks. [Topic: MSA & GNN] [pdf]

  • Yun Shen, Xinlei He, Yufei Han, Yang Zhang. IEEE Symposium on Security and Privacy, 2022.

• SoK: How Robust is Image Classification Deep Neural Network Watermarking? [Topic: Watermark] [pdf]

  • Nils Lukas, Edward Jiang, Xinda Li, Florian Kerschbaum. IEEE Symposium on Security and Privacy, 2022.

• Hear "No Evil", See "Kenansville": Efficient and Transferable Black-Box Attacks on Speech Recognition and Voice Identification Systems. [Topic: AEs] [pdf]

  • Hadi Abdullah, Muhammad Sajidur Rahman, Washington Garcia, Logan Blue, Kevin Warren, Anurag Swarnim Yadav, Tom Shrimpton, Patrick Traynor. IEEE Symposium on Security and Privacy, 2021.

• SoK: The Faults in our ASRs: An Overview of Attacks against Automatic Speech Recognition and Speaker Identification Systems. [Topic: AEs] [pdf]

  • Hadi Abdullah, Kevin Warren, Vincent Bindschaedler, Nicolas Papernot, Patrick Traynor. IEEE Symposium on Security and Privacy, 2021.

• Invisible for both Camera and LiDAR: Security of Multi-Sensor Fusion based Perception in Autonomous Driving Under Physical-World Attacks. [Topic: AEs] [pdf]

  • Yulong Cao, Ningfei Wang, Chaowei Xiao, Dawei Yang, Jin Fang, Ruigang Yang, Qi Alfred Chen, Mingyan Liu, Bo Li. IEEE Symposium on Security and Privacy, 2021.

• Who is Real Bob? Adversarial Attacks on Speaker Recognition Systems. [Topic: AEs] [pdf]

  • Guangke Chen, Sen Chen, Lingling Fan, Xiaoning Du, Zhe Zhao, Fu Song, Yang Liu. IEEE Symposium on Security and Privacy, 2021.

• Adversarial Watermarking Transformer: Towards Tracing Text Provenance with Data Hiding. [Topic: Watermark] [pdf]

  • Sahar Abdelnabi, Mario Fritz. IEEE Symposium on Security and Privacy, 2021.

• Fusion: Efficient and Secure Inference Resilient to Malicious Servers. [Topic: MLaaS] [pdf]

  • Caiqin Dong, Jian Weng, Jia-Nan Liu, Yue Zhang, Yao Tong, Anjia Yang, Yudan Cheng, Shun Hu. Network and Distributed System Security, 2023.

• Machine Unlearning of Features and Labels. [Topic: Machine-Unlearning] [pdf]

  • Alexander Warnecke, Lukas Pirch, Christian Wressnegger, Konrad Rieck. Network and Distributed System Security, 2023.

• PPA: Preference Profiling Attack Against Federated Learning. [Topic: FL] [pdf]

  • Chunyi Zhou, Yansong Gao, Anmin Fu, Kai Chen, Zhiyang Dai, Zhi Zhang, Minhui Xue, Yuqing Zhang. Network and Distributed System Security, 2023.

• RoVISQ: Reduction of Video Service Quality via Adversarial Attacks on Deep Learning-based Video Compression. [Topic: AEs] [pdf]

  • Jung-Woo Chang, Mojan Javaheripi, Seira Hidano, Farinaz Koushanfar. Network and Distributed System Security, 2023.

• Securing Federated Sensitive Topic Classification against Poisoning Attacks. [Topic: FL] [pdf]

  • Tianyue Chu, Alvaro Garcia-Recuero, Costas Iordanou, Georgios Smaragdakis, Nikolaos Laoutaris. Network and Distributed System Security, 2023.

• The “Beatrix” Resurrections: Robust Backdoor Detection via Gram Matrices. [Topic: Backdoor] [pdf]

  • Wanlun Ma, Derui Wang, Ruoxi Sun, Minhui Xue, Sheng Wen, Yang Xiang. Network and Distributed System Security, 2023.

• Adversarial Robustness for Tabular Data through Cost and Utility Awareness. [Topic: AEs] [pdf]

  • Klim Kireev, Bogdan Kulynych, Carmela Troncoso. Network and Distributed System Security, 2023.

• Backdoor Attacks Against Dataset Distillation. [Topic: Backdoor] [pdf]

  • Yugeng Liu, Zheng Li, Michael Backes, Yun Shen, Yang Zhang. Network and Distributed System Security, 2023.

• BEAGLE: Forensics of Deep Learning Backdoor Attack for Better Defense. [Topic: Backdoor] [pdf]

  • Siyuan Cheng, Guanhong Tao, Yingqi Liu, Shengwei An, Xiangzhe Xu, Shiwei Feng, Guangyu Shen, Kaiyuan Zhang, Qiuling Xu, Shiqing Ma, Xiangyu Zhang. Network and Distributed System Security, 2023.

• Focusing on Pinocchio's Nose: A Gradients Scrutinizer to Thwart Split-Learning Hijacking Attacks Using Intrinsic Attributes. [Topic: SL] [pdf]

  • Jiayun Fu, Xiaojing Ma, Bin B. Zhu, Pingyi Hu, Ruixin Zhao, Yaru Jia, Peng Xu, Hai Jin, Dongmei Zhang. Network and Distributed System Security, 2023.

• REaaS: Enabling Adversarially Robust Downstream Classifiers via Robust Encoder as a Service. [Topic: AEs] [pdf]

  • Wenjie Qu, Jinyuan Jia, Neil Zhenqiang Gong. Network and Distributed System Security, 2023.

• DeepSight: Mitigating Backdoor Attacks in Federated Learning Through Deep Model Inspection. [Topic: Backdoor] [pdf]

  • Phillip Rieger, Thien Duc Nguyen, Markus Miettinen, Ahmad-Reza Sadeghi. Network and Distributed System Security, 2022.

• FedCRI: Federated Mobile Cyber-Risk Intelligence. [Topic: FL] [pdf]

  • Hossein Fereidooni, Alexandra Dmitrienko, Phillip Rieger, Markus Miettinen, Ahmad-Reza Sadeghi, Felix Madlener. Network and Distributed System Security, 2022.

• Get a Model! Model Hijacking Attack Against Machine Learning Models. [Topic: Model-Hijacking] [pdf]

  • Ahmed Salem, Michael Backes, Yang Zhang. Network and Distributed System Security, 2022.

• Local and Central Differential Privacy for Robustness and Privacy in Federated Learning. [Topic: FL] [pdf]

  • Mohammad Naseri, Jamie Hayes, Emiliano De Cristofaro. Network and Distributed System Security, 2022.

• Property Inference Attacks Against GANs. [Topic: IA & GAN] [pdf]

  • Junhao Zhou, Yufei Chen, Chao Shen, Yang Zhang. Network and Distributed System Security, 2022.

• ATTEQ-NN: Attention-based QoE-aware Evasive Backdoor Attacks. [Topic: Backdoor] [pdf]

  • Xueluan Gong, Yanjiao Chen, Jianshuo Dong, Qian Wang. Network and Distributed System Security, 2022.

• Fooling the Eyes of Autonomous Vehicles: Robust Physical Adversarial Examples Against Traffic Sign Recognition Systems. [Topic: AEs] [pdf]

  • Wei Jia, Zhaojun Lu, Haichun Zhang, Zhenglin Liu, Jie Wang, Gang Qu. Network and Distributed System Security, 2022.

• MIRROR: Model Inversion for Deep Learning Network with High Fidelity. [Topic: MIA] [pdf]

  • Shengwei An, Guanhong Tao, Qiuling Xu, Yingqi Liu, Guangyu Shen, Yuan Yao, Jingwei Xu, Xiangyu Zhang. Network and Distributed System Security, 2022.

• RamBoAttack: A Robust and Query Efficient Deep Neural Network Decision Exploit. [Topic: AEs] [pdf]

  • Viet Quoc Vo, Ehsan Abbasnejad, Damith C. Ranasinghe. Network and Distributed System Security, 2022.

• Data Poisoning Attacks to Deep Learning Based Recommender Systems. [Topic: PAs] [pdf]

  • Hai Huang, Jiaming Mu, Neil Zhenqiang Gong, Qi Li, Bin Liu, Mingwei Xu. Network and Distributed System Security, 2021.

• FLTrust: Byzantine-robust Federated Learning via Trust Bootstrapping. [Topic: PA & FL] [pdf]

  • Xiaoyu Cao, Minghong Fang, Jia Liu, Neil Zhenqiang Gong. Network and Distributed System Security, 2021.

• Manipulating the Byzantine: Optimizing Model Poisoning Attacks and Defenses for Federated Learning. [Topic: PA & FL] [pdf]

  • Virat Shejwalkar, Amir Houmansadr. Network and Distributed System Security, 2021.

• Practical Blind Membership Inference Attack via Differential Comparisons. [Topic: MIA] [pdf]

  • Bo Hui, Yuchen Yang, Haolin Yuan, Philippe Burlina, Neil Zhenqiang Gong, Yinzhi Cao. Network and Distributed System Security, 2021.

• POSEIDON: Privacy-Preserving Federated Neural Network Learning. [Topic: FL] [pdf]

  • Sinem Sav, Apostolos Pyrgelis, Juan Ramón Troncoso-Pastoriza, David Froelicher, Jean-Philippe Bossuat, Joao Sa Sousa, Jean-Pierre Hubaux. Network and Distributed System Security, 2021.

• “Security is not my field, I’m a stats guy”: A Qualitative Root Cause Analysis of Barriers to Adversarial Machine Learning Defenses in Industry. [Topic: AEs] [pdf]

  • Jaron Mink, Harjot Kaur, Juliane Schmüser and Sascha Fahl, Yasemin Acar. USENIX Security, 2023.

• A Data-free Backdoor Injection Approach in Neural Networks. [Topic: Backdoor] [pdf]

  • Peizhuo Lv, Chang Yue, Ruigang Liang, Yunfei Yang. USENIX Security, 2023.

• A Plot is Worth a Thousand Words: Model Information Stealing Attacks via Scientific Plots. [Topic: MSA] [pdf]

  • Boyang Zhang, Xinlei He, Yun Shen, Tianhao Wang, Yang Zhang. USENIX Security, 2023.

• Aegis: Mitigating Targeted Bit-flip Attacks against Deep Neural Networks. [Topic: BFA] [pdf]

  • Jialai Wang, Ziyuan Zhang, Meiqi Wang, Han Qiu, Tianwei Zhang, Qi Li, Zongpeng Li, Tao Wei, Chao Zhang. USENIX Security, 2023.

• Black-box Adversarial Example Attack towards FCG Based Android Malware Detection under Incomplete Feature Information. [Topic: AEs] [pdf]

  • Heng Li, Zhang Cheng, Bang Wu, Liheng Yuan, Cuiying Gao, Wei Yuan, Xiapu Luo. USENIX Security, 2023.

• CAPatch: Physical Adversarial Patch against Image Captioning Systems. [Topic: AEs] [pdf]

  • Shibo Zhang, Yushi Cheng, Wenjun Zhu, Xiaoyu Ji, Wenyuan Xu. USENIX Security, 2023.

• DiffSmooth: Certifiably Robust Learning via Diffusion Models and Local Smoothing. [Topic: AEs] [pdf]

  • Jiawei Zhang, Zhongzhu Chen, Huan Zhang, Chaowei Xiao, Bo Li. USENIX Security, 2023.

• Every Vote Counts: Ranking-Based Training of Federated Learning to Resist Poisoning Attacks. [Topic: PA & FL] [pdf]

  • Hamid Mozaffari, Virat Shejwalkar, Amir Houmansadr. USENIX Security, 2023.

• Exorcising "Wraith": Protecting LiDAR-based Object Detector in Automated Driving System from Appearing Attacks. [Topic: Appearing-Attack] [pdf]

  • Qifan Xiao, Xudong Pan, Yifan Lu, Mi Zhang, Jiarun Dai, Min Yang. USENIX Security, 2023.

• Fine-grained Poisoning Attack to Local Differential Privacy Protocols for Mean and Variance Estimation. [Topic: DP] [pdf]

  • Xiaoguang Li, Ninghui Li, Wenhai Sun, Neil Zhenqiang Gong, Hui Li. USENIX Security, 2023.

• FreeEagle: Detecting Complex Neural Trojans in Data-Free Cases. [Topic: Backdoor] [pdf]

  • Chong Fu, Xuhong Zhang, Shouling Ji, Ting Wang, Peng Lin, Yanghe Feng, Jianwei Yin. USENIX Security, 2023.

• GAP: Differentially Private Graph Neural Networks with Aggregation Perturbation. [Topic: DP & GNN] [pdf]

  • Sina Sajadmanesh, Ali Shahin Shamsabadi, Aurélien Bellet, Daniel Gatica-Perez. USENIX Security, 2023.

• Lost at C: A User Study on the Security Implications of Large Language Model Code Assistants. [Topic: LLM] [pdf]

  • Gustavo Sandoval, Hammond Pearce, Teo Nys, Ramesh Karri, Siddharth Garg, Brendan Dolan-Gavitt. USENIX Security, 2023.

• Meta-Sift: How to Sift Out a Clean Subset in the Presence of Data Poisoning?. [Topic: PA] [pdf]

  • Yi Zeng, Minzhou Pan, Himanshu Jahagirdar, Ming Jin, Lingjuan Lyu, Ruoxi Jia. USENIX Security, 2023.

• No more Reviewer #2: Subverting Automatic Paper-Reviewer Assignment using Adversarial Learning. [Topic: AEs] [pdf]

  • Thorsten Eisenhofer, Erwin Quiring, Jonas Möller, Doreen Riepel, Thorsten Holz, Konrad Rieck. USENIX Security, 2023.

• PELICAN: Exploiting Backdoors of Naturally Trained Deep Learning Models In Binary Code Analysis. [Topic: Backdoor] [pdf]

  • Zhuo Zhang, Guanhong Tao, Guangyu Shen, Shengwei An, Qiuling Xu, Yingqi Liu, Yapeng Ye, Yaoxuan Wu, Xiangyu Zhang. USENIX Security, 2023.

• PrivateFL: Accurate, Differentially Private Federated Learning via Personalized Data Transformation. [Topic: DP & FL] [pdf]

  • Yuchen Yang, Bo Hui, Haolin Yuan, Neil Gong, Yinzhi Cao. USENIX Security, 2023.

• Rethinking White-Box Watermarks on Deep Learning Models under Neural Structural Obfuscation. [Topic: Watermark] [pdf]

  • Yifan Yan, Xudong Pan, Mi Zhang, and Min Yang. USENIX Security, 2023.

• X-Adv: Physical Adversarial Object Attacks against X-ray Prohibited Item Detection. [Topic: AEs] [pdf]

  • Aishan Liu, Jun Guo, Jiakai Wang, Siyuan Liang, Renshuai Tao, Wenbo Zhou, Cong Liu, Xianglong Liu. USENIX Security, 2023.

• TPatch: A Triggered Physical Adversarial Patch. [Topic: AEs] [pdf]

  • Wenjun Zhu, Xiaoyu Ji, Yushi Cheng, Shibo Zhang, Wenyuan Xu. USENIX Security, 2023.

• UnGANable: Defending Against GAN-based Face Manipulation. [Topic: Deepfake] [pdf]

  • WZheng Li, Ning Yu, Ahmed Salem, Michael Backes, Mario Fritz, Yang Zhang. USENIX Security, 2023.

• Squint Hard Enough: Attacking Perceptual Hashing with Adversarial Machine Learning. [Topic: AEs] [pdf]

  • Jonathan Prokos, Neil Fendley, Matthew Green, Roei Schuster, Eran Tromer, Tushar Jois, Yinzhi Cao. USENIX Security, 2023.

• The Space of Adversarial Strategies. [Topic: AEs] [pdf]

  • Ryan Sheatsley, Blaine Hoak, Eric Pauley, Patrick McDaniel. USENIX Security, 2023.

• That Person Moves Like A Car: Misclassification Attack Detection for Autonomous Systems Using Spatiotemporal Consistency. [Topic: AEs] [pdf]

  • Yanmao Man, Raymond Muller, Ming Li, Z. Berkay Celik, Ryan Gerdes. USENIX Security, 2023.

• NeuroPots: Realtime Proactive Defense against Bit-Flip Attacks in Neural Networks. [Topic: BFA] [pdf]

  • Qi Liu, Jieming Yin, Wujie Wen, Chengmo Yang, Shi Sha. USENIX Security, 2023.

• URET: Universal Robustness Evaluation Toolkit (for Evasion). [Topic: AEs] [pdf]

  • Kevin Eykholt, Taesung Lee, Douglas Schales, Jiyong Jang, Ian Molloy, Masha Zorin. USENIX Security, 2023.

• SMACK: Semantically Meaningful Adversarial Audio Attack. [Topic: AEs] [pdf]

  • Zhiyuan Yu, Yuanhaur Chang, Ning Zhang, Chaowei Xiao. USENIX Security, 2023.

• Gradient Obfuscation Gives a False Sense of Security in Federated Learning. [Topic: FL] [pdf]

  • Kai Yue, Richeng Jin, Chau-Wai Wong, Dror Baron, Huaiyu Dai. USENIX Security, 2023.

• Fairness Properties of Face Recognition and Obfuscation Systems. [Topic: AEs] [pdf]

  • Harrison Rosenberg, Brian Tang, Kassem Fawaz, Somesh Jha. USENIX Security, 2023.

• PCAT: Functionality and Data Stealing from Split Learning by Pseudo-Client Attack. [Topic: SL] [pdf]

  • Xinben Gao, Lan Zhang. USENIX Security, 2023.

• ML-Doctor: Holistic Risk Assessment of Inference Attacks Against Machine Learning Models. [Topic: MIA] [pdf]

  • Yugeng Liu, Rui Wen, Xinlei He, Ahmed Salem, Zhikun Zhang, Michael Backes, Emiliano De Cristofaro, Mario Fritz, Yang Zhang. USENIX Security, 2022.

• Blacklight: Scalable Defense for Neural Networks against Query-Based Black-Box Attacks. [Topic: AEs] [pdf]

  • Huiying Li, Shawn Shan, Emily Wenger, Jiayun Zhang, Haitao Zheng, Ben Y. Zhao. USENIX Security, 2022.

• AutoDA: Automated Decision-based Iterative Adversarial Attacks. [Topic: AEs] [pdf]

  • Qi-An Fu, Yinpeng Dong, Hang Su, Jun Zhu, Chao Zhang. USENIX Security, 2022.

• Poison Forensics: Traceback of Data Poisoning Attacks in Neural Networks. [Topic: PA] [pdf]

  • Shawn Shan, Arjun Nitin Bhagoji, Haitao Zheng, Ben Y. Zhao. USENIX Security, 2022.

• Teacher Model Fingerprinting Attacks Against Transfer Learning. [Topic: Fingerprinting] [pdf]

  • Yufei Chen, Chao Shen, Cong Wang, Yang Zhang. USENIX Security, 2022.

• Hidden Trigger Backdoor Attack on NLP Models via Linguistic Style Manipulation. [Topic: Backdoor] [pdf]

  • Xudong Pan, Mi Zhang, Beina Sheng, Jiaming Zhu, Min Yang. USENIX Security, 2022.

• PoisonedEncoder: Poisoning the Unlabeled Pre-training Data in Contrastive Learning. [Topic: PA] [pdf]

  • Hongbin Liu, Jinyuan Jia, Neil Zhenqiang Gong. USENIX Security, 2022.

• Pool Inference Attacks on Local Differential Privacy: Quantifying the Privacy Guarantees of Apple's Count Mean Sketch in Practice. [Topic: IA & DP] [pdf]

  • Andrea Gadotti, Florimond Houssiau, Meenatchi Sundaram Muthu Selva Annamalai, Yves-Alexandre de Montjoye. USENIX Security, 2022.

• PatchCleanser: Certifiably Robust Defense against Adversarial Patches for Any Image Classifier. [Topic: AEs] [pdf]

  • Chong Xiang, Saeed Mahloujifar, Prateek Mittal. USENIX Security, 2022.

• Exploring the Security Boundary of Data Reconstruction via Neuron Exclusivity Analysis. [Topic: DRA] [pdf]

  • Xudong Pan, Mi Zhang, Yifan Yan, Jiaming Zhu, Min Yang. USENIX Security, 2022.

• Poisoning Attacks to Local Differential Privacy Protocols for Key-Value Data. [Topic: PA & DP] [pdf]

  • Yongji Wu, Xiaoyu Cao, Jinyuan Jia, Neil Zhenqiang Gong. USENIX Security, 2022.

• Communication-Efficient Triangle Counting under Local Differential Privacy. [Topic: DP] [pdf]

  • Jacob Imola, Takao Murakami, Kamalika Chaudhuri. USENIX Security, 2022.

• Security Analysis of Camera-LiDAR Fusion Against Black-Box Attacks on Autonomous Vehicles. [Topic: AEs & AV] [pdf]

  • R. Spencer Hallyburton, Yupei Liu, Yulong Cao, Z. Morley Mao, Miroslav Pajic. USENIX Security, 2022.

• Transferring Adversarial Robustness Through Robust Representation Matching. [Topic: AEs] [pdf]

  • Pratik Vaishnavi, Kevin Eykholt, Amir Rahmati. USENIX Security, 2022.

• Seeing is Living? Rethinking the Security of Facial Liveness Verification in the Deepfake Era. [Topic: Deepfake] [pdf]

  • Changjiang Li, Li Wang, Shouling Ji, Xuhong Zhang, Zhaohan Xi, Shanqing Guo, Ting Wang. USENIX Security, 2022.

• On the Necessity of Auditable Algorithmic Definitions for Machine Unlearning. [Topic: Machine-Unlearning] [pdf]

  • Anvith Thudi, Hengrui Jia, Ilia Shumailov, Nicolas Papernot. USENIX Security, 2022.

• Mitigating Membership Inference Attacks by Self-Distillation Through a Novel Ensemble Architecture. [Topic: MIA] [pdf]

  • Xinyu Tang, Saeed Mahloujifar, Liwei Song, Virat Shejwalkar, Milad Nasr, Amir Houmansadr, Prateek Mittal. USENIX Security, 2022.

• Membership Inference Attacks and Defenses in Neural Network Pruning. [Topic: MIA] [pdf]

  • Xiaoyong Yuan, Lan Zhang. USENIX Security, 2022.

• Efficient Differentially Private Secure Aggregation for Federated Learning via Hardness of Learning with Errors. [Topic: DP & FL] [pdf]

  • Timothy Stevens, Christian Skalka, Christelle Vincent, John Ring, Samuel Clark, Joseph Near. USENIX Security, 2022.

• Who Are You (I Really Wanna Know)? Detecting Audio DeepFakes Through Vocal Tract Reconstruction. [Topic: Deepfake] [pdf]

  • Logan Blue, Kevin Warren, Hadi Abdullah, Cassidy Gibson, Luis Vargas, Jessica O'Dell, Kevin Butler, Patrick Traynor. USENIX Security, 2022.

• Are Your Sensitive Attributes Private? Novel Model Inversion Attribute Inference Attacks on Classification Models. [Topic: MIAI] [pdf]

  • Shagufta Mehnaz, Sayanton V. Dibbo, Ehsanul Kabir, Ninghui Li, Elisa Bertino. USENIX Security, 2022.

• FLAME: Taming Backdoors in Federated Learning. [Topic: FL & Backdoor] [pdf]

  • Thien Duc Nguyen, Phillip Rieger, Huili Chen, Hossein Yalame, Helen Möllering, Hossein Fereidooni, Samuel Marchal, Markus Miettinen, Azalia Mirhoseini, Shaza Zeitouni, Farinaz Koushanfar, Ahmad-Reza Sadeghi, Thomas Schneider. USENIX Security, 2022.

• Synthetic Data – Anonymisation Groundhog Day. [Topic: Synthetic-Data] [pdf]

  • Theresa Stadler, Bristena Oprisanu, Carmela Troncoso. USENIX Security, 2022.

• On the Security Risks of AutoML. [Topic: NAS] [pdf]

  • Ren Pang, Zhaohan Xi, Shouling Ji, Xiapu Luo, Ting Wang. USENIX Security, 2022.

• Inference Attacks Against Graph Neural Networks. [Topic: IA & GNN] [pdf]

  • Zhikun Zhang, Min Chen, Michael Backes, Yun Shen, Yang Zhang. USENIX Security, 2022.

• Adversarial Detection Avoidance Attacks: Evaluating the robustness of perceptual hashing-based client-side scanning. [Topic: AEs] [pdf]

  • Shubham Jain, Ana-Maria Crețu, Yves-Alexandre de Montjoye. USENIX Security, 2022.

• Label Inference Attacks Against Vertical Federated Learning. [Topic: IA & FL] [pdf]

  • Chong Fu, Xuhong Zhang, Shouling Ji, Jinyin Chen, Jingzheng Wu, Shanqing Guo, Jun Zhou, Alex X. Liu, Ting Wang. USENIX Security, 2022.

• Rolling Colors: Adversarial Laser Exploits against Traffic Light Recognition. [Topic: AEs] [pdf]

  • Chen Yan, Zhijian Xu, Zhanyuan Yin, Xiaoyu Ji, Wenyuan Xu. USENIX Security, 2022.

• PatchGuard: A Provably Robust Defense against Adversarial Patches via Small Receptive Fields and Masking. [Topic: AEs] [pdf]

  • Chong Xiang, Arjun Nitin Bhagoji, Vikash Sehwag, Prateek Mittal. USENIX Security, 2021.

• PrivSyn: Differentially Private Data Synthesis. [Topic: DP] [pdf]

  • Zhikun Zhang, Tianhao Wang, Ninghui Li, Jean Honorio, Michael Backes, Shibo He, Jiming Chen, Yang Zhang. USENIX Security, 2021.

• Muse: Secure Inference Resilient to Malicious Clients. [Topic: IA] [pdf]

  • Ryan Lehmkuhl, Pratyush Mishra, Akshayaram Srinivasan, Raluca Ada Popa. USENIX Security, 2021.

• Systematic Evaluation of Privacy Risks of Machine Learning Models. [Topic: IA] [pdf]

  • Liwei Song, Prateek Mittal. USENIX Security, 2021.

• Explanation-Guided Backdoor Poisoning Attacks Against Malware Classifiers. [Topic: Backdoor] [pdf]

  • Giorgio Severi, Jim Meyer, Scott Coull, Alina Oprea. USENIX Security, 2021.

• Cerebro: A Platform for Multi-Party Cryptographic Collaborative Learning. [Topic: MPC] [pdf]

  • Wenting Zheng, Ryan Deng, Weikeng Chen, Raluca Ada Popa, Aurojit Panda, Ion Stoica. USENIX Security, 2021.

• T-Miner: A Generative Approach to Defend Against Trojan Attacks on DNN-based Text Classification. [Topic: Backdoor] [pdf]

  • Ahmadreza Azizi, Ibrahim Asadullah Tahmid, Asim Waheed, Neal Mangaokar, Jiameng Pu, Mobin Javed, Chandan K. Reddy, Bimal Viswanath, Virginia Tech. USENIX Security, 2021.

• Defeating DNN-Based Traffic Analysis Systems in Real-Time With Blind Adversarial Perturbations. [Topic: AEs] [pdf]

  • Milad Nasr, Alireza Bahramali, Amir Houmansadr. USENIX Security, 2021.

• Data Poisoning Attacks to Local Differential Privacy Protocols. [Topic: PA & DP] [pdf]

  • Xiaoyu Cao, Jinyuan Jia, Neil Zhenqiang Gong. USENIX Security, 2021.

• How to Make Private Distributed Cardinality Estimation Practical, and Get Differential Privacy for Free. [Topic: DP] [pdf]

  • Changhui Hu, Jin Li, Zheli Liu, Xiaojie Guo, Yu Wei, and Xuan Guang, Grigorios Loukides, Changyu Dong. USENIX Security, 2021.

• SLAP: Improving Physical Adversarial Examples with Short-Lived Adversarial Perturbations. [Topic: AEs] [pdf]

  • Giulio Lovisotto, Henry Turner, Ivo Sluganovic, Martin Strohmeier, Ivan Martinovic. USENIX Security, 2021.

• WaveGuard: Understanding and Mitigating Audio Adversarial Examples. [Topic: AEs] [pdf]

  • Shehzeen Hussain, Paarth Neekhara, Shlomo Dubnov, Julian McAuley, Farinaz Koushanfar. USENIX Security, 2021.

• Graph Backdoor. [Topic: Backdoor] [pdf]

  • Zhaohan Xi, Ren Pang, Shouling Ji, Ting Wang. USENIX Security, 2021.

• Entangled Watermarks as a Defense against Model Extraction. [Topic: Watermark] [pdf]

  • Hengrui Jia, Christopher A. Choquette-Choo, Varun Chandrasekaran, Nicolas Papernot. USENIX Security, 2021.

• Too Good to Be Safe: Tricking Lane Detection in Autonomous Driving with Crafted Perturbations. [Topic: AEs] [pdf]

  • Pengfei Jing, Qiyi Tang, Yuefeng Du, Lei Xue, Xiapu Luo, Ting Wang, Sen Nie, Shi Wu. USENIX Security, 2021.

• Fantastic Four: Honest-Majority Four-Party Secure Computation With Malicious Security. [Topic: MPC] [pdf]

  • Anders Dalskov, Daniel Escudero, Marcel Keller. USENIX Security, 2021.

• Locally Differentially Private Analysis of Graph Statistics. [Topic: DP] [pdf]

  • Jacob Imola, Takao Murakami, Kamalika Chaudhuri. USENIX Security, 2021.

• Demon in the Variant: Statistical Analysis of DNNs for Robust Backdoor Contamination Detection. [Topic: Backdoor] [pdf]

  • Di Tang, XiaoFeng Wang, Haixu Tang, Kehuan Zhang. USENIX Security, 2021.

• Stealing Links from Graph Neural Networks. [Topic: GNN] [pdf]

  • Xinlei He, Jinyuan Jia, Michael Backes, Neil Zhenqiang Gong, Yang Zhang. USENIX Security, 2021.

• Adversarial Policy Training against Deep Reinforcement Learning. [Topic: AEs & RL] [pdf]

  • Xian Wu, Wenbo Guo, Hua Wei, Xinyu Xing. USENIX Security, 2021.

• Characterizing and Detecting Non-Consensual Photo Sharing on Social Networks. [Topic: Non-consensual Sharing] [pdf]

  • Tengfei Zheng, Tongqing Zhou, Qiang Liu, Kui Wu, Zhiping Cai. ACM CCS, 2022.

• DPIS: An Enhanced Mechanism for Differentially Private SGD with Importance Sampling. [Topic: DP & DNN] [pdf]

  • Jianxin Wei, Ergute Bao, Xiaokui Xiao, Yin Yang. ACM CCS, 2022.

• DriveFuzz: Discovering Autonomous Driving Bugs through Driving Quality-Guided Fuzzing. [Topic: AD] [pdf]

  • Seulbae Kim, Major Liu, Junghwan "John" Rhee, Yuseok Jeon, Yonghwi Kwon, Chung Hwan Kim. ACM CCS, 2022.

• EIFFeL: Ensuring Integrity for Federated Learning. [Topic: FL] [pdf]

  • Amrita Roy Chowdhury, Chuan Guo, Somesh Jha, Laurens van der Maaten. ACM CCS, 2022.

• Eluding Secure Aggregation in Federated Learning via Model Inconsistency. [Topic: FL] [pdf]

  • Dario Pasquini, Danilo Francati, Giuseppe Ateniese. ACM CCS, 2022.

• Enhanced Membership Inference Attacks against Machine Learning Models. [Topic: MI] [pdf]

  • Jiayuan Ye, Aadyaa Maddi, Sasi Kumar Murakonda, Vincent Bindschaedler, Reza Shokri. ACM CCS, 2022.

• Feature Inference Attack on Shapley Values. [Topic: MLaaS] [pdf]

  • Xinjian Luo, Yangfan Jiang, Xiaokui Xiao. ACM CCS, 2022.

• Graph Unlearning. [Topic: Machine Unlearning] [pdf]

  • Min Chen, Zhikun Zhang, Tianhao Wang, Michael Backes, Mathias Humbert, Yang Zhang. ACM CCS, 2022.

• Group Property Inference Attacks Against Graph Neural Networks. [Topic: GNNs] [pdf]

  • Xiuling Wang, Wendy Hui Wang. ACM CCS, 2022.

• Harnessing Perceptual Adversarial Patches for Crowd Counting. [Topic: AEs] [pdf]

  • Shunchang Liu, Jiakai Wang, Aishan Liu, Yingwei Li, Yijie Gao, Xianglong Liu, Dacheng Tao. ACM CCS, 2022.

• Training Set Debugging Using Trusted Items. [Topic: ML] [pdf]

  • Zayd Hammoudeh, Daniel Lowd. ACM CCS, 2022.

• LPGNet: Link Private Graph Networks for Node Classification. [Topic: GCNs & DP] [pdf]

  • Aashish Kolluri, Teodora Baluta, Bryan Hooi, Prateek Saxena. ACM CCS, 2022.

• LoneNeuron: a Highly-Effective Feature-Domain Neural Trojan Using Invisible and Polymorphic Watermarks. [Topic: DNNs & Watermark] [pdf]

  • Zeyan Liu, Fengjun Li, Zhu Li, Bo Luo. ACM CCS, 2022.

• Membership Inference Attacks and Generalization: A Causal Perspective. [Topic: MI] [pdf]

  • Teodora Baluta, Shiqi Shen, S. Hitarth, Shruti Tople, Prateek Saxena. ACM CCS, 2022.

• Membership Inference Attacks by Exploiting Loss Trajectory. [Topic: MI] [pdf]

  • Yiyong Liu, Zhengyu Zhao, Michael Backes, Yang Zhang. ACM CCS, 2022.

• Order-Disorder: Imitation Adversarial Attacks for Black-box Neural Ranking Models. [Topic: IR] [pdf]

  • Jiawei Liu, Yangyang Kang, Di Tang, Kaisong Song, Changlong Sun, Xiaofeng Wang, Wei Lu, Xiaozhong Liu. ACM CCS, 2022.

• Perception-Aware Attack: Creating Adversarial Music via Reverse-Engineering Human Perception. [Topic: AEs] [pdf]

  • Rui Duan, Zhe Qu, Shangqing Zhao, Leah Ding, Yao Liu, Zhuo Lu. ACM CCS, 2022.

• Physical Hijacking Attacks against Object Trackers. [Topic: AV] [pdf]

  • Raymond Muller, Yanmao Man, Z. Berkay Celik, Ming Li, Ryan Gerdes. ACM CCS, 2022.

• Post-breach Recovery: Protection against White-box Adversarial Examples for Leaked DNN Models. [Topic: DNN] [pdf]

  • Shawn Shan, Wenxin Ding, Emily Wenger, Haitao Zheng, Ben Y. Zhao. ACM CCS, 2022.

• QuerySnout: Automating the Discovery of Attribute Inference Attacks against Query-Based Systems. [Topic: QBS] [pdf]

  • Ana-Maria Crețu, Florimond Houssiau, Antoine Cully, Yves-Alexandre de Montjoye. ACM CCS, 2022.

• SSLGuard: A Watermarking Scheme for Self-supervised Learning Pre-trained Encoders. [Topic: Watermark] [pdf]

  • Tianshuo Cong, Xinlei He, Yang Zhang. ACM CCS, 2022.

• SpecPatch: Human-In-The-Loop Adversarial Audio Spectrogram Patch Attack on Speech Recognition. [Topic: AEs] [pdf]

  • Hanqing Guo, Yuanda Wang, Nikolay Ivanov, Li Xiao, Qiben Yan. ACM CCS, 2022.

• StolenEncoder: Stealing Pre-trained Encoders in Self-supervised Learning. [Topic: EaaS] [pdf]

  • Yupei Liu, Jinyuan Jia, Hongbin Liu, Neil Gong. ACM CCS, 2022.

• Truth Serum: Poisoning Machine Learning Models to Reveal Their Secrets. [Topic: ML] [pdf]

  • Florian Tramer, Reza Shokri, Ayrton San Joaquin, Hoang Le, Matthew Jagielski, Sanghyun Hong, Nicholas Carlini. ACM CCS, 2022.

• Understanding Real-world Threats to Deep Learning Models in Android Apps. [Topic: AEs] [pdf]

  • Zizhuang Deng, Kai Chen, Guozhu Meng, Xiaodong Zhang, Ke Xu, Yao Cheng. ACM CCS, 2022.

• When Evil Calls: Targeted Adversarial Voice over IP Network. [Topic: AEs] [pdf]

  • Han Liu, Zhiyuan Yu, Mingming Zha, XiaoFeng Wang, William Yeoh, Yevgeniy Vorobeychik, Ning Zhang. ACM CCS, 2022.

• Why So Toxic? Measuring and Triggering Toxic Behavior in Open-Domain Chatbots. [Topic: AEs] [pdf]

  • Wai Man Si, Michael Backes, Jeremy Blackburn, Emiliano De Cristofaro, Gianluca Stringhini, Savvas Zannettou, Yang Zhang. ACM CCS, 2022.

• "Is your explanation stable?": A Robustness Evaluation Framework for Feature Attribution. [Topic: NNs] [pdf]

  • Yuyou Gan, Yuhao Mao, Xuhong Zhang, Shouling Ji, Yuwen Pu, Meng Han, Jianwei Yin, Ting Wang. ACM CCS, 2022.

• Cert-RNN: Towards Certifying the Robustness of Recurrent Neural Networks. [Topic: AEs] [pdf]

  • Tianyu Du, Shouling Ji, Lujia Shen, Yao Zhang, Jinfeng Li, Jie Shi, Chengfang Fang, Jianwei Yin, Raheem Beyah, Ting Wang. ACM CCS, 2021.

• AHEAD: Adaptive Hierarchical Decomposition for Range Query under Local Differential Privacy. [Topic: LDP] [pdf]

  • Linkang Du, Zhikun Zhang, Shaojie Bai, Changchang Liu, Shouling Ji, Peng Cheng, Jiming Chen. ACM CCS, 2021.

• Unleashing the Tiger: Inference Attacks on Split Learning. [Topic: SL] [pdf]

  • Dario Pasquini, Giuseppe Ateniese, Massimo Bernaschi. ACM CCS, 2021.

• TableGAN-MCA: Evaluating Membership Collisions of GAN-Synthesized Tabular Data Releasing. [Topic: GAN] [pdf]

  • Aoting Hu, Renjie Xie, Zhigang Lu, Aiqun Hu, Minhui Xue. ACM CCS, 2021.

• "I need a better description": An Investigation Into User Expectations For Differential Privacy. [Topic: DP] [pdf]

  • Rachel Cummings, Gabriel Kaptchuk, Elissa M. Redmiles. ACM CCS, 2021.

• Locally Private Graph Neural Networks. [Topic: GNNs] [pdf]

  • Sina Sajadmanesh, Daniel Gatica-Perez. ACM CCS, 2021.

• A One-Pass Distributed and Private Sketch for Kernel Sums with Applications to Machine Learning at Scale. [Topic: DP] [pdf]

  • Benjamin Coleman, Anshumali Shrivastava. ACM CCS, 2021.

• On the Robustness of Domain Constraints. [Topic: AEs] [pdf]

  • Ryan Sheatsley, Blaine Hoak, Eric Pauley, Yohan Beugin, Michael J. Weisman, Patrick McDaniel. ACM CCS, 2021.

• Membership Leakage in Label-Only Exposures. [Topic: MI] [pdf]

  • Zheng Li, Yang Zhang. ACM CCS, 2021.

• Hidden Backdoors in Human-Centric Language Models. [Topic: Backdoor] [pdf]

  • Shaofeng Li, Hui Liu, Tian Dong, Benjamin Zi Hao Zhao, Minhui Xue, Haojin Zhu, Jialiang Lu. ACM CCS, 2021.

• DataLens: Scalable Privacy Preserving Training via Gradient Compression and Aggregation. [Topic: DP] [pdf]

  • Boxin Wang, Fan Wu, Yunhui Long, Luka Rimanic, Ce Zhang, Bo Li. ACM CCS, 2021.

• DeepAID: Interpreting and Improving Deep Learning-based Anomaly Detection in Security Applications. [Topic: DL] [pdf]

  • Dongqi Han, Zhiliang Wang, Wenqi Chen, Ying Zhong, Su Wang, Han Zhang, Jiahai Yang, Xingang Shi, Xia Yin. ACM CCS, 2021.

• Honest-but-Curious Nets: Sensitive Attributes of Private Inputs Can Be Secretly Coded into the Classifiers' Outputs. [Topic: Classifer] [pdf]

  • Mohammad Malekzadeh, Anastasia Borovykh, Deniz Gunduz. ACM CCS, 2021.

• Differential Privacy for Directional Data. [Topic: DP] [pdf]

  • Benjamin Weggenmann, Florian Kerschbaum. ACM CCS, 2021.

• "Hello, It's Me": Deep Learning-based Speech Synthesis Attacks in the Real World. [Topic: Speech Synthesis Attack] [pdf]

  • Emily Wenge, Max Bronckers, Christian Cianfarani, Jenna Cryan, Angela Sha, Haitao Zheng, Ben Y. Zhao. ACM CCS, 2021.

• EncoderMI: Membership Inference against Pre-trained Encoders in Contrastive Learning. [Topic: MI] [pdf]

  • Hongbin Liu, Jinyuan Jia, Wenjie Qu, Neil Gong. ACM CCS, 2021.

• Subpopulation Data Poisoning Attacks. [Topic: Poisoning Attack] [pdf]

  • Matthew Jagielski, Giorgio Severi, Niklas Pousette Harger, Alina Oprea. ACM CCS, 2021.

• Continuous Release of Data Streams under both Centralized and Local Differential Privacy. [Topic: DP] [pdf]

  • Tianhao Wang, Joann Qiongna Chen, Zhikun Zhang, Dong Su, Yueqiang Cheng, Zhou Li, Ninghui Li, Somesh Jha. ACM CCS, 2021.

• When Machine Unlearning Jeopardizes Privacy. [Topic: MI] [pdf]

  • Min Chen, Zhikun Zhang, Tianhao Wang, Michael Backes, Mathias Humbert, Yang Zhang. ACM CCS, 2021.

• DetectorGuard: Provably Securing Object Detectors against Localized Patch Hiding Attacks. [Topic: AEs] [pdf]

  • Chong Xiang, Prateek Mittal. ACM CCS, 2021.

• I Can See the Light: Attacks on Autonomous Vehicles Using Invisible Lights. [Topic: AV] [pdf]

  • Wei Wang, Yao Yao, Xin Liu, Xiang Li, Pei Hao, Ting Zhu. ACM CCS, 2021.

• Backdoor Pre-trained Models Can Transfer to All. [Topic: Backdoor] [pdf]

  • Lujia Shen, Shouling Ji, Xuhong Zhang, Jinfeng Li, Jing Chen, Jie Shi, Chengfang Fang, Jianwei Yin, Ting Wang. ACM CCS, 2021.

• Quantifying and Mitigating Privacy Risks of Contrastive Learning. [Topic: CL] [pdf]

  • Xinlei He, Yang Zhang. ACM CCS, 2021.

• Membership Inference Attacks Against Recommender Systems. [Topic: MI] [pdf]

  • Minxing Zhang, Zihan Wang, Yang Zhang, Zhaochun Ren, Pengjie Ren, Zhunmin Chen, Pengfei Hu. ACM CCS, 2021.

• Learning Security Classifiers with Verified Global Robustness Properties. [Topic: Classifier] [pdf]

  • Yizheng Chen, Shiqi Wang, Yue Qin, Xiaojing Liao, Suman Jana, David Wagner. ACM CCS, 2021.

• Robust Adversarial Attacks Against DNN-Based Wireless Communication Systems. [Topic: AEs] [pdf]

  • Alireza Bahramali, Milad Nasr, Amir Houmansadr, Dennis Goeckel, Don Towsley. ACM CCS, 2021.

• Can We Use Arbitrary Objects to Attack LiDAR Perception in Autonomous Driving? [Topic: AEs] [pdf]

  • Yi Zhu, Chenglin Miao, Tianhang Zheng, Foad Hajiaghajani, Lu Su, Chunming Qiao. ACM CCS, 2021.

• Feature Indistinguishable Attack to Circumvent Trapdoor-enabled Defense. [Topic: AEs] [Code][pdf]

  • Chaoxiang He, Bin (Benjamin) Zhu, Xiaojing Ma, Hai Jin, Shengshan Hu. ACM CCS, 2021.

• A Hard Label Black-box Adversarial Attack Against Graph Neural Networks. [Topic: AEs & DNN] [pdf]

  • Jiaming Mu, Binghui Wang, Qi Li, Kun Sun, Mingwei Xu, Zhuotao Liu. ACM CCS, 2021.

• Reverse Attack: Black-box Attacks on Collaborative Recommendation. [Topic: CF & Poisoning Attack] [pdf]

  • Yihe Zhang, Xu Yuan, Jin Li, Jiadong Lou, Li Chen, Nianfeng Tzeng. ACM CCS, 2021.

• zkCNN: Zero Knowledge Proofs for Convolutional Neural Network Predictions and Accuracy. [Topic: CNN] [pdf]

  • Tianyi Liu, Xiang Xie, Yupeng Zhang. ACM CCS, 2021.

• Black-box Adversarial Attacks on Commercial Speech Platforms with Minimal Information. [Topic: AEs] [pdf]

  • Baolin Zheng, Peipei Jiang, Qian Wang, Qi Li, Chao Shen, Cong Wang, Yunjie Ge, Qingyang Teng, Shenyi Zhang. ACM CCS, 2021.

• AI-Lancet: Locating Error-inducing Neurons to Optimize Neural Networks. [Topic: DNN] [pdf]

  • Yue Zhao, Hong Zhu, Kai Chen, Shengzhi Zhang. ACM CCS, 2021.