• Title: Special Topics on AI Security
• Provided by: Dept. of Computer Engineering, Myongji University
• Lead by: Minho Shin (mhshin@mju.ac.kr, Rm5736)
• Period: Spring semester, 2026
• Location: 5701 at 5th Engineering Building
• Time: Wed, 10am to 1pm
• Type: Graduate Seminar
• Goal of the class
  • This class aims to familiarize students with current research topics in AI Security & Privacy area
  • This class also aims to train students with their communication skills including oral presentation, discussion, writing, and collaboration
• Resources for researchers from Publishing Campus of Elsevier
  • Learning Center
  • Setting sail on your research journey

TBD

* order: Cho --> Han --> Kwak
* # of presentations per week: 2, 2, 2, ...
* # of presentations per person: 

• Rules for the class
  • We have 15 presentations in total by three students
  • Each present 5 presentations throughout the semester
  • One presentation per day
  • The presenter announces the paper to present at least one week ahead
  • The presenter prepares a powerpoint slides for 30-60min talk
  • The other students submit a review article (1-2 pages) before class
  • The presentation should contain:
    • (Motivation) What are the motivations for this particular problem? What is the backgrounds for understanding the problem? Why is this important?
    • (Problem) What is, on earth, the exact problem the authors aim to address, and why on earth, is the problem important?
    • (Related work) What has been done by other researchers to address the same or similar problem on the table? Why the existing work is not enough to call done?
    • (Method) What is their main methodology to address the problem? How did they actually solve the problem in detail?
    • (Evaluation) What are the evidences for their success found in the paper? What is missing in their evaluation?
    • (Contribution) What is the contribution of the paper and what is not their contributions? Are there any limitations in their result? How would you evaluate the value of the paper?
    • (Future work) What is the remaining problems that were only partially addressed or never covered by the paper? What will be a possible approach to the problem?
  • A review article contains
    • The same content as described for the presenter
    • But in a succinctly written words form
    • Not exceeding two pages
    • Submit in Word/PDF by email
  • Evaluation
    • As a Presenter (10 points each)
      • Slide Quality
      • Talk Quality
      • Knowledge Level
    • As a reviewer (5 points each)
      • Clarity of the review
      • Understanding level

1. Explaining and Harnessing Adversarial Examples
   • Ian Goodfellow, Jonathon Shlens, Christian Szegedy, ICLR 2015 | Pages: 11 | Difficulty: 2/5
   • Abstract: This seminal paper introduces the Fast Gradient Sign Method (FGSM) and demonstrates that neural networks are vulnerable to adversarial examples - inputs with imperceptible perturbations that cause misclassification. The authors show that adversarial examples transfer across models and propose that linearity in high-dimensional spaces is the primary cause of vulnerability, challenging previous hypotheses about model overfitting.
2. Towards Evaluating the Robustness of Neural Networks
   • Nicholas Carlini, David Wagner, IEEE S&P 2017 | Pages: 16 | Difficulty: 3/5
   • Abstract: This paper presents the powerful C&W attack, demonstrating that defensive distillation and other defenses can be bypassed. The authors formulate adversarial example generation as an optimization problem and introduce targeted attacks that achieve near-perfect success rates. They establish important evaluation methodology for measuring model robustness and show that many claimed defenses provide false security.
3. Intriguing Properties of Neural Networks
   • Christian Szegedy et al., ICLR 2014 | Pages: 10 | Difficulty: 3/5
   • Abstract: The first paper to formally identify adversarial examples in deep neural networks. The authors demonstrate that small, carefully crafted perturbations can fool state-of-the-art models and that these adversarial examples transfer between different models. They introduce the L-BFGS attack method and show that adversarial examples reveal fundamental properties of neural network decision boundaries rather than being mere artifacts of overfitting.
4. DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks
   • Seyed-Mohsen Moosavi-Dezfooli et al., CVPR 2016 | Pages: 9 | Difficulty: 3/5
   • Abstract: This paper introduces DeepFool, an efficient algorithm to compute minimal adversarial perturbations. Unlike FGSM which produces large perturbations, DeepFool iteratively linearizes the classifier to find the closest decision boundary. The method provides a way to measure model robustness quantitatively and demonstrates that different architectures have varying levels of robustness to adversarial perturbations.
5. Universal Adversarial Perturbations
   • Seyed-Mohsen Moosavi-Dezfooli et al., CVPR 2017 | Pages: 10 | Difficulty: 3/5
   • Abstract: This paper demonstrates the existence of universal perturbations - single perturbations that can fool a classifier on most inputs from a dataset. These image-agnostic perturbations reveal fundamental geometric properties of decision boundaries and challenge the notion that adversarial examples are input-specific artifacts. The work shows that universal perturbations transfer across different models trained on the same task.
6. Adversarial Examples Are Not Bugs, They Are Features
   • Andrew Ilyas et al., NeurIPS 2019 | Pages: 25 | Difficulty: 3/5
   • Abstract: This influential paper argues that adversarial vulnerability arises from models relying on highly predictive but non-robust features in the data. The authors demonstrate that models trained only on adversarial examples can achieve good accuracy on clean data, showing that adversarial examples exploit genuine patterns. This challenges the view of adversarial examples as bugs and suggests they reveal fundamental properties of standard machine learning.
7. Adversarial Patch
   • Tom Brown et al., NIPS 2017 Workshop | Pages: 5 | Difficulty: 2/5
   • Abstract: This paper introduces adversarial patches - printable, physical perturbations that can fool classifiers in the real world. Unlike digital perturbations, patches are robust to viewing angle, distance, and lighting conditions. The authors demonstrate attacks where a small sticker can cause an image classifier to ignore everything else in the scene, raising serious concerns for real-world ML deployment in security-critical applications.
8. Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey
   • Naveed Akhtar, Ajmal Mian, IEEE Access 2018 | Pages: 31 | Difficulty: 1/5 (Survey)
   • Abstract: A comprehensive survey covering adversarial attacks and defenses in computer vision. The paper categorizes attacks based on adversary knowledge, attack specificity, and attack frequency. It reviews major attack methods (FGSM, C&W, DeepFool) and defense strategies (adversarial training, defensive distillation, gradient masking). An excellent entry-level resource for understanding the adversarial ML landscape.

1. (Jo) You autocomplete me: Poisoning vulnerabilities in neural code completion
   • Schuster et al
   • Abstract: This paper demonstrates that neural code autocompleters are vulnerable to data and model poisoning attacks where attackers can inject specially-crafted files into training corpora or fine-tune models to influence autocomplete suggestions toward insecure coding practices such as weak encryption modes or outdated SSL versions
2. BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain
   • Tianyu Gu et al., NIPS 2017 Workshop | Pages: 6 | Difficulty: 2/5
   • Abstract: This pioneering work introduces backdoor attacks on neural networks where an attacker poisons training data with trigger patterns. The resulting model performs normally on clean inputs but misclassifies when the trigger is present. The authors demonstrate attacks on traffic sign recognition and face identification, showing that backdoored models are difficult to detect through standard accuracy testing.
3. Poison Frogs! Targeted Clean-Label Poisoning Attacks on Neural Networks
   • Ali Shafahi et al., NeurIPS 2018 | Pages: 11 | Difficulty: 3/5
   • Abstract: This paper introduces clean-label poisoning where poisoned training samples maintain correct labels, making attacks harder to detect. The authors craft imperceptible perturbations to training images that cause targeted misclassification. They use feature collision in the network's representation space to make the target input appear similar to a chosen class, demonstrating successful attacks on transfer learning scenarios.
4. Trojaning Attack on Neural Networks
   • Yingqi Liu et al., IEEE ICCD 2018 | Pages: 8 | Difficulty: 3/5
   • Abstract: Presents a systematic approach to injecting hardware-based trojans in neural networks. Shows how attackers can manipulate model behavior through malicious hardware modifications. Demonstrates attacks that activate only under specific trigger conditions while maintaining normal behavior otherwise.
5. Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks
   • Bolun Wang et al., IEEE S&P 2019 | Pages: 15 | Difficulty: 3/5
   • Abstract: Proposes the first defense mechanism specifically designed to detect and remove backdoors from neural networks. Uses optimization to reverse-engineer potential triggers and identifies anomalous patterns. Successfully detects backdoors with high accuracy and can remove them through fine-tuning or neuron pruning.
6. Bypassing Backdoor Detection Algorithms in Deep Learning
   • Te Juin Lester Tan, Reza Shokri, NeurIPS 2020 | Pages: 11 | Difficulty: 4/5
   • Abstract: Demonstrates sophisticated backdoor attacks that evade state-of-the-art detection methods. Shows that adaptive attackers can craft triggers that appear natural and avoid detection by Neural Cleanse and similar defenses. Challenges the security of existing backdoor detection approaches.
7. Backdoor Attacks Against Deep Learning Systems in the Physical World
   • Emily Wenger et al., CVPR 2021 | Pages: 10 | Difficulty: 3/5
   • Abstract: Extends backdoor attacks to the physical world using robust physical triggers. Demonstrates attacks on traffic sign recognition where physical stickers serve as backdoor triggers. Shows that backdoors can survive in real-world conditions with varying angles, distances, and lighting.
8. Blind Backdoors in Deep Learning Models
   • Eugene Bagdasaryan, Vitaly Shmatikov, USENIX Security 2021 | Pages: 18 | Difficulty: 4/5
   • Abstract: Introduces blind backdoor attacks where the attacker doesn't need to control the training process. Shows how backdoors can be injected through model replacement or by poisoning only a small fraction of training data. Demonstrates attacks on federated learning and transfer learning scenarios.
9. WaNet: Imperceptible Warping-based Backdoor Attack
   • Anh Nguyen et al., ICLR 2021 | Pages: 18 | Difficulty: 3/5
   • Abstract: Proposes a novel backdoor attack using smooth warping transformations instead of visible patches. These backdoors are nearly imperceptible and harder to detect than traditional patch-based triggers. Demonstrates high attack success rates while evading multiple defense mechanisms.
10. Backdoor Learning: A Survey
    • Yiming Li et al., arXiv 2022 | Pages: 45 | Difficulty: 1/5 (Survey)
    • Abstract: Comprehensive survey of backdoor attacks and defenses in deep learning. Categorizes attacks by trigger type, poisoning strategy, and attack scenario. Reviews detection and mitigation methods. Provides taxonomy and identifies open research challenges.

1. Membership Inference Attacks Against Machine Learning Models
   • Reza Shokri et al., IEEE S&P 2017 | Pages: 15 | Difficulty: 3/5
   • Abstract: Introduces membership inference attacks where an attacker determines if a specific data point was in the training set. Demonstrates attacks on commercial ML services including Google Prediction API. Shows that overfitting makes models vulnerable and that confidence scores leak membership information.
2. Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures
   • Matt Fredrikson et al., CCS 2015 | Pages: 12 | Difficulty: 3/5
   • Abstract: Demonstrates model inversion attacks that reconstruct training data from model outputs. Shows successful reconstruction of facial images from face recognition models and recovery of sensitive attributes from genomic data predictors. Proposes confidence masking as a partial defense.
3. Extracting Training Data from Large Language Models
   • Nicholas Carlini et al., USENIX Security 2021 | Pages: 17 | Difficulty: 3/5
   • Abstract: Shows that large language models like GPT-2 memorize and can be made to emit verbatim training data including personal information. Demonstrates extraction of phone numbers, addresses, and copyrighted content. Raises serious privacy concerns for LLMs trained on web data.
4. The Secret Sharer: Evaluating and Testing Unintended Memorization in Neural Networks
   • Nicholas Carlini et al., USENIX Security 2019 | Pages: 18 | Difficulty: 3/5
   • Abstract: Studies unintended memorization in neural networks, showing models can memorize rare or sensitive training examples. Proposes exposure metrics to quantify memorization and demonstrates extraction attacks. Shows that differential privacy provides limited protection against memorization.
5. Stealing Machine Learning Models via Prediction APIs
   • Florian Tramèr et al., USENIX Security 2016 | Pages: 20 | Difficulty: 3/5
   • Abstract: Demonstrates model extraction attacks where an attacker queries a black-box model to steal its functionality. Shows successful extraction of logistic regression, neural networks, and decision trees. Analyzes the cost-accuracy tradeoff and proposes defenses based on output perturbation.
6. Deep Models Under the GAN: Information Leakage from Collaborative Deep Learning
   • Briland Hitaj et al., CCS 2017 | Pages: 14 | Difficulty: 4/5
   • Abstract: Presents a novel attack on collaborative learning using GANs. Shows that an adversarial participant can use a GAN to reconstruct private training data from model updates in federated learning. Demonstrates attacks that recover recognizable images from gradient information.
7. SoK: Privacy-Preserving Machine Learning
   • Maria Rigaki, Sebastian Garcia, arXiv 2023 | Pages: 38 | Difficulty: 1/5 (Survey)
   • Abstract: Systematization of knowledge on privacy attacks and defenses in machine learning. Covers membership inference, model inversion, and data extraction. Reviews privacy-preserving techniques including differential privacy, secure computation, and federated learning.

1. Jailbroken: How Does LLM Safety Training Fail?
   • Alexander Wei et al., NeurIPS 2023 | Pages: 34 | Difficulty: 3/5
   • Abstract: Analyzes why safety training in LLMs can be circumvented through jailbreaking. Identifies two failure modes: competing objectives during training and mismatched generalization between safety and capabilities. Provides theoretical framework for understanding jailbreak vulnerabilities.
2. Universal and Transferable Adversarial Attacks on Aligned Language Models
   • Andy Zou et al., arXiv 2023 | Pages: 25 | Difficulty: 3/5
   • Abstract: Introduces automated methods to generate adversarial suffixes that jailbreak LLMs. Shows these attacks transfer across models including GPT-3.5, GPT-4, and Claude. Demonstrates that aligned models remain vulnerable to optimization-based attacks despite safety training.
3. Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection
   • Kai Greshake et al., AISec 2023 | Pages: 17 | Difficulty: 2/5
   • Abstract: Introduces indirect prompt injection where attackers manipulate LLM behavior through external data sources. Demonstrates attacks on real applications including email assistants and document processors. Shows how injected instructions in websites or documents can compromise LLM-integrated systems.
4. Poisoning Language Models During Instruction Tuning
   • Alexander Wan et al., ICML 2023 | Pages: 12 | Difficulty: 3/5
   • Abstract: Demonstrates backdoor attacks during instruction tuning phase of LLMs. Shows that small amounts of poisoned instruction data can inject persistent backdoors. Attacks remain effective even after additional fine-tuning on clean data.
5. Red Teaming Language Models with Language Models
   • Ethan Perez et al., EMNLP 2022 | Pages: 23 | Difficulty: 2/5
   • Abstract: Uses LLMs to automatically generate test cases for red-teaming other LLMs. Discovers diverse failure modes including offensive outputs and privacy leaks. Shows automated red-teaming can scale safety testing beyond manual efforts.
6. Prompt Injection Attacks and Defenses in LLM-Integrated Applications
   • Yupei Liu et al., arXiv 2023 | Pages: 14 | Difficulty: 2/5
   • Abstract: Formalizes prompt injection attacks and proposes taxonomy. Analyzes both direct and indirect injection vectors. Evaluates existing defenses and proposes new mitigation strategies including prompt sandboxing and input validation.
7. Are Aligned Neural Networks Adversarially Aligned?
   • Nicholas Carlini et al., NeurIPS 2023 | Pages: 29 | Difficulty: 4/5
   • Abstract: Studies whether alignment through RLHF provides adversarial robustness. Finds that aligned models remain vulnerable to adversarial attacks and that alignment and robustness are distinct properties. Challenges assumptions about safety of aligned models.
8. SoK: Exploring the State of the Art and the Future Potential of Artificial Intelligence in Digital Forensic Investigation
   • Yiming Liu et al., IEEE S&P 2024 | Pages: 52 | Difficulty: 1/5 (Survey)
   • Abstract: Comprehensive survey on LLM security covering jailbreaking, prompt injection, data extraction, and misuse. Categorizes attacks and defenses. Discusses open challenges in securing LLM-based applications.

1. How To Backdoor Federated Learning
   • Eugene Bagdasaryan et al., AISTATS 2020 | Pages: 11 | Difficulty: 3/5
   • Abstract: Demonstrates that a single malicious participant can inject backdoors into federated learning models. Shows model replacement attacks where the attacker's update overrides honest participants. Proposes defenses based on norm clipping and differential privacy.
2. Machine Learning with Adversaries: Byzantine Tolerant Gradient Descent
   • Peva Blanchard et al., NeurIPS 2017 | Pages: 11 | Difficulty: 4/5
   • Abstract: Addresses Byzantine attacks in distributed learning where participants send arbitrary malicious updates. Proposes Krum aggregation rule that is robust to Byzantine workers. Provides theoretical guarantees on convergence under adversarial conditions.
3. The Limitations of Backdoor Detection in Federated Learning
   • Cong Xie et al., NeurIPS 2020 | Pages: 11 | Difficulty: 3/5
   • Abstract: Shows that existing backdoor detection methods for federated learning can be evaded. Demonstrates adaptive attacks that bypass norm-based and clustering-based defenses. Highlights fundamental challenges in securing federated learning against sophisticated attackers.
4. Analyzing Federated Learning through an Adversarial Lens
   • Arjun Nitin Bhagoji et al., ICML 2019 | Pages: 18 | Difficulty: 3/5
   • Abstract: Comprehensive analysis of attack vectors in federated learning. Studies both untargeted poisoning and targeted backdoor attacks. Analyzes the impact of attacker capabilities and proposes anomaly detection defenses.
5. DBA: Distributed Backdoor Attacks against Federated Learning
   • Chulin Xie et al., ICLR 2020 | Pages: 13 | Difficulty: 3/5
   • Abstract: Introduces distributed backdoor attacks where multiple attackers collaborate to inject backdoors while evading detection. Shows that distributed attacks are harder to detect than single-attacker scenarios. Demonstrates successful attacks under defensive aggregation rules.
6. Attack of the Tails: Yes, You Really Can Backdoor Federated Learning
   • Hongyi Wang et al., NeurIPS 2020 | Pages: 12 | Difficulty: 4/5
   • Abstract: Presents edge-case backdoor attacks that are harder to detect. Shows that backdoors can be designed to activate only on rare inputs while maintaining model utility. Demonstrates attacks that bypass existing defenses including differential privacy.
7. Advances and Open Problems in Federated Learning
   • Peter Kairouz et al., Foundations and Trends in Machine Learning 2021 | Pages: 269 | Difficulty: 2/5 (Survey)
   • Abstract: Comprehensive survey of federated learning including security and privacy challenges. Covers poisoning attacks, privacy attacks, and defenses. Discusses open problems in Byzantine-robust aggregation and privacy-preserving protocols.

1. Deep Learning for Malware Detection
   • Edward Raff et al., arXiv 2017 | Pages: 10 | Difficulty: 2/5
   • Abstract: Applies deep learning to static malware detection using raw bytes. Achieves high accuracy on large-scale malware datasets. Discusses practical deployment challenges and adversarial robustness concerns for ML-based malware detection.
2. KITSUNE: An Ensemble of Autoencoders for Online Network Intrusion Detection
   • Yisroel Mirsky et al., NDSS 2018 | Pages: 15 | Difficulty: 2/5
   • Abstract: Proposes unsupervised intrusion detection using ensemble of autoencoders. Detects anomalies in network traffic without labeled data. Demonstrates effectiveness against various attacks including DDoS and reconnaissance.
3. Adversarial Deep Learning in Intrusion Detection Systems
   • Luca Demetrio et al., arXiv 2019 | Pages: 12 | Difficulty: 3/5
   • Abstract: Studies adversarial robustness of deep learning IDS. Shows that malware can evade detection through adversarial perturbations. Evaluates defenses including adversarial training for improving IDS robustness.
4. Deep Learning Approach for Phishing Detection
   • Alejandro Correa Bahnsen et al., IEEE CIT 2017 | Pages: 8 | Difficulty: 2/5
   • Abstract: Uses deep learning for phishing website detection based on URL and HTML features. Achieves high accuracy compared to traditional methods. Discusses real-time deployment considerations for phishing detection systems.
5. DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning
   • Min Du et al., CCS 2017 | Pages: 12 | Difficulty: 3/5
   • Abstract: Applies LSTM networks to system log anomaly detection. Models normal execution patterns and detects deviations. Demonstrates effectiveness in detecting system intrusions and failures through log analysis.
6. Outside the Closed World: On Using Machine Learning for Network Intrusion Detection
   • Robin Sommer, Vern Paxson, IEEE S&P 2010 | Pages: 15 | Difficulty: 2/5
   • Abstract: Classic paper discussing fundamental challenges of applying ML to intrusion detection. Highlights the open-world problem, concept drift, and adversarial manipulation. Argues for careful evaluation and realistic assumptions in security ML.
7. Large Language Models for Cybersecurity: A Systematic Survey
   • Hansheng Yao et al., arXiv 2024 | Pages: 42 | Difficulty: 1/5 (Survey)
   • Abstract: Comprehensive survey on using LLMs for security applications including vulnerability detection, malware analysis, and threat intelligence. Discusses prompt engineering for security tasks and limitations of LLMs in security contexts.

1. Evading Classifiers by Morphing in the Dark
   • Qian Hu, Saumya Debray, Black Hat 2017 | Pages: 8 | Difficulty: 2/5
   • Abstract: Demonstrates practical evasion of ML-based malware detectors. Shows adversarial perturbations that preserve malware functionality while evading detection. Discusses implications for deploying ML in security-critical applications.
2. Automating Network Exploitation Using Reinforcement Learning
   • William Glodek, Sandia National Labs 2018 | Pages: 10 | Difficulty: 3/5
   • Abstract: Uses reinforcement learning for automated network penetration testing. Agents learn to exploit vulnerabilities through trial and error. Demonstrates potential and limitations of RL for offensive security automation.
3. DeepFuzz: Automatic Generation of Syntax Valid C Programs for Fuzz Testing
   • Xiao Liu et al., AAAI 2019 | Pages: 8 | Difficulty: 3/5
   • Abstract: Uses deep learning to generate valid C programs for fuzzing compilers. Learns syntax rules from existing code. Discovers previously unknown compiler bugs through automated test generation.
4. Adversarial Examples for Evaluating Reading Comprehension Systems
   • Robin Jia, Percy Liang, EMNLP 2017 | Pages: 11 | Difficulty: 2/5
   • Abstract: Creates adversarial examples for NLP systems by adding distracting sentences. Shows that reading comprehension models are brittle to such perturbations. Demonstrates importance of robust evaluation for NLP security.
5. Generating Natural Language Adversarial Examples
   • Moustafa Alzantot et al., EMNLP 2018 | Pages: 12 | Difficulty: 3/5
   • Abstract: Uses genetic algorithms to generate adversarial examples for text classification. Maintains semantic similarity while fooling models. Demonstrates vulnerabilities in sentiment analysis and textual entailment systems.
6. LLM-Fuzzer: Fuzzing Large Language Models with Chain-of-Thought Prompts
   • Jiahao Yu et al., arXiv 2023 | Pages: 16 | Difficulty: 2/5
   • Abstract: Automated fuzzing framework for discovering LLM vulnerabilities. Uses mutation-based approach to generate test cases. Finds jailbreak prompts and alignment failures.

1. Towards Deep Learning Models Resistant to Adversarial Attacks
   • Aleksander Madry et al., ICLR 2018 | Pages: 28 | Difficulty: 3/5
   • Abstract: Introduces PGD adversarial training as a robust defense. Formulates adversarial training as a min-max optimization problem. Shows significantly improved robustness against strong attacks.
2. Certified Adversarial Robustness via Randomized Smoothing
   • Jeremy Cohen et al., ICML 2019 | Pages: 17 | Difficulty: 4/5
   • Abstract: Provides provable robustness certificates using randomized smoothing. Transforms any classifier into certifiably robust version. Achieves state-of-the-art certified accuracy.
3. Provable Defenses against Adversarial Examples via the Convex Outer Adversarial Polytope
   • Eric Wong, Zico Kolter, ICML 2018 | Pages: 11 | Difficulty: 5/5
   • Abstract: Uses convex optimization to train provably robust networks. Computes exact worst-case adversarial loss during training. Limited to small networks but provides strong guarantees.
4. Obfuscated Gradients Give a False Sense of Security
   • Anish Athalye et al., ICML 2018 | Pages: 19 | Difficulty: 3/5
   • Abstract: Exposes gradient obfuscation as a common failure mode in adversarial defenses. Shows many published defenses can be broken with adaptive attacks. Introduces BPDA for attacking defenses.
5. Reliable Evaluation of Adversarial Robustness with an Ensemble of Diverse Parameter-free Attacks
   • Francesco Croce, Matthias Hein, ICML 2020 | Pages: 32 | Difficulty: 3/5
   • Abstract: Introduces AutoAttack, an ensemble of parameter-free attacks for robust evaluation. Reveals overestimated robustness in many defenses. Now standard evaluation benchmark.
6. Benchmarking Neural Network Robustness to Common Corruptions and Perturbations
   • Dan Hendrycks, Thomas Dietterich, ICLR 2019 | Pages: 17 | Difficulty: 2/5
   • Abstract: Introduces ImageNet-C for evaluating robustness to natural corruptions. Shows models often fail on common corruptions despite adversarial training.
7. A Survey on Robustness of Neural Networks
   • Jiefeng Huang et al., arXiv 2023 | Pages: 52 | Difficulty: 1/5 (Survey)
   • Abstract: Comprehensive survey covering adversarial robustness, certified defenses, and evaluation methods. Covers attack types, defense strategies, and theoretical foundations.

1. Reluplex: An Efficient SMT Solver for Verifying Deep Neural Networks
   • Guy Katz et al., CAV 2017 | Pages: 20 | Difficulty: 5/5
   • Abstract: Introduces formal verification of neural networks using SMT solving. Can prove properties about network behavior. Foundational work in neural network verification.
2. Interpretable Machine Learning for Security
   • Archana Kuppa, Nhien-An Le-Khac, arXiv 2020 | Pages: 24 | Difficulty: 2/5
   • Abstract: Survey on interpretability methods for security applications. Discusses LIME, SHAP, attention mechanisms. Argues for interpretability in security-critical ML.
3. Activation Atlas: Exploring Neural Network Activations
   • Shan Carter et al., Distill 2019 | Pages: 12 | Difficulty: 2/5
   • Abstract: Visualizes what neurons in neural networks respond to. Uses feature visualization to understand internal representations. Helps identify adversarial vulnerabilities.
4. Quantifying Uncertainties in Neural Networks for Security Applications
   • Lewis Smith, Yarin Gal, arXiv 2018 | Pages: 10 | Difficulty: 3/5
   • Abstract: Uses Bayesian neural networks to quantify uncertainty. Shows uncertainty can detect adversarial examples and out-of-distribution data.
5. DeepXplore: Automated Whitebox Testing of Deep Learning Systems
   • Kexin Pei et al., SOSP 2017 | Pages: 18 | Difficulty: 3/5
   • Abstract: Automated testing framework using neuron coverage as a metric. Generates inputs that maximize differential behavior across models. Finds thousands of erroneous behaviors.
6. Attention is Not Explanation
   • Sarthak Jain, Byron Wallace, NAACL 2019 | Pages: 11 | Difficulty: 2/5
   • Abstract: Challenges the use of attention weights as explanations. Shows attention can be manipulated without changing predictions. Important for security relying on interpretability.
7. Explainability for AI Security: A Survey
   • Fatima Alsubaei et al., arXiv 2022 | Pages: 38 | Difficulty: 1/5 (Survey)
   • Abstract: Comprehensive survey on explainability in AI security. Covers interpretability methods, their application to security, and limitations.

1. Protecting Intellectual Property of Deep Neural Networks with Watermarking
   • Yusuke Uchida et al., AsiaCCS 2017 | Pages: 13 | Difficulty: 3/5
   • Abstract: Embeds watermarks in neural networks to prove ownership. Watermarks survive fine-tuning and model extraction attempts.
2. Model Stealing Attacks Against Inductive Graph Neural Networks
   • Asim Waheed Duddu et al., IEEE S&P 2022 | Pages: 16 | Difficulty: 3/5
   • Abstract: Demonstrates model extraction attacks on graph neural networks. Shows GNNs are particularly vulnerable to stealing.
3. Weight Poisoning Attacks on Pre-trained Models
   • Keita Kurita et al., ACL 2020 | Pages: 11 | Difficulty: 3/5
   • Abstract: Shows attackers can poison pre-trained models in model hubs. Injected backdoors persist through fine-tuning on downstream tasks.
4. Backdoor Attacks on Self-Supervised Learning
   • Aniruddha Saha et al., CVPR 2022 | Pages: 10 | Difficulty: 3/5
   • Abstract: Demonstrates backdoor attacks during self-supervised pre-training. Backdoors transfer to downstream tasks after fine-tuning.
5. Proof-of-Learning: Definitions and Practice
   • Hengrui Jia et al., IEEE S&P 2021 | Pages: 17 | Difficulty: 4/5
   • Abstract: Introduces proof-of-learning to verify models were trained as claimed. Prevents model theft and verifies computational work.
6. SoK: Hate, Harassment, and the Changing Landscape of Social Media
   • Shagun Jhaver et al., IEEE S&P 2021 | Pages: 47 | Difficulty: 1/5 (Survey)
   • Abstract: Systematization of knowledge on using AI for content moderation. Discusses ML models for detecting hate speech and harassment.