arxiv: 2605.21146 · v1 · pith:DNU2UI5Fnew · submitted 2026-05-20 · 💻 cs.CR · cs.AI · cs.SE

Detecting Trojaned DNNs via Spectral Regression Analysis

Pith reviewed 2026-05-21 04:00 UTC · model grok-4.3

classification: cs.CR, cs.AI, cs.SE
keywords: trojan detection, dnn security, spectral analysis, fine-tuning, model updates, backdoor detection, regression

The pith

Spectral regression on pre-activation changes during fine-tuning detects Trojaned DNN updates without trigger knowledge.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces a detection method that tracks how internal representations evolve during model updates by examining pre-activation spectra. It learns a reference pattern from clean fine-tuning and flags updates whose spectral deviations fall outside that pattern. This turns Trojan detection into a regression task over successive model states rather than an attempt to recover hidden triggers. The approach works after a single update step and continues to function as the model undergoes further benign changes. Results across four datasets and eight different attacks show consistent separation between Trojaned and clean updates.

Core claim

Trojan insertion during fine-tuning creates spectral deviations in pre-activation layers that are statistically inconsistent with the distribution produced by clean fine-tuning, enabling reliable detection by regressing update spectra against a learned benign reference without access to poisoned data or trigger patterns.

What carries the argument

Pre-activation spectra that characterize benign model evolution, with spectral distance metrics serving as the regression signal to identify inconsistent Trojaned updates.

If this is right

  • Detection succeeds after only one fine-tuning step without any poisoned samples or trigger information.
  • Spectral distances separate Trojaned from clean updates across four datasets and eight attack types.
  • Performance degrades gracefully and remains bounded when the model continues through multiple clean updates afterward.
  • The method outperforms prior detection approaches in accuracy under the single-update setting.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same spectral monitoring could be applied to other update-time attacks such as data poisoning that alters representations without explicit triggers.
  • Continuous integration pipelines could run lightweight spectral checks on every model checkpoint to catch anomalies before deployment.
  • The regression framing suggests treating security monitoring as distributional shift detection in representation space rather than pattern matching on inputs.
  • Extending the reference construction to include multiple architectures or tasks might produce more general benign evolution models.

Load-bearing premise

The spectral pattern of normal fine-tuning forms a stable reference distribution that Trojan insertions will measurably violate.

What would settle it

A Trojaned update whose pre-activation spectral distance falls inside the range observed for clean fine-tuning on the same task and architecture, or a clean update that exceeds the detection threshold.

Figures

Figures reproduced from arXiv: 2605.21146 by Jinhan Kim, Paolo Tonella, Samuele Pasini.

Figure 1: Spectral differences induced by benign (Clean) and malicious (Trojaned) fine-tuning. The figure shows [image]
Figure 2: Overview of MIST. The top part illustrates [image]
Figure 3: Example Trojaned samples of CIFAR-10. For each attack, samples with high trigger visibility have been [image]
Figure 4: Distributions of spectral distances to the reference model [image]

Abstract

Modern DNNs are repeatedly fine-tuned to incorporate new data and functionality. This evolutionary workflow introduces a security risk when updated data cannot be fully trusted, as adversaries may implant Trojans during fine-tuning. We present MIST, a Trojan detection approach that analyzes how a model's internal representations change during fine-tuning. Rather than attempting to reconstruct trigger conditions, MIST characterizes benign model evolution using pre-activation spectra and flags updates whose spectral deviations are inconsistent with this reference. This framing treats Trojan detection as a regression problem over model updates. An empirical evaluation across four datasets and eight Trojan attacks shows that spectral distances reliably distinguish Trojaned updates from clean fine-tuning. MIST outperforms state-of-the-art detection accuracy after a single update, without requiring any knowledge about the poisoned data or the trigger, and remains effective under multi-step benign evolution, with graceful and bounded degradation. These results indicate that spectral evolution provides a stable and assumption-light signal for detecting malicious model updates.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript introduces MIST, a Trojan detection method for DNN fine-tuning updates that characterizes benign model evolution via pre-activation spectra and treats detection as a regression problem over spectral deviations from this reference. It claims reliable distinction of Trojaned updates from clean fine-tuning across four datasets and eight attacks, outperforming prior methods after a single update without requiring poisoned data or trigger knowledge, while showing graceful bounded degradation under multi-step benign evolution.

Significance. If the central empirical distinction holds under broader benign variations, the work offers a practical, assumption-light signal for securing evolutionary DNN workflows against Trojan insertion during fine-tuning. The spectral regression framing avoids trigger reconstruction and provides a stable reference without poisoned-data knowledge, which would be a notable advance in ML security if the separability is robust.

major comments (2)
  1. [§4 (Empirical Evaluation)] the experiments across four datasets and eight Trojan attacks do not include explicit stress-tests for benign fine-tuning variations (different optimizers, learning-rate schedules, or data ordering) that could induce spectral shifts comparable to the evaluated attacks; this directly affects the load-bearing premise that the benign reference distribution remains stably separable.
  2. [Abstract and §3 (Method)] no details are given on the precise computation of spectral distances, threshold selection for regression-based flagging, or any statistical tests/error bars supporting the distinction claim; without these, the reported reliable separation after one update cannot be fully assessed.
minor comments (2)
  1. [§2 (Background)] the notation for pre-activation spectra and the exact regression objective could be formalized with an equation to aid reproducibility.
  2. [Figures] Figure captions: ensure multi-step evolution plots include clear legends distinguishing clean vs. Trojaned trajectories and report the number of runs per curve.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our manuscript. The comments identify areas where additional experiments and methodological details will strengthen the presentation and better support the central claims. We address each point below and commit to revisions in the next version.

Point-by-point responses
  1. Referee: [§4 (Empirical Evaluation)] the experiments across four datasets and eight Trojan attacks do not include explicit stress-tests for benign fine-tuning variations (different optimizers, learning-rate schedules, or data ordering) that could induce spectral shifts comparable to the evaluated attacks; this directly affects the load-bearing premise that the benign reference distribution remains stably separable.

    Authors: We agree that broader stress-testing of benign variations would further substantiate the stability of the reference distribution. While the manuscript already reports results under multi-step benign evolution showing bounded degradation, it does not explicitly vary optimizers, learning-rate schedules, or data ordering. In the revised manuscript we will add these experiments to §4 (using Adam/SGD, step/cosine schedules, and shuffled vs. sequential batching) and report the resulting spectral deviation distributions to confirm separability is preserved.
    revision: yes

  2. Referee: [Abstract and §3 (Method)] no details are given on the precise computation of spectral distances, threshold selection for regression-based flagging, or any statistical tests/error bars supporting the distinction claim; without these, the reported reliable separation after one update cannot be fully assessed.

    Authors: We acknowledge that the initial submission omitted explicit formulas and statistical support. The revised manuscript will expand §3 with the exact spectral distance definition (L2 norm of regression residuals on the DFT of pre-activation vectors), the threshold rule (mean + 3σ of the benign reference distribution), and will include error bars plus paired t-test p-values for all accuracy claims. The abstract will be updated to note these additions.
    revision: yes
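
Added example (not code from the paper or its authors): one way to turn the rule named in the rebuttal above into a checkpoint check, taking the L2 norm of regression residuals on the DFT of pre-activation vectors and comparing it with mean + 3σ of the benign distances. The pooled linear fit, all class and function names, and the constructed vectors (Gaussian base, small benign drift, a large shift on two units standing in for a Trojaned update) are assumptions made for illustration.

```python
import cmath
import math
import random
import statistics


def spectrum(vec):
    """One-sided DFT magnitudes of a pre-activation vector."""
    n = len(vec)
    return [
        abs(sum(v * cmath.exp(-2j * math.pi * k * i / n) for i, v in enumerate(vec)))
        for k in range(n // 2 + 1)
    ]


def fit_line(xs, ys):
    """Ordinary least squares for y = a*x + b."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("reference spectrum is flat; cannot fit a regression")
    a = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return a, my - a * mx


class SpectralReference:
    """Benign reference learned from clean updates of one base model (assumed design)."""

    def __init__(self, base_vec, benign_vecs, k_sigma=3.0):
        if len(benign_vecs) < 2:
            raise ValueError("need at least two benign updates to estimate sigma")
        self.n = len(base_vec)
        self.base = spectrum(base_vec)
        benign = [spectrum(v) for v in benign_vecs]
        # Pool every (base bin, updated bin) pair from the clean updates.
        xs = self.base * len(benign)
        ys = [t for spec in benign for t in spec]
        self.a, self.b = fit_line(xs, ys)
        self.benign_distances = [self._residual_norm(s) for s in benign]
        self.threshold = (statistics.fmean(self.benign_distances)
                          + k_sigma * statistics.stdev(self.benign_distances))

    def _residual_norm(self, spec):
        # L2 norm of what the benign regression fails to explain.
        return math.sqrt(sum((t - (self.a * s + self.b)) ** 2
                             for s, t in zip(self.base, spec)))

    def distance(self, updated_vec):
        if len(updated_vec) != self.n:
            raise ValueError("update must come from the same layer as the reference")
        return self._residual_norm(spectrum(updated_vec))

    def is_suspicious(self, updated_vec):
        return self.distance(updated_vec) > self.threshold


def make_demo(seed=7, n=64):
    """Constructed data only: no real model or dataset is involved."""
    rng = random.Random(seed)
    base = [rng.gauss(0.0, 1.0) for _ in range(n)]

    def drift(scale):
        # Benign update: small, unstructured change to every unit.
        return [v + rng.gauss(0.0, 0.05 * scale) for v in base]

    # Clean runs with different step sizes widen the benign distribution.
    benign = [drift(s) for s in (0.5, 0.7, 0.8, 0.9, 1.1, 1.2, 1.3, 1.5)]
    clean_candidate = drift(1.0)
    trojaned = drift(1.0)
    for idx in (5, 40):  # constructed stand-in for a localized implanted behaviour
        trojaned[idx] += 3.0
    return base, benign, clean_candidate, trojaned


if __name__ == "__main__":
    base, benign, clean, trojaned = make_demo()
    ref = SpectralReference(base, benign)
    print(f"threshold          {ref.threshold:.3f}")
    print(f"clean candidate    {ref.distance(clean):.3f}  flagged={ref.is_suspicious(clean)}")
    print(f"trojaned candidate {ref.distance(trojaned):.3f}  flagged={ref.is_suspicious(trojaned)}")
```

With ten or fewer benign runs, no reference run can exceed its own mean + 3σ (Samuelson's inequality), so the false-positive rate has to be measured on held-out clean updates rather than on the reference set.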

Circularity Check

0 steps flagged

No circularity: reference built from independent benign data

The derivation constructs a reference distribution of pre-activation spectra exclusively from benign fine-tuning trajectories, then measures spectral deviations of new updates against that fixed reference via regression. Because the reference is learned only on clean data and the detection decision is an inconsistency test against it, the reported distances and accuracy claims do not reduce to any fitted parameter or self-citation that incorporates the Trojaned updates being evaluated. The method therefore remains self-contained against external benchmarks and does not exhibit any of the enumerated circular patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The method rests on the domain assumption that benign fine-tuning produces consistent spectral trajectories that can serve as a reference distribution. No free parameters or invented entities are explicitly introduced in the abstract.

axioms (1)
  • domain assumption: Benign model updates produce spectral patterns that form a stable reference distribution usable for regression-based anomaly detection.
    Invoked when the method flags updates whose spectral deviations are inconsistent with the benign reference.

