Update README.md

README.md

@@ -22,9 +22,9 @@ Currently, this toolbox is still under development (but the attack parts are alm
 |                                                    **Method**                                                   |       **Source**      | **Key Properties**                                         | **Additional Notes**                                                    |
 |:---------------------------------------------------------------------------------------------------------------:|:---------------------:|------------------------------------------------------------|-------------------------------------------------------------|
 |             [BadNets](https://github.com/THUYimingLi/BackdoorBox/blob/main/core/attacks/BadNets.py)             |   [Badnets: Evaluating Backdooring Attacks on Deep Neural Networks](https://ieeexplore.ieee.org/abstract/document/8685687). IEEE Access, 2019.   | poison-only                                                | first backdoor attack                                       |
-|          [Blended Attack](https://github.com/THUYimingLi/BackdoorBox/blob/main/core/attacks/Blended.py)         |      arXiv, 2017      | poison-only, invisible                                     | first invisible attack                                      |
-|    [Refool (simplified version)](https://github.com/THUYimingLi/BackdoorBox/blob/main/core/attacks/Refool.py)   |       ECCV, 2020      | poison-only, sample-specific                               | first stealthy attack with visible yet natural trigger      |
-| [Label-consistent Attack](https://github.com/THUYimingLi/BackdoorBox/blob/main/core/attacks/LabelConsistent.py) |      arXiv, 2019      | poison-only, invisible, clean-label                        | first clean-label backdoor attack                           |
+|          [Blended Attack](https://github.com/THUYimingLi/BackdoorBox/blob/main/core/attacks/Blended.py)         |      [Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning](https://arxiv.org/pdf/1712.05526.pdf). arXiv, 2017.      | poison-only, invisible                                     | first invisible attack                                      |
+|    [Refool (simplified version)](https://github.com/THUYimingLi/BackdoorBox/blob/main/core/attacks/Refool.py)   |       [Reflection Backdoor: A Natural Backdoor Attack on Deep Neural Networks](https://arxiv.org/pdf/2007.02343.pdf). ECCV, 2020      | poison-only, sample-specific                               | first stealthy attack with visible yet natural trigger      |
+| [Label-consistent Attack](https://github.com/THUYimingLi/BackdoorBox/blob/main/core/attacks/LabelConsistent.py) |     [Label-Consistent Backdoor Attacks](https://arxiv.org/pdf/1912.02771.pdf). arXiv, 2019      | poison-only, invisible, clean-label                        | first clean-label backdoor attack                           |
 | [TUAP](https://github.com/THUYimingLi/BackdoorBox/blob/main/core/attacks/TUAP.py) |      CVPR, 2020      | poison-only, invisible, clean-label                        | first clean-label backdoor attack with optimized trigger pattern                          |
 | [Sleeper Agent](https://github.com/THUYimingLi/BackdoorBox/blob/main/core/attacks/SleeperAgent.py) |      arXiv, 2021      | poison-only, invisible, clean-label                        | effective clean-label backdoor attack                         |
 |               [ISSBA](https://github.com/THUYimingLi/BackdoorBox/blob/main/core/attacks/ISSBA.py)               |       ICCV, 2021      | poison-only, sample-specific, physical                     | first poison-only sample-specific attack                    |