USENIX Security '21 - Double-Cross Attacks: Subverting Active Learning Systems