Deploying machine learning models in production may allow adversaries to infer sensitive information about training data. There is a vast literature analyzing different types of inference risks, ranging from membership inference to reconstruction attacks. Inspired by the success of games (i.e., probabilistic experiments) to study security properties in cryptography, some authors describe privacy inference risks in machine learning using a similar game-based style. However, adversary capabilities and goals are often stated in subtly different ways from one presentation to the other, which makes it hard to relate and compose results. In this paper, we present a game-based framework to systematize the body of knowledge on privacy inference risks in machine learning.
translated by Google Translate
The number of international benchmarking competitions is steadily increasing in various fields of machine learning (ML) research and practice. So far, however, little is known about the common practice as well as bottlenecks faced by the community in tackling the research questions posed. To shed light on the status quo of algorithm development in the specific field of biomedical imaging analysis, we designed an international survey that was issued to all participants of challenges conducted in conjunction with the IEEE ISBI 2021 and MICCAI 2021 conferences (80 competitions in total). The survey covered participants' expertise and working environments, their chosen strategies, as well as algorithm characteristics. A median of 72% challenge participants took part in the survey. According to our results, knowledge exchange was the primary incentive (70%) for participation, while the reception of prize money played only a minor role (16%). While a median of 80 working hours was spent on method development, a large portion of participants stated that they did not have enough time for method development (32%). 25% perceived the infrastructure to be a bottleneck. Overall, 94% of all solutions were deep learning-based. Of these, 84% were based on standard architectures. 43% of the respondents reported that the data samples (e.g., images) were too large to be processed at once. This was most commonly addressed by patch-based training (69%), downsampling (37%), and solving 3D analysis tasks as a series of 2D tasks. K-fold cross-validation on the training set was performed by only 37% of the participants and only 50% of the participants performed ensembling based on multiple identical models (61%) or heterogeneous models (39%). 48% of the respondents applied postprocessing steps.
Algorithms such as private SGD enable training machine learning models with formal privacy guarantees. However, there is a discrepancy between the protection such algorithms guarantee in theory and the protection they provide in practice. An emerging line of work empirically estimates the protection afforded by differentially private training as a confidence interval for the privacy budget $\varepsilon$ spent on training a model. Existing approaches derive confidence intervals for $\varepsilon$ from confidence intervals for the false positive and false negative rates of membership inference attacks. Unfortunately, obtaining narrow high-confidence intervals for $\varepsilon$ with this method requires an impractically large sample size and training as many models as there are samples. We propose a novel Bayesian method that greatly reduces the sample size, and we adapt and validate a heuristic to draw multiple samples per trained model. Our Bayesian method exploits the hypothesis-testing interpretation of differential privacy to obtain a posterior for $\varepsilon$ (not just a confidence interval) from the joint posterior of the false positive and false negative rates of membership inference attacks. For the same sample size and confidence, we derive confidence intervals for $\varepsilon$ that are 40% narrower than those of prior work. The heuristic, which we adapt from label-only DP, can further reduce the number of trained models needed to obtain sufficient samples by up to 2 orders of magnitude.
The extraction of relevant information carried by named entities in handwritten documents remains a challenging task. Unlike traditional information extraction approaches, which usually treat text transcription and named entity recognition as separate, consecutive tasks, we propose an end-to-end transformer-based approach that performs both tasks jointly. The proposed approach operates at the paragraph level, which brings two main benefits. First, it allows the model to avoid unrecoverable early errors caused by line segmentation. Second, it allows the model to exploit larger two-dimensional context to identify semantic categories, reaching a higher final prediction accuracy. We also explore different training scenarios to show their effect on performance, and we demonstrate that a two-stage learning strategy allows the model to reach a higher final prediction accuracy. To the best of our knowledge, this work presents a transformer network for named entity recognition in handwritten documents. We achieve new state-of-the-art performance in the ICDAR 2017 Information Extraction competition, even on the complete task, although the proposed technique uses no dictionaries, language modeling, or post-processing.
Machine learning (ML) has established itself as a cornerstone of a range of critical applications, from autonomous driving to authentication systems. However, with the increasing adoption of machine learning models, multiple attacks have emerged. One class of such attacks is training time attacks, in which the adversary executes the attack before or during the training of the machine learning model. In this work, we propose a new training time attack against computer-vision-based machine learning models, namely the model hijacking attack. The adversary aims to hijack a target model to execute a task different from its original one without the model owner noticing. Model hijacking can cause accountability and security risks, since the owner of a hijacked model can be framed for having their model offer illegal or unethical services. Model hijacking attacks are launched in the same way as existing data poisoning attacks. However, one requirement of the model hijacking attack is stealthiness, i.e., the data samples used to hijack the target model should look similar to the model's original training dataset. To this end, we propose two different model hijacking attacks, namely Chameleon and Adverse Chameleon, based on a novel encoder-decoder style ML model, namely the Camouflager. Our evaluation shows that both of our model hijacking attacks achieve a high attack success rate with a negligible drop in model utility.
In a membership inference attack, an attacker aims to infer whether a data sample is in a target classifier's training dataset or not. Specifically, given black-box access to the target classifier, the attacker trains a binary classifier, which takes a data sample's confidence score vector predicted by the target classifier as input and predicts the data sample to be a member or non-member of the target classifier's training dataset. Membership inference attacks pose severe privacy and security threats to the training dataset. Most existing defenses leverage differential privacy when training the target classifier or regularize the training process of the target classifier. These defenses suffer from two key limitations: 1) they do not have formal utility-loss guarantees on the confidence score vectors, and 2) they achieve suboptimal privacy-utility tradeoffs. In this work, we propose MemGuard, the first defense with formal utility-loss guarantees against black-box membership inference attacks. Instead of tampering with the training process of the target classifier, MemGuard adds noise to each confidence score vector predicted by the target classifier. Our key observation is that the attacker uses a classifier to predict member or non-member, and a classifier is vulnerable to adversarial examples. Based on this observation, we propose to add a carefully crafted noise vector to a confidence score vector to turn it into an adversarial example that misleads the attacker's classifier. Specifically, MemGuard works in two phases. In Phase I, MemGuard finds a carefully crafted noise vector that can turn a confidence score vector into an adversarial example, which is likely to mislead the attacker's classifier into making a random guess at member or non-member. We find such a carefully crafted noise vector via a new method that we design to incorporate the unique utility-loss constraints on the noise vector.
In Phase II, MemGuard adds the noise vector to the confidence score vector with a certain probability, which is selected to satisfy a given utility-loss budget on the confidence score vector. Our experimental results on
Machine learning (ML) has become a core component of many real-world applications, and training data is a key factor that drives current progress. This huge success has led Internet companies to deploy machine learning as a service (MLaaS). Recently, the first membership inference attack has shown that extraction of information on the training set is possible in such MLaaS settings, which has severe security and privacy implications. However, the early demonstrations of the feasibility of such attacks make many assumptions about the adversary, such as the use of multiple so-called shadow models, knowledge of the target model structure, and access to a dataset from the same distribution as the target model's training data. We relax all these key assumptions, thereby showing that such attacks are very broadly applicable at low cost and thus pose a more severe risk than previously thought. We present the most comprehensive study so far on this emerging and developing threat, using eight diverse datasets that show the viability of the proposed attacks across domains. In addition, we propose the first effective defense mechanisms against such a broader class of membership inference attacks that maintain a high level of utility of the ML model.
The performance of Deep Learning (DL) models depends on the quality of labels. In some areas, the involvement of human annotators may lead to noise in the data. When these corrupted labels are blindly regarded as the ground truth (GT), DL models suffer from performance deficiency. This paper presents a method that aims to learn a confident model in the presence of noisy labels. This is done in conjunction with estimating the uncertainty of multiple annotators. We robustly estimate the predictions given only the noisy labels by adding an entropy- or information-based regularizer to the classifier network. We conduct our experiments on noisy versions of the MNIST, CIFAR-10, and FMNIST datasets. Our empirical results demonstrate the robustness of our method, as it outperforms or performs comparably to other state-of-the-art (SOTA) methods. In addition, we evaluated the proposed method on the curated dataset, where the noise type and level of the various annotators depend on the input image style. We show that our approach performs well and is adept at learning annotators' confusion. Moreover, we demonstrate that our model is more confident in predicting GT than other baselines. Finally, we assess our approach on the segmentation problem and showcase its effectiveness with experiments.
Recent advances in upper limb prostheses have led to significant improvements in the number of movements provided by the robotic limb. However, the method for controlling multiple degrees of freedom via user-generated signals remains challenging. To address this issue, various machine learning controllers have been developed to better predict movement intent. As these controllers become more intelligent and take on more autonomy in the system, the traditional approach of representing the human-machine interface as a human controlling a tool becomes limiting. One possible approach to improve the understanding of these interfaces is to model them as collaborative, multi-agent systems through the lens of joint action. The field of joint action has been commonly applied to two human partners who are trying to work jointly together to achieve a task, such as singing or moving a table together, by effecting coordinated change in their shared environment. In this work, we compare different prosthesis controllers (proportional electromyography with sequential switching, pattern recognition, and adaptive switching) in terms of how they present the hallmarks of joint action. The results of the comparison lead to a new perspective for understanding how existing myoelectric systems relate to each other, along with recommendations for how to improve these systems by increasing the collaborative communication between each partner.
Current neural network models of dialogue generation (chatbots) show great promise for generating answers for chatty agents. But they are short-sighted in that they predict utterances one at a time while disregarding their impact on future outcomes. Modelling a dialogue's future direction is critical for generating coherent, interesting dialogues, a need that has led to traditional NLP dialogue models that rely on reinforcement learning. In this article, we explain how to combine these objectives by using deep reinforcement learning to predict future rewards in chatbot dialogue. The model simulates conversations between two virtual agents, with policy gradient methods used to reward sequences that exhibit three useful conversational characteristics: the flow of informality, coherence, and simplicity of response (related to the forward-looking function). We assess our model based on its diversity, length, and complexity with regard to humans. In dialogue simulation, evaluations demonstrated that the proposed model generates more interactive responses and encourages a more sustained, successful conversation. This work marks a preliminary step toward developing a neural conversational model based on the long-term success of dialogues.