A growing body of work has shown that deep neural networks are susceptible to adversarial examples. These take the form of small perturbations applied to the model's input that lead to incorrect predictions. Unfortunately, most of the literature focuses on visually imperceptible perturbations applied to digital images, which by design often cannot be deployed against physical targets. We present Adversarial Scratches: a novel L0 black-box attack that takes the form of scratches in images and is far more deployable than other state-of-the-art attacks. Adversarial Scratches leverage Bézier curves to reduce the dimensionality of the search space and, optionally, to constrain the attack to a specific location. We test Adversarial Scratches in several scenarios, including a publicly available API and images of traffic signs. Results show that our attack often achieves a higher fooling rate than other deployable state-of-the-art methods while requiring fewer queries and modifying very few pixels.
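The abstract's mechanism (a scratch parameterised by a Bézier curve, a black-box query budget, and an L0 cost counted in modified pixels) as an added example. This is illustration code written for this page, not code from the Adversarial Scratches paper: the curve is quadratic (three control points plus one colour, nine numbers in total), the 16x16 image and the toy scoring function are constructed here, and `black_box_search` is plain random search under a query budget standing in for whatever optimiser the paper uses.

```python
import random

# Added example, not code from the Adversarial Scratches paper: a scratch is
# parameterised by the three control points of a quadratic Bezier curve plus a
# colour, so a black-box search works over 9 numbers instead of every pixel.


def bezier_point(p0, p1, p2, t):
    """Evaluate a quadratic Bezier curve with control points p0, p1, p2 at t in [0, 1]."""
    u = 1.0 - t
    x = u * u * p0[0] + 2.0 * u * t * p1[0] + t * t * p2[0]
    y = u * u * p0[1] + 2.0 * u * t * p1[1] + t * t * p2[1]
    return x, y


def rasterize_scratch(p0, p1, p2, width, height, region=None, samples=200):
    """Return the set of integer (x, y) pixels the curve passes through.

    region is an optional (x0, y0, x1, y1) box (inclusive); pixels outside it are
    dropped, which restricts the scratch to a chosen part of the image. Pixels
    outside the image are always dropped.
    """
    pixels = set()
    for i in range(samples + 1):
        x, y = bezier_point(p0, p1, p2, i / samples)
        px, py = int(round(x)), int(round(y))
        if not (0 <= px < width and 0 <= py < height):
            continue
        if region is not None:
            x0, y0, x1, y1 = region
            if not (x0 <= px <= x1 and y0 <= py <= y1):
                continue
        pixels.add((px, py))
    return pixels


def apply_scratch(image, pixels, color):
    """Return a copy of image (rows of RGB tuples) with the scratch pixels recoloured."""
    out = [row[:] for row in image]
    for x, y in pixels:
        out[y][x] = color
    return out


def l0_distance(a, b):
    """Number of pixels that differ between two images: the L0 cost of the attack."""
    return sum(1 for ra, rb in zip(a, b) for pa, pb in zip(ra, rb) if pa != pb)


def black_box_search(score_fn, image, color, region=None, budget=50, seed=0):
    """Random search over scratch parameters under a fixed query budget.

    score_fn(image) -> float stands in for the target model: the attacker only
    sees its output (e.g. confidence in a wrong class), never its gradients.
    Returns (best_score, best_pixels, queries_used).
    """
    height, width = len(image), len(image[0])
    rng = random.Random(seed)
    best_score, best_pixels, queries = None, set(), 0
    for _ in range(budget):
        pts = [(rng.uniform(0, width - 1), rng.uniform(0, height - 1)) for _ in range(3)]
        pixels = rasterize_scratch(*pts, width, height, region)
        score = score_fn(apply_scratch(image, pixels, color))
        queries += 1
        if best_score is None or score > best_score:
            best_score, best_pixels = score, pixels
    return best_score, best_pixels, queries


if __name__ == "__main__":
    # Constructed 16x16 black image; a white scratch along the diagonal.
    W = H = 16
    black = [[(0, 0, 0)] * W for _ in range(H)]
    pix = rasterize_scratch((0, 0), (5, 5), (10, 10), W, H)
    scratched = apply_scratch(black, pix, (255, 255, 255))
    print("pixels modified:", l0_distance(black, scratched))  # 11 of 256

    # Toy "model": counts white pixels in the top four rows. A real target
    # would be a classifier queried over the network.
    def toy_score(img):
        return sum(1 for row in img[:4] for p in row if p == (255, 255, 255))

    best, _, used = black_box_search(toy_score, black, (255, 255, 255), budget=20)
    print("best score", best, "after", used, "queries")
```

The point of the `region` argument is the abstract's "constrain the attack to a specific location": the search space stays nine-dimensional, and only the rasteriser decides which pixels may change, so the L0 cost is bounded by the curve length rather than by the image size.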
Deep Learning has recently become hugely popular in machine learning for its ability to solve end-to-end learning systems, in which the features and the classifiers are learned simultaneously, providing significant improvements in classification accuracy in the presence of highly-structured and large databases. Its success is due to a combination of recent algorithmic breakthroughs, increasingly powerful computers, and access to significant amounts of data.

Researchers have also considered privacy implications of deep learning. Models are typically trained in a centralized manner with all the data being processed by the same training algorithm. If the data is a collection of users' private data, including habits, personal pictures, geographical positions, interests, and more, the centralized server will have access to sensitive information that could potentially be mishandled. To tackle this problem, collaborative deep learning models have recently been proposed where parties locally train their deep learning structures and only share a subset of the parameters in the attempt to keep their respective training sets private. Parameters can also be obfuscated via differential privacy (DP) to make information extraction even more challenging, as proposed by Shokri and Shmatikov at CCS'15.

Unfortunately, we show that any privacy-preserving collaborative deep learning is susceptible to a powerful attack that we devise in this paper. In particular, we show that a distributed, federated, or decentralized deep learning approach is fundamentally broken and does not protect the training sets of honest participants. The attack we developed exploits the real-time nature of the learning process that allows the adversary to train a Generative Adversarial Network (GAN) that generates prototypical samples of the targeted training set that was meant to be private (the samples generated by the GAN are intended to come from the same distribution as the training data). Interestingly, we show that record-level differential privacy applied to the shared parameters of the model, as suggested in previous work, is ineffective (i.e., record-level DP is not designed to address our attack).
Recent advances in generative machine learning models have rekindled research interest in password guessing. Data-driven password guessing approaches based on GANs and on deep latent variable models have shown impressive generalization performance and offer compelling properties for password guessing. In this paper, we propose PassFlow, a flow-based generative model approach to password guessing. Flow-based models allow exact log-likelihood computation and optimization, which enables exact latent variable inference. Additionally, flow-based models provide a meaningful latent space representation, which enables operations such as exploring specific subspaces of the latent space and interpolation. We show the applicability of generative flows to password guessing, departing from previous applications of flow networks, which have mainly been limited to image generation in continuous spaces. We show that PassFlow is able to outperform prior state-of-the-art GAN-based approaches in the password guessing task while using a training set that is orders of magnitude smaller than that of the previous body of work. Furthermore, a qualitative analysis of the generated samples shows that PassFlow accurately models the distribution of the original passwords, with even non-matching samples closely resembling human-like passwords.
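As an added note (not from the PassFlow paper) making the "exact log-likelihood" and "interpolation" claims concrete: a flow is an invertible, differentiable map $f$ from a password representation $x$ to a latent $z = f(x)$ with a simple prior $p_Z$ (typically a standard normal). Because $f$ is invertible, the change-of-variables formula gives the likelihood of a password exactly rather than as a lower bound:

$$\log p_X(x) = \log p_Z\big(f(x)\big) + \log \left| \det \frac{\partial f(x)}{\partial x} \right|$$

This is the quantity the model maximizes over the training set, and since $z = f(x)$ is computed directly, latent variable inference is exact. Interpolating between two passwords $x_1, x_2$ means moving along a path in latent space and decoding with the inverse map:

$$z_i = f(x_i), \qquad z(\lambda) = (1-\lambda)\, z_1 + \lambda\, z_2, \qquad x(\lambda) = f^{-1}\big(z(\lambda)\big), \quad \lambda \in [0,1]$$

Sampling new guesses is the same operation with $z \sim p_Z$ in place of $z(\lambda)$. How passwords (discrete strings) are embedded in the continuous space that $f$ operates on is specific to the paper and is not described here.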