The security of artificial intelligence (AI) is an important research area towards safe, reliable, and trustworthy AI systems. To accelerate the research on AI security, the Artificial Intelligence Security Competition (AISC) was organized by the Zhongguancun Laboratory, China Industrial Control Systems Cyber Emergency Response Team, Institute for Artificial Intelligence, Tsinghua University, and RealAI as part of the Zhongguancun International Frontier Technology Innovation Competition (https://www.zgc-aisc.com/en). The competition consists of three tracks, including Deepfake Security Competition, Autonomous Driving Security Competition, and Face Recognition Security Competition. This report will introduce the competition rules of these three tracks and the solutions of top-ranking teams in each track.

特洛伊木马攻击对AI系统构成了严重威胁。有关变压器模型的最新著作获得了爆炸性的流行，并且自我展示是无可争议的。这提出了一个核心问题：我们可以通过伯特和VIT中的注意力机制揭示特洛伊木马吗？在本文中，我们调查了特洛伊木马AIS中的注意力劫持模式，当存在特定的触发器时，触发令牌``绑架''的注意力重量。我们观察到来自自然语言处理（NLP）和计算机视觉（CV）域的Trojan变形金刚中劫持模式的一致性劫持模式。这种有趣的财产有助于我们了解伯特和VIT中的特洛伊木马机制。我们还提出了一个关注的特洛伊木马检测器（AHTD），以将特洛伊木马与干净的AI区分开。

多目标自组织追求（SOP）问题已广泛应用，并被认为是一个充满挑战的分布式系统的自组织游戏，在该系统中，智能代理在其中合作追求具有部分观察的多个动态目标。这项工作为分散的多机构系统提出了一个框架，以提高智能代理的搜索和追求能力。我们将一个自组织的系统建模为可观察到的马尔可夫游戏（POMG），具有权力下放，部分观察和非通信的特征。然后将拟议的分布式算法：模糊自组织合作协同进化（FSC2）杠杆化，以解决多目标SOP中的三个挑战：分布式自组织搜索（SOS），分布式任务分配和分布式单目标追踪。 FSC2包括一种协调的多代理深钢筋学习方法，该方法使均匀的代理能够学习天然SOS模式。此外，我们提出了一种基于模糊的分布式任务分配方法，该方法将多目标SOP分解为几个单目标追求问题。合作进化原则用于协调每个单一目标问题的分布式追随者。因此，可以缓解POMG中固有的部分观察和分布式决策的不确定性。实验结果表明，在所有三个子任务中，分布式不传动的多机构协调都具有部分观察结果，而2048 FSC2代理可以执行有效的多目标SOP，其捕获率几乎为100％。

特洛伊木马攻击引起了严重的安全问题。在本文中，我们研究了Trojaned Bert模型的潜在机制。我们观察到木马模型的注意力焦点漂移行为，即，在遇到中毒输入时，触发令牌劫持了注意力的焦点，无论上下文如何。我们对这种现象提供了彻底的定性和定量分析，揭示了对特洛伊木马机制的见解。基于观察结果，我们提出了一个基于注意力的特洛伊木马检测器，以将木马模型与干净的模型区分开。据我们所知，这是第一篇分析特洛伊木马机制并根据变压器的注意力开发特洛伊木马检测器的论文。

一滴联合学习（FL）最近被出现为有希望的方法，允许中央服务器在单个通信中学习模型。尽管通信成本低，但现有的一次性的单次方法大多是不切实际或面临的固有限制，例如，需要公共数据集，客户的型号是同质的，需要上传其他数据/型号信息。为了克服这些问题，我们提出了一种更实用的无数据方法，名为FEDSYN的一枪框架，具有异质性。我们的Fedsyn通过数据生成阶段和模型蒸馏阶段列出全球模型。据我们所知，FEDSYN是由于以下优点，FEDSYN可以实际应用于各种实际应用程序的方法：（1）FEDSYN不需要在客户端之间传输的其他信息（模型参数除外）服务器; （2）FEDSYN不需要任何用于培训的辅助数据集; （3）FEDSYN是第一个考虑FL中的模型和统计异质性，即客户的数据是非IID，不同的客户端可能具有不同的模型架构。关于各种现实世界数据集的实验表明了我们的Fedsyn的优越性。例如，当数据是非IID时，FEDSYN在CIFAR10数据集中优于CEFAR10数据集的最佳基线方法FED-ADI的最佳基准方法。

Few Shot Instance Segmentation (FSIS) requires models to detect and segment novel classes with limited several support examples. In this work, we explore a simple yet unified solution for FSIS as well as its incremental variants, and introduce a new framework named Reference Twice (RefT) to fully explore the relationship between support/query features based on a Transformer-like framework. Our key insights are two folds: Firstly, with the aid of support masks, we can generate dynamic class centers more appropriately to re-weight query features. Secondly, we find that support object queries have already encoded key factors after base training. In this way, the query features can be enhanced twice from two aspects, i.e., feature-level and instance-level. In particular, we firstly design a mask-based dynamic weighting module to enhance support features and then propose to link object queries for better calibration via cross-attention. After the above steps, the novel classes can be improved significantly over our strong baseline. Additionally, our new framework can be easily extended to incremental FSIS with minor modification. When benchmarking results on the COCO dataset for FSIS, gFSIS, and iFSIS settings, our method achieves a competitive performance compared to existing approaches across different shots, e.g., we boost nAP by noticeable +8.2/+9.4 over the current state-of-the-art FSIS method for 10/30-shot. We further demonstrate the superiority of our approach on Few Shot Object Detection. Code and model will be available.

Inferring missing links or detecting spurious ones based on observed graphs, known as link prediction, is a long-standing challenge in graph data analysis. With the recent advances in deep learning, graph neural networks have been used for link prediction and have achieved state-of-the-art performance. Nevertheless, existing methods developed for this purpose are typically discriminative, computing features of local subgraphs around two neighboring nodes and predicting potential links between them from the perspective of subgraph classification. In this formalism, the selection of enclosing subgraphs and heuristic structural features for subgraph classification significantly affects the performance of the methods. To overcome this limitation, this paper proposes a novel and radically different link prediction algorithm based on the network reconstruction theory, called GraphLP. Instead of sampling positive and negative links and heuristically computing the features of their enclosing subgraphs, GraphLP utilizes the feature learning ability of deep-learning models to automatically extract the structural patterns of graphs for link prediction under the assumption that real-world graphs are not locally isolated. Moreover, GraphLP explores high-order connectivity patterns to utilize the hierarchical organizational structures of graphs for link prediction. Our experimental results on all common benchmark datasets from different applications demonstrate that the proposed method consistently outperforms other state-of-the-art methods. Unlike the discriminative neural network models used for link prediction, GraphLP is generative, which provides a new paradigm for neural-network-based link prediction.

Despite excellent performance in image generation, Generative Adversarial Networks (GANs) are notorious for its requirements of enormous storage and intensive computation. As an awesome ''performance maker'', knowledge distillation is demonstrated to be particularly efficacious in exploring low-priced GANs. In this paper, we investigate the irreplaceability of teacher discriminator and present an inventive discriminator-cooperated distillation, abbreviated as DCD, towards refining better feature maps from the generator. In contrast to conventional pixel-to-pixel match methods in feature map distillation, our DCD utilizes teacher discriminator as a transformation to drive intermediate results of the student generator to be perceptually close to corresponding outputs of the teacher generator. Furthermore, in order to mitigate mode collapse in GAN compression, we construct a collaborative adversarial training paradigm where the teacher discriminator is from scratch established to co-train with student generator in company with our DCD. Our DCD shows superior results compared with existing GAN compression methods. For instance, after reducing over 40x MACs and 80x parameters of CycleGAN, we well decrease FID metric from 61.53 to 48.24 while the current SoTA method merely has 51.92. This work's source code has been made accessible at https://github.com/poopit/DCD-official.

Gradient-based explanation is the cornerstone of explainable deep networks, but it has been shown to be vulnerable to adversarial attacks. However, existing works measure the explanation robustness based on $\ell_p$-norm, which can be counter-intuitive to humans, who only pay attention to the top few salient features. We propose explanation ranking thickness as a more suitable explanation robustness metric. We then present a new practical adversarial attacking goal for manipulating explanation rankings. To mitigate the ranking-based attacks while maintaining computational feasibility, we derive surrogate bounds of the thickness that involve expensive sampling and integration. We use a multi-objective approach to analyze the convergence of a gradient-based attack to confirm that the explanation robustness can be measured by the thickness metric. We conduct experiments on various network architectures and diverse datasets to prove the superiority of the proposed methods, while the widely accepted Hessian-based curvature smoothing approaches are not as robust as our method.

The past two decades have seen increasingly rapid advances in the field of multi-view representation learning due to it extracting useful information from diverse domains to facilitate the development of multi-view applications. However, the community faces two challenges: i) how to learn robust representations from a large amount of unlabeled data to against noise or incomplete views setting, and ii) how to balance view consistency and complementary for various downstream tasks. To this end, we utilize a deep fusion network to fuse view-specific representations into the view-common representation, extracting high-level semantics for obtaining robust representation. In addition, we employ a clustering task to guide the fusion network to prevent it from leading to trivial solutions. For balancing consistency and complementary, then, we design an asymmetrical contrastive strategy that aligns the view-common representation and each view-specific representation. These modules are incorporated into a unified method known as CLustering-guided cOntrastiVE fusioN (CLOVEN). We quantitatively and qualitatively evaluate the proposed method on five datasets, demonstrating that CLOVEN outperforms 11 competitive multi-view learning methods in clustering and classification. In the incomplete view scenario, our proposed method resists noise interference better than those of our competitors. Furthermore, the visualization analysis shows that CLOVEN can preserve the intrinsic structure of view-specific representation while also improving the compactness of view-commom representation. Our source code will be available soon at https://github.com/guanzhou-ke/cloven.