The security of artificial intelligence (AI) is an important research area towards safe, reliable, and trustworthy AI systems. To accelerate the research on AI security, the Artificial Intelligence Security Competition (AISC) was organized by the Zhongguancun Laboratory, China Industrial Control Systems Cyber Emergency Response Team, Institute for Artificial Intelligence, Tsinghua University, and RealAI as part of the Zhongguancun International Frontier Technology Innovation Competition (https://www.zgc-aisc.com/en). The competition consists of three tracks, including Deepfake Security Competition, Autonomous Driving Security Competition, and Face Recognition Security Competition. This report will introduce the competition rules of these three tracks and the solutions of top-ranking teams in each track.
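Vertical federated learning (VFL) is an emerging paradigm that allows different parties (e.g., organizations or enterprises) to collaboratively build machine learning models with privacy protection. In the training phase, VFL exchanges only intermediate statistics across parties, i.e., forward activations and backward derivatives, to compute model gradients. However, due to its geo-distributed nature, VFL training usually suffers from low WAN bandwidth. In this paper, we introduce CELU-VFL, a novel and efficient VFL training framework that exploits the local update technique to reduce cross-party communication rounds. CELU-VFL caches stale statistics and reuses them to estimate model gradients without exchanging fresh statistics. Significant techniques are proposed to improve convergence performance. First, to handle the stochastic variance problem, we propose a uniform sampling strategy to fairly choose the stale statistics for local updates. Second, to harness the errors brought by staleness, we devise an instance weighting mechanism to measure the reliability of the estimated gradients. Theoretical analysis proves that CELU-VFL achieves a sublinear convergence rate similar to vanilla VFL training but requires fewer communication rounds. Empirical results on both public and real-world workloads validate that CELU-VFL can be up to six times faster than existing works.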
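Due to rising concerns over privacy protection, how to build machine learning (ML) models over different data sources with security guarantees is gaining popularity. Vertical federated learning (VFL) describes the case where ML models are built upon the private data of different participating parties that own disjoint features for the same set of instances, which fits many real-world collaborative tasks. However, we find that existing solutions for VFL either support limited kinds of input features or suffer from potential data leakage during the federated execution. To this end, this paper aims to investigate both the functionality and the security of ML models in the VFL scenario. Specifically, we introduce BlindFL, a novel framework for VFL training and inference. First, to address the functionality of VFL models, we propose federated source layers to unite the data from different parties. The federated source layers can efficiently support various kinds of features, including dense, sparse, numerical, and categorical features. Second, we carefully analyze the security during the federated execution and formalize the privacy requirements. Based on the analysis, we design secure and accurate algorithm protocols, and further prove the security guarantees under the ideal-real simulation paradigm. Extensive experiments show that BlindFL supports diverse datasets and models while achieving strong privacy guarantees.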
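K-core decomposition is a commonly used metric to analyze graph structure or to study the relative importance of nodes in complex graphs. In recent years, the scale of graphs has grown rapidly, especially in industrial settings. For example, our industrial partner runs popular social applications with billions of users and is able to gather rich user data. As a result, applying k-core decomposition to large graphs has attracted more and more attention from academia and industry. A simple but effective way to deal with large graphs is to train them in a distributed setting, and some distributed k-core decomposition algorithms have also been proposed. Despite their effectiveness, we observe experimentally and theoretically that these algorithms consume too many resources and become unstable on super-large-scale graphs, especially when the given resources are limited. In this paper, we deal with those super-large-scale graphs and propose a divide-and-conquer strategy on top of the distributed k-core decomposition algorithm. We evaluate our approach on three large graphs. The experimental results show that resource consumption can be significantly reduced and that computation on large-scale graphs is more stable than with existing methods. For example, with our divide-and-conquer technique the distributed k-core decomposition algorithm can scale to a large graph with 136 billion edges without losing correctness.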
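Kernel logistic regression (KLR) is a conventional nonlinear classifier in machine learning. With the explosive growth of data size, the storage and computation of large kernel matrices is the main challenge in scaling KLR. Even when the Nyström approximation is used to solve KLR, it still faces a time complexity of $O(nc^2)$ and a space complexity of $O(nc)$, where $n$ is the number of training instances and $c$ is the sampling size. In this paper, we propose a fast Newton method that efficiently solves large-scale KLR problems by exploiting the storage and computing advantages of multilevel circulant matrices (MCM). Using an MCM for the matrix, the storage space is reduced to $O(n)$, and by further approximating the coefficient matrix of the Newton equation as an MCM, the computational complexity of a Newton iteration is reduced to $O(n \log n)$. The proposed method can run in log-linear time complexity per iteration, because the multiplication of an MCM (or its inverse) and a vector can be implemented by the multidimensional fast Fourier transform (MFFT). -classification problems show that the proposed method enables KLR to scale to large-scale problems with less memory consumption and less training time, without sacrificing test accuracy.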
A recent study has shown a phenomenon called neural collapse in that the within-class means of features and the classifier weight vectors converge to the vertices of a simplex equiangular tight frame at the terminal phase of training for classification. In this paper, we explore the corresponding structures of the last-layer feature centers and classifiers in semantic segmentation. Based on our empirical and theoretical analysis, we point out that semantic segmentation naturally brings contextual correlation and imbalanced distribution among classes, which breaks the equiangular and maximally separated structure of neural collapse for both feature centers and classifiers. However, such a symmetric structure is beneficial to discrimination for the minor classes. To preserve these advantages, we introduce a regularizer on feature centers to encourage the network to learn features closer to the appealing structure in imbalanced semantic segmentation. Experimental results show that our method can bring significant improvements on both 2D and 3D semantic segmentation benchmarks. Moreover, our method ranks 1st and sets a new record (+6.8% mIoU) on the ScanNet200 test leaderboard. Code will be available at https://github.com/dvlab-research/Imbalanced-Learning.
Despite significant progress in object categorization in recent years, a number of important challenges remain; mainly, the ability to learn from limited labeled data and to recognize object classes within a large, potentially open, set of labels. Zero-shot learning is one way of addressing these challenges, but it has only been shown to work with limited sized class vocabularies and typically requires separation between supervised and unsupervised classes, allowing the former to inform the latter but not vice versa. We propose the notion of vocabulary-informed learning to alleviate the above-mentioned challenges and address problems of supervised, zero-shot, generalized zero-shot and open set recognition using a unified framework. Specifically, we propose a weighted maximum margin framework for semantic manifold-based recognition that incorporates distance constraints from (both supervised and unsupervised) vocabulary atoms. Distance constraints ensure that labeled samples are projected closer to their correct prototypes, in the embedding space, than to others. We illustrate that the resulting model shows improvements in supervised, zero-shot, generalized zero-shot, and large open set recognition, with up to 310K class vocabulary on Animal with Attributes and ImageNet datasets.
When using LiDAR semantic segmentation models for safety-critical applications such as autonomous driving, it is essential to understand and improve their robustness with respect to a large range of LiDAR corruptions. In this paper, we aim to comprehensively analyze the robustness of LiDAR semantic segmentation models under various corruptions. To rigorously evaluate the robustness and generalizability of current approaches, we propose a new benchmark called SemanticKITTI-C, which features 16 out-of-domain LiDAR corruptions in three groups, namely adverse weather, measurement noise and cross-device discrepancy. Then, we systematically investigate 11 LiDAR semantic segmentation models, especially spanning different input representations (e.g., point clouds, voxels, projected images, etc.), network architectures and training schemes. Through this study, we obtain two insights: 1) We find that the input representation plays a crucial role in robustness. Specifically, under specific corruptions, different representations perform differently. 2) Although state-of-the-art methods on LiDAR semantic segmentation achieve promising results on clean data, they are less robust when dealing with noisy data. Finally, based on the above observations, we design a robust LiDAR segmentation model (RLSeg) which greatly boosts the robustness with simple but effective modifications. It is promising that our benchmark, comprehensive analysis, and observations can boost future research in robust LiDAR semantic segmentation for safety-critical applications.
A noisy training set usually leads to the degradation of the generalization and robustness of neural networks. In this paper, we propose a novel theoretically guaranteed clean sample selection framework for learning with noisy labels. Specifically, we first present a Scalable Penalized Regression (SPR) method, to model the linear relation between network features and one-hot labels. In SPR, the clean data are identified by the zero mean-shift parameters solved in the regression model. We theoretically show that SPR can recover clean data under some conditions. Under general scenarios, the conditions may be no longer satisfied; and some noisy data are falsely selected as clean data. To solve this problem, we propose a data-adaptive method for Scalable Penalized Regression with Knockoff filters (Knockoffs-SPR), which is provable to control the False-Selection-Rate (FSR) in the selected clean data. To improve the efficiency, we further present a split algorithm that divides the whole training set into small pieces that can be solved in parallel to make the framework scalable to large datasets. While Knockoffs-SPR can be regarded as a sample selection module for a standard supervised training pipeline, we further combine it with a semi-supervised algorithm to exploit the support of noisy data as unlabeled data. Experimental results on several benchmark datasets and real-world noisy datasets show the effectiveness of our framework and validate the theoretical results of Knockoffs-SPR. Our code and pre-trained models will be released.
As natural language processing (NLP) for gender bias becomes a significant interdisciplinary topic, the prevalent data-driven techniques such as large-scale language models suffer from data inadequacy and biased corpus, especially for languages with insufficient resources such as Chinese. To this end, we propose a Chinese cOrpus foR Gender bIas Probing and Mitigation CORGI-PM, which contains 32.9k sentences with high-quality labels derived by following an annotation scheme specifically developed for gender bias in the Chinese context. Moreover, we address three challenges for automatic textual gender bias mitigation, which requires the models to detect, classify, and mitigate textual gender bias. We also conduct experiments with state-of-the-art language models to provide baselines. To our best knowledge, CORGI-PM is the first sentence-level Chinese corpus for gender bias probing and mitigation.