特洛伊木马后门是针对神经网络（NN）分类器的中毒攻击，对手试图利用（高度理想的）模型重用属性将特洛伊木马植入模型参数中，以通过中毒训练过程进行后门漏洞。大多数针对特洛伊木马攻击的防御措施都假设了白盒设置，其中防守者可以访问NN的内部状态，或者能够通过它进行后传播。在这项工作中，我们提出了一个更实用的黑盒防御，称为Trojdef，只能在NN上进行前进。 Trojdef试图通过监视输入因随机噪声反复扰动预测置信度的变化来识别和滤除特洛伊木马输入（即用Trojan触发器增强的输入）。我们根据预测输出得出一个函数，该函数称为预测置信度，以决定输入示例是否为特洛伊木马。直觉是，由于错误分类仅取决于触发因素，因此特洛伊木马的输入更加稳定，而由于分类特征的扰动，良性输入会受到损失。通过数学分析，我们表明，如果攻击者在注入后门时是完美的，则将训练特洛伊木马感染的模型以学习适当的预测置信度结合，该模型用于区分特洛伊木马和良性输入，并在任意扰动下。但是，由于攻击者在注入后门时可能不是完美的，因此我们将非线性转换引入了预测置信度，以提高实际环境中的检测准确性。广泛的经验评估表明，即使分类器体系结构，培训过程或超参数变化，Trojdef的表现明显优于州的防御能力，并且在不同的设置下也很稳定。

The data consistency for the physical forward model is crucial in inverse problems, especially in MR imaging reconstruction. The standard way is to unroll an iterative algorithm into a neural network with a forward model embedded. The forward model always changes in clinical practice, so the learning component's entanglement with the forward model makes the reconstruction hard to generalize. The proposed method is more generalizable for different MR acquisition settings by separating the forward model from the deep learning component. The deep learning-based proximal gradient descent was proposed to create a learned regularization term independent of the forward model. We applied the one-time trained regularization term to different MR acquisition settings to validate the proposed method and compared the reconstruction with the commonly used $\ell_1$ regularization. We showed ~3 dB improvement in the peak signal to noise ratio, compared with conventional $\ell_1$ regularized reconstruction. We demonstrated the flexibility of the proposed method in choosing different undersampling patterns. We also evaluated the effect of parameter tuning for the deep learning regularization.

目的：开发基于深度学习的图像重建框架，以在MRI中可复制研究。方法：Bart Toolbox提供了丰富的校准和重建算法的实现，用于并行成像和压缩传感。在这项工作中，BART由非线性操作员框架扩展，该框架提供了自动差异以允许计算梯度。 BART的现有特定于MRI的操作员，例如非均匀的快速傅立叶变换，直接集成到该框架中，并与神经网络中使用的常见构件相辅相成。为了评估用于先进的基于深度学习的重建框架的使用，实现了两个最先进的展开的重建网络，即变异网络[1]和MODL [2]。结果：可以使用BART的基于BART的优化算法来构建和训练最新的深层图像重建网络。与基于TensorFlow的原始实现相比，BART实施在训练时间和重建质量方面具有相似的性能。结论：通过将非线性操作员和神经网络整合到BART中，我们为MRI中的深度学习重建提供了一个一般框架。

我们引入了一个框架，该框架可以从学习概率分布中进行有效的MRI重建。与传统的基于深度学习的MRI重建技术不同，鉴于使用Markov链蒙特卡洛（MCMC）方法测得的K空间，样品是从后部分布中得出的。除了可以通过常规方法获得的图像的最大后验（MAP）估计值外，还可以计算最小平方误差（MMSE）估计值和不确定性图。数据驱动的马尔可夫链是根据从给定的图像数据库中学到的生成模型构建的，并且独立于用于建模K空间测量的前向操作员。这提供了灵活性，因为该方法可以应用于使用不同的采样方案获得的K空间或使用相同的预训练模型接收线圈。此外，我们使用基于反向扩散过程的框架来利用高级生成模型。该方法的性能使用K空间中的10倍下采样在开放数据集上进行评估。

In this paper, we propose a robust 3D detector, named Cross Modal Transformer (CMT), for end-to-end 3D multi-modal detection. Without explicit view transformation, CMT takes the image and point clouds tokens as inputs and directly outputs accurate 3D bounding boxes. The spatial alignment of multi-modal tokens is performed implicitly, by encoding the 3D points into multi-modal features. The core design of CMT is quite simple while its performance is impressive. CMT obtains 73.0% NDS on nuScenes benchmark. Moreover, CMT has a strong robustness even if the LiDAR is missing. Code will be released at https://github.com/junjie18/CMT.

Dataset distillation has emerged as a prominent technique to improve data efficiency when training machine learning models. It encapsulates the knowledge from a large dataset into a smaller synthetic dataset. A model trained on this smaller distilled dataset can attain comparable performance to a model trained on the original training dataset. However, the existing dataset distillation techniques mainly aim at achieving the best trade-off between resource usage efficiency and model utility. The security risks stemming from them have not been explored. This study performs the first backdoor attack against the models trained on the data distilled by dataset distillation models in the image domain. Concretely, we inject triggers into the synthetic data during the distillation procedure rather than during the model training stage, where all previous attacks are performed. We propose two types of backdoor attacks, namely NAIVEATTACK and DOORPING. NAIVEATTACK simply adds triggers to the raw data at the initial distillation phase, while DOORPING iteratively updates the triggers during the entire distillation procedure. We conduct extensive evaluations on multiple datasets, architectures, and dataset distillation techniques. Empirical evaluation shows that NAIVEATTACK achieves decent attack success rate (ASR) scores in some cases, while DOORPING reaches higher ASR scores (close to 1.0) in all cases. Furthermore, we conduct a comprehensive ablation study to analyze the factors that may affect the attack performance. Finally, we evaluate multiple defense mechanisms against our backdoor attacks and show that our attacks can practically circumvent these defense mechanisms.

Few Shot Instance Segmentation (FSIS) requires models to detect and segment novel classes with limited several support examples. In this work, we explore a simple yet unified solution for FSIS as well as its incremental variants, and introduce a new framework named Reference Twice (RefT) to fully explore the relationship between support/query features based on a Transformer-like framework. Our key insights are two folds: Firstly, with the aid of support masks, we can generate dynamic class centers more appropriately to re-weight query features. Secondly, we find that support object queries have already encoded key factors after base training. In this way, the query features can be enhanced twice from two aspects, i.e., feature-level and instance-level. In particular, we firstly design a mask-based dynamic weighting module to enhance support features and then propose to link object queries for better calibration via cross-attention. After the above steps, the novel classes can be improved significantly over our strong baseline. Additionally, our new framework can be easily extended to incremental FSIS with minor modification. When benchmarking results on the COCO dataset for FSIS, gFSIS, and iFSIS settings, our method achieves a competitive performance compared to existing approaches across different shots, e.g., we boost nAP by noticeable +8.2/+9.4 over the current state-of-the-art FSIS method for 10/30-shot. We further demonstrate the superiority of our approach on Few Shot Object Detection. Code and model will be available.

This paper focuses on designing efficient models with low parameters and FLOPs for dense predictions. Even though CNN-based lightweight methods have achieved stunning results after years of research, trading-off model accuracy and constrained resources still need further improvements. This work rethinks the essential unity of efficient Inverted Residual Block in MobileNetv2 and effective Transformer in ViT, inductively abstracting a general concept of Meta-Mobile Block, and we argue that the specific instantiation is very important to model performance though sharing the same framework. Motivated by this phenomenon, we deduce a simple yet efficient modern \textbf{I}nverted \textbf{R}esidual \textbf{M}obile \textbf{B}lock (iRMB) for mobile applications, which absorbs CNN-like efficiency to model short-distance dependency and Transformer-like dynamic modeling capability to learn long-distance interactions. Furthermore, we design a ResNet-like 4-phase \textbf{E}fficient \textbf{MO}del (EMO) based only on a series of iRMBs for dense applications. Massive experiments on ImageNet-1K, COCO2017, and ADE20K benchmarks demonstrate the superiority of our EMO over state-of-the-art methods, \eg, our EMO-1M/2M/5M achieve 71.5, 75.1, and 78.4 Top-1 that surpass \textbf{SoTA} CNN-/Transformer-based models, while trading-off the model accuracy and efficiency well.

Benefiting from the intrinsic supervision information exploitation capability, contrastive learning has achieved promising performance in the field of deep graph clustering recently. However, we observe that two drawbacks of the positive and negative sample construction mechanisms limit the performance of existing algorithms from further improvement. 1) The quality of positive samples heavily depends on the carefully designed data augmentations, while inappropriate data augmentations would easily lead to the semantic drift and indiscriminative positive samples. 2) The constructed negative samples are not reliable for ignoring important clustering information. To solve these problems, we propose a Cluster-guided Contrastive deep Graph Clustering network (CCGC) by mining the intrinsic supervision information in the high-confidence clustering results. Specifically, instead of conducting complex node or edge perturbation, we construct two views of the graph by designing special Siamese encoders whose weights are not shared between the sibling sub-networks. Then, guided by the high-confidence clustering information, we carefully select and construct the positive samples from the same high-confidence cluster in two views. Moreover, to construct semantic meaningful negative sample pairs, we regard the centers of different high-confidence clusters as negative samples, thus improving the discriminative capability and reliability of the constructed sample pairs. Lastly, we design an objective function to pull close the samples from the same cluster while pushing away those from other clusters by maximizing and minimizing the cross-view cosine similarity between positive and negative samples. Extensive experimental results on six datasets demonstrate the effectiveness of CCGC compared with the existing state-of-the-art algorithms.

As one of the prevalent methods to achieve automation systems, Imitation Learning (IL) presents a promising performance in a wide range of domains. However, despite the considerable improvement in policy performance, the corresponding research on the explainability of IL models is still limited. Inspired by the recent approaches in explainable artificial intelligence methods, we proposed a model-agnostic explaining framework for IL models called R2RISE. R2RISE aims to explain the overall policy performance with respect to the frames in demonstrations. It iteratively retrains the black-box IL model from the randomized masked demonstrations and uses the conventional evaluation outcome environment returns as the coefficient to build an importance map. We also conducted experiments to investigate three major questions concerning frames' importance equality, the effectiveness of the importance map, and connections between importance maps from different IL models. The result shows that R2RISE successfully distinguishes important frames from the demonstrations.