A backdoor attack places triggers in victims' deep learning models to enable a targeted misclassification at testing time. In general, triggers are fixed artifacts attached to samples, making backdoor attacks easy to spot. Only recently has a new, harder-to-detect kind of trigger been proposed: stylistic triggers, which apply stylistic transformations to the input samples (e.g., a specific writing style). Currently, the stylistic backdoor literature lacks a proper formalization of the attack, which is established in this paper. Moreover, most studies of stylistic triggers focus on text and images, while there is no understanding of whether they can work in sound. This work fills this gap. We propose JingleBack, the first stylistic backdoor attack based on audio transformations such as chorus and gain. Using 444 models in a speech classification task, we confirm the feasibility of stylistic triggers in audio, achieving 96% attack success.
Did you know that over 70 million Dota2 players have their in-game data freely accessible? What if such data is used in malicious ways? This paper is the first to investigate such a problem. Motivated by the widespread popularity of video games, we propose the first threat model for Attribute Inference Attacks (AIA) in the Dota2 context. We explain how (and why) attackers can exploit the abundant public data in the Dota2 ecosystem to infer private information about its players. Due to the lack of concrete evidence on the efficacy of our AIA, we empirically prove and assess their impact in reality. By conducting an extensive survey on $\sim$500 Dota2 players spanning over 26k matches, we verify whether a correlation exists between a player's Dota2 activity and their real life. Then, after finding such a link ($p\!<\!0.01$ and $\rho>0.3$), we ethically perform diverse AIA. We leverage the capabilities of machine learning to infer real-life attributes of the respondents of our survey by using their publicly available in-game data. Our results show that, by applying domain expertise, some AIA can reach up to 98% precision and over 90% accuracy. This paper hence raises the alarm on a subtle but concrete threat that can potentially affect the entire competitive gaming landscape. We alerted the developers of Dota2.
Over the past few years, convolutional neural networks (CNNs) have shown promising performance in various real-world cybersecurity applications, such as network and multimedia security. However, the underlying fragility of CNN structures poses major security concerns, making them unsuitable for security-oriented applications, including such computer networks. Protecting these architectures from adversarial attacks requires secure architectures that are challenging to attack. In this study, we propose a novel architecture based on an ensemble classifier that combines the enhanced security of 1-class classification (called 1C) with the high performance of conventional 2-class classification (called 2C) in the absence of attacks. Our architecture, called the 1.5-class (Spritz-1.5C) classifier, is constructed using a final dense classifier, one 2C classifier (i.e., a CNN), and two parallel 1C classifiers (i.e., autoencoders). In our experiments, we evaluated the robustness of our proposed architecture by considering eight possible adversarial attacks in various scenarios. We performed these attacks on the 2C and Spritz-1.5C architectures separately. The experimental results of our study show that the attack success rate (ASR) of the I-FGSM attack against the 2C classifier trained on the N-BaIoT dataset is 0.9900. In contrast, the ASR against the Spritz-1.5C classifier is 0.0000.
Over the past few decades, the rise of artificial intelligence has given us the ability to solve the most challenging problems of daily life, such as cancer prediction and autonomous navigation. However, these applications may not be reliable if they are not protected against adversarial attacks. Furthermore, recent works have shown that some adversarial examples are transferable across different models. Therefore, it is crucial to avoid such transferability by means of robust models that resist adversarial manipulation. In this paper, we propose a feature-randomization-based approach that resists eight adversarial attacks targeting deep learning models in the testing phase. Our novel approach consists of changing the training strategy in the target network classifier and selecting random feature samples. We consider an attacker under limited-knowledge and semi-knowledge conditions for carrying out the most prevalent adversarial attacks. We evaluate the robustness of our method using the well-known UNSW-NB15 dataset, which includes realistic and synthetic attacks. Afterwards, we show that our strategy outperforms existing state-of-the-art methods, such as the most powerful attack, including fine-tuning the network model against specific adversarial attacks. Finally, our experimental results show that our method can secure the target network and resist the transferability of adversarial attacks by more than 60%.
Graph neural networks (GNNs), inspired by convolutional neural networks (CNNs), aggregate the information of node neighbors and structural information to obtain expressive representations of nodes for node classification, graph classification, and link prediction. Previous studies have shown that GNNs are vulnerable to membership inference attacks (MIAs), which infer whether a node is in the training data of a GNN and leak the node's private information, such as a patient's disease history. Previous implementations of MIAs exploit the model's probability outputs, which is infeasible if the GNN only provides the predicted label of an input (label-only). In this paper, we propose a label-only MIA against GNNs, which relies on the flexible prediction mechanism of GNNs (e.g., the predicted label of a node can be obtained even when its neighbors' information is unavailable). For most datasets and GNN models, our attack method achieves 60% accuracy, precision, and area under the curve (AUC), some of which are competitive with or even better than the state-of-the-art probability-based MIAs implemented in our environment and settings. Furthermore, we analyze the effects of sampling methods, model selection methods, and the overfitting level on the attack performance of label-only MIAs. Both of these factors affect attack performance. We then consider scenarios with assumptions about the adversary's additional dataset (shadow dataset) and additional information about the target model. Even in these scenarios, our label-only MIA achieves better attack performance in most cases. Finally, we explore possible defenses, including dropout, regularization, normalization, and jumping knowledge. None of these four defenses fully prevents our attack.
Nowadays, people generate and share massive amounts of content on online platforms (e.g., social networks, blogs). In 2021, the 11.9 billion daily active Facebook users posted around 150 thousand photos every minute. Content moderators constantly monitor these online platforms to prevent the spread of inappropriate content (e.g., hate speech, nudity images). Building on advances in deep learning (DL), automatic content moderators (ACMs) help human moderators handle the high data volume. Despite their advantages, attackers can exploit weaknesses in the DL components (e.g., preprocessing, model) to affect their performance. Therefore, attackers can leverage these techniques to spread inappropriate content by evading ACMs. In this work, we propose CAPtcha Attack (CAPA), an adversarial technique that allows users to spread inappropriate text by evading ACM controls. By generating custom textual CAPTCHAs, CAPA exploits ACMs' careless design implementations and internal procedure vulnerabilities. We test our attack on real-world ACMs, and the results confirm the ferocity of our simple yet effective attack, reaching up to 100% evasion success in most cases. At the same time, we demonstrate the difficulty of designing CAPA mitigations, opening new challenges in the CAPTCHA research area.
Automated Teller Machines (ATMs) represent the most used system for withdrawing cash. The European Central Bank reported $11 billion in cash withdrawals and loading/unloading transactions on European ATMs in 2019. Although ATMs have undergone various technological evolutions, Personal Identification Numbers (PINs) are still the most common authentication method for these devices. Unfortunately, the PIN mechanism is vulnerable to shoulder-surfing attacks performed via hidden cameras installed near the ATM to capture the PIN pad. To overcome this problem, people have gotten used to covering the typing hand with the other hand. While such users may believe this behavior is safe enough to protect against the mentioned attacks, there is no clear assessment of this countermeasure in the scientific literature. This paper proposes a novel attack to reconstruct PINs entered by victims covering the typing hand with the other hand. We consider a setting where the attacker can access an ATM PIN pad of the same brand/model as the target one. Afterward, the attacker uses that model to infer the digits pressed by the victim while entering the PIN. Our attack owes its success to a carefully selected deep learning architecture that can infer the PIN from the typing hand's position and movements. We run a detailed experimental analysis including 58 users. With our approach, we can guess 30% of the 5-digit PINs within three attempts, the number usually allowed before the card is blocked. We also conducted a survey with 78 users, who managed to reach an average accuracy of only 7.92% in the same setting. Finally, we evaluate a shielding countermeasure, which proves insufficient unless the whole keypad is shielded.
We present a novel depth completion approach that is agnostic to the sparsity of depth points, which is very likely to vary in many practical applications. State-of-the-art approaches yield accurate results only when processing a specific density and distribution of input points, i.e. the one observed during training, narrowing their deployment in real use cases. On the contrary, our solution is robust to uneven distributions and extremely low densities never witnessed during training. Experimental results on standard indoor and outdoor benchmarks highlight the robustness of our framework, achieving accuracy comparable to state-of-the-art methods when tested with density and distribution equal to the training one, while being much more accurate in the other cases. Our pretrained models and further material are available on our project page.
We develop the first fully dynamic algorithm that maintains a decision tree over an arbitrary sequence of insertions and deletions of labeled examples. Given $\epsilon > 0$ our algorithm guarantees that, at every point in time, every node of the decision tree uses a split with Gini gain within an additive $\epsilon$ of the optimum. For real-valued features the algorithm has an amortized running time per insertion/deletion of $O\big(\frac{d \log^3 n}{\epsilon^2}\big)$, which improves to $O\big(\frac{d \log^2 n}{\epsilon}\big)$ for binary or categorical features, while it uses space $O(n d)$, where $n$ is the maximum number of examples at any point in time and $d$ is the number of features. Our algorithm is nearly optimal, as we show that any algorithm with similar guarantees uses amortized running time $\Omega(d)$ and space $\tilde{\Omega} (n d)$. We complement our theoretical results with an extensive experimental evaluation on real-world data, showing the effectiveness of our algorithm.
We consider the nonlinear inverse problem of learning a transition operator $\mathbf{A}$ from partial observations at different times, in particular from sparse observations of entries of its powers $\mathbf{A},\mathbf{A}^2,\cdots,\mathbf{A}^{T}$. This Spatio-Temporal Transition Operator Recovery problem is motivated by the recent interest in learning time-varying graph signals that are driven by graph operators depending on the underlying graph topology. We address the nonlinearity of the problem by embedding it into a higher-dimensional space of suitable block-Hankel matrices, where it becomes a low-rank matrix completion problem, even if $\mathbf{A}$ is of full rank. For both a uniform and an adaptive random space-time sampling model, we quantify the recoverability of the transition operator via suitable measures of incoherence of these block-Hankel embedding matrices. For graph transition operators these measures of incoherence depend on the interplay between the dynamics and the graph topology. We develop a suitable non-convex iterative reweighted least squares (IRLS) algorithm, establish its quadratic local convergence, and show that, in optimal scenarios, no more than $\mathcal{O}(rn \log(nT))$ space-time samples are sufficient to ensure accurate recovery of a rank-$r$ operator $\mathbf{A}$ of size $n \times n$. This establishes that spatial samples can be substituted by a comparable number of space-time samples. We provide an efficient implementation of the proposed IRLS algorithm with space complexity of order $O(r n T)$ and per-iteration time complexity linear in $n$. Numerical experiments for transition operators based on several graph models confirm that the theoretical findings accurately track empirical phase transitions, and illustrate the applicability and scalability of the proposed algorithm.