单步逆势培训（AT）受到了广泛的关注，因为它被证明是有效和健壮的。然而，存在严重的灾难性过度问题，即反对投影梯度下降（PGD）攻击的强劲准确性突然下降到培训期间的0.5美元。在本文中，我们从优化的新角度来看，首先揭示每个样品和过度装箱的快速增长梯度之间的密切联系，这也可以应用于了解多步骤中的稳健的过度拟合现象。为了控制培训期间梯度的增长，我们提出了一种新的方法，子空间对抗训练（子AT），限制了仔细提取的子空间。它成功地解决了两种过度装备，因此显着提高了鲁棒性。在子空间中，我们还允许单步合并较大的步骤和更大的半径，从而进一步提高了鲁棒性性能。因此，我们实现了最先进的单步性能：我们的纯单步可以达到超过$ \ mathbf {51} \％$鲁棒准确性，反对强大的PGD-50攻击以半径8美元/ CiFar-10上的255美元，甚至超过了标准的多步PGD-10，具有巨大的计算优势。代码已释放$ \脚注{\ url {https://github.com/nblt/sub -at}} $。

在视觉和声音内利用时间同步和关联是朝向探测物体的强大定位的重要一步。为此，我们提出了一个节省空间内存网络，用于探测视频中的对象本地化。它可以同时通过音频和视觉方式的单模和跨模型表示来同时学习时空关注。我们在定量和定性地展示和分析了在本地化视听物体中结合时空学习的有效性。我们展示了我们的方法通过各种复杂的视听场景概括，最近最先进的方法概括。

深度神经网络（DNNS）的广泛应用要求越来越多的关注对其现实世界的鲁棒性，即DNN是否抵抗黑盒对抗性攻击，其中包括基于得分的查询攻击（SQA）是最威胁性的。由于它们的实用性和有效性：攻击者只需要在模型输出上进行数十个查询即可严重伤害受害者网络。针对SQA的防御需要对用户的服务目的而略有但巧妙的输出变化，这些用户与攻击者共享相同的输出信息。在本文中，我们提出了一种称为统一梯度（UNIG）的现实世界防御，以统一不同数据的梯度，以便攻击者只能探究不同样本相似的较弱的攻击方向。由于这种普遍的攻击扰动的验证与投入特定的扰动相比，Unig通过指示攻击者一个扭曲且信息不足的攻击方向来保护现实世界中的DNN。为了增强Unig在现实世界应用中的实际意义，我们将其实现为Hadamard产品模块，该模块具有计算效率且很容易插入任何模型。根据对5个SQA和4个防御基线的广泛实验，Unig显着改善了现实世界的鲁棒性，而不会伤害CIFAR10和Imagenet上的清洁准确性。例如，Unig在2500 Query Square攻击下保持了77.80％精度的CIFAR-10模型，而最先进的对手训练的模型仅在CIFAR10上具有67.34％的速度。同时，Unig在清洁精度和输出的修改程度上大大超过了所有基准。代码将发布。

The score-based query attacks (SQAs) pose practical threats to deep neural networks by crafting adversarial perturbations within dozens of queries, only using the model's output scores. Nonetheless, we note that if the loss trend of the outputs is slightly perturbed, SQAs could be easily misled and thereby become much less effective. Following this idea, we propose a novel defense, namely Adversarial Attack on Attackers (AAA), to confound SQAs towards incorrect attack directions by slightly modifying the output logits. In this way, (1) SQAs are prevented regardless of the model's worst-case robustness; (2) the original model predictions are hardly changed, i.e., no degradation on clean accuracy; (3) the calibration of confidence scores can be improved simultaneously. Extensive experiments are provided to verify the above advantages. For example, by setting $\ell_\infty=8/255$ on CIFAR-10, our proposed AAA helps WideResNet-28 secure 80.59% accuracy under Square attack (2500 queries), while the best prior defense (i.e., adversarial training) only attains 67.44%. Since AAA attacks SQA's general greedy strategy, such advantages of AAA over 8 defenses can be consistently observed on 8 CIFAR-10/ImageNet models under 6 SQAs, using different attack targets, bounds, norms, losses, and strategies. Moreover, AAA calibrates better without hurting the accuracy. Our code is available at https://github.com/Sizhe-Chen/AAA.

深度神经网络（DNN）被视为易受对抗性攻击的影响，而现有的黑匣子攻击需要广泛查询受害者DNN以实现高成功率。对于查询效率，由于它们的梯度相似度（GS），即代理的攻击梯度与受害者的攻击梯度类似，因此使用受害者的代理模型来生成可转移的对抗性示例（AES）。但是，通常忽略了它们对输出的相似性，即预测相似性（PS），以在不查询受害者的情况下通过代理过滤效率低效查询。要共同利用和还优化代理者的GS和PS，我们开发QueryNet，一个可以显着减少查询的统一攻击框架。 Querynet通过多识别代理人创造性地攻击，即通过不同的代理商为一个样本工艺几个AES，并且还使用代理人来决定查询最有前途的AE。之后，受害者的查询反馈累积以优化代理人的参数，还可以优化其架构，增强GS和PS。虽然Querynet无法获得预先接受预先训练的代理人，但根据我们的综合实验，它与可接受的时间内的替代方案相比，它会降低查询。 ImageNet，只允许8位图像查询，无法访问受害者的培训数据。代码可在https://github.com/allenchen1998/querynet上获得。

本文侧重于对探测器的高可转移的对抗性攻击，这很难以黑盒方式攻击，因为它们的多重输出特征和跨架构的多样性。为了追求高攻击可转让性，一种合理的方式是在探测器中找到一个共同的财产，这促进了常见弱点的发现。我们是第一个建议，来自探测器的解释器的相关性图是这样的财产。基于它，我们设计了对探测器（RAD）的相关性攻击，这实现了最先进的可转移性，超过了现有的结果超过20％。在MS Coco上，所有8个黑匣子架构的检测映射大于减半，并且分割地图也受到显着影响。鉴于RAD的巨大可转换性，我们生成用于对象检测和实例分割的第一个对抗性数据集，即对上下文（AOCO）的对手对象，这有助于快速评估和改进探测器的稳健性。

In this paper, we propose a robust 3D detector, named Cross Modal Transformer (CMT), for end-to-end 3D multi-modal detection. Without explicit view transformation, CMT takes the image and point clouds tokens as inputs and directly outputs accurate 3D bounding boxes. The spatial alignment of multi-modal tokens is performed implicitly, by encoding the 3D points into multi-modal features. The core design of CMT is quite simple while its performance is impressive. CMT obtains 73.0% NDS on nuScenes benchmark. Moreover, CMT has a strong robustness even if the LiDAR is missing. Code will be released at https://github.com/junjie18/CMT.

Dataset distillation has emerged as a prominent technique to improve data efficiency when training machine learning models. It encapsulates the knowledge from a large dataset into a smaller synthetic dataset. A model trained on this smaller distilled dataset can attain comparable performance to a model trained on the original training dataset. However, the existing dataset distillation techniques mainly aim at achieving the best trade-off between resource usage efficiency and model utility. The security risks stemming from them have not been explored. This study performs the first backdoor attack against the models trained on the data distilled by dataset distillation models in the image domain. Concretely, we inject triggers into the synthetic data during the distillation procedure rather than during the model training stage, where all previous attacks are performed. We propose two types of backdoor attacks, namely NAIVEATTACK and DOORPING. NAIVEATTACK simply adds triggers to the raw data at the initial distillation phase, while DOORPING iteratively updates the triggers during the entire distillation procedure. We conduct extensive evaluations on multiple datasets, architectures, and dataset distillation techniques. Empirical evaluation shows that NAIVEATTACK achieves decent attack success rate (ASR) scores in some cases, while DOORPING reaches higher ASR scores (close to 1.0) in all cases. Furthermore, we conduct a comprehensive ablation study to analyze the factors that may affect the attack performance. Finally, we evaluate multiple defense mechanisms against our backdoor attacks and show that our attacks can practically circumvent these defense mechanisms.

Automatic music generation with artificial intelligence typically requires a large amount of data which is hard to obtain for many less common genres and musical instruments. To tackle this issue, we present ongoing work and preliminary findings on the possibility for deep models to transfer knowledge from language to music, by finetuning large language models pre-trained on a massive text corpus on only hundreds of MIDI files of drum performances. We show that by doing so, one of the largest, state-of-the-art models (GPT3) is capable of generating reasonable drum grooves, while models that are not pre-trained (Transformer) shows no such ability beyond naive repetition. Evaluating generated music is a challenging task, more so is evaluating drum grooves with little precedence in literature. Hence, we propose a tailored structural evaluation method and analyze drum grooves produced by GPT3 compared to those played by human professionals, exposing the strengths and weaknesses of such generation by language-to-music transfer. Our findings suggest that language-to-music transfer learning with large language models is viable and promising.

Few Shot Instance Segmentation (FSIS) requires models to detect and segment novel classes with limited several support examples. In this work, we explore a simple yet unified solution for FSIS as well as its incremental variants, and introduce a new framework named Reference Twice (RefT) to fully explore the relationship between support/query features based on a Transformer-like framework. Our key insights are two folds: Firstly, with the aid of support masks, we can generate dynamic class centers more appropriately to re-weight query features. Secondly, we find that support object queries have already encoded key factors after base training. In this way, the query features can be enhanced twice from two aspects, i.e., feature-level and instance-level. In particular, we firstly design a mask-based dynamic weighting module to enhance support features and then propose to link object queries for better calibration via cross-attention. After the above steps, the novel classes can be improved significantly over our strong baseline. Additionally, our new framework can be easily extended to incremental FSIS with minor modification. When benchmarking results on the COCO dataset for FSIS, gFSIS, and iFSIS settings, our method achieves a competitive performance compared to existing approaches across different shots, e.g., we boost nAP by noticeable +8.2/+9.4 over the current state-of-the-art FSIS method for 10/30-shot. We further demonstrate the superiority of our approach on Few Shot Object Detection. Code and model will be available.