The security of artificial intelligence (AI) is an important research area towards safe, reliable, and trustworthy AI systems. To accelerate the research on AI security, the Artificial Intelligence Security Competition (AISC) was organized by the Zhongguancun Laboratory, China Industrial Control Systems Cyber Emergency Response Team, Institute for Artificial Intelligence, Tsinghua University, and RealAI as part of the Zhongguancun International Frontier Technology Innovation Competition (https://www.zgc-aisc.com/en). The competition consists of three tracks, including Deepfake Security Competition, Autonomous Driving Security Competition, and Face Recognition Security Competition. This report will introduce the competition rules of these three tracks and the solutions of top-ranking teams in each track.

Pre-trained language models (PLMs) achieve remarkable performance on many downstream tasks, but may fail in giving reliable estimates of their predictive uncertainty. Given the lack of a comprehensive understanding of PLMs calibration, we take a close look into this new research problem, aiming to answer two questions: (1) Do PLMs learn to become calibrated in the training process? (2) How effective are existing calibration methods? For the first question, we conduct fine-grained control experiments to study the dynamic change in PLMs' calibration performance in training. We consider six factors as control variables, including dataset difficulty, available training samples, training steps, the number of tunable parameters, model scale, and pretraining. In experiments, we observe a consistent change in calibration performance across six factors. We find that PLMs don't learn to become calibrated in training, evidenced by the continual increase in confidence, no matter the predictions are correct or not. We highlight that our finding presents some contradiction with two established conclusions: (a) Larger PLMs are more calibrated; (b) Pretraining improves model calibration. Next, we study the effectiveness of existing calibration methods in mitigating the overconfidence issue, in both in-distribution and various out-of-distribution settings. Besides unlearnable calibration methods, we adapt two recently proposed learnable methods that directly collect data to train models to have reasonable confidence estimations. Also, we propose extended learnable methods based on existing ones to further improve or maintain PLMs calibration without sacrificing the original task performance. Experimental results show that learnable methods significantly reduce PLMs' confidence in wrong predictions, and our methods exhibit superior performance compared with previous methods.

文本后门攻击是对NLP系统的实际威胁。通过在训练阶段注入后门，对手可以通过预定义的触发器控制模型预测。由于已经提出了各种攻击和防御模型，因此进行严格的评估至关重要。但是，我们在以前的后门学习评估中重点介绍了两个问题：（1）忽略了现实世界情景（例如释放中毒的数据集或模型）之间的差异，我们认为每种情况都有其自身的限制和关注点，因此需要特定的评估。协议； （2）评估指标仅考虑攻击是否可以翻转模型对中毒样品的预测并保留对良性样品的表演，但是忽略了中毒样品也应该是隐秘和语义上的。为了解决这些问题，我们将现有作品分为三种实际情况，在这种情况下，攻击者分别释放数据集，预培训模型和微调模型，然后讨论其独特的评估方法。关于指标，为了完全评估中毒样本，我们使用语法误差增加和隐形性差异以及有效性的文本相似性。对框架进行正式化后，我们开发了一个开源工具包openbackdoor，以促进文本后门学习的实现和评估。使用此工具包，我们在建议的范式下进行基准攻击和防御模型进行广泛的实验。为了促进针对中毒数据集的不充分的防御能力，我们进一步提出了Cube，这是一个简单而强大的基于聚类的防御基线。我们希望我们的框架和基准可以作为未来模型开发和评估的基石。

尽管在许多机器学习任务方面取得了巨大成功，但深度神经网络仍然易于对抗对抗样本。虽然基于梯度的对抗攻击方法在计算机视野领域探索，但由于文本的离散性质，直接应用于自然语言处理中，这是不切实际的。为了弥合这一差距，我们提出了一般框架，以适应现有的基于梯度的方法来制作文本对抗性样本。在该框架中，将基于梯度的连续扰动添加到嵌入层中，并在前向传播过程中被放大。然后用掩模语言模型头解码最终的扰动潜在表示以获得潜在的对抗性样本。在本文中，我们将我们的框架与\ textbf {t} Extual \ TextBF {P} ROJECTED \ TextBF {G} Radient \ TextBF {D} excent（\ TextBF {TPGD}）进行ronject \ textbf {p}。我们通过在三个基准数据集上执行转移黑匣子攻击来评估我们的框架来评估我们的框架。实验结果表明，与强基线方法相比，我们的方法达到了更好的性能，并产生更精细和语法的对抗性样本。所有代码和数据都将公开。

后门攻击是对深度神经网络（DNN）的一种紧急培训时间威胁。它们可以操纵DNN的输出并具有高度思虑。在自然语言处理领域，已经提出了一些攻击方法，并在多个流行型号上实现了非常高的攻击成功率。尽管如此，很少有关于捍卫文本后门攻击的研究。在本文中，我们提出了一个简单且有效的文本后门防御，名为洋葱，这是基于异常字检测，并据我们所知，是可以处理所有文本后门攻击情况的第一种方法。实验证明了我们模型在捍卫Bilstm和BERT的措施与五种不同的后门攻击的有效性。本文的所有代码和数据都可以在https://github.com/thunlp/onion获得。

Existing neural rendering methods for creating human avatars typically either require dense input signals such as video or multi-view images, or leverage a learned prior from large-scale specific 3D human datasets such that reconstruction can be performed with sparse-view inputs. Most of these methods fail to achieve realistic reconstruction when only a single image is available. To enable the data-efficient creation of realistic animatable 3D humans, we propose ELICIT, a novel method for learning human-specific neural radiance fields from a single image. Inspired by the fact that humans can easily reconstruct the body geometry and infer the full-body clothing from a single image, we leverage two priors in ELICIT: 3D geometry prior and visual semantic prior. Specifically, ELICIT introduces the 3D body shape geometry prior from a skinned vertex-based template model (i.e., SMPL) and implements the visual clothing semantic prior with the CLIP-based pre-trained models. Both priors are used to jointly guide the optimization for creating plausible content in the invisible areas. In order to further improve visual details, we propose a segmentation-based sampling strategy that locally refines different parts of the avatar. Comprehensive evaluations on multiple popular benchmarks, including ZJU-MoCAP, Human3.6M, and DeepFashion, show that ELICIT has outperformed current state-of-the-art avatar creation methods when only a single image is available. Code will be public for reseach purpose at https://elicit3d.github.io .

With a few exceptions, work in offline reinforcement learning (RL) has so far assumed that there is no confounding. In a classical regression setting, confounders introduce omitted variable bias and inhibit the identification of causal effects. In offline RL, they prevent the identification of a policy's value, and therefore make it impossible to perform policy improvement. Using conventional methods in offline RL in the presence of confounding can therefore not only lead to poor decisions and poor policies, but can also have disastrous effects in applications such as healthcare and education. We provide approaches for both off-policy evaluation (OPE) and local policy optimization in the settings of i.i.d. and global confounders. Theoretical and empirical results confirm the validity and viability of these methods.

在因果强盗问题中，动作集包括关于因果图的变量的干预。最近几位研究人员研究了这种强盗问题并指出了他们的实际应用。然而，所有现有的作品都依赖于限制性和不切实际的假设，即学习者将全面了解因果图结构前期。在本文中，我们在不知道因果图的情况下开发新的因果强盗算法。我们的算法适用于因果树，因果林和一般的因果图。我们的算法的遗憾保证大大提高了温和条件下标准多臂强盗（MAB）算法的遗传。最后，我们证明了我们的温和条件是必要的：如果没有它们，不能比标准MAB算法更好。

Deep learning models can achieve high accuracy when trained on large amounts of labeled data. However, real-world scenarios often involve several challenges: Training data may become available in installments, may originate from multiple different domains, and may not contain labels for training. Certain settings, for instance medical applications, often involve further restrictions that prohibit retention of previously seen data due to privacy regulations. In this work, to address such challenges, we study unsupervised segmentation in continual learning scenarios that involve domain shift. To that end, we introduce GarDA (Generative Appearance Replay for continual Domain Adaptation), a generative-replay based approach that can adapt a segmentation model sequentially to new domains with unlabeled data. In contrast to single-step unsupervised domain adaptation (UDA), continual adaptation to a sequence of domains enables leveraging and consolidation of information from multiple domains. Unlike previous approaches in incremental UDA, our method does not require access to previously seen data, making it applicable in many practical scenarios. We evaluate GarDA on two datasets with different organs and modalities, where it substantially outperforms existing techniques.

The development of social media user stance detection and bot detection methods rely heavily on large-scale and high-quality benchmarks. However, in addition to low annotation quality, existing benchmarks generally have incomplete user relationships, suppressing graph-based account detection research. To address these issues, we propose a Multi-Relational Graph-Based Twitter Account Detection Benchmark (MGTAB), the first standardized graph-based benchmark for account detection. To our knowledge, MGTAB was built based on the largest original data in the field, with over 1.55 million users and 130 million tweets. MGTAB contains 10,199 expert-annotated users and 7 types of relationships, ensuring high-quality annotation and diversified relations. In MGTAB, we extracted the 20 user property features with the greatest information gain and user tweet features as the user features. In addition, we performed a thorough evaluation of MGTAB and other public datasets. Our experiments found that graph-based approaches are generally more effective than feature-based approaches and perform better when introducing multiple relations. By analyzing experiment results, we identify effective approaches for account detection and provide potential future research directions in this field. Our benchmark and standardized evaluation procedures are freely available at: https://github.com/GraphDetec/MGTAB.