The security of artificial intelligence (AI) is an important research area towards safe, reliable, and trustworthy AI systems. To accelerate the research on AI security, the Artificial Intelligence Security Competition (AISC) was organized by the Zhongguancun Laboratory, China Industrial Control Systems Cyber Emergency Response Team, Institute for Artificial Intelligence, Tsinghua University, and RealAI as part of the Zhongguancun International Frontier Technology Innovation Competition (https://www.zgc-aisc.com/en). The competition consists of three tracks, including Deepfake Security Competition, Autonomous Driving Security Competition, and Face Recognition Security Competition. This report will introduce the competition rules of these three tracks and the solutions of top-ranking teams in each track.
Speech representation learning has improved both speech understanding and speech synthesis tasks for a single language. However, its ability in cross-lingual scenarios has not been explored. In this paper, we extend the pretraining method for cross-lingual multi-speaker speech synthesis tasks, including cross-lingual multi-speaker voice cloning and cross-lingual multi-speaker speech editing. We propose a speech-text joint pretraining framework, where we randomly mask the spectrogram and the phonemes given a speech example and its transcription. By learning to reconstruct the masked parts of the input in different languages, our model shows great improvements over speaker-embedding-based multi-speaker TTS methods. Moreover, our framework is end-to-end for both the training and the inference without any finetuning effort. In cross-lingual multi-speaker voice cloning and cross-lingual multi-speaker speech editing tasks, our experiments show that our model outperforms speaker-embedding-based multi-speaker TTS methods. The code and model are publicly available at PaddleSpeech.
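Nonsmooth nonconvex optimization problems arise widely in machine learning and business decision making, yet two core challenges impede the development of efficient solution methods with finite-time convergence guarantees: the lack of computationally tractable optimality criteria and the lack of computationally powerful oracles. The contributions of this paper are two-fold. First, we establish the relationship between the celebrated Goldstein subdifferential~\citep{Goldstein-1977-Optimization} and uniform smoothing, thereby providing the basis and intuition for the design of gradient-free methods that guarantee finite-time convergence to a set of Goldstein stationary points. Second, we propose the gradient-free method (GFM) and stochastic GFM for solving a class of nonsmooth nonconvex optimization problems, and prove that both of them can return a $(\delta,\epsilon)$-Goldstein stationary point of a Lipschitz function $f$ at an expected convergence rate of $o(d^{3/2}\delta^{-1}\epsilon^{-4})$, where $d$ is the problem dimension. Two-phase versions of GFM and SGFM are also proposed and proven to improve the large-deviation results. Finally, we demonstrate the effectiveness of 2-SGFM on training ReLU neural networks with the \textsc{minst} dataset.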
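Brain network analysis for traumatic brain injury (TBI) patients is critical for assessing their level of consciousness and evaluating prognosis, which requires the segmentation of certain consciousness-related brain regions. However, it is difficult to construct a TBI segmentation model because manually annotated MR scans of TBI patients are hard to collect. Data augmentation techniques can be applied to alleviate the data scarcity issue. However, conventional data augmentation strategies such as spatial and intensity transformations cannot mimic the deformations and lesions in traumatic brains, which limits the performance of the subsequent segmentation task. To address these issues, we propose a novel medical image inpainting model named TBIGAN to synthesize TBI MR scans with paired brain label maps. The main strength of our TBIGAN method is that it can generate TBI images and the corresponding label maps simultaneously, which has not been achieved in previous inpainting methods for medical images. We first generate the inpainted image under the guidance of edge information in a coarse-to-fine manner, and then use the synthesized intensity image as the prior for label inpainting. Furthermore, we introduce a registration-based template augmentation pipeline to increase the diversity of the synthesized image pairs and enhance the capacity of data augmentation. Experimental results show that the proposed TBIGAN method can produce sufficient synthesized TBI images with high quality and valid label maps, which can greatly improve 2D and 3D traumatic brain segmentation performance compared with the alternatives.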
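We design simple, optimal policies that ensure safety against heavy-tailed risk in the classical multi-armed bandit problem. Recently, \cite{fan2021deviation} showed that information-theoretically optimized bandit algorithms suffer from serious heavy-tailed risk; that is, the worst-case probability of incurring a linear regret decays slowly at a rate of $1/t$, where $t$ is the time horizon. Inspired by their results, we further show that widely used policies such as the standard Upper Confidence Bound policy and the Thompson Sampling policy also incur heavy-tailed risk. In fact, this heavy-tailed risk exists for all "instance-dependent consistent" policies. To ensure safety against such heavy-tailed risk, for the two-armed bandit setting, we provide a simple policy design that (i) has worst-case optimality for the expected regret at order $\tilde o(\sqrt{t})$ and (ii) has a worst-case tail probability of incurring a linear regret that decays at an exponential rate $\exp(-\omega(\sqrt{t}))$. We further prove that this exponential decay rate of the tail probability is optimal across all policies that have worst-case optimality for the expected regret. Finally, we improve the policy design and analysis to the general setting with an arbitrary number $k$ of arms. We provide a detailed characterization of the tail probability bound for any regret threshold under our policy design. Namely, the worst-case probability of incurring a regret larger than $x$ is upper bounded by $\exp(-\omega(x/\sqrt{kt}))$. Numerical experiments are conducted to illustrate the theoretical findings. Our results reveal insights into the incompatibility between consistency and light-tailed risk, while indicating that worst-case optimality on expected regret and light-tailed risk are compatible.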
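We formulate selecting the best optimizing system (SBOS) problems and provide solutions for those problems. In an SBOS problem, a finite number of systems are contenders. Inside each system, a continuous decision variable affects the system's expected performance. An SBOS problem compares different systems based on their expected performance under their own optimally chosen decisions, without advance knowledge of the systems' expected performance or of the optimizing decision inside each system. We design easy-to-implement algorithms that adaptively choose a system and a decision at which to evaluate the noisy system performance, sequentially eliminate inferior systems, and eventually recommend a system as the best after spending a user-specified budget. The proposed algorithms integrate the stochastic gradient descent method and the sequential elimination method to simultaneously exploit the structure inside each system and make comparisons across systems. For the proposed algorithms, we prove exponential rates of convergence to zero for the probability of false selection as the budget grows to infinity. We conduct three numerical examples that represent three practical cases of SBOS problems. Our proposed algorithms demonstrate consistent and stronger performance in terms of the probability of false selection over benchmark algorithms under a range of problem settings and sampling budgets.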
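Motivated by emerging applications such as live-streaming e-commerce, promotions, and recommendations, we introduce and solve a general class of non-stationary multi-armed bandit problems with the following two features: (i) the decision maker can pull and collect rewards from up to $k\,(\ge 1)$ arms in each time period; (ii) the expected reward of an arm drops immediately after it is pulled, and then recovers non-parametrically as the arm's idle time increases. With the objective of maximizing the expected cumulative reward over $T$ time periods, we design a class of "Purely Periodic Policies" that jointly set the period at which to pull each arm. For the proposed policies, we prove performance guarantees for both the offline problem and the online problem. For the offline problem, when all model parameters are known, the proposed periodic policy obtains an approximation ratio of $1-\mathcal O(1/\sqrt{k})$, which is asymptotically optimal when $k$ grows to infinity. For the online problem, when the model parameters are unknown and need to be learned dynamically, we integrate the offline periodic policy with the upper confidence bound procedure to construct an online policy. The proposed online policy is proved to have approximately $\widetilde{\mathcal o}(n\sqrt{t})$ regret against the offline benchmark. Our framework and policy design may shed light on broader offline planning and online learning applications with non-stationary and recovering rewards.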
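Our main contribution in this work is an empirical finding that random General Value Functions (GVFs), i.e., deep action-conditional predictions that are random both in which features of the observations they predict and in the sequence of actions the predictions are conditioned on, form good auxiliary tasks for reinforcement learning (RL) problems. In particular, we show that random deep action-conditional predictions, when used as auxiliary tasks, yield state representations that produce control performance competitive with state-of-the-art hand-crafted auxiliary tasks such as value prediction, pixel control, and CURL in both Atari and DeepMind Lab tasks. In another set of experiments, we stop the gradients from the RL part of the network to the state representation learning part of the network and show, perhaps surprisingly, that the auxiliary tasks alone are sufficient to learn state representations good enough to outperform an end-to-end trained actor-critic baseline. We open-sourced our code at https://github.com/hwhitetooth/random_gvs.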
Masked image modeling (MIM) performs strongly in pre-training large vision Transformers (ViTs). However, small models that are critical for real-world applications cannot or only marginally benefit from this pre-training approach. In this paper, we explore distillation techniques to transfer the success of large MIM-based pre-trained models to smaller ones. We systematically study different options in the distillation framework, including distilling targets, losses, input, network regularization, sequential distillation, etc., revealing that: 1) Distilling token relations is more effective than CLS token- and feature-based distillation; 2) An intermediate layer of the teacher network as target performs better than the last layer when the depth of the student mismatches that of the teacher; 3) Weak regularization is preferred; etc. With these findings, we achieve significant fine-tuning accuracy improvements over the scratch MIM pre-training on ImageNet-1K classification, using all the ViT-Tiny, ViT-Small, and ViT-base models, with +4.2%/+2.4%/+1.4% gains, respectively. Our TinyMIM model of base size achieves 52.2 mIoU in ADE20K semantic segmentation, which is +4.1 higher than the MAE baseline. Our TinyMIM model of tiny size achieves 79.6% top-1 accuracy on ImageNet-1K image classification, which sets a new record for small vision models of the same size and computation budget. This strong performance suggests an alternative way for developing small vision Transformer models, that is, by exploring better training methods rather than introducing inductive biases into architectures as in most previous works. Code is available at https://github.com/OliverRensu/TinyMIM.
Dataset distillation has emerged as a prominent technique to improve data efficiency when training machine learning models. It encapsulates the knowledge from a large dataset into a smaller synthetic dataset. A model trained on this smaller distilled dataset can attain comparable performance to a model trained on the original training dataset. However, the existing dataset distillation techniques mainly aim at achieving the best trade-off between resource usage efficiency and model utility. The security risks stemming from them have not been explored. This study performs the first backdoor attack against the models trained on the data distilled by dataset distillation models in the image domain. Concretely, we inject triggers into the synthetic data during the distillation procedure rather than during the model training stage, where all previous attacks are performed. We propose two types of backdoor attacks, namely NAIVEATTACK and DOORPING. NAIVEATTACK simply adds triggers to the raw data at the initial distillation phase, while DOORPING iteratively updates the triggers during the entire distillation procedure. We conduct extensive evaluations on multiple datasets, architectures, and dataset distillation techniques. Empirical evaluation shows that NAIVEATTACK achieves decent attack success rate (ASR) scores in some cases, while DOORPING reaches higher ASR scores (close to 1.0) in all cases. Furthermore, we conduct a comprehensive ablation study to analyze the factors that may affect the attack performance. Finally, we evaluate multiple defense mechanisms against our backdoor attacks and show that our attacks can practically circumvent these defense mechanisms.