ImageNet pre-training has enabled state-of-the-art results on many tasks. In spite of its recognized contribution to generalization, we observed in this study that ImageNet pre-training also transfers adversarial non-robustness from pre-trained model into fine-tuned model in the downstream classification tasks. We first conducted experiments on various datasets and network backbones to uncover the adversarial non-robustness in fine-tuned model. Further analysis was conducted on examining the learned knowledge of fine-tuned model and standard model, and revealed that the reason leading to the non-robustness is the non-robust features transferred from ImageNet pre-trained model. Finally, we analyzed the preference for feature learning of the pre-trained model, explored the factors influencing robustness, and introduced a simple robust ImageNet pre-training solution. Our code is available at \url{https://github.com/jiamingzhang94/ImageNet-Pretraining-transfers-non-robustness}.

As acquiring manual labels on data could be costly, unsupervised domain adaptation (UDA), which transfers knowledge learned from a rich-label dataset to the unlabeled target dataset, is gaining increasing popularity. While extensive studies have been devoted to improving the model accuracy on target domain, an important issue of model robustness is neglected. To make things worse, conventional adversarial training (AT) methods for improving model robustness are inapplicable under UDA scenario since they train models on adversarial examples that are generated by supervised loss function. In this paper, we present a new meta self-training pipeline, named SRoUDA, for improving adversarial robustness of UDA models. Based on self-training paradigm, SRoUDA starts with pre-training a source model by applying UDA baseline on source labeled data and taraget unlabeled data with a developed random masked augmentation (RMA), and then alternates between adversarial target model training on pseudo-labeled target data and finetuning source model by a meta step. While self-training allows the direct incorporation of AT in UDA, the meta step in SRoUDA further helps in mitigating error propagation from noisy pseudo labels. Extensive experiments on various benchmark datasets demonstrate the state-of-the-art performance of SRoUDA where it achieves significant model robustness improvement without harming clean accuracy. Code is available at https://github.com/Vision.

Deep transfer learning has been widely used for knowledge transmission in recent years. The standard approach of pre-training and subsequently fine-tuning, or linear probing, has shown itself to be effective in many down-stream tasks. Therefore, a challenging and ongoing question arises: how to quantify cross-task transferability that is compatible with transferred results while keeping self-consistency? Existing transferability metrics are estimated on the particular model by conversing source and target tasks. They must be recalculated with all existing source tasks whenever a novel unknown target task is encountered, which is extremely computationally expensive. In this work, we highlight what properties should be satisfied and evaluate existing metrics in light of these characteristics. Building upon this, we propose Principal Gradient Expectation (PGE), a simple yet effective method for assessing transferability across tasks. Specifically, we use a restart scheme to calculate every batch gradient over each weight unit more than once, and then we take the average of all the gradients to get the expectation. Thus, the transferability between the source and target task is estimated by computing the distance of normalized principal gradients. Extensive experiments show that the proposed transferability metric is more stable, reliable and efficient than SOTA methods.

微调可能容易受到对抗攻击的影响。现有有关对微调模型（BAFT）的黑盒攻击的作品受到强有力的假设的限制。为了填补空白，我们提出了两个新型的BAFT设置，即跨域和跨域交叉结构BAFT，这仅假设（1）攻击的目标模型是微调模型，以及（2）源域数据是已知和可访问的。为了成功攻击两种设置下的微调模型，我们建议先训练针对源模型的对抗发电机，该模型采用编码器架构体系结构并将干净的输入映射到对抗性示例。然后，我们在对抗发电机的编码器产生的低维潜在空间中搜索。搜索是根据从源模型获得的替代梯度的指导进行的。对不同域和不同网络体系结构的实验结果表明，提出的攻击方法可以有效，有效地攻击微调模型。

在本文中，我们询问视觉变形金刚（VIT）是否可以作为改善机器学习模型对抗逃避攻击的对抗性鲁棒性的基础结构。尽管较早的作品集中在改善卷积神经网络上，但我们表明VIT也非常适合对抗训练以实现竞争性能。我们使用自定义的对抗训练配方实现了这一目标，该配方是在Imagenet数据集的一部分上使用严格的消融研究发现的。与卷积相比，VIT的规范培训配方建议强大的数据增强，部分是为了补偿注意力模块的视力归纳偏置。我们表明，该食谱在用于对抗训练时可实现次优性能。相比之下，我们发现省略所有重型数据增强，并添加一些额外的零件（$ \ varepsilon $ -Warmup和更大的重量衰减），从而大大提高了健壮的Vits的性能。我们表明，我们的配方在完整的Imagenet-1k上概括了不同类别的VIT体系结构和大规模模型。此外，调查了模型鲁棒性的原因，我们表明，在使用我们的食谱时，在训练过程中产生强烈的攻击更加容易，这会在测试时提高鲁棒性。最后，我们通过提出一种量化对抗性扰动的语义性质并强调其与模型的鲁棒性的相关性来进一步研究对抗训练的结果。总体而言，我们建议社区应避免将VIT的规范培训食谱转换为在对抗培训的背景下进行强大的培训和重新思考常见的培训选择。

最近的一些研究表明，使用额外的分配数据可能会导致高水平的对抗性鲁棒性。但是，不能保证始终可以为所选数据集获得足够的额外数据。在本文中，我们提出了一种有偏见的多域对抗训练（BIAMAT）方法，该方法可以使用公开可用的辅助数据集诱导训练数据放大，而无需在主要和辅助数据集之间进行类分配匹配。提出的方法可以通过多域学习利用辅助数据集来实现主数据集上的对抗性鲁棒性。具体而言，可以通过使用Biamat的应用来实现对鲁棒和非鲁棒特征的数据扩增，如通过理论和经验分析所证明的。此外，我们证明，尽管由于辅助和主要数据之间的分布差异，现有方法容易受到负转移的影响，但提出的方法使神经网络能够通过应用程序通过应用程序来成功处理域差异来灵活地利用各种图像数据集来进行对抗训练基于置信的选择策略。预先训练的模型和代码可在：\ url {https://github.com/saehyung-lee/biamat}中获得。

With the ever-growing model size and the limited availability of labeled training data, transfer learning has become an increasingly popular approach in many science and engineering domains. For classification problems, this work delves into the mystery of transfer learning through an intriguing phenomenon termed neural collapse (NC), where the last-layer features and classifiers of learned deep networks satisfy: (i) the within-class variability of the features collapses to zero, and (ii) the between-class feature means are maximally and equally separated. Through the lens of NC, our findings for transfer learning are the following: (i) when pre-training models, preventing intra-class variability collapse (to a certain extent) better preserves the intrinsic structures of the input data, so that it leads to better model transferability; (ii) when fine-tuning models on downstream tasks, obtaining features with more NC on downstream data results in better test accuracy on the given task. The above results not only demystify many widely used heuristics in model pre-training (e.g., data augmentation, projection head, self-supervised learning), but also leads to more efficient and principled fine-tuning method on downstream tasks that we demonstrate through extensive experimental results.

对手示例是一些可以扰乱深度神经网络的输出的一些特殊输入，以便在生产环境中产生有意的误差。用于产生对抗性示例的大多数方法需要梯度信息。甚至是与生成模型无关的普遍扰动依赖于梯度信息的一定程度。程序噪声对手示例是对普发的示例生成的一种新方法，它使用计算机图形噪声快速生成通用的对抗扰动，同时不依赖于梯度信息。结合对抗的防御训练，我们使用Perlin噪声训练神经网络以获得可以防御程序噪声对抗的模型。结合使用基于预先训练的模型的模型微调方法，我们获得更快的培训以及更高的准确性。我们的研究表明，程序噪声对抗性实例是可辩护的，但为什么程序噪声可以产生对抗性实例，以及如何防御可能在未来出现的其他过程噪声对抗性示例仍有待调查。

最近，对抗性训练已被纳入自我监督的对比预训练中，以增强标签效率，并具有令人兴奋的对抗性鲁棒性。但是，鲁棒性是经过昂贵的对抗训练的代价。在本文中，我们表明了一个令人惊讶的事实，即对比的预训练与稳健性具有有趣而隐含的联系，并且在经过训练的代表中如此自然的鲁棒性使我们能够设计出一种强大的鲁棒算法，以防止对抗性攻击，Rush，将标准组合在一起。对比的预训练和随机平滑。它提高了标准准确性和强大的精度，并且与对抗训练相比，培训成本大大降低了。我们使用广泛的经验研究表明，拟议中的Rush在一阶攻击下的共同基准（CIFAR-10，CIFAR-100和STL-10）的大幅度优于对抗性训练的强大分类器。特别是，在$ \ ell _ {\ infty} $下 - 大小为8/255 PGD攻击CIFAR-10的标准扰动，我们使用RESNET-18作为骨架达到77.8％的型号达到77.8％稳健精度和87.9％的标准精度。与最先进的工作相比，我们的工作的鲁棒精度提高了15％以上，标准准确性略有提高。

This study provides a new understanding of the adversarial attack problem by examining the correlation between adversarial attack and visual attention change. In particular, we observed that: (1) images with incomplete attention regions are more vulnerable to adversarial attacks; and (2) successful adversarial attacks lead to deviated and scattered attention map. Accordingly, an attention-based adversarial defense framework is designed to simultaneously rectify the attention map for prediction and preserve the attention area between adversarial and original images. The problem of adding iteratively attacked samples is also discussed in the context of visual attention change. We hope the attention-related data analysis and defense solution in this study will shed some light on the mechanism behind the adversarial attack and also facilitate future adversarial defense/attack model design.

Backdoor attacks represent one of the major threats to machine learning models. Various efforts have been made to mitigate backdoors. However, existing defenses have become increasingly complex and often require high computational resources or may also jeopardize models' utility. In this work, we show that fine-tuning, one of the most common and easy-to-adopt machine learning training operations, can effectively remove backdoors from machine learning models while maintaining high model utility. Extensive experiments over three machine learning paradigms show that fine-tuning and our newly proposed super-fine-tuning achieve strong defense performance. Furthermore, we coin a new term, namely backdoor sequela, to measure the changes in model vulnerabilities to other attacks before and after the backdoor has been removed. Empirical evaluation shows that, compared to other defense methods, super-fine-tuning leaves limited backdoor sequela. We hope our results can help machine learning model owners better protect their models from backdoor threats. Also, it calls for the design of more advanced attacks in order to comprehensively assess machine learning models' backdoor vulnerabilities.

预训练是在各种下游任务上转移学习的广泛采用的起点。对彩票假说（LTH）的最新研究表明，这种巨大的预训练模型可以用极稀疏的子网（又称匹配子网络）代替，而无需牺牲可传递性。但是，实际的安全 - 重要应用程序通常在标准转移之外提出了更具挑战性的要求，这也要求这些子网克服对抗性脆弱性。在本文中，我们制定了一个更严格的概念，双赢彩票，其中预训练模型的位置可以在各种下游任务上独立传输，以在两个标准下达到相同的标准和可靠的概括正如完整的预培训模型可以做到的那样，对抗性训练制度。我们全面检查了各种训练机制，发现强大的预训练倾向于制作出更少的双赢彩票，其性能优于标准对应物。例如，在下游CIFAR-10/100数据集上，我们识别出具有标准的，快速的对抗性和对抗性预训练的双赢匹配子网，以89.26％/73.79％，89.26％/79.03％和91.41％的匹配培训。 /83.22%稀疏。此外，我们观察到获得的双赢彩票票可以在实用数据限制（例如1％和10％）下游方案下传输的数据效率更高。我们的结果表明，彩票票务方案以及数据限制的转移设置可以扩大稳健的预训练的好处。代码可在https://github.com/vita-group/double-win-lth上找到。

最近的智能故障诊断（IFD）的进展大大依赖于深度代表学习和大量标记数据。然而，机器通常以各种工作条件操作，或者目标任务具有不同的分布，其中包含用于训练的收集数据（域移位问题）。此外，目标域中的新收集的测试数据通常是未标记的，导致基于无监督的深度转移学习（基于UDTL为基础的）IFD问题。虽然它已经实现了巨大的发展，但标准和开放的源代码框架以及基于UDTL的IFD的比较研究尚未建立。在本文中，我们根据不同的任务，构建新的分类系统并对基于UDTL的IFD进行全面审查。对一些典型方法和数据集的比较分析显示了基于UDTL的IFD中的一些开放和基本问题，这很少研究，包括特征，骨干，负转移，物理前导等的可转移性，强调UDTL的重要性和再现性 - 基于IFD，整个测试框架将发布给研究界以促进未来的研究。总之，发布的框架和比较研究可以作为扩展界面和基本结果，以便对基于UDTL的IFD进行新的研究。代码框架可用于\ url {https:/github.com/zhaozhibin/udtl}。

Recent increases in the computational demands of deep neural networks (DNNs) have sparked interest in efficient deep learning mechanisms, e.g., quantization or pruning. These mechanisms enable the construction of a small, efficient version of commercial-scale models with comparable accuracy, accelerating their deployment to resource-constrained devices. In this paper, we study the security considerations of publishing on-device variants of large-scale models. We first show that an adversary can exploit on-device models to make attacking the large models easier. In evaluations across 19 DNNs, by exploiting the published on-device models as a transfer prior, the adversarial vulnerability of the original commercial-scale models increases by up to 100x. We then show that the vulnerability increases as the similarity between a full-scale and its efficient model increase. Based on the insights, we propose a defense, $similarity$-$unpairing$, that fine-tunes on-device models with the objective of reducing the similarity. We evaluated our defense on all the 19 DNNs and found that it reduces the transferability up to 90% and the number of queries required by a factor of 10-100x. Our results suggest that further research is needed on the security (or even privacy) threats caused by publishing those efficient siblings.

尽管在许多领域都有成功的应用，但如今的机器学习模型遭受了臭名昭著的问题，例如脆弱性，对对抗性例子。除了陷入对抗攻击和防御之间的猫与小鼠游戏之外，本文还提供了替代观点来考虑对抗性示例，并探索我们是否可以在良性应用中利用它。我们首先将对抗性示例归因于使用非语义特征的人类模型差异。尽管在经典的机器学习机制中很大程度上被忽略了，但非语义功能具有三个有趣的特征，因为（1）模型独有，（2）对推理至关重要，以及（3）可利用的功能。受到这一点的启发，我们提出了良性的对抗性攻击的新想法，以利用三个方向的对抗性示例以善良：（1）对抗性图灵测试，（2）拒绝恶意模型应用，以及（3）对抗性数据扩增。每个方向都以动机详细说明，理由分析和原型应用来展示其潜力。

为了应对对抗性实例的威胁，对抗性培训提供了一种有吸引力的选择，可以通过在线增强的对抗示例中的培训模型提高模型稳健性。然而，大多数现有的对抗训练方法通过强化对抗性示例来侧重于提高鲁棒的准确性，但忽略了天然数据和对抗性实施例之间的增加，导致自然精度急剧下降。为了维持自然和强大的准确性之间的权衡，我们从特征适应的角度缓解了转变，并提出了一种特征自适应对抗训练（FAAT），这些培训（FAAT）跨越自然数据和对抗示例优化类条件特征适应。具体而言，我们建议纳入一类条件鉴别者，以鼓励特征成为（1）类鉴别的和（2）不变导致对抗性攻击的变化。新型的FAAT框架通过在天然和对抗数据中产生具有类似分布的特征来实现自然和强大的准确性之间的权衡，并实现从类鉴别特征特征中受益的更高的整体鲁棒性。在各种数据集上的实验表明，FAAT产生更多辨别特征，并对最先进的方法表现有利。代码在https://github.com/visionflow/faat中获得。

基础模型不是模型生产管道的最后一章。以少数数据以少数数据传输到数千个下游任务正在成为基础模型的应用的趋势。在本文中，我们提出了一个通用转移框架：一个传输所有（OTA），将任何视觉基础模型（VFM）转移到具有少数下游数据的下游任务。我们首先通过图像重新表示微调（IRF）将VFM传输到特定于任务特定模型，然后将知识从特定于任务的模型蒸馏到部署的模型，其中包含由下游图像引导的生成（DIGG）产生的数据。OTA在传输时没有对上游数据，VFM和下游任务的依赖性。它还为VFM研究人员提供了一种方法，以释放其上游信息，以便更好地转移，但由于隐私要求而没有泄漏数据。大规模实验在少数数据设置中验证我们方法的有效性和优越性。我们的代码将被释放。

对抗性培训是生产模型的行业标准，对小对抗扰动具有鲁棒性。然而，机器学习从业者需要对自然发生的其他类型的变化具有强大的模型，例如输入图像的样式或照明的变化。输入分布的这种变化已经有效地建模为深度图像特征的平均值和方差的变化。我们通过直接扰动特征统计而不是图像像素来调整对抗性训练，以生产对各种看不见分布偏移的稳健的模型。通过可视化对抗特征，我们探讨了这些扰动和分布转变之间的关系。我们提出的方法，对抗批量归一化（ADVBN）是一种网络层，在训练期间产生最坏情况的扰动。通过微调对抗性特征分布的神经网络，我们观察到对各种看不见的分布转移的网络的改进的鲁棒性，包括风格变化和图像损坏。此外，我们表明，我们提出的对抗特征扰动可以与现有的图像空间数据增强方法互补，从而提高性能。源代码和预先训练的型号在\ url {https://github.com/azshue/advbn}释放。

Recent work has demonstrated that deep neural networks are vulnerable to adversarial examples-inputs that are almost indistinguishable from natural data and yet classified incorrectly by the network. In fact, some of the latest findings suggest that the existence of adversarial attacks may be an inherent weakness of deep learning models. To address this problem, we study the adversarial robustness of neural networks through the lens of robust optimization. This approach provides us with a broad and unifying view on much of the prior work on this topic. Its principled nature also enables us to identify methods for both training and attacking neural networks that are reliable and, in a certain sense, universal. In particular, they specify a concrete security guarantee that would protect against any adversary. These methods let us train networks with significantly improved resistance to a wide range of adversarial attacks. They also suggest the notion of security against a first-order adversary as a natural and broad security guarantee. We believe that robustness against such well-defined classes of adversaries is an important stepping stone towards fully resistant deep learning models. 1

几个数据增强方法部署了未标记的分配（UID）数据，以弥合神经网络的培训和推理之间的差距。然而，这些方法在UID数据的可用性方面具有明确的限制和伪标签上的算法的依赖性。在此，我们提出了一种数据增强方法，通过使用缺乏上述问题的分发（OOD）数据来改善对抗和标准学习的泛化。我们展示了如何在理论上使用每个学习场景中的数据来改进泛化，并通过Cifar-10，CiFar-100和ImageNet的子集进行化学理论分析。结果表明，即使在似乎与人类角度几乎没有相关的图像数据中也是不希望的特征。我们还通过与其他数据增强方法进行比较，介绍了所提出的方法的优点，这些方法可以在没有UID数据的情况下使用。此外，我们证明该方法可以进一步改善现有的最先进的对抗培训。