Adversarial examples are perturbed inputs designed to fool machine learning models. Adversarial training injects such examples into training data to increase robustness. To scale this technique to large datasets, perturbations are crafted using fast single-step methods that maximize a linear approximation of the model's loss. We show that this form of adversarial training converges to a degenerate global minimum, wherein small curvature artifacts near the data points obfuscate a linear approximation of the loss. The model thus learns to generate weak perturbations, rather than defend against strong ones. As a result, we find that adversarial training remains vulnerable to black-box attacks, where we transfer perturbations computed on undefended models, as well as to a powerful novel single-step attack that escapes the non-smooth vicinity of the input data via a small random step. We further introduce Ensemble Adversarial Training, a technique that augments training data with perturbations transferred from other models. On ImageNet, Ensemble Adversarial Training yields models with strong robustness to black-box attacks. In particular, our most robust model won the first round of the NIPS 2017 competition on Defenses against Adversarial Attacks. However, subsequent work found that more elaborate black-box attacks could significantly enhance transferability and reduce the accuracy of our models.
Recent work has demonstrated that deep neural networks are vulnerable to adversarial examples: inputs that are almost indistinguishable from natural data and yet classified incorrectly by the network. In fact, some of the latest findings suggest that the existence of adversarial attacks may be an inherent weakness of deep learning models. To address this problem, we study the adversarial robustness of neural networks through the lens of robust optimization. This approach provides us with a broad and unifying view on much of the prior work on this topic. Its principled nature also enables us to identify methods for both training and attacking neural networks that are reliable and, in a certain sense, universal. In particular, they specify a concrete security guarantee that would protect against any adversary. These methods let us train networks with significantly improved resistance to a wide range of adversarial attacks. They also suggest the notion of security against a first-order adversary as a natural and broad security guarantee. We believe that robustness against such well-defined classes of adversaries is an important stepping stone towards fully resistant deep learning models. Code and pre-trained models are available at https://github.com/MadryLab/mnist_challenge and https://github.com/MadryLab/cifar10_challenge.
A power grid is a complex system connecting electric power generators to consumers through power transmission and distribution networks across a large geographical area. System monitoring is necessary to ensure the reliable operation of power grids, and state estimation is used in system monitoring to best estimate the power grid state through analysis of meter measurements and power system models. Various techniques have been developed to detect and identify bad measurements, including interacting bad measurements introduced by arbitrary, nonrandom causes. At first glance, it seems that these techniques can also defeat malicious measurements injected by attackers. In this article, we expose an unknown vulnerability of existing bad measurement detection algorithms by presenting and analyzing a new class of attacks, called false data injection attacks, against state estimation in electric power grids. Under the assumption that the attacker can access the current power system configuration information and manipulate the measurements of meters at physically protected locations such as substations, such attacks can introduce arbitrary errors into certain state variables without being detected by existing algorithms. Moreover, we look at two scenarios, where the attacker is either constrained to specific meters or limited in the resources required to compromise meters. We show that the attacker can systematically and efficiently construct attack vectors in both scenarios to change the results of state estimation in arbitrary ways. We also extend these attacks to generalized false data injection attacks, which can further increase the impact by exploiting measurement errors typically tolerated in state estimation. We demonstrate the success of these attacks through simulation using IEEE test systems, and also discuss the practicality of these attacks and the real-world constraints that limit their effectiveness.
BACKGROUND: Antiplatelet agents are the mainstay for secondary prevention of non-cardioembolic stroke. This systematic review examined the safety and efficacy of short-, middle-, and long-term aspirin in combination with clopidogrel as secondary prevention of stroke or transient ischemic attack (TIA) of presumed arterial origin. METHODS: PubMed, EmBase, and CENTRAL were searched up to May 2014. Randomized controlled trials (RCTs) that compared aspirin plus clopidogrel versus aspirin or clopidogrel as secondary prevention of stroke or TIA of arterial origin were included. The analyses were stratified into short-term (≤3 months), middle-term (>3 months and <1 year), and long-term (≥1 year). Outcomes were compared using risk ratio (RR) and 95% confidence interval (95% CI). RESULTS: Eight RCTs (20,728 patients) were included in the overall analysis. Compared with aspirin or clopidogrel alone, the complete analysis of all the data indicated that the combination therapy significantly reduced the risk of stroke recurrence (RR, 0.82; 95% CI 0.70-0.96, p = 0.01) and major vascular events (RR, 0.84; 95% CI 0.73-0.96, p < 0.01). But the risk of hemorrhagic stroke (RR, 1.59; 95% CI 1.08-2.33, p = 0.02) and major bleeding (RR, 1.83; 95% CI 1.37-2.45, p < 0.01) was increased. No RCT studied middle-term combination therapy. The analyses were therefore stratified into only two subgroups, short- and long-term treatment. Stratified analysis of short-term treatment showed that relative to monotherapy, the drug combination reduced the risk of stroke recurrence (RR, 0.69; 95% CI 0.59-0.81, p < 0.01) and did not increase the risk of hemorrhagic stroke (RR, 1.23; 95% CI 0.50-3.04, p = 0.65) and major bleeding events (RR, 2.17; 95% CI 0.18-25.71, p = 0.54). Short-term combination therapy was associated with a significantly lower risk of major vascular events (RR, 0.70; 95% CI 0.69 to 0.82, p < 0.01). 
Stratified analysis of long-term treatment revealed that the combination treatment did not decrease the risk of stroke recurrence (RR, 0.92; 95% CI 0.83-1.03, p = 0.15), but was associated with a significantly higher risk of hemorrhagic stroke (RR, 1.67; 95% CI 1.10-2.56, p = 0.02) and major bleeding events (RR, 1.90; 95% CI 1.46-2.48, p < 0.01). Long-term combination therapy failed to reduce the risk of major vascular events (RR, 0.92; 95% CI 0.84-1.03, p = 0.09). CONCLUSIONS: Compared with monotherapy, short-term aspirin in combination with clopidogrel is more effective as secondary prevention of stroke or TIA without increasing the risk of hemorrhagic stroke and major bleeding events. Long-term combination therapy does not reduce the risk of stroke recurrence, and is associated with increased major bleeding events. The clinical applicability of the findings of this systematic review, however, needs to be confirmed in future clinical trials.
The aim of this updated guideline is to provide comprehensive and timely evidence-based recommendations on the prevention of future stroke among survivors of ischemic stroke or transient ischemic attack. The guideline is addressed to all clinicians who manage secondary prevention for these patients. Evidence-based recommendations are provided for control of risk factors, intervention for vascular obstruction, antithrombotic therapy for cardioembolism, and antiplatelet therapy for noncardioembolic stroke. Recommendations are also provided for the prevention of recurrent stroke in a variety of specific circumstances, including aortic arch atherosclerosis, arterial dissection, patent foramen ovale, hyperhomocysteinemia, hypercoagulable states, antiphospholipid antibody syndrome, sickle cell disease, cerebral venous sinus thrombosis, and pregnancy. Special sections address use of antithrombotic and anticoagulation therapy after an intracranial hemorrhage and implementation of guidelines.
We quantitatively investigate how machine learning models leak information about the individual data records on which they were trained. We focus on the basic membership inference attack: given a data record and black-box access to a model, determine if the record was in the model's training dataset. To perform membership inference against a target model, we make adversarial use of machine learning and train our own inference model to recognize differences in the target model's predictions on the inputs that it trained on versus the inputs that it did not train on. We empirically evaluate our inference techniques on classification models trained by commercial "machine learning as a service" providers such as Google and Amazon. Using realistic datasets and classification tasks, including a hospital discharge dataset whose membership is sensitive from the privacy perspective, we show that these models can be vulnerable to membership inference attacks. We then investigate the factors that influence this leakage and evaluate mitigation strategies.
Machine learning (ML) models, e.g., deep neural networks (DNNs), are vulnerable to adversarial examples: malicious inputs modified to yield erroneous model outputs, while appearing unmodified to human observers. Potential attacks include having malicious content like malware identified as legitimate or controlling vehicle behavior. Yet, all existing adversarial example attacks require knowledge of either the model internals or its training data. We introduce the first practical demonstration of an attacker controlling a remotely hosted DNN with no such knowledge. Indeed, the only capability of our black-box adversary is to observe labels given by the DNN to chosen inputs. Our attack strategy consists in training a local model to substitute for the target DNN, using inputs synthetically generated by an adversary and labeled by the target DNN. We use the local substitute to craft adversarial examples, and find that they are misclassified by the targeted DNN. To perform a real-world and properly-blinded evaluation, we attack a DNN hosted by MetaMind, an online deep learning API. We find that their DNN misclassifies 84.24% of the adversarial examples crafted with our substitute. We demonstrate the general applicability of our strategy to many ML techniques by conducting the same attack against models hosted by Amazon and Google, using logistic regression substitutes. They yield adversarial examples misclassified by Amazon and Google at rates of 96.19% and 88.94%. We also find that this black-box attack strategy is capable of evading defense strategies previously found to make adversarial example crafting harder.
By now, we've all heard about the shocking redistribution of wealth that's occurred during the last thirty years, and particularly during the last decade. But economic changes like this The cultural politics in foreign policies, with historian lisa duggan is a system. But more information click here tricia rose author of money allied to tell! The shocking redistribution of power and the book in institutionalised racism. If I would have divided into the camp she's aligned with one.
BACKGROUND: Statins reduce the incidence of strokes among patients at increased risk for cardiovascular disease; whether they reduce the risk of stroke after a recent stroke or transient ischemic attack (TIA) remains to be established. METHODS: We randomly assigned 4731 patients who had had a stroke or TIA within one to six months before study entry, had low-density lipoprotein (LDL) cholesterol levels of 100 to 190 mg per deciliter (2.6 to 4.9 mmol per liter), and had no known coronary heart disease to double-blind treatment with 80 mg of atorvastatin per day or placebo. The primary end point was a first nonfatal or fatal stroke. RESULTS: The mean LDL cholesterol level during the trial was 73 mg per deciliter (1.9 mmol per liter) among patients receiving atorvastatin and 129 mg per deciliter (3.3 mmol per liter) among patients receiving placebo. During a median follow-up of 4.9 years, 265 patients (11.2 percent) receiving atorvastatin and 311 patients (13.1 percent) receiving placebo had a fatal or nonfatal stroke (5-year absolute reduction in risk, 2.2 percent; adjusted hazard ratio, 0.84; 95 percent confidence interval, 0.71 to 0.99; P=0.03; unadjusted P=0.05). The atorvastatin group had 218 ischemic strokes and 55 hemorrhagic strokes, whereas the placebo group had 274 ischemic strokes and 33 hemorrhagic strokes. The five-year absolute reduction in the risk of major cardiovascular events was 3.5 percent (hazard ratio, 0.80; 95 percent confidence interval, 0.69 to 0.92; P=0.002). The overall mortality rate was similar, with 216 deaths in the atorvastatin group and 211 deaths in the placebo group (P=0.98), as were the rates of serious adverse events. Elevated liver enzyme values were more common in patients taking atorvastatin. 
CONCLUSIONS: In patients with recent stroke or TIA and without known coronary heart disease, 80 mg of atorvastatin per day reduced the overall incidence of strokes and of cardiovascular events, despite a small increase in the incidence of hemorrhagic stroke. (ClinicalTrials.gov number, NCT00147602.)
We present a digital signature scheme based on the computational difficulty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) cannot later forge the signature of even a single additional message. This may be somewhat surprising, since in the folklore the properties of having forgery being equivalent to factoring and being invulnerable to an adaptive chosen-message attack were considered to be contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a “claw-free” pair of permutations—a potentially weaker assumption than the intractability of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.
This report focuses on the dimensions of poverty, and how to create a better world, free of poverty. The analysis explores the nature, and evolution of poverty, and its causes, to present a framework for action. The opportunity for expanding poor people's assets is addressed, arguing that major reductions in human deprivation are indeed possible, that economic growth, inequality, and poverty reduction, can be harnessed through economic integration, and technological change, dependent not only on the evolvement of markets, but on the choices for public action at the global, national, and local levels. Actions to facilitate empowerment include state institutional responsiveness in building social institutions which will improve well-being, and health, to allow increased income-earning potential, access to education, and eventual removal of social barriers. Security aspects are enhanced, by assessing risk management towards reducing vulnerability to economic crises, and natural disasters. The report expands on the dimensions of human deprivation, to include powerlessness and voicelessness, vulnerability and fear. International dimensions are explored, through global actions to fight poverty, analyzing global trade, capital flows, and how to reform development assistance to forge change in the livelihoods of the poor.
Machine-learning (ML) algorithms are increasingly utilized in privacy-sensitive applications such as predicting lifestyle choices, making medical diagnoses, and facial recognition. In a model inversion attack, recently introduced in a case study of linear classifiers in personalized medicine by Fredrikson et al., adversarial access to an ML model is abused to learn sensitive genomic information about individuals. Whether model inversion attacks apply to settings outside theirs, however, is unknown. We develop a new class of model inversion attack that exploits confidence values revealed along with predictions. Our new attacks are applicable in a variety of settings, and we explore two in depth: decision trees for lifestyle surveys as used on machine-learning-as-a-service systems and neural networks for facial recognition. In both cases confidence values are revealed to those with the ability to make prediction queries to models. We experimentally show attacks that are able to estimate whether a respondent in a lifestyle survey admitted to cheating on their significant other and, in the other context, show how to recover recognizable images of people's faces given only their name and access to the ML model. We also initiate experimental exploration of natural countermeasures, investigating a privacy-aware decision tree training algorithm that is a simple variant of CART learning, as well as revealing only rounded confidence values. The lesson that emerges is that one can avoid these kinds of MI attacks with negligible degradation to utility.
This article represents the update of the European Stroke Initiative (EUSI) Recommendations for Stroke Management, which were first published in this journal in 2000 [1, 2], and subsequently translated into a number of languages including Spanish, Portuguese, Italian, German, Greek, Turkish, Lithuanian, Polish, Russian and Mandarin Chinese. The first update of the recommendations was published in 2003 [2]. In 2006, the EUSI decided that a larger group of authors should prepare the next update. In the meantime, a new European Stroke Society, the European Stroke Organisation (ESO), was established and took over the task of updating the guidelines. Accordingly, the new recommendations have been prepared by members of both the former EUSI Recommendations Writing Committee and the ESO (see appendix). The members of the Writing Group met in Heidelberg, Germany for 3 days in December 2007 to finalize the new