Rowhammer is a serious security problem of contemporary dynamic random-access memory (DRAM) where reads or writes of bits can flip other bits. DRAM manufacturers add mitigations, but don't disclose details, making it difficult for customers to evaluate their efficacy. We present a tool, based on active learning, that automatically infers parameter of Rowhammer mitigations against synthetic models of modern DRAM.

深度神经网络（DNN）的最新进步已经看到多个安全敏感域中的广泛部署。需要资源密集型培训和使用有价值的域特定培训数据，使这些模型成为模型所有者的顶级知识产权（IP）。 DNN隐私的主要威胁之一是模型提取攻击，前提是在DNN模型中试图窃取敏感信息。最近的研究表明，基于硬件的侧信道攻击可以揭示关于DNN模型的内部知识（例如，模型架构）但到目前为止，现有攻击不能提取详细的模型参数（例如，权重/偏置）。在这项工作中，我们首次提出了一种先进的模型提取攻击框架，借助记忆侧通道攻击有效地窃取了DNN权重。我们建议的深度包括两个关键阶段。首先，我们通过采用基于Rowhammer的硬件故障技术作为信息泄漏向量，开发一种名为HammerLeak的新重量位信息提取方法。 Hammerleak利用了用于DNN应用的几种新的系统级技术，以实现快速高效的重量窃取。其次，我们提出了一种具有平均聚类重量惩罚的新型替代模型训练算法，其利用部分泄漏的位信息有效地利用了目标受害者模型的替代原型。我们在三个流行的图像数据集（例如，CiFar-10/100 / GTSRB）和四个DNN架构上评估该替代模型提取方法（例如，Reset-18/34 / Wide-Reset / Vgg-11）。提取的替代模型在CiFar-10数据集的深度剩余网络上成功实现了超过90％的测试精度。此外，我们提取的替代模型也可能产生有效的对抗性输入样本来欺骗受害者模型。

我们将减少创建AI的任务，以找到适当的语言来描述世界的任务。这不是编程语言，因为编程语言仅描述可计算的函数，而我们的语言将描述更广泛的函数类别。该语言的另一个特异性将是描述将包含单独的模块。这将使我们能够自动寻找世界的描述，以便我们在模块后发现它。我们创建这种新语言的方法将是从一个特定的世界开始，并写出特定世界的描述。关键是，可以描述这个特定世界的语言将适合描述任何世界。

背景信息：在过去几年中，机器学习（ML）一直是许多创新的核心。然而，包括在所谓的“安全关键”系统中，例如汽车或航空的系统已经被证明是非常具有挑战性的，因为ML的范式转变为ML带来完全改变传统认证方法。目的：本文旨在阐明与ML为基础的安全关键系统认证有关的挑战，以及文献中提出的解决方案，以解决它们，回答问题的问题如何证明基于机器学习的安全关键系统？'方法：我们开展2015年至2020年至2020年之间发布的研究论文的系统文献综述（SLR），涵盖了与ML系统认证有关的主题。总共确定了217篇论文涵盖了主题，被认为是ML认证的主要支柱：鲁棒性，不确定性，解释性，验证，安全强化学习和直接认证。我们分析了每个子场的主要趋势和问题，并提取了提取的论文的总结。结果：单反结果突出了社区对该主题的热情，以及在数据集和模型类型方面缺乏多样性。它还强调需要进一步发展学术界和行业之间的联系，以加深域名研究。最后，它还说明了必须在上面提到的主要支柱之间建立连接的必要性，这些主要柱主要主要研究。结论：我们强调了目前部署的努力，以实现ML基于ML的软件系统，并讨论了一些未来的研究方向。

Curiosity for machine agents has been a focus of lively research activity. The study of human and animal curiosity, particularly specific curiosity, has unearthed several properties that would offer important benefits for machine learners, but that have not yet been well-explored in machine intelligence. In this work, we conduct a comprehensive, multidisciplinary survey of the field of animal and machine curiosity. As a principal contribution of this work, we use this survey as a foundation to introduce and define what we consider to be five of the most important properties of specific curiosity: 1) directedness towards inostensible referents, 2) cessation when satisfied, 3) voluntary exposure, 4) transience, and 5) coherent long-term learning. As a second main contribution of this work, we show how these properties may be implemented together in a proof-of-concept reinforcement learning agent: we demonstrate how the properties manifest in the behaviour of this agent in a simple non-episodic grid-world environment that includes curiosity-inducing locations and induced targets of curiosity. As we would hope, our example of a computational specific curiosity agent exhibits short-term directed behaviour while updating long-term preferences to adaptively seek out curiosity-inducing situations. This work, therefore, presents a landmark synthesis and translation of specific curiosity to the domain of machine learning and reinforcement learning and provides a novel view into how specific curiosity operates and in the future might be integrated into the behaviour of goal-seeking, decision-making computational agents in complex environments.

Alphazero，Leela Chess Zero和Stockfish Nnue革新了计算机国际象棋。本书对此类引擎的技术内部工作进行了完整的介绍。该书分为四个主要章节 - 不包括第1章（简介）和第6章（结论）：第2章引入神经网络，涵盖了所有用于构建深层网络的基本构建块，例如Alphazero使用的网络。内容包括感知器，后传播和梯度下降，分类，回归，多层感知器，矢量化技术，卷积网络，挤压网络，挤压和激发网络，完全连接的网络，批处理归一化和横向归一化和跨性线性单位，残留层，剩余层，过度效果和底漆。第3章介绍了用于国际象棋发动机以及Alphazero使用的经典搜索技术。内容包括minimax，alpha-beta搜索和蒙特卡洛树搜索。第4章展示了现代国际象棋发动机的设计。除了开创性的Alphago，Alphago Zero和Alphazero我们涵盖Leela Chess Zero，Fat Fritz，Fat Fritz 2以及有效更新的神经网络（NNUE）以及MAIA。第5章是关于实施微型α。 Shexapawn是国际象棋的简约版本，被用作为此的示例。 Minimax搜索可以解决六ap峰，并产生了监督学习的培训位置。然后，作为比较，实施了类似Alphazero的训练回路，其中通过自我游戏进行训练与强化学习结合在一起。最后，比较了类似α的培训和监督培训。

机器学习与服务（MLAAS）已成为广泛的范式，即使是通过例如，也是客户可用的最复杂的机器学习模型。一个按要求的原则。这使用户避免了数据收集，超参数调整和模型培训的耗时过程。但是，通过让客户访问（预测）模型，MLAAS提供商危害其知识产权，例如敏感培训数据，优化的超参数或学到的模型参数。对手可以仅使用预测标签创建模型的副本，并以（几乎）相同的行为。尽管已经描述了这种攻击的许多变体，但仅提出了零星的防御策略，以解决孤立的威胁。这增加了对模型窃取领域进行彻底系统化的必要性，以全面了解这些攻击是成功的原因，以及如何全面地捍卫它们。我们通过对模型窃取攻击，评估其性能以及探索不同设置中相应的防御技术来解决这一问题。我们为攻击和防御方法提出了分类法，并提供有关如何根据目标和可用资源选择正确的攻击或防御策略的准则。最后，我们分析了当前攻击策略使哪些防御能力降低。

复杂的事件识别（CER）系统在过去二十年中变得流行，因为它们能够“立即”检测在实时事件流上的模式。然而，缺乏预测模式可能发生在例如由Cer发动机实际检测到这种发生之前的模式。我们提出了一项正式的框架，试图解决复杂事件预测（CEF）的问题。我们的框架结合了两个形式主义：a）用于编码复杂事件模式的符号自动机; b）预测后缀树，可以提供自动机构的行为的简洁概率描述。我们比较我们提出的方法，以防止最先进的方法，并在准确性和效率方面展示其优势。特别地，预测后缀树是可变的马尔可夫模型，可以通过仅记住足够的信息的过去序列来捕获流中的长期依赖性。我们的实验结果表明了能够捕获这种长期依赖性的准确性的益处。这是通过增加我们模型的顺序来实现的，以满足需要执行给定顺序的所有可能的过去序列的所有可能的过去序列的详尽枚举的全阶马尔可夫模型。我们还广泛讨论CEF解决方案如何最佳地评估其预测的质量。

数字化和远程连接扩大了攻击面，使网络系统更脆弱。由于攻击者变得越来越复杂和资源丰富，仅仅依赖传统网络保护，如入侵检测，防火墙和加密，不足以保护网络系统。网络弹性提供了一种新的安全范式，可以使用弹性机制来补充保护不足。一种网络弹性机制（CRM）适应了已知的或零日威胁和实际威胁和不确定性，并对他们进行战略性地响应，以便在成功攻击时保持网络系统的关键功能。反馈架构在启用CRM的在线感应，推理和致动过程中发挥关键作用。强化学习（RL）是一个重要的工具，对网络弹性的反馈架构构成。它允许CRM提供有限或没有事先知识和攻击者的有限攻击的顺序响应。在这项工作中，我们审查了Cyber​​恢复力的RL的文献，并讨论了对三种主要类型的漏洞，即姿势有关，与信息相关的脆弱性的网络恢复力。我们介绍了三个CRM的应用领域：移动目标防御，防守网络欺骗和辅助人类安全技术。 RL算法也有漏洞。我们解释了RL的三个漏洞和目前的攻击模型，其中攻击者针对环境与代理商之间交换的信息：奖励，国家观察和行动命令。我们展示攻击者可以通过最低攻击努力来欺骗RL代理商学习邪恶的政策。最后，我们讨论了RL为基于RL的CRM的网络安全和恢复力和新兴应用的未来挑战。

Monte Carlo Tree Search (MCTS) is a recently proposed search method that combines the precision of tree search with the generality of random sampling. It has received considerable interest due to its spectacular success in the difficult problem of computer Go, but has also proved beneficial in a range of other domains. This paper is a survey of the literature to date, intended to provide a snapshot of the state of the art after the first five years of MCTS research. We outline the core algorithm's derivation, impart some structure on the many variations and enhancements that have been proposed, and summarise the results from the key game and non-game domains to which MCTS methods have been applied. A number of open research questions indicate that the field is ripe for future work.

当前独立于域的经典计划者需要问题域和实例作为输入的符号模型，从而导致知识采集瓶颈。同时，尽管深度学习在许多领域都取得了重大成功，但知识是在与符号系统（例如计划者）不兼容的亚符号表示中编码的。我们提出了Latplan，这是一种无监督的建筑，结合了深度学习和经典计划。只有一组未标记的图像对，显示了环境中允许的过渡子集（训练输入），Latplan学习了环境的完整命题PDDL动作模型。稍后，当给出代表初始状态和目标状态（计划输入）的一对图像时，Latplan在符号潜在空间中找到了目标状态的计划，并返回可视化的计划执行。我们使用6个计划域的基于图像的版本来评估LATPLAN：8个插头，15个式嘴，Blockworld，Sokoban和两个LightsOut的变体。

A learned system uses machine learning (ML) internally to improve performance. We can expect such systems to be vulnerable to some adversarial-ML attacks. Often, the learned component is shared between mutually-distrusting users or processes, much like microarchitectural resources such as caches, potentially giving rise to highly-realistic attacker models. However, compared to attacks on other ML-based systems, attackers face a level of indirection as they cannot interact directly with the learned model. Additionally, the difference between the attack surface of learned and non-learned versions of the same system is often subtle. These factors obfuscate the de-facto risks that the incorporation of ML carries. We analyze the root causes of potentially-increased attack surface in learned systems and develop a framework for identifying vulnerabilities that stem from the use of ML. We apply our framework to a broad set of learned systems under active development. To empirically validate the many vulnerabilities surfaced by our framework, we choose 3 of them and implement and evaluate exploits against prominent learned-system instances. We show that the use of ML caused leakage of past queries in a database, enabled a poisoning attack that causes exponential memory blowup in an index structure and crashes it in seconds, and enabled index users to snoop on each others' key distributions by timing queries over their own keys. We find that adversarial ML is a universal threat against learned systems, point to open research gaps in our understanding of learned-systems security, and conclude by discussing mitigations, while noting that data leakage is inherent in systems whose learned component is shared between multiple parties.

Reinforcement learning allows machines to learn from their own experience. Nowadays, it is used in safety-critical applications, such as autonomous driving, despite being vulnerable to attacks carefully crafted to either prevent that the reinforcement learning algorithm learns an effective and reliable policy, or to induce the trained agent to make a wrong decision. The literature about the security of reinforcement learning is rapidly growing, and some surveys have been proposed to shed light on this field. However, their categorizations are insufficient for choosing an appropriate defense given the kind of system at hand. In our survey, we do not only overcome this limitation by considering a different perspective, but we also discuss the applicability of state-of-the-art attacks and defenses when reinforcement learning algorithms are used in the context of autonomous driving.

机器学习（ML）代表了当前和未来信息系统的关键技术，许多域已经利用了ML的功能。但是，网络安全中ML的部署仍处于早期阶段，揭示了研究和实践之间的显着差异。这种差异在当前的最新目的中具有其根本原因，该原因不允许识别ML在网络安全中的作用。除非广泛的受众理解其利弊，否则ML的全部潜力将永远不会释放。本文是对ML在整个网络安全领域中的作用的首次尝试 - 对任何对此主题感兴趣的潜在读者。我们强调了ML在人类驱动的检测方法方面的优势，以及ML在网络安全方面可以解决的其他任务。此外，我们阐明了影响网络安全部署实际ML部署的各种固有问题。最后，我们介绍了各种利益相关者如何为网络安全中ML的未来发展做出贡献，这对于该领域的进一步进步至关重要。我们的贡献补充了两项实际案例研究，这些案例研究描述了ML作为对网络威胁的辩护的工业应用。

即使机器学习算法已经在数据科学中发挥了重要作用，但许多当前方法对输入数据提出了不现实的假设。由于不兼容的数据格式，或数据集中的异质，分层或完全缺少的数据片段，因此很难应用此类方法。作为解决方案，我们提出了一个用于样本表示，模型定义和培训的多功能，统一的框架，称为“ Hmill”。我们深入审查框架构建和扩展的机器学习的多个范围范式。从理论上讲，为HMILL的关键组件的设计合理，我们将通用近似定理的扩展显示到框架中实现的模型所实现的所有功能的集合。本文还包含有关我们实施中技术和绩效改进的详细讨论，该讨论将在MIT许可下发布供下载。该框架的主要资产是其灵活性，它可以通过相同的工具对不同的现实世界数据源进行建模。除了单独观察到每个对象的一组属性的标准设置外，我们解释了如何在框架中实现表示整个对象系统的图表中的消息推断。为了支持我们的主张，我们使用框架解决了网络安全域的三个不同问题。第一种用例涉及来自原始网络观察结果的IoT设备识别。在第二个问题中，我们研究了如何使用以有向图表示的操作系统的快照可以对恶意二进制文件进行分类。最后提供的示例是通过网络中实体之间建模域黑名单扩展的任务。在所有三个问题中，基于建议的框架的解决方案可实现与专业方法相当的性能。

行为树（BT）是一种在自主代理中（例如机器人或计算机游戏中的虚拟实体）之间在不同任务之间进行切换的方法。 BT是创建模块化和反应性的复杂系统的一种非常有效的方法。这些属性在许多应用中至关重要，这导致BT从计算机游戏编程到AI和机器人技术的许多分支。在本书中，我们将首先对BTS进行介绍，然后我们描述BTS与早期切换结构的关系，并且在许多情况下如何概括。然后，这些想法被用作一套高效且易于使用的设计原理的基础。安全性，鲁棒性和效率等属性对于自主系统很重要，我们描述了一套使用BTS的状态空间描述正式分析这些系统的工具。借助新的分析工具，我们可以对BTS如何推广早期方法的形式形式化。我们还显示了BTS在自动化计划和机器学习中的使用。最后，我们描述了一组扩展的工具，以捕获随机BT的行为，其中动作的结果由概率描述。这些工具可以计算成功概率和完成时间。

The literature on machine learning in the context of data streams is vast and growing. However, many of the defining assumptions regarding data-stream learning tasks are too strong to hold in practice, or are even contradictory such that they cannot be met in the contexts of supervised learning. Algorithms are chosen and designed based on criteria which are often not clearly stated, for problem settings not clearly defined, tested in unrealistic settings, and/or in isolation from related approaches in the wider literature. This puts into question the potential for real-world impact of many approaches conceived in such contexts, and risks propagating a misguided research focus. We propose to tackle these issues by reformulating the fundamental definitions and settings of supervised data-stream learning with regard to contemporary considerations of concept drift and temporal dependence; and we take a fresh look at what constitutes a supervised data-stream learning task, and a reconsideration of algorithms that may be applied to tackle such tasks. Through and in reflection of this formulation and overview, helped by an informal survey of industrial players dealing with real-world data streams, we provide recommendations. Our main emphasis is that learning from data streams does not impose a single-pass or online-learning approach, or any particular learning regime; and any constraints on memory and time are not specific to streaming. Meanwhile, there exist established techniques for dealing with temporal dependence and concept drift, in other areas of the literature. For the data streams community, we thus encourage a shift in research focus, from dealing with often-artificial constraints and assumptions on the learning mode, to issues such as robustness, privacy, and interpretability which are increasingly relevant to learning in data streams in academic and industrial settings.

This paper surveys the eld of reinforcement learning from a computer-science perspective. It is written to be accessible to researchers familiar with machine learning. Both the historical basis of the eld and a broad selection of current work are summarized. Reinforcement learning is the problem faced by an agent that learns behavior through trial-and-error interactions with a dynamic environment. The work described here has a resemblance to work in psychology, but di ers considerably in the details and in the use of the word \reinforcement." The paper discusses central issues of reinforcement learning, including trading o exploration and exploitation, establishing the foundations of the eld via Markov decision theory, learning from delayed reinforcement, constructing empirical models to accelerate learning, making use of generalization and hierarchy, and coping with hidden state. It concludes with a survey of some implemented systems and an assessment of the practical utility of current methods for reinforcement learning.

当环境稀疏和非马克维亚奖励时，使用标量奖励信号的训练加强学习（RL）代理通常是不可行的。此外，在训练之前对这些奖励功能进行手工制作很容易指定，尤其是当环境的动态仅部分知道时。本文提出了一条新型的管道，用于学习非马克维亚任务规格，作为简洁的有限状态“任务自动机”，从未知环境中的代理体验情节中。我们利用两种关键算法的见解。首先，我们通过将其视为部分可观察到的MDP并为隐藏的Markov模型使用现成的算法，从而学习了由规范的自动机和环境MDP组成的产品MDP，该模型是由规范的自动机和环境MDP组成的。其次，我们提出了一种从学习的产品MDP中提取任务自动机（假定为确定性有限自动机）的新方法。我们学到的任务自动机可以使任务分解为其组成子任务，从而提高了RL代理以后可以合成最佳策略的速率。它还提供了高级环境和任务功能的可解释编码，因此人可以轻松地验证代理商是否在没有错误的情况下学习了连贯的任务。此外，我们采取步骤确保学识渊博的自动机是环境不可静止的，使其非常适合用于转移学习。最后，我们提供实验结果，以说明我们在不同环境和任务中的算法的性能及其合并先前的领域知识以促进更有效学习的能力。

Recent years have seen a proliferation of research on adversarial machine learning. Numerous papers demonstrate powerful algorithmic attacks against a wide variety of machine learning (ML) models, and numerous other papers propose defenses that can withstand most attacks. However, abundant real-world evidence suggests that actual attackers use simple tactics to subvert ML-driven systems, and as a result security practitioners have not prioritized adversarial ML defenses. Motivated by the apparent gap between researchers and practitioners, this position paper aims to bridge the two domains. We first present three real-world case studies from which we can glean practical insights unknown or neglected in research. Next we analyze all adversarial ML papers recently published in top security conferences, highlighting positive trends and blind spots. Finally, we state positions on precise and cost-driven threat modeling, collaboration between industry and academia, and reproducible research. We believe that our positions, if adopted, will increase the real-world impact of future endeavours in adversarial ML, bringing both researchers and practitioners closer to their shared goal of improving the security of ML systems.