Deep neural networks are normally executed in the forward direction. However,
in this work, we identify a vulnerability that enables models to be trained in
both directions and on different tasks. Adversaries can exploit this capability
to hide rogue models within seemingly legitimate models. In addition, in this
work we show that neural networks can be taught to systematically memorize and
retrieve specific samples from datasets. Together, these findings expose a
novel method in which adversaries can exfiltrate datasets from protected
learning environments under the guise of legitimate models. We focus on the
data exfiltration attack and show that modern architectures can be used to
secretly exfiltrate tens of thousands of samples with high fidelity, high
enough to compromise data privacy and even train new models. Moreover, to
mitigate this threat we propose a novel approach for detecting infected models.

神经网络存在漏洞可在双向上执行不同任务的训练，导致对抗者能够将恶意模型隐藏在表面上合法的模型中，此外神经网络还能被教导有系统地记忆和检索特定样本，这些发现展示了一种对抗者能够在受保护的学习环境中以合法模型的假象下窃取数据集的新方法，我们通过重点研究数据窃取攻击表明现代架构可以偷偷窃取数以万计的高保真样本，足以危害数据隐私甚至训练新模型，为了减轻这一威胁，我们提出了一种检测感染模型的新方法。

转置攻击：通过双向训练窃取数据集

Transpose Attack: Stealing Datasets with Bidirectional Training

Exfiltration of data via email is a serious cybersecurity threat for many
organizations. Detecting data exfiltration (anomaly) patterns typically
requires labeling, most often done by a human annotator, to reduce the high
number of false alarms. Active Learning (AL) is a promising approach for
labeling data efficiently, but it needs to choose an efficient order in which
cases are to be labeled, and there are uncertainties as to what scoring
procedure should be used to prioritize cases for labeling, especially when
detecting rare cases of interest is crucial. We propose an adaptive AL sampling
strategy that leverages the underlying prior data distribution, as well as
model uncertainty, to produce batches of cases to be labeled that contain
instances of rare anomalies. We show that (1) the classifier benefits from a
batch of representative and informative instances of both normal and anomalous
examples, (2) unsupervised anomaly detection plays a useful role in building
the classifier in the early stages of training when relatively little labeling
has been done thus far. Our approach to AL for anomaly detection outperformed
existing AL approaches on three highly unbalanced UCI benchmarks and on one
real-world redacted email data set.

通过自适应主动学习采样策略，利用数据先验分布和模型不确定性，我们的方法在检测异常时的主动学习中胜过现有方法，并在三个高度不平衡的 UCI 基准数据集和一个真实世界的已编辑电子邮件数据集上取得了好的结果。