Yanjiao Chen,Xiaotian Zhu,Xueluan Gong,Xinjing Yi,Shuyang Li

DOI: https://doi.org/10.1109/tii.2022.3198481

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:With the unprecedented development of deep learning, autonomous vehicles (AVs) have achieved tremendous progress nowadays. However, AV supported by DNN models is vulnerable to data poisoning attacks, hindering the large-scale application of autonomous driving. For example, by injecting carefully designed poisons into the training dataset of the DNN model in the traffic sign recognition system, the attacker can mislead the system to make targeted misclassification or cause a reduction in model classification accuracy. In this article, we conduct a thorough investigation of the state-of-the-art data poisoning attacks and defenses against AVs. According to whether the attacker needs to manipulate the data labeling process, we divide the state-of-the-art attack approaches into two categories, i.e., dirty-label attacks and clean-label attacks. We also differentiate the existing defense methods into two categories based on whether to modify the training data or the models, i.e., data-based defenses and model-based defenses. In addition to a detailed review of attacks and defenses in each category, we also give a qualitative comparison of the existing attacks and defenses. Besides, we provide a quantitative comparison of the existing attack and defense methods through experiments. Last but not least, we pinpoint several future directions for data poisoning attacks and defenses in AVs, providing possible ways for further research.

Yiwei Lu,Gautam Kamath,Yaoliang Yu

DOI: https://doi.org/10.48550/arXiv.2204.09092

2024-02-16

Abstract:Data poisoning attacks, in which a malicious adversary aims to influence a model by injecting "poisoned" data into the training process, have attracted significant recent attention. In this work, we take a closer look at existing poisoning attacks and connect them with old and new algorithms for solving sequential Stackelberg games. By choosing an appropriate loss function for the attacker and optimizing with algorithms that exploit second-order information, we design poisoning attacks that are effective on neural networks. We present efficient implementations that exploit modern auto-differentiation packages and allow simultaneous and coordinated generation of tens of thousands of poisoned points, in contrast to existing methods that generate poisoned points one by one. We further perform extensive experiments that empirically explore the effect of data poisoning attacks on deep neural networks.

Machine Learning,Cryptography and Security

Cristina Improta

DOI: https://doi.org/10.1109/ISSREW60843.2023.00060

2024-03-11

Abstract:AI-based code generators have gained a fundamental role in assisting developers in writing software starting from natural language (NL). However, since these large language models are trained on massive volumes of data collected from unreliable online sources (e.g., GitHub, Hugging Face), AI models become an easy target for data poisoning attacks, in which an attacker corrupts the training data by injecting a small amount of poison into it, i.e., astutely crafted malicious samples. In this position paper, we address the security of AI code generators by identifying a novel data poisoning attack that results in the generation of vulnerable code. Next, we devise an extensive evaluation of how these attacks impact state-of-the-art models for code generation. Lastly, we discuss potential solutions to overcome this threat.

Cryptography and Security,Artificial Intelligence,Software Engineering

Jia Li,Zhuo Li,Huangzhao Zhang,Ge Li,Zhi Jin,Xing Hu,Xin Xia

DOI: https://doi.org/10.48550/arXiv.2210.17029

2022-10-31

Abstract:In the software engineering community, deep learning (DL) has recently been applied to many source code processing tasks. Due to the poor interpretability of DL models, their security vulnerabilities require scrutiny. Recently, researchers have identified an emergent security threat, namely poison attack. The attackers aim to inject insidious backdoors into models by poisoning the training data with poison samples. Poisoned models work normally with clean inputs but produce targeted erroneous results with poisoned inputs embedded with triggers. By activating backdoors, attackers can manipulate the poisoned models in security-related scenarios. To verify the vulnerability of existing deep source code processing models to the poison attack, we present a poison attack framework for source code named CodePoisoner as a strong imaginary enemy. CodePoisoner can produce compilable even human-imperceptible poison samples and attack models by poisoning the training data with poison samples. To defend against the poison attack, we further propose an effective defense approach named CodeDetector to detect poison samples in the training data. CodeDetector can be applied to many model architectures and effectively defend against multiple poison attack approaches. We apply our CodePoisoner and CodeDetector to three tasks, including defect detection, clone detection, and code repair. The results show that (1) CodePoisoner achieves a high attack success rate (max: 100%) in misleading models to targeted erroneous behaviors. It validates that existing deep source code processing models have a strong vulnerability to the poison attack. (2) CodeDetector effectively defends against multiple poison attack approaches by detecting (max: 100%) poison samples in the training data. We hope this work can help practitioners notice the poison attack and inspire the design of more advanced defense techniques.

Software Engineering,Artificial Intelligence

Domenico Cotroneo,Cristina Improta,Pietro Liguori,Roberto Natella

DOI: https://doi.org/10.1145/3643916.3644416

2024-02-10

Abstract:AI-based code generators have become pivotal in assisting developers in writing software starting from natural language (NL). However, they are trained on large amounts of data, often collected from unsanitized online sources (e.g., GitHub, HuggingFace). As a consequence, AI models become an easy target for data poisoning, i.e., an attack that injects malicious samples into the training data to generate vulnerable code. To address this threat, this work investigates the security of AI code generators by devising a targeted data poisoning strategy. We poison the training data by injecting increasing amounts of code containing security vulnerabilities and assess the attack's success on different state-of-the-art models for code generation. Our study shows that AI code generators are vulnerable to even a small amount of poison. Notably, the attack success strongly depends on the model architecture and poisoning rate, whereas it is not influenced by the type of vulnerabilities. Moreover, since the attack does not impact the correctness of code generated by pre-trained models, it is hard to detect. Lastly, our work offers practical insights into understanding and potentially mitigating this threat.

Cryptography and Security,Artificial Intelligence

Yanxu Zhu,Hong Wen,Jinsong Wu,Runhui Zhao

DOI: https://doi.org/10.3934/mbe.2023788

2023-09-15

Abstract:The deep integration of edge computing and Artificial Intelligence (AI) in IoT (Internet of Things)-enabled smart cities has given rise to new edge AI paradigms that are more vulnerable to attacks such as data and model poisoning and evasion of attacks. This work proposes an online poisoning attack framework based on the edge AI environment of IoT-enabled smart cities, which takes into account the limited storage space and proposes a rehearsal-based buffer mechanism to manipulate the model by incrementally polluting the sample data stream that arrives at the appropriately sized cache. A maximum-gradient-based sample selection strategy is presented, which converts the operation of traversing historical sample gradients into an online iterative computation method to overcome the problem of periodic overwriting of the sample data cache after training. Additionally, a maximum-loss-based sample pollution strategy is proposed to solve the problem of each poisoning sample being updated only once in basic online attacks, transforming the bi-level optimization problem from offline mode to online mode. Finally, the proposed online gray-box poisoning attack algorithms are implemented and evaluated on edge devices of IoT-enabled smart cities using an online data stream simulated with offline open-grid datasets. The results show that the proposed method outperforms the existing baseline methods in both attack effectiveness and overhead.

Jinyin Chen,Haibin Zheng,Mengmeng Su,Tianyu Du,Changting Lin,Shouling Ji

DOI: https://doi.org/10.1007/978-3-030-42921-8_10

2020-01-01

Abstract:Deep learning is widely applied to various areas for its great performance. However, it is vulnerable to adversarial attacks and poisoning attacks, which arouses a lot of concerns. A number of attack methods and defense strategies have been proposed, most of which focus on adversarial attacks that happen in the testing process. Poisoning attacks, using poisoned-training data to attack deep learning models, are more difficult to defend since the models heavily depend on the training data and strategies to guarantee their performances. Generally, poisoning attacks are conducted by leveraging benign examples with poisoned labels or poison-training examples with benign labels. Both cases are easy to detect. In this paper, we propose a novel poisoning attack named Invisible Poisoning Attack (IPA). In IPA, we use highly stealthy poison-training examples with benign labels, perceptually similar to their benign counterparts, to train the deep learning model. During the testing process, the poisoned model will handle the benign examples correctly, while output erroneous results when fed by the target benign examples (poisoning-trigger examples). We adopt the Non-dominated Sorting Genetic Algorithm (NSGA-II) as the optimizer for evolving the highly stealthy poison-training examples. The generated approximate optimal examples are promised to be both invisible and effective in attacking the target model. We verify the effectiveness of IPA against face recognition systems on different face datasets, including attack ability, stealthiness, and transferability performance.

Jingfeng Zhang,Bo Song,Bo Han,Lei Liu,Gang Niu,Masashi Sugiyama

2023-04-30

Abstract:Adversarial training (AT) is a robust learning algorithm that can defend against adversarial attacks in the inference phase and mitigate the side effects of corrupted data in the training phase. As such, it has become an indispensable component of many artificial intelligence (AI) systems. However, in high-stake AI applications, it is crucial to understand AT's vulnerabilities to ensure reliable deployment. In this paper, we investigate AT's susceptibility to poisoning attacks, a type of malicious attack that manipulates training data to compromise the performance of the trained model. Previous work has focused on poisoning attacks against standard training, but little research has been done on their effectiveness against AT. To fill this gap, we design and test effective poisoning attacks against AT. Specifically, we investigate and design clean-label poisoning attacks, allowing attackers to imperceptibly modify a small fraction of training data to control the algorithm's behavior on a specific target data point. Additionally, we propose the clean-label untargeted attack, enabling attackers can attach tiny stickers on training data to degrade the algorithm's performance on all test data, where the stickers could serve as a signal against unauthorized data collection. Our experiments demonstrate that AT can still be poisoned, highlighting the need for caution when using vanilla AT algorithms in security-related applications. The code is at <a class="link-external link-https" href="https://github.com/zjfheart/Poison-adv-training.git" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security

Xinyun Chen,Chang Liu,Bo Li,Kimberly Lu,Dawn Song

DOI: https://doi.org/10.48550/arXiv.1712.05526

2017-12-15

Abstract:Deep learning models have achieved high performance on many tasks, and thus have been applied to many security-critical scenarios. For example, deep learning-based face recognition systems have been used to authenticate users to access many security-sensitive applications like payment apps. Such usages of deep learning systems provide the adversaries with sufficient incentives to perform attacks against these systems for their adversarial purposes. In this work, we consider a new type of attacks, called backdoor attacks, where the attacker's goal is to create a backdoor into a learning-based authentication system, so that he can easily circumvent the system by leveraging the backdoor. Specifically, the adversary aims at creating backdoor instances, so that the victim learning system will be misled to classify the backdoor instances as a target label specified by the adversary. In particular, we study backdoor poisoning attacks, which achieve backdoor attacks using poisoning strategies. Different from all existing work, our studied poisoning strategies can apply under a very weak threat model: (1) the adversary has no knowledge of the model and the training set used by the victim system; (2) the attacker is allowed to inject only a small amount of poisoning samples; (3) the backdoor key is hard to notice even by human beings to achieve stealthiness. We conduct evaluation to demonstrate that a backdoor adversary can inject only around 50 poisoning samples, while achieving an attack success rate of above 90%. We are also the first work to show that a data poisoning attack can create physically implementable backdoors without touching the training process. Our work demonstrates that backdoor poisoning attacks pose real threats to a learning system, and thus highlights the importance of further investigation and proposing defense strategies against them.

Cryptography and Security,Machine Learning

Nicholas Carlini,Matthew Jagielski,Christopher A. Choquette-Choo,Daniel Paleka,Will Pearce,Hyrum Anderson,Andreas Terzis,Kurt Thomas,Florian Tramèr

2024-05-06

Abstract:Deep learning models are often trained on distributed, web-scale datasets crawled from the internet. In this paper, we introduce two new dataset poisoning attacks that intentionally introduce malicious examples to a model's performance. Our attacks are immediately practical and could, today, poison 10 popular datasets. Our first attack, split-view poisoning, exploits the mutable nature of internet content to ensure a dataset annotator's initial view of the dataset differs from the view downloaded by subsequent clients. By exploiting specific invalid trust assumptions, we show how we could have poisoned 0.01% of the LAION-400M or COYO-700M datasets for just $60 USD. Our second attack, frontrunning poisoning, targets web-scale datasets that periodically snapshot crowd-sourced content -- such as Wikipedia -- where an attacker only needs a time-limited window to inject malicious examples. In light of both attacks, we notify the maintainers of each affected dataset and recommended several low-overhead defenses.

Cryptography and Security,Machine Learning

W. Ronny Huang,Jonas Geiping,Liam Fowl,Gavin Taylor,Tom Goldstein

DOI: https://doi.org/10.48550/arXiv.2004.00225

2021-02-21

Abstract:Data poisoning -- the process by which an attacker takes control of a model by making imperceptible changes to a subset of the training data -- is an emerging threat in the context of neural networks. Existing attacks for data poisoning neural networks have relied on hand-crafted heuristics, because solving the poisoning problem directly via bilevel optimization is generally thought of as intractable for deep models. We propose MetaPoison, a first-order method that approximates the bilevel problem via meta-learning and crafts poisons that fool neural networks. MetaPoison is effective: it outperforms previous clean-label poisoning methods by a large margin. MetaPoison is robust: poisoned data made for one model transfer to a variety of victim models with unknown training settings and architectures. MetaPoison is general-purpose, it works not only in fine-tuning scenarios, but also for end-to-end training from scratch, which till now hasn't been feasible for clean-label attacks with deep nets. MetaPoison can achieve arbitrary adversary goals -- like using poisons of one class to make a target image don the label of another arbitrarily chosen class. Finally, MetaPoison works in the real-world. We demonstrate for the first time successful data poisoning of models trained on the black-box Google Cloud AutoML API. Code and premade poisons are provided at <a class="link-external link-https" href="https://github.com/wronnyhuang/metapoison" rel="external noopener nofollow">this https URL</a>

Machine Learning,Artificial Intelligence,Cryptography and Security,Computer Vision and Pattern Recognition

Shaohua Ding,Yulong Tian,Fengyuan Xu,Qun Li,Sheng Zhong

2019-01-01

Abstract:Deep generative models (DGMs) have empowered unprecedented innovations in many application domains. However, their security has not been thoroughly assessed when deploying such models in practice, especially in those mission-critical tasks like autonomous driving. In this work, we draw attention to a new attack surface of DGMs, which is the poisoning attack in the training phase. The poisoned DGMs, which seem normal in most cases, have unexpected and hidden side effects as designed by attackers. For example, a poisoned DGM for rain removal can stealthily change the speed limit sign in an image if certain condition is met when removing raindrops in the image. Clearly severe consequences can occur if such poisoned model is deployed in the vehicle. Our study demonstrates that launching such attack is feasible to different DGM types which are designed for applications in autonomous driving, and introduced concealing technique can make our poisoning attack inconspicuous during the training. Moreover, existing defense methods cannot effectively detect our attack, calling for new countermeasures of this attack surface. In the end, we propose some potential defense strategies inspiring future explorations.

Shaohua Ding,Yulong Tian,Fengyuan Xu,Qun Li,Sheng Zhong

DOI: https://doi.org/10.1007/978-3-030-37228-6_15

2019-01-01

Abstract:Deep generative models (DGMs) have empowered unprecedented innovations in many application domains. However, their security has not been thoroughly assessed when deploying such models in practice, especially in those mission-critical tasks like autonomous driving. In this work, we draw attention to a new attack surface of DGMs, which is the data used in the training phase. We demonstrate that the training data poisoning, the injection of specially-crafted data, are able to teach Trojan behaviors to a DGM without influencing the original training goal. Such Trojan attack will be activated after model deployment only if certain rare triggers are present in an input. For example, a rain-removal DGM after poisoning can, while removing raindrops in input images, change a traffic light from red to green if this traffic light has a specific appearance (i.e. a trigger). Clearly severe consequences can occur if such poisoned model is deployed on vehicle. Our study shows that launching our Trojan attack is feasible on different DGM categories designed for the autonomous driving scenario, and existing defense methods cannot effectively defeat it. We also introduce a concealing technique to make our data poisoning more inconspicuous during the training. In the end, we propose some potential defense strategies inspiring future explorations.

Jia Li,Zhuo Li,Huangzhao Zhang,Ge Li,Zhi Jin,Xing Hu,Xin Xia,HuangZhao Zhang

DOI: https://doi.org/10.1145/3630008

IF: 3.685

2023-11-01

ACM Transactions on Software Engineering and Methodology

Abstract:In the software engineering (SE) community, deep learning (DL) has recently been applied to many source code processing tasks, achieving state-of-the-art results. Due to the poor interpretability of DL models, their security vulnerabilities require scrutiny. Recently, researchers have identified an emergent security threat to DL models, namely poison attacks . The attackers aim to inject insidious backdoors into DL models by poisoning the training data with poison samples. The backdoors mean that poisoned models work normally with clean inputs but produce targeted erroneous results with inputs embedded with specific triggers. By using triggers to activate backdoors, attackers can manipulate poisoned models in security-related scenarios ( e.g., defect detection) and lead to severe consequences. To verify the vulnerability of deep source code processing models to poison attacks, we present a poison attack approach for source code named CodePoisoner as a strong imaginary enemy. CodePoisoner can produce compilable and functionality-preserving poison samples and effectively attack deep source code processing models by poisoning the training data with poison samples. To defend against poison attacks, we further propose an effective poison detection approach named CodeDetector . CodeDetector can automatically identify poison samples in the training data. We apply CodePoisoner and CodeDetector to six deep source code processing models, including defect detection, clone detection, and code repair models. The results show that 1 CodePoisoner conducts successful poison attacks with a high attack success rate (avg: 98.3%, max: 100%). It validates that existing deep source code processing models have a strong vulnerability to poison attacks. 2 CodeDetector effectively defends against multiple poison attack approaches by detecting (max: 100%) poison samples in the training data. We hope this work can help SE researchers and practitioners notice poison attacks and inspire the design of more advanced defense techniques.

computer science, software engineering

Chen Wang,Jian Chen,Yang Yang,Xiaoqiang Ma,Jiangchuan Liu

DOI: https://doi.org/10.1016/j.dcan.2021.07.009

IF: 6.348

2022-04-01

Digital Communications and Networks

Abstract:Over the past years, the emergence of intelligent networks empowered by machine learning techniques has brought great facilitates to different aspects of human life. However, using machine learning in intelligent networks also presents potential security and privacy threats. A common practice is the so-called poisoning attacks where malicious users inject fake training data with the aim of corrupting the learned model. In this survey, we comprehensively review existing poisoning attacks as well as the countermeasures in intelligent networks for the first time. We emphasize and compare the principles of the formal poisoning attacks employed in different categories of learning algorithms, and analyze the strengths and limitations of corresponding defense methods in a compact form. We also highlight some remaining challenges and future directions in the attack-defense confrontation to promote further research in this emerging yet promising area.

telecommunications

Jing Lin,Ryan Luley,Kaiqi Xiong

DOI: https://doi.org/10.1109/icc45855.2022.9839219

2022-01-01

Abstract:Despite the wide-ranging applicability of machine learning methods, they are vulnerable to security attacks, such as evasion attacks and triggerless data poisoning attacks. An evasion attack occurs at the inference time when an attacker feeds in an adversarial example, a malicious perturbed input that appears the same as its untampered copy to a human oracle. In contrast, a triggerless data poisoning attack occurs at training time. An attacker tries to subvert learning with injected poisoned instances. In this research, we focus on a special sub-category of data poisoning attacks, namely triggerless clean-label targeted data poisoning attacks. This type of attacks is more realistic in the sense that it does not require an attacker to have the ability to change the label of any training instance. That is, attackers can successfully attack the training process with a poison instance that is correctly labeled by a human oracle. We propose a simple but effective way to alter an adversarial attack method into a triggerless clean-label targeted data poisoning attack method with a remarkable attack success rate. Furthermore, our proposed method only requires the injection of a single poison instance to manipulate a transfer learning model to misclassify an untampered targeted instance. We compare our method with a popular one-shot attack and show that our method is easier to be used as we do not need to tune for a hyperparameter such as a similarity coefficient.

Yunjie Ge,Qian Wang,Jiayuan Yu,Chao Shen,Qi Li

DOI: https://doi.org/10.1109/mcom.012.2200596

IF: 9.03

2023-01-01

IEEE Communications Magazine

Abstract:Training high-performance audio models requires a large corpus of training samples, expensive computational resources, and expert knowledge. These costs are computationally intensive for individuals with limited resources. Consequently, users may turn to third-party resources, for example, outsourcing the training to powerful cloud servers or automatically scraping data from the Internet. While these available resources provide a playground for developing audio models, a concerning fact is that malicious third parties may render users vulnerable to data poisoning and backdoor attacks. These attacks can seriously undermine the security and usability of the system supported by the audio model, sometimes with catastrophic consequences. In this article, we review the existing schemes of the backdoor and data poisoning attacks on audio intelligence systems. We classify the state-of-the-art attack schemes into three categories based on their goals, that is, untargeted poisoning attacks, triggerless attacks, and backdoor attacks. We briefly introduce the state-of-the-art solutions, followed by a comprehensive comparison. Moreover, we quantitatively compare several attack methods in terms of the performance of the attacks and the inaudibility of the poisoned examples. Finally, we highlight some promising future research directions in this field.

Xianglong Zhang,Feng Li,Huanle Zhang,Haoxin Zhang,Zhijian Huang,Lisheng Fan,Xiuzhen Cheng,Pengfei Hu

DOI: https://doi.org/10.1109/tmc.2024.3486218

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Neural network models have become integral to Internet of Things (IoT) systems, with applications spanning from industrial automation to critical infrastructure management. Despite their prevalence, the deployment of these models within IoT systems introduces distinctive security vulnerabilities. In particular, adversaries may execute model poisoning attacks, which aim to alter the decision-making processes of embedded models, leading to erroneous outcomes. Existing model poisoning attacks necessitate access to extensive auxiliary datasets, such as the training dataset itself or one with same distribution. These requirements often render such attacks impractical in IoT contexts, given the constrained storage and computational resources of IoT devices. This paper proposes the first model poisoning attack against interpreters without auxiliary datasets to manipulate the model's behavior. We evaluate the attack on three real-world datasets, and results indicate that this attack can successfully coerce the targeted interpreters to produce outcomes aligned with an adversary's intentions, while maintaining nearly indistinguishable performance from the original model, thereby ensuring its stealthiness. Furthermore, beyond directly affected interpreters, our experiments reveal that four additional interpreters coupled to the poisoned model are indirectly influenced, underscoring the attack's transferability.

Sanghak Oh,Kiho Lee,Seonhye Park,Doowon Kim,Hyoungshick Kim

DOI: https://doi.org/10.48550/arXiv.2312.06227

2023-12-11

Abstract:AI-powered coding assistant tools have revolutionized the software engineering ecosystem. However, prior work has demonstrated that these tools are vulnerable to poisoning attacks. In a poisoning attack, an attacker intentionally injects maliciously crafted insecure code snippets into training datasets to manipulate these tools. The poisoned tools can suggest insecure code to developers, resulting in vulnerabilities in their products that attackers can exploit. However, it is still little understood whether such poisoning attacks against the tools would be practical in real-world settings and how developers address the poisoning attacks during software development. To understand the real-world impact of poisoning attacks on developers who rely on AI-powered coding assistants, we conducted two user studies: an online survey and an in-lab study. The online survey involved 238 participants, including software developers and computer science students. The survey results revealed widespread adoption of these tools among participants, primarily to enhance coding speed, eliminate repetition, and gain boilerplate code. However, the survey also found that developers may misplace trust in these tools because they overlooked the risk of poisoning attacks. The in-lab study was conducted with 30 professional developers. The developers were asked to complete three programming tasks with a representative type of AI-powered coding assistant tool, running on Visual Studio Code. The in-lab study results showed that developers using a poisoned ChatGPT-like tool were more prone to including insecure code than those using an IntelliCode-like tool or no tool. This demonstrates the strong influence of these tools on the security of generated code. Our study results highlight the need for education and improved coding practices to address new security issues introduced by AI-powered coding assistant tools.

Cryptography and Security

Tony T. Wang,Adam Gleave,Tom Tseng,Kellin Pelrine,Nora Belrose,Joseph Miller,Michael D. Dennis,Yawen Duan,Viktor Pogrebniak,Sergey Levine,Stuart Russell

2023-07-13

Abstract:We attack the state-of-the-art Go-playing AI system KataGo by training adversarial policies against it, achieving a >97% win rate against KataGo running at superhuman settings. Our adversaries do not win by playing Go well. Instead, they trick KataGo into making serious blunders. Our attack transfers zero-shot to other superhuman Go-playing AIs, and is comprehensible to the extent that human experts can implement it without algorithmic assistance to consistently beat superhuman AIs. The core vulnerability uncovered by our attack persists even in KataGo agents adversarially trained to defend against our attack. Our results demonstrate that even superhuman AI systems may harbor surprising failure modes. Example games are available <a class="link-external link-https" href="https://goattack.far.ai/" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Artificial Intelligence,Cryptography and Security