机器学习、物联网和云计算的进步极大地推动了无数下游应用的稳步繁荣，这使 得各种新的应用可以通过分析和处理私人数据从而为用户提供定制的服务。然而，这 些私人数据往往包含不希望被泄露的敏感信息，但是被外部应用处理的过程会让用 户丧失对私有数据的控制，从而造成隐私泄露的问题。近年来，许多国家和地区关注 数据隐私保护工作，但这也一定程度上影响了数据的可用性。因此，如何在保护数据 隐私的同时，发挥数据的效用成为亟待解决的问题。 本文致力于保证数据隐私的同时发挥数据的效用，面向神经网络的推理阶段展 开研究，主要研究内容和创新点总结如下：

1. 通过实例分析，我们发现激活函数是神经网络推理密文的效率瓶颈。因此，通 过分析激活函数的发挥作用的机制，设计了适用于密文推理的神经网络架构 SieveNet。在这项工作中，正向传播中的激活函数被等效为一组自适应参数，并 提出 Sieve Layer 作为替代方案。在 Sieve Layer 的帮助下，SieveNet 实现了神经 网络中非线性计算过程与其他线性组件的解耦。在此基础上，结合加性秘密共 享和对抗训练，提出了一种基于 SieveNet 的安全神经网络推理框架。评估结果表明，该框架的推理速度与以往的工作相比具有优势。

2. 研究了安全神经网络推理场景中激活函数所带来的高延迟问题。通过比较主流 激活函数和多项式激活函数，本文提出一个新的观点，即激活函数为模型引入 了一种归纳偏置。而 ReLU 等主流的激活函数成功的原因是其引入的归纳偏置 是面向余弦相似度的。本文提出了一种新的激活函数 S-cos，它可以在推理阶段 重新参数化为一个线性层，这对于安全神经网络推理是友好的。接下来，通过 分析深层特征相对于浅层特征的优势，并提出了一种随机特征提取模块，用于 监督具有单激活层的模型学习多尺度特征。最后，基于 S-cos 设计了一个称为 超线性神经网络 (B-LNN) 的模型，并将其与算术秘密共享 (A-SS) 相结合，提出 了一个安全推理框架。

3. 提出了一个保护与目标任务无关信息的安全推理框架。机器学习即服务的范式 处理预测请求会导致用户公开与任务无关的敏感信息。这是因为用户上传的数 据包含一部分信息，这部分信息无助于目标任务，但会暴露用户敏感信息。一 种直观的方法是过滤掉与任务无关的信息，以保护数据隐私。这种做法对于具 有自然独立条目的结构化数据来说，这是可行的，但对于非结构化数据来说是 一个挑战。为此，本文提出了一个部分保护隐私的框架，目的是为非结构化数据学习一个匿名转换，只保留与目标任务相关的属性。具体来说，本文引入了 解纠缠表征学习来将非结构化数据表达到隐空间，并设计了一个任务适应模型 来标记目标任务所需的信息。

Advances in machine learning, the Internet of Things, and cloud computing have greatly promoted the steady prosperity of countless downstream applications, which enables various new applications to provide users with customized services by analyzing and processing private data. However, these private data often contain sensitive information that is not expected to be disclosed, but the process of being processed by external applications will cause users to lose control of private data, thus causing the problem of privacy leakage. In recent years, many countries and regions have paid attention to data privacy protection, but this has also affected the availability of data to a certain extent. Therefore, how to make full use of data while protecting data privacy has become an urgent problem to be solved. This paper is committed to ensuring data privacy while giving full play to the utility of data, and conducts research on the inference stage of neural networks. The main research contents and innovations are summarized as follows:

1. Through case analysis, we found that the activation function is the efficiency bottleneck of neural network inferring ciphertext. Therefore, by analyzing the mechanism of the activation function, a neural network architecture SieveNet suitable for ciphertext inferring is designed. In this work, the activation function in forward propagation is equivalent to a set of adaptive parameters, and Sieve Layer is proposed as an alternative. With the help of Sieve Layer, SieveNet realizes the decoupling of nonlinear computing process and other linear components in neural network. On this basis, combined with additive secret sharing and adversarial training, a secure neural network inference framework based on SieveNet is proposed. The evaluation results show that the inference speed of the proposed framework is superior to previous work.

2. The problem of high latency introduced by activation functions in secure neural network inference scenarios is studied. By comparing the mainstream activation function and the polynomial activation function, this paper proposes a new point of view, that is, the activation function introduces an inductive bias to the model. The reason why mainstream activation functions such as ReLU are successful is that the inductive bias introduced by them is oriented to cosine similarity. This paper proposes a new activation function S-cos, which can be reparameterized as a linear layer in the inference stage, which is friendly for secure neural network inference. Next, by analyzing the advantages of deep features over shallow features, a random feature extraction module is proposed to supervise models with a single activation layer to learn multi-scale features. Finally, a model called Beyond Linear Neural Network (B-LNN) is designed based on S-cos and combined with Arithmetic Secret Sharing (A-SS), a secure inference framework is proposed.

3. A secure inference framework for protecting information irrelevant to the target task is proposed. The ML-as-a-service paradigm of processing prediction requests can result in users exposing sensitive information that is irrelevant to the task. This is because the data uploaded by users contains a part of information that is not helpful to the target task but exposes sensitive information of users. An intuitive approach is to  filter out task-irrelevant information to preserve data privacy. This approach works for  structured data with naturally independent entries, but is a challenge for unstructured  data. To this end, this paper proposes a partially privacy-preserving framework that  aims to learn an anonymous transformation for unstructured data that preserves only  attributes relevant to the target task. Specifically, this paper introduces disentangled  representation learning to represent unstructured data into the latent space, and designs a task adaptation model to label the information required for the target task.

[1] GRAY J. What next? a few remaining problems in information technology[C/OL]//1998. https: //www.microsoft.com/en-us/research/publication/what-next-a-few-remaining-problems-in-infor
mation-technology/.
[2] MURPHY, J, F, et al. The general data protection regulation (gdpr)[J]. Irish Medical Journal, 2018.
[3] OSBORN S L. Role-based access control[J]. Network Security Technology & Application, 2007.
[4] GRANDO A, SOTTARA D, SINGH R, et al. Pilot evaluation of sensitive data segmentation
technology for privacy[J/OL]. International Journal of Medical Informatics, 2020, 138: 104121.
https://www.sciencedirect.com/science/article/pii/S1386505619313681. DOI: https:
//doi.org/10.1016/j.ijmedinf.2020.104121.
[5] JIE L, CONG W, YANHUI G. Agent-based access control security in grid computing environment[C/OL]//Proceedings. 2005 IEEE Networking, Sensing and Control, 2005. 2005: 159-162. DOI: 10.1109/ICNSC.2005.1461179.
[6] BAKKEN D, RARAMESWARAN R, BLOUGH D, et al. Data obfuscation: anonymity and
desensitization of usable data sets[J/OL]. IEEE Security & Privacy, 2004, 2(6): 34-41. DOI:
10.1109/MSP.2004.97.
[7] 隐私计算白皮书 (2021 年)[Z]. 2021.
[8] MOHASSEL P, ZHANG Y. Secureml: A system for scalable privacy-preserving machine learning[C/OL]//2017 IEEE Symposium on Security and Privacy (SP). 2017: 19-38. DOI: 10.1109/SP.2017.12.
[9] LIU J, JUUTI M, LU Y, et al. Oblivious neural network predictions via minionn transformations [C/OL]//CCS ’17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA: Association for Computing Machinery, 2017: 619–631. https://doi.org/10.1145/3133956.3134056.
[10] JUVEKAR C, VAIKUNTANATHAN V, CHANDRAKASAN A. Gazelle: A low latency framework for secure neural network inference[C]//SEC’18: Proceedings of the 27th USENIX Conference on Security Symposium. USA: USENIX Association, 2018: 1651–1668.
[11] ROUHANI B D, RIAZI M S, KOUSHANFAR F. Deepsecure: Scalable provably-secure deep learning.[J]. IACR Cryptology ePrint Archive, 2017, 2017: 502.
[12] RIAZI M S, SAMRAGH M, CHEN H, et al. Xonn: Xnor-based oblivious deep neural network inference[A]. 2019.
[13] HUANG Z, JIE LU W, HONG C, et al. Cheetah: Lean and fast secure two-party deep neural
network inference[EB/OL]. 2022. https://eprint.iacr.org/2022/207.
[14] CHEON J H, KIM M, KIM M. Search-and-compute on encrypted data[C/OL]//BRENNER M, CHRISTIN N, JOHNSON B, et al. Lecture Notes in Computer Science: volume 8976 Finan
cial Cryptography and Data Security - FC 2015 International Workshops, BITCOIN, WAHC, and
Wearable, San Juan, Puerto Rico, January 30, 2015, Revised Selected Papers. Springer, 2015:
142-159. https://doi.org/10.1007/978-3-662-48051-9_11.
[15] SMART N P, VERCAUTEREN F. Fully homomorphic SIMD operations[J/OL]. Des. Codes
Cryptogr., 2014, 71(1): 57-81. https://doi.org/10.1007/s10623-012-9720-4.
[16] LIU X, DENG R H, CHOO K R, et al. Privacy-preserving outsourced calculation toolkit in the cloud[J/OL]. IEEE Trans. Dependable Secur. Comput., 2020, 17(5): 898-911. https://doi.org/10.1109/TDSC.2018.2816656.
[17] GILAD-BACHRACH R, DOWLIN N, LAINE K, et al. Cryptonets: Applying neural networks to encrypted data with high throughput and accuracy[C/OL]//BALCAN M, WEINBERGER K Q. JMLR Workshop and Conference Proceedings: volume 48 Proceedings of the 33nd International Conference on Machine Learning, ICML 2016, New York City, NY, USA, June 19-24, 2016. JMLR.org, 2016: 201-210. http://proceedings.mlr.press/v48/gilad-bachrach16.html.
[18] JIANG X, KIM M, LAUTER K E, et al. Secure outsourced matrix computation and application to neural networks[C/OL]//LIE D, MANNAN M, BACKES M, et al. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, October 15-19, 2018. ACM, 2018: 1209-1222. https://doi.org/10.1145/3243734.3243837.
[19] BRUTZKUS A, GILAD-BACHRACH R, ELISHA O. Low latency privacy preserving inference
[C/OL]//CHAUDHURI K, SALAKHUTDINOV R. Proceedings of Machine Learning Research:
volume 97 Proceedings of the 36th International Conference on Machine Learning, ICML 2019,
9-15 June 2019, Long Beach, California, USA. PMLR, 2019: 812-821. http://proceedings.mlr.pr
ess/v97/brutzkus19a.html.
[20] CHAO J, BADAWI A A, UNNIKRISHNAN B, et al. Carenets: Compact and resource
efficient CNN for homomorphic inference on encrypted medical images[J/OL]. CoRR, 2019,
abs/1901.10074. http://arxiv.org/abs/1901.10074.
[21] BOURSE F, MINELLI M, MINIHOLD M, et al. Fast homomorphic evaluation of deep discretized neural networks[C/OL]//SHACHAM H, BOLDYREVA A. Lecture Notes in Computer Science: volume 10993 Advances in Cryptology - CRYPTO 2018 - 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2018, Proceedings, Part III. Springer, 2018: 483-512. https://doi.org/10.1007/978-3-319-96878-0_17.
[22] COURBARIAUX M, BENGIO Y. Binarynet: Training deep neural networks with weights and activations constrained to +1 or -1[J/OL]. CoRR, 2016, abs/1602.02830. http://arxiv.org/abs/16 02.02830.
[23] CHILLOTTI I, GAMA N, GEORGIEVA M, et al. Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds[C/OL]//CHEON J H, TAKAGI T. Lecture Notes in Computer Science: volume 10031 Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, Part I. 2016: 3-33. https://doi.org/10.1007/978-3-662-53887 -6_1.
[24] LOU Q, JIANG L. She: A fast and accurate deep neural network for encrypted data[M]. Red
Hook, NY, USA: Curran Associates Inc., 2019.
[25] NAIR V, HINTON G E. Rectified linear units improve restricted boltzmann machines[C/OL]// FÜRNKRANZ J, JOACHIMS T. Proceedings of the 27th International Conference on Machine Learning (ICML-10), June 21-24, 2010, Haifa, Israel. Omnipress, 2010: 807-814. https://icml.cc/Conferences/2010/papers/432.pdf.
[26] ZHOU A, YAO A, GUO Y, et al. Incremental network quantization: Towards lossless cnns with low-precision weights[C/OL]//5th International Conference on Learning Representations, ICLR
2017, Toulon, France, April 24-26, 2017, Conference Track Proceedings. OpenReview.net, 2017.
https://openreview.net/forum?id=HyQJ-mclg.
[27] ZHANG X, ZHOU X, LIN M, et al. Shufflenet: An extremely efficient convolutional neural network for mobile devices[C/OL]//2018 IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2018, Salt Lake City, UT, USA, June 18-22, 2018. Computer Vision Foundation / IEEE Computer Society, 2018: 6848-6856. http://openaccess.thecvf.com/content_cvpr_2018/html/Zha ng_ShuffleNet_An_Extremely_CVPR_2018_paper.html. DOI: 10.1109/CVPR.2018.00716.
[28] MEFTAH S, TAN B H M, MUN C F, et al. Doren: Toward efficient deep convolutional neural networks with fully homomorphic encryption[J/OL]. IEEE Transactions on Information Forensics and Security, 2021, 16: 3740-3752. DOI: 10.1109/TIFS.2021.3090959.
[29] TRAMÈR F, BONEH D. Slalom: Fast, verifiable and private execution of neural networks in
trusted hardware[C/OL]//7th International Conference on Learning Representations, ICLR 2019,
New Orleans, LA, USA, May 6-9, 2019. OpenReview.net, 2019. https://openreview.net/forum?i
d=rJVorjCcKQ.
[30] TOPLE S, GROVER K, SHINDE S, et al. Privado: Practical and secure DNN inference[J/OL]. CoRR, 2018, abs/1810.00602. http://arxiv.org/abs/1810.00602.
[31] MCKEEN F, ALEXANDROVICH I, BERENZON A, et al. Innovative instructions and software model for isolated execution[C/OL]//LEE R B, SHI W. HASP 2013, The Second Workshop on Hardware and Architectural Support for Security and Privacy, Tel-Aviv, Israel, June 23-24, 2013. ACM, 2013: 10. https://doi.org/10.1145/2487726.2488368.
[32] HANZLIK L, ZHANG Y, GROSSE K, et al. Mlcapsule: Guarded offline deployment of machine learning as a service[C/OL]//IEEE Conference on Computer Vision and Pattern Recognition Workshops, CVPR Workshops 2021, virtual, June 19-25, 2021. Computer Vision Foundation / IEEE, 2021: 3300-3309.https://openaccess.thecvf.com/content/CVPR2021W/TCV/html/Hanzlik_M LCapsule_Guarded_Offline_Deployment_of_Machine_Learning_as_a_Service_CVPRW_2021_
paper.html. DOI: 10.1109/CVPRW53098.2021.00368.
[33] MISHRA P, LEHMKUHL R, SRINIVASAN A, et al. Delphi: A cryptographic inference ser
vice for neural networks[C/OL]//CAPKUN S, ROESNER F. 29th USENIX Security Sympo
sium, USENIX Security 2020, August 12-14, 2020. USENIX Association, 2020: 2505-2522.
https://www.usenix.org/conference/usenixsecurity20/presentation/mishra.
[34] TIAN Y, NJILLA L, YUAN J, et al. Low-latency privacy-preserving outsourcing of deep neural network inference[J/OL]. IEEE Internet Things J., 2021, 8(5): 3300-3309. https://doi.org/10.1109/JIOT.2020.3003468.
[35] WANG Q, MA W, LIU G. Sievenet: Decoupling activation function neural network for privacypreserving deep learning[J/OL]. Inf. Sci., 2021, 573: 262-278. https://doi.org/10.1016/j.ins.2021 .05.054.
[36] XIANG L, ZHANG H, MA H, et al. Interpretable complex-valued neural networks for privacy protection[C/OL]//8th International Conference on Learning Representations, ICLR 2020, Addis Ababa, Ethiopia, April 26-30, 2020. OpenReview.net, 2020. https://openreview.net/forum?id=S1xFl64tDr.
[37] GOODFELLOW I J, POUGET-ABADIE J, MIRZA M, et al. Generative adversarial nets[C/OL]// GHAHRAMANI Z, WELLING M, CORTES C, et al. Advances in Neural Information Processing Systems 27: Annual Conference on Neural Information Processing Systems 2014, December 8-13 2014, Montreal, Quebec, Canada. 2014: 2672-2680. https://proceedings.neurips.cc/paper/2014/hash/5ca3e9b122f61f8f06494c97b1afccf3-Abstract.html.
[38] SWEENEY L. k-anonymity: A model for protecting privacy[J/OL]. Int. J. Uncertain. Fuzziness Knowl. Based Syst., 2002, 10(5): 557-570. https://doi.org/10.1142/S0218488502001648.
[39] MACHANAVAJJHALA A, GEHRKE J, KIFER D, et al. L-diversity: privacy beyond k-anonymity [C/OL]//22nd International Conference on Data Engineering (ICDE’06). 2006: 24-24. DOI: 10.1109/ICDE.2006.1.
[40] LI N, LI T, VENKATASUBRAMANIAN S. t-closeness: Privacy beyond k-anonymity and l-
diversity[C/OL]//2007 IEEE 23rd International Conference on Data Engineering. 2007: 106-115.
DOI: 10.1109/ICDE.2007.367856.
[41] DWORK C, ROTH A. The algorithmic foundations of differential privacy[J/OL]. Found. Trends Theor. Comput. Sci., 2014, 9(3–4): 211–407. https://doi.org/10.1561/0400000042.
[42] MIRONOV I. Rényi differential privacy[C/OL]//2017 IEEE 30th Computer Security Foundations Symposium (CSF). 2017: 263-275. DOI: 10.1109/CSF.2017.11.
[43] ABADI M, CHU A, GOODFELLOW I, et al. Deep learning with differential privacy[C/OL]//CCS ’16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA: Association for Computing Machinery, 2016: 308–318. https: //doi.org/10.1145/2976749.2978318.
[44] PAPERNOT N, SONG S, MIRONOV I, et al. Scalable private learning with PATE[C/OL]//6th International Conference on Learning Representations, ICLR 2018, Vancouver, BC, Canada, April 30 - May 3, 2018, Conference Track Proceedings. OpenReview.net, 2018. https://openreview.net/forum?id=rkZB1XbRZ.
[45] OH S J, BENENSON R, FRITZ M, et al. Faceless person recognition: Privacy implications in social media[C]//LEIBE B, MATAS J, SEBE N, et al. Computer Vision – ECCV 2016. Cham:
Springer International Publishing, 2016: 19-35.
[46]DOWLIN N, GILAD-BACHRACH R, LAINE K, et al. Cryptonets: Applying neural networks to encrypted data with high throughput and accuracy[C]//ICML’16: Proceedings of the 33rd International Conference on International Conference on Machine Learning - Volume 48. New York, NY, USA: JMLR.org, 2016: 201–210.
[47]LI J, KUANG X, LIN S, et al. Privacy preservation for machine learning training and classification based on homomorphic encryption schemes[J/OL]. Information Sciences, 2020, 526: 166 - 179. http://www.sciencedirect.com/science/article/pii/S0020025520302218. DOI: https://doi.org/10.1
016/j.ins.2020.03.041.
[48]RIAZI M S, WEINERT C, TKACHENKO O, et al. Chameleon: A hybrid secure computation
framework for machine learning applications[C/OL]//ASIACCS ’18: Proceedings of the 2018 on
Asia Conference on Computer and Communications Security. New York, NY, USA: Association
for Computing Machinery, 2018: 707–721. DOI: 10.1145/3196494.3196522.
[49] YU J, ZHANG B, KUANG Z, et al. iprivacy: Image privacy protection by identifying sensitive objects via deep multi-task learning[J/OL]. IEEE Transactions on Information Forensics and Security, 2017, 12(5): 1005-1016. DOI: 10.1109/TIFS.2016.2636090.
[50] MALEKZADEH M, CLEGG R G, HADDADI H. Replacement autoencoder: A privacy
preserving algorithm for sensory data analysis[C/OL]//2018 IEEE/ACM Third International Con-
ference on Internet-of-Things Design and Implementation (IoTDI). 2018: 165-176. DOI: 10.110
9/IoTDI.2018.00025.
[51] ALOUFI R, HADDADI H, BOYLE D. Privacy-preserving voice analysis via disentangled representations[C/OL]//CCSW’20: Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop. New York, NY, USA: Association for Computing Machinery, 2020: 1–14. https://doi.org/10.1145/3411495.3421355.
[52] VAN DEN OORD A, VINYALS O, KAVUKCUOGLU K. Neural discrete representation learning[C/OL]//GUYON I, LUXBURG U V, BENGIO S, et al. Advances in Neural Information Processing Systems: volume 30. Curran Associates, Inc., 2017.https://proceedings.neurips.cc/paper/2017/file/7a98af17e63a0ac09ce2e96d03992fbc-Paper.pdf.
[53] KALCHBRENNER N, ELSEN E, SIMONYAN K, et al. Efficient neural audio synthesis[C/OL]//DY J G, KRAUSE A. Proceedings of Machine Learning Research: volume 80 Proceedings of the 35th International Conference on Machine Learning, ICML 2018, Stockholmsmässan, Stockholm, Sweden, July 10-15, 2018. PMLR, 2018: 2415-2424. http://proceedings.mlr.press/v80/kalchbrenner18a.html.
[54] GONG M, LIU J, LI H, et al. Disentangled representation learning for multiple attributes preserving face deidentification[J/OL]. IEEE Transactions on Neural Networks and Learning Systems, 2020:
1-13. DOI: 10.1109/TNNLS.2020.3027617.
[55] WU H, TIAN X, LI M, et al. Pecam: Privacy-enhanced video streaming and analytics via securelyreversible transformation[C/OL]//MobiCom ’21: Proceedings of the 27th Annual International Conference on Mobile Computing and Networking. New York, NY, USA: Association for Computing Machinery, 2021: 229–241. https://doi.org/10.1145/3447993.3448618.
[56] JIA J, GONG N Z. Attriguard: A practical defense against attribute inference attacks via adversarial machine learning[C]//SEC’18: Proceedings of the 27th USENIX Conference on Security Symposium. USA: USENIX Association, 2018: 513–529.
[57] WU Z, WANG Z, WANG Z, et al. Towards privacy-preserving visual recognition via adversarial training: A pilot study[C]//FERRARI V, HEBERT M, SMINCHISESCU C, et al. Computer Vision – ECCV 2018. Cham: Springer International Publishing, 2018: 627-645.
[58] TOLSTIKHIN I O, HOULSBY N, KOLESNIKOV A, et al. Mlp-mixer: An all-mlp architec
ture for vision[C/OL]//RANZATO M, BEYGELZIMER A, DAUPHIN Y N, et al. Advances in
Neural Information Processing Systems 34: Annual Conference on Neural Information Process
ing Systems 2021, NeurIPS 2021, December 6-14, 2021, virtual. 2021: 24261-24272. https:
//proceedings.neurips.cc/paper/2021/hash/cba0a4ee5ccd02fda0fe3f9a3e7b89fe-Abstract.html.
[59] LIU P, QIU X, HUANG X. Recurrent neural network for text classification with multi-task learning[C/OL]//KAMBHAMPATI S. Proceedings of the Twenty-Fifth International Joint Conference on Artificial Intelligence, IJCAI 2016, New York, NY, USA, 9-15 July 2016. IJCAI/AAAI Press, 2016: 2873-2879. http://www.ijcai.org/Abstract/16/408.
[60] ACKLEY D H, HINTON G E, SEJNOWSKI T J. A learning algorithm for boltzmann machines[J/OL]. Cogn. Sci., 1985, 9(1): 147-169. https://doi.org/10.1207/s15516709cog0901_7.
[61] KRIZHEVSKY A, SUTSKEVER I, HINTON G E. Imagenet classification with deep convolutional neural networks[C/OL]//BARTLETT P L, PEREIRA F C N, BURGES C J C, et al. Advances in Neural Information Processing Systems 25: 26th Annual Conference on Neural Information Processing Systems 2012. Proceedings of a meeting held December 3-6, 2012, Lake Tahoe, Nevada, United States. 2012: 1106-1114. https://proceedings.neurips.cc/paper/2012/hash/c399862d3b9 d6b76c8436e924a68c45b-Abstract.html.
[62] VASWANI A, SHAZEER N, PARMAR N, et al. Attention is all you need[C/OL]//GUYON I, VON LUXBURG U, BENGIO S, et al. Advances in Neural Information Processing Systems 30:
Annual Conference on Neural Information Processing Systems 2017, December 4-9, 2017, Long
Beach, CA, USA. 2017: 5998-6008. https://proceedings.neurips.cc/paper/2017/hash/3f5ee2435
47dee91fbd053c1c4a845aa-Abstract.html.
[63] YU D, WANG H, CHEN P, et al. Mixed pooling for convolutional neural networks[C/OL]//2014: 364-375. DOI: 10.1007/978-3-319-11740-9_34.
[64] LIU K, LIU X, YANG A, et al. A robust adversarial training approach to machine reading comprehension[C/OL]//The Thirty-Fourth AAAI Conference on Artificial Intelligence, AAAI 2020, The Thirty-Second Innovative Applications of Artificial Intelligence Conference, IAAI 2020, The Tenth AAAI Symposium on Educational Advances in Artificial Intelligence, EAAI 2020, New York, NY, USA, February 7-12, 2020. AAAI Press, 2020: 8392-8400. https://ojs.aaai.org/index.php/AAAI/article/view/6357.
[65] REN Q, CHEN Y, MO Y, et al. Dice: Domain-attack invariant causal learning for improved data privacy protection and adversarial robustness[C/OL]//KDD ’22: Proceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining. New York, NY, USA: Association for Computing Machinery, 2022: 1483–1492. https://doi.org/10.1145/3534678.3539242.
[66] LI A, YANG H, CHEN Y. Task-agnostic privacy-preserving representation learning via federated learning[M/OL]//YANG Q, FAN L, YU H. Lecture Notes in Computer Science: volume 12500 Federated Learning - Privacy and Incentive. Springer, 2020: 51-65.https://doi.org/10.1007/978-3-030-63076-8_4.
[67] GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples [C/OL]//BENGIO Y, LECUN Y. 3rd International Conference on Learning Representations, ICLR
2015, San Diego, CA, USA, May 7-9, 2015, Conference Track Proceedings. 2015. http://arxiv.or
g/abs/1412.6572.
[68] MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks[C/OL]//6th International Conference on Learning Representations, ICLR 2018, Vancouver, BC, Canada, April 30 - May 3, 2018, Conference Track Proceedings. OpenReview.net,
2018. https://openreview.net/forum?id=rJzIBfZAb.
[69] DONG Y, LIAO F, PANG T, et al. Boosting adversarial attacks with momentum[C/OL]//2018 IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2018, Salt Lake City, UT, USA, June 18-22, 2018. Computer Vision Foundation / IEEE Computer Society, 2018: 9185-9193. http://openaccess.thecvf.com/content_cvpr_2018/html/Dong_Boosting_Adversarial_Attacks_C
VPR_2018_paper.html. DOI: 10.1109/CVPR.2018.00957.
[70] ZHANG H, YU Y, JIAO J, et al. Theoretically principled trade-off between robustness and
accuracy[C/OL]//CHAUDHURI K, SALAKHUTDINOV R. Proceedings of Machine Learning
Research: volume 97 Proceedings of the 36th International Conference on Machine Learn
ing, ICML 2019, 9-15 June 2019, Long Beach, California, USA. PMLR, 2019: 7472-7482.
http://proceedings.mlr.press/v97/zhang19p.html.
[71] RL R, LM A, ML D. On data banks and privacy homomorphisms[J]. Foundations of Secure
Computation, 1978, 4.
[72] RIVEST R L, SHAMIR A, ADLEMAN L M. A method for obtaining digital signatures and public key cryptosystems (reprint)[J/OL]. Commun. ACM, 1983, 26(1): 96-99. https://doi.org/10.1145/
357980.358017.
[73] GAMAL T E. A public key cryptosystem and a signature scheme based on discrete logarithms[J/OL]. IEEE Trans. Inf. Theory, 1985, 31(4): 469-472. https://doi.org/10.1109/TIT.1985.10570
74.
[74] CHEON J H, KIM J. A hybrid scheme of public-key encryption and somewhat homomorphic
encryption[J/OL]. IEEE Transactions on Information Forensics and Security, 2015, 10(5): 1052-
1063. DOI: 10.1109/TIFS.2015.2398359.
[75] GENTRY C. Fully homomorphic encryption using ideal lattices[C/OL]//MITZENMACHER M. Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, May 31 - June 2, 2009. ACM, 2009: 169-178. https://doi.org/10.1145/1536414.1536440.
[76] VAN DIJK M, GENTRY C, HALEVI S, et al. Fully homomorphic encryption over the integers [J/OL]. IACR Cryptol. ePrint Arch., 2009: 616. http://eprint.iacr.org/2009/616.
[77] BRAKERSKI Z, VAIKUNTANATHAN V. Fully homomorphic encryption from ring-lwe and security for key dependent messages[C/OL]//ROGAWAY P. Lecture Notes in Computer Sci
ence: volume 6841 Advances in Cryptology - CRYPTO 2011 - 31st Annual Cryptology Con
ference, Santa Barbara, CA, USA, August 14-18, 2011. Proceedings. Springer, 2011: 505-524.
https://doi.org/10.1007/978-3-642-22792-9_29.
[78] BRAKERSKI Z, GENTRY C, VAIKUNTANATHAN V. (leveled) fully homomorphic encryption without bootstrapping[J/OL]. ACM Trans. Comput. Theory, 2014, 6(3): 13:1-13:36. https://doi. org/10.1145/2633600.
[79] DEMMLER D, SCHNEIDER T, ZOHNER M. ABY - A framework for efficient mixed-protocol secure two-party computation[C/OL]//22nd Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, California, USA, February 8-11, 2015. The Internet Society, 2015. https://www.ndss-symposium.org/ndss2015/aby-framework-efficient-mixed-protocol-secure-two-party-computation.
[80] RABIN M O. How to exchange secrets with oblivious transfer[M/OL]//IACR Eprint archive.
2005. http://eprint.iacr.org/2005/187.
[81] HUANG Y, EVANS D, KATZ J, et al. Faster secure two-party computation using garbled circuits [C]//SEC’11: Proceedings of the 20th USENIX Conference on Security. USA: USENIX Association, 2011: 35.
[82] FEIGE U, FIAT A, SHAMIR A. Zero-knowledge proofs of identity[J/OL]. J. Cryptol., 1988, 1 (2): 77–94. https://doi.org/10.1007/BF02351717.
[83] DEMMLER D, SCHNEIDER T, ZOHNER M. Aby - a framework for efficient mixed-protocol secure two-party computation[C/OL]//22. Annual Network and Distributed System Security Symposium (NDSS’15). Internet Society, 2015. http://tubiblio.ulb.tu-darmstadt.de/101761/.
[84] DWORK C. Differential privacy: A survey of results[C/OL]//AGRAWAL M, DU D, DUAN Z, et al. Lecture Notes in Computer Science: volume 4978 Theory and Applications of Models of
Computation, 5th International Conference, TAMC 2008, Xi’an, China, April 25-29, 2008. Pro
ceedings. Springer, 2008: 1-19. https://doi.org/10.1007/978-3-540-79228-4_1.
[85] MORÁN A, FRASSER C F, ROCA M, et al. Energy-efficient pattern recognition hardware with elementary cellular automata[J/OL]. IEEE Trans. Computers, 2020, 69(3): 392-401. https://doi. org/10.1109/TC.2019.2949300.
[86] GHAZVININEJAD M, KARPUKHIN V, ZETTLEMOYER L, et al. Aligned cross entropy for non-autoregressive machine translation[C/OL]//Proceedings of Machine Learning Research: volume 119 Proceedings of the 37th International Conference on Machine Learning, ICML 2020,
13-18 July 2020, Virtual Event. PMLR, 2020: 3515-3523. http://proceedings.mlr.press/v119/gha
zvininejad20a.html.
[87] MAHESWARANATHAN N, SUSSILLO D. How recurrent networks implement contextual processing in sentiment analysis[C/OL]//Proceedings of Machine Learning Research: volume 119 Proceedings of the 37th International Conference on Machine Learning, ICML 2020, 13-18 July 2020, Virtual Event. PMLR, 2020: 6608-6619. http://proceedings.mlr.press/v119/maheswaranathan20a.html.
[88] RIBEIRO M, GROLINGER K, CAPRETZ M A M. Mlaas: Machine learning as a service[C/OL]// LI T, KURGAN L A, PALADE V, et al. 14th IEEE International Conference on Machine Learning and Applications, ICMLA 2015, Miami, FL, USA, December 9-11, 2015. IEEE, 2015: 896-902.
https://doi.org/10.1109/ICMLA.2015.152.
[89] HAYKIN S. Neural networks: A comprehensive foundation (3rd edition)[M]. Macmillan, 1994.
[90] FREDRIKSON M, LANTZ E, JHA S, et al. Privacy in pharmacogenetics: An end-to-end case study of personalized warfarin dosing[C]//SEC’14: Proceedings of the 23rd USENIX Conference on Security Symposium. USA: USENIX Association, 2014: 17–32.
[91] FREDRIKSON M, JHA S, RISTENPART T. Model inversion attacks that exploit confidence information and basic countermeasures[C/OL]//2015: 1322-1333. DOI:10.1145/2810103.2813677.
[92] SHARIF M, BHAGAVATULA S, BAUER L, et al. Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition[C/OL]//CCS ’16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA: Association for Computing Machinery, 2016: 1528–1540. https://doi.org/10.1145/2976749.2978392.
[93] GROSSE K, PAPERNOT N, MANOHARAN P, et al. Adversarial perturbations against deep neural networks for malware classification[J/OL]. CoRR, 2016, abs/1606.04435. http://arxiv.org/abs/1606.04435.
[94] DENG J, DONG W, SOCHER R, et al. Imagenet: A large-scale hierarchical image database
[C/OL]//2009 IEEE Computer Society Conference on Computer Vision and Pattern Recognition
(CVPR 2009), 20-25 June 2009, Miami, Florida, USA. IEEE Computer Society, 2009: 248-255.
https://doi.org/10.1109/CVPR.2009.5206848.
[95] LIU S, DU J, SHRIVASTAVA A, et al. Privacy adversarial network: Representation learning for mobile data privacy[J/OL]. Proc. ACM Interact. Mob. Wearable Ubiquitous Technol., 2019, 3(4). https://doi.org/10.1145/3369816.
[96] LI A, GUO J, YANG H, et al. Deepobfuscator: Adversarial training framework for privacy
preserving image classification: abs/1909.04126[A]. 2019.
[97] LI A, DUAN Y, YANG H, et al. Tiprdc: Task-independent privacy-respecting data crowdsourcing framework for deep learning with anonymized intermediate representations[C/OL]//KDD ’20: Proceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery .&; Data Mining. New York, NY, USA: Association for Computing Machinery, 2020: 824–832. https://doi.org/10.1145/3394486.3403125.
[98] HJELM R D, FEDOROV A, LAVOIE-MARCHILDON S, et al. Learning deep representations by mutual information estimation and maximization[C/OL]//7th International Conference on Learning Representations, ICLR 2019, New Orleans, LA, USA, May 6-9, 2019. OpenReview.net, 2019. https://openreview.net/forum?id=Bklr3j0cKX.
[99] YAU W C, HENG S H, GOI B M. Off-line keyword guessing attacks on recent public key encryption with keyword search schemes[C]//RONG C, JAATUN M G, SANDNES F E, et al. Autonomic and Trusted Computing. Berlin, Heidelberg: Springer Berlin Heidelberg, 2008: 100-105.
[100] WANG J, SUN K, CHENG T, et al. Deep high-resolution representation learning for visual recognition[J/OL]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2021, 43(10): 3349-3364. DOI: 10.1109/TPAMI.2020.2983686.
[101] LIU Z, LIN Y, CAO Y, et al. Swin transformer: Hierarchical vision transformer using shifted windows[C/OL]//2021 IEEE/CVF International Conference on Computer Vision, ICCV 2021, Montreal, QC, Canada, October 10-17, 2021. IEEE, 2021: 9992-10002. https://doi.org/10.1109/ICCV 48922.2021.00986.
[102] KIM K, YE J C. Noise2score: Tweedie’s approach to self-supervised image denoising without clean images[C/OL]//RANZATO M, BEYGELZIMER A, DAUPHIN Y N, et al. Advances in Neural Information Processing Systems 34: Annual Conference on Neural Information Processing Systems 2021, NeurIPS 2021, December 6-14, 2021, virtual. 2021: 864-874. https://proceedings.neurips.cc/paper/2021/hash/077b83af57538aa183971a2fe0971ec1-Abstract.html.
[103] JIN D, GAO S, KIM S, et al. Towards textual out-of-domain detection without in-domain labels [J/OL]. IEEE/ACM Transactions on Audio, Speech, and Language Processing, 2022, 30: 1386- 1395. DOI: 10.1109/TASLP.2022.3162081.
[104] CHEN W, JIANG H, WU Q, et al. Advpicker: Effectively leveraging unlabeled data via adversarial discriminator for cross-lingual NER[C/OL]//ZONG C, XIA F, LI W, et al. Proceedings of the 59th Annual Meeting of the Association for Computational Linguistics and the 11th International Joint Conference on Natural Language Processing, ACL/IJCNLP 2021, (Volume 1: Long Papers), Virtual Event, August 1-6, 2021. Association for Computational Linguistics, 2021: 743-753. https: //doi.org/10.18653/v1/2021.acl-long.61.
[105] BRAGG J, COHAN A, LO K, et al. FLEX: unifying evaluation for few-shot NLP[C/OL]//
RANZATO M, BEYGELZIMER A, DAUPHIN Y N, et al. Advances in Neural Information Pro
cessing Systems 34: Annual Conference on Neural Information Processing Systems 2021, NeurIPS 2021, December 6-14, 2021, virtual. 2021: 15787-15800. https://proceedings.neurips.cc/paper/2
021/hash/8493eeaccb772c0878f99d60a0bd2bb3-Abstract.html.
[106] RATHEE D, RATHEE M, KUMAR N, et al. Cryptflow2: Practical 2-party secure inference
[C/OL]//27th Annual Conference on Computer and Communications Security (ACM CCS 2020).
ACM, 2020. https://www.microsoft.com/en-us/research/publication/cryptflow2-practical-2-par
ty-secure-inference/.
[107] WAGH S, GUPTA D, CHANDRAN N. Securenn: 3-party secure computation for neural network training[J/OL]. Proceedings on Privacy Enhancing Technologies, 2019, 2019(3): 26-49. https: //doi.org/10.2478/popets-2019-0035. DOI: doi:10.2478/popets-2019-0035.
[108] AGRAWAL N, SHAMSABADI A S, KUSNER M J, et al. QUOTIENT: two-party secure neural network training and prediction[C/OL]//CAVALLARO L, KINDER J, WANG X, et al. Proceed
ings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS
2019, London, UK, November 11-15, 2019. ACM, 2019: 1231-1247. https://doi.org/10.1145/33
19535.3339819.
[109] DATHATHRI R, SAARIKIVI O, CHEN H, et al. Chet: An optimizing compiler for fully
homomorphic neural-network inferencing[C/OL]//PLDI 2019: Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation. New York, NY, USA: Association for Computing Machinery, 2019: 142–156. https://doi.org/10.1145/3314221.3314628.
[110] BOEMER F, COSTACHE A, CAMMAROTA R, et al. ngraph-he2: A high-throughput framework for neural network inference on encrypted data[C/OL]//BRENNER M, LEPOINT T, ROHLOFF K. Proceedings of the 7th ACM Workshop on Encrypted Computing & Applied Homomorphic Cryptography, WAHC@CCS 2019, London, UK, November 11-15, 2019. ACM, 2019: 45-56. https://doi.org/10.1145/3338469.3358944.
[111] YAO A C. Protocols for secure computations[C]//Proc. of the 23rd Annual IEEE Symposium on Foundations of Computer Science, 1982. 1982.
[112] YANG K, WENG C, LAN X, et al. Ferret: Fast extension for correlated OT with small communication[C/OL]//LIGATTI J, OU X, KATZ J, et al. CCS ’20: 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, USA, November 9-13, 2020. ACM, 2020: 1607-1626. https://doi.org/10.1145/3372297.3417276.
[113] COUTEAU G, RINDAL P, RAGHURAMAN S. Silver: Silent VOLE and oblivious transfer from hardness of decoding structured LDPC codes[C/OL]//MALKIN T, PEIKERT C. Lecture Notes in Computer Science: volume 12827 Advances in Cryptology - CRYPTO 2021 - 41st Annual International Cryptology Conference, CRYPTO 2021, Virtual Event, August 16-20, 2021, Proceedings, Part III. Springer, 2021: 502-534. https://doi.org/10.1007/978-3-030-84252-9_17.
[114] BATTAGLIA P W, HAMRICK J B, BAPST V, et al. Relational inductive biases, deep learning, and graph networks[J/OL]. CoRR, 2018, abs/1806.01261. http://arxiv.org/abs/1806.01261.
[115] PARK N, KIM S. How do vision transformers work?[J/OL]. CoRR, 2022, abs/2202.06709. https: //arxiv.org/abs/2202.06709.
[116] HU M, FENG J, HUA J, et al. Online convolutional re-parameterization[J/OL]. CoRR, 2022, abs/2204.00826. https://doi.org/10.48550/arXiv.2204.00826.
[117] DEVLIN J, CHANG M, LEE K, et al. BERT: pre-training of deep bidirectional transformers for language understanding[C/OL]//BURSTEIN J, DORAN C, SOLORIO T. Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, NAACL-HLT 2019, Minneapolis, MN, USA, June 2-7, 2019, Volume 1 (Long and Short Papers). Association for Computational Linguistics, 2019: 4171-4186. https://doi.org/10.18653/v1/n19-1423.
[118] DOSOVITSKIY A, BEYER L, KOLESNIKOV A, et al. An image is worth 16x16 words: Transformers for image recognition at scale[J/OL]. CoRR, 2020, abs/2010.11929. https://arxiv.org/abs/2010.11929.
[119] LI A, GUO J, YANG H, et al. Deepobfuscator: Obfuscating intermediate representations with privacy-preserving adversarial learning on smartphones[C/OL]//IoTDI ’21: International Conference on Internet-of-Things Design and Implementation, Virtual Event / Charlottesville, VA, USA, May 18-21, 2021. ACM, 2021: 28-39. https://doi.org/10.1145/3450268.3453519.
[120] ACHILLE A, SOATTO S. Emergence of invariance and disentanglement in deep representations[J]. J. Mach. Learn. Res., 2018, 19(1): 1947–1980.
[121] GOOGLE. Google now launcher.[EB/OL]. 2018. https://en.wikipedia.org/wiki/Google_Now.
[122] GOOGLE. Data preparation[EB/OL]. 2018.https://cloud.google.com/ml-engine/docs/tensorflo w/data-prep.
[123] FREDRIKSON M, JHA S, RISTENPART T. Model inversion attacks that exploit confidence information and basic countermeasures[C/OL]//CCS ’15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA:Association for Computing Machinery, 2015: 1322–1333. https://doi.org/10.1145/2810103.2813677.
[124] MAHENDRAN A, VEDALDI A. Understanding deep image representations by inverting them[C/OL]//2015 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). 2015:
5188-5196. DOI: 10.1109/CVPR.2015.7299155.
[125] HIDANO S, MURAKAMI T, KATSUMATA S, et al. Model inversion attacks for prediction systems: Without knowledge of non-sensitive attributes[C/OL]//2017 15th Annual Conference on Privacy, Security and Trust (PST). 2017: 115-11509. DOI: 10.1109/PST.2017.00023.
[126] OSIA S A, SHAHIN SHAMSABADI A, SAJADMANESH S, et al. A hybrid deep learning architecture for privacy-preserving mobile analytics[J/OL]. IEEE Internet of Things Journal, 2020,
7(5): 4505-4518. DOI: 10.1109/JIOT.2020.2967734.
[127] GOODFELLOW I, POUGET-ABADIE J, MIRZA M, et al. Generative adversarial nets[C/OL]//GHAHRAMANI Z, WELLING M, CORTES C, et al. Advances in Neural Information Processing Systems: volume 27. Curran Associates, Inc., 2014. https://proceedings.neurips.cc/paper/2014/file/5ca3e9b122f61f8f06494c97b1afccf3-Paper.pdf.
[128] ZHOU B, KHOSLA A, LAPEDRIZA A, et al. Learning deep features for discriminative localization[C/OL]//2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). 2016: 2921-2929. DOI: 10.1109/CVPR.2016.319.
[129] CHATTOPADHAY A, SARKAR A, HOWLADER P, et al. Grad-cam++: Generalized gradientbased visual explanations for deep convolutional networks[C/OL]//2018 IEEE Winter Conference on Applications of Computer Vision (WACV). 2018: 839-847. DOI: 10.1109/WACV.2018.0009 7.
[130] ZHANG Q, RAO L, YANG Y. Group-cam: Group score-weighted visual explanations for deep convolutional networks[A]. 2021. arXiv: 2103.13859.
[131] ZHANG Q, WANG X, WU Y N, et al. Interpretable cnns for object classification[J/OL]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2021, 43(10): 3416-3431. DOI: 10.1
109/TPAMI.2020.2982882.
[132] HIGGINS I, MATTHEY L, PAL A, et al. beta-vae: Learning basic visual concepts with a constrained variational framework[C/OL]//5th International Conference on Learning Representations,ICLR 2017, Toulon, France, April 24-26, 2017, Conference Track Proceedings. OpenReview.net, 2017. https://openreview.net/forum?id=Sy2fzU9gl.
[133] KIM H, MNIH A. Disentangling by factorising[C/OL]//DY J G, KRAUSE A. Proceedings of Machine Learning Research: volume 80 Proceedings of the 35th International Conference on Machine Learning, ICML 2018, Stockholmsmässan, Stockholm, Sweden, July 10-15, 2018. PMLR, 2018: 2654-2663. http://proceedings.mlr.press/v80/kim18b.html.
[134] CHEN T Q, LI X, GROSSE R B, et al. Isolating sources of disentanglement in variational autoencoders[C/OL]//BENGIO S, WALLACH H M, LAROCHELLE H, et al. Advances in Neural Information Processing Systems 31: Annual Conference on Neural Information Processing Systems 2018, NeurIPS 2018, December 3-8, 2018, Montréal, Canada. 2018: 2615-2625. https:
//proceedings.neurips.cc/paper/2018/hash/1ee3dfcd8a0645a25a35977997223d22-Abstract.html.
[135] CHEN X, DUAN Y, HOUTHOOFT R, et al. Infogan: Interpretable representation learning by information maximizing generative adversarial nets[C/OL]//LEE D D, SUGIYAMA M, VON
LUXBURG U, et al. Advances in Neural Information Processing Systems 29: Annual Confer
ence on Neural Information Processing Systems 2016, December 5-10, 2016, Barcelona, Spain.
2016: 2172-2180. https://proceedings.neurips.cc/paper/2016/hash/7c9d0b1f96aebd7b5eca8c3ed
aa19ebb-Abstract.html.
[136] KINGMA D P, DHARIWAL P. Glow: Generative flow with invertible 1x1 convolutions[C/OL]//BENGIO S, WALLACH H M, LAROCHELLE H, et al. Advances in Neural Information Processing Systems 31: Annual Conference on Neural Information Processing Systems 2018, NeurIPS
2018, December 3-8, 2018, Montréal, Canada. 2018: 10236-10245. https://proceedings.neurips.
cc/paper/2018/hash/d139db6a236200b21cc7f752979132d0-Abstract.html.
[137] LARSEN A B L, SØNDERBY S K, LAROCHELLE H, et al. Autoencoding beyond pixels using a learned similarity metric[C]//ICML’16: Proceedings of the 33rd International Conference on International Conference on Machine Learning - Volume 48. New York, NY, USA: JMLR.org,
2016: 1558–1566.
[138] MATTHEY L, HIGGINS I, HASSABIS D, et al. dsprites: Disentanglement testing sprites dataset [Z]. 2017.
[139] Lecun Y, Bottou L, Bengio Y, et al. Gradient-based learning applied to document recognition[J]. Proceedings of the IEEE, 1998, 86(11): 2278-2324.
[140] LIU Z, LUO P, WANG X, et al. Deep learning face attributes in the wild[C]//Proceedings of International Conference on Computer Vision (ICCV). 2015.
[141] TRUEX S, BARACALDO N, ANWAR A, et al. A hybrid approach to privacy-preserving federated learning[J]. Informatik Spektrum, 2019: 1 - 2.
[142] VAN DER MAATEN L, HINTON G. Visualizing data using t-sne.[J]. Journal of machine learning research, 2008, 9(11)