我们介绍了Sparrow，这是一个寻求信息的对话代理，与提示的语言模型基线相比，训练有素，更有帮助，正确和无害。我们使用从人类反馈中的强化学习来培训我们的模型，以帮助人类评估者判断代理人的行为。首先，为了使我们的代理人更有帮助和无害，我们将良好对话的要求分解为代理人应遵循的自然语言规则，并分别向评估者询问每个规则。我们证明，这种崩溃使我们能够收集对代理行为的更多针对性的人类判断，并允许更有效的规则条件奖励模型。其次，我们的代理商在收集对模型声明的偏好判决时提供了支持事实主张的来源的证据。对于事实问题，麻雀提供的证据支持了78％的时间。比基线比基线更享受麻雀，同时对人类的对抗性探测更具弹性，在探测时只有8％的时间违反了我们的规则。最后，我们进行了广泛的分析，表明尽管我们的模型学会遵守我们的规则，但它可以表现出分布偏见。

大型语言模型会产生类似人类的文本，这些文本推动了越来越多的应用。但是，最近的文献以及越来越多的现实世界观察表明，这些模型可以产生有毒，有偏见，不真实或其他有害的语言。尽管正在进行评估语言模型危害的工作，但要远见卓识转换出可能出现的危害可能会引起严格的基准。为了促进这种翻译，我们概述了六种表征有害文本的方式，这些方法在设计新基准时值得明确考虑。然后，我们将这些特征用作镜头来识别现有基准中的趋势和差距。最后，我们将它们应用于视角API的案例研究，这是一种毒性分类器，被广泛用于HARS基准。我们的特征提供了一块桥梁，可以在远见和有效评估之间转化。

本文旨在帮助构建与大规模语言模型（LMS）相关的风险景观。为了促进负责任的创新的进步，需要深入了解这些模型提出的潜在风险。详细分析了广泛的建立和预期的风险，借鉴了计算机科学，语言学和社会科学的多学科专业知识和文学。我们概述了六个具体风险领域：I.歧视，排除和毒性，II。信息危害，III。误导危害，V.恶意用途，V.人机互动危害，vi。自动化，访问和环境危害。第一个领域涉及陈规定型，不公平歧视，排他性规范，有毒语言和LMS社会群体的绩效。第二个重点侧重于私有数据泄漏或LMS正确推断敏感信息的风险。第三次解决贫困，虚假或误导性信息的风险，包括在敏感域中，以及敲门式风险，如共享信息的信任侵蚀。第四次考虑了试图使用LMS造成伤害的行动者的风险。第五部分侧重于用于支持与人类用户互动的会话代理的LLMS特异性的风险，包括不安全使用，操纵或欺骗。第六六探讨了对不同社会群体或社区可能产生不同影响的环境危害，工作自动化和其他挑战的风险。总的来说，我们审查了21个风险。我们讨论了不同风险的起源点和指向潜在的缓解方法。最后，我们讨论在实施减轻的组织职责，以及协作和参与的作用。我们强调了进一步研究的方向，特别是在扩展工具包时，用于评估和评估LMS中的概述风险。

大多数现实世界的应用需要处理传感器噪声或预测性不确定性等旋能性，其中正式规格的所需行为是固有的概率。尽管正式核查确保神经网络的可靠性，但概率规格方向的进展受到限制。在这个方向上，我们首先介绍神经网络的概率规范的一般性，它捕获了概率网络（例如，贝叶斯神经网络，MC-Dropout Networks）和不确定输入（通过传感器噪声或其他扰动而产生的输入）。然后，我们提出了一种通过概括拉格朗日二元性的概念来验证这些规范的一般技术，替换具有“功能乘法器”的标准拉格朗日乘法器，其可以是给定层上激活的任意功能。我们表明，功能乘法器的最佳选择导致精确的验证（即，声音和完全验证），以及特定形式的乘法器，我们开发了易诊的实际验证算法。我们通过将它们应用于贝叶斯神经网络（BNNS）和MC差动网络，以及认证属性，以及诸如对分发超出（OOD）数据的抗逆性鲁棒性和鲁棒检测的认证性能来验证我们的算法。在这些任务中，与现有工作相比，我们能够提供明显更强烈的保证 - 例如，对于在CiFar-10上培训的VGG-64 MC-Tropout CNN，我们改进了认证的AUC（真实AUC的验证的下限）对于鲁棒的OOD检测（在CIFAR-100上）起价$ 0 \％\ lightarrow 29 \％$。同样，对于在MNIST培训的BNN，我们从60.2美元\％\ lightarrow 74.6 \％$提高了强大的准确性。此外，在一种新颖的规范 - 分布稳健的检测 - 我们从5 \％\ lightarrow 23 \％$的5 \％$。

State-of-the-art classifiers have been shown to be largely vulnerable to adversarial perturbations. One of the most effective strategies to improve robustness is adversarial training. In this paper, we investigate the effect of adversarial training on the geometry of the classification landscape and decision boundaries. We show in particular that adversarial training leads to a significant decrease in the curvature of the loss surface with respect to inputs, leading to a drastically more "linear" behaviour of the network. Using a locally quadratic approximation, we provide theoretical evidence on the existence of a strong relation between large robustness and small curvature. To further show the importance of reduced curvature for improving the robustness, we propose a new regularizer that directly minimizes curvature of the loss surface, and leads to adversarial robustness that is on par with adversarial training. Besides being a more efficient and principled alternative to adversarial training, the proposed regularizer confirms our claims on the importance of exhibiting quasi-linear behavior in the vicinity of data points in order to achieve robustness.

This paper investigates recently proposed approaches for defending against adversarial examples and evaluating adversarial robustness. We motivate adversarial risk as an objective for achieving models robust to worst-case inputs. We then frame commonly used attacks and evaluation metrics as defining a tractable surrogate objective to the true adversarial risk. This suggests that models may optimize this surrogate rather than the true adversarial risk. We formalize this notion as obscurity to an adversary, and develop tools and heuristics for identifying obscured models and designing transparent models. We demonstrate that this is a significant problem in practice by repurposing gradient-free optimization techniques into adversarial attacks, which we use to decrease the accuracy of several recently proposed defenses to near zero. Our hope is that our formulations and results will help researchers to develop more powerful defenses.

Accurate determination of a small molecule candidate (ligand) binding pose in its target protein pocket is important for computer-aided drug discovery. Typical rigid-body docking methods ignore the pocket flexibility of protein, while the more accurate pose generation using molecular dynamics is hindered by slow protein dynamics. We develop a tiered tensor transform (3T) algorithm to rapidly generate diverse protein-ligand complex conformations for both pose and affinity estimation in drug screening, requiring neither machine learning training nor lengthy dynamics computation, while maintaining both coarse-grain-like coordinated protein dynamics and atomistic-level details of the complex pocket. The 3T conformation structures we generate are closer to experimental co-crystal structures than those generated by docking software, and more importantly achieve significantly higher accuracy in active ligand classification than traditional ensemble docking using hundreds of experimental protein conformations. 3T structure transformation is decoupled from the system physics, making future usage in other computational scientific domains possible.

Adversarial imitation learning (AIL) has become a popular alternative to supervised imitation learning that reduces the distribution shift suffered by the latter. However, AIL requires effective exploration during an online reinforcement learning phase. In this work, we show that the standard, naive approach to exploration can manifest as a suboptimal local maximum if a policy learned with AIL sufficiently matches the expert distribution without fully learning the desired task. This can be particularly catastrophic for manipulation tasks, where the difference between an expert and a non-expert state-action pair is often subtle. We present Learning from Guided Play (LfGP), a framework in which we leverage expert demonstrations of multiple exploratory, auxiliary tasks in addition to a main task. The addition of these auxiliary tasks forces the agent to explore states and actions that standard AIL may learn to ignore. Additionally, this particular formulation allows for the reusability of expert data between main tasks. Our experimental results in a challenging multitask robotic manipulation domain indicate that LfGP significantly outperforms both AIL and behaviour cloning, while also being more expert sample efficient than these baselines. To explain this performance gap, we provide further analysis of a toy problem that highlights the coupling between a local maximum and poor exploration, and also visualize the differences between the learned models from AIL and LfGP.

Many problems in machine learning involve bilevel optimization (BLO), including hyperparameter optimization, meta-learning, and dataset distillation. Bilevel problems consist of two nested sub-problems, called the outer and inner problems, respectively. In practice, often at least one of these sub-problems is overparameterized. In this case, there are many ways to choose among optima that achieve equivalent objective values. Inspired by recent studies of the implicit bias induced by optimization algorithms in single-level optimization, we investigate the implicit bias of gradient-based algorithms for bilevel optimization. We delineate two standard BLO methods -- cold-start and warm-start -- and show that the converged solution or long-run behavior depends to a large degree on these and other algorithmic choices, such as the hypergradient approximation. We also show that the inner solutions obtained by warm-start BLO can encode a surprising amount of information about the outer objective, even when the outer parameters are low-dimensional. We believe that implicit bias deserves as central a role in the study of bilevel optimization as it has attained in the study of single-level neural net optimization.

The Covid-19 pandemic induced a vast increase in adolescents diagnosed with eating disorders and hospitalized due to eating disorders. This immense growth stemmed partially from the stress of the pandemic but also from increased exposure to content that promotes eating disorders via social media, which, within the last decade, has become plagued by pro-eating disorder content. This study aimed to create a deep learning model capable of determining whether a given social media post promotes eating disorders based solely on image data. Tweets from hashtags that have been documented to promote eating disorders along with tweets from unrelated hashtags were collected. After prepossessing, these images were labeled as either pro-eating disorder or not based on which Twitter hashtag they were scraped from. Several deep-learning models were trained on the scraped dataset and were evaluated based on their accuracy, F1 score, precision, and recall. Ultimately, the vision transformer model was determined to be the most accurate, attaining an F1 score of 0.877 and an accuracy of 86.7% on the test set. The model, which was applied to unlabeled Twitter image data scraped from "#selfie", uncovered seasonal fluctuations in the relative abundance of pro-eating disorder content, which reached its peak in the summertime. These fluctuations correspond not only to the seasons, but also to stressors, such as the Covid-19 pandemic. Moreover, the Twitter image data indicated that the relative amount of pro-eating disorder content has been steadily rising over the last five years and is likely to continue increasing in the future.