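Sharpness-Aware Minimization (SAM) is a recent training method that relies on worst-case weight perturbations and significantly improves generalization in various settings. We argue that the existing justifications for the success of SAM, which are based on a PAC-Bayes generalization bound and the idea of convergence to flat minima, are incomplete. Moreover, there is no explanation for the success of using $m$-sharpness in SAM, which is essential for generalization. To better understand this aspect of SAM, we theoretically analyze its implicit bias for diagonal linear networks. We prove that SAM always chooses a better solution than standard gradient descent for a certain class of problems, and that this effect is amplified by using $m$-sharpness. We further study the properties of the implicit bias on non-linear networks empirically, where we show that fine-tuning a standard model with SAM can lead to significant generalization improvements. Finally, we provide convergence results of SAM for non-convex objectives when used with stochastic gradients. We illustrate these results empirically for deep networks and discuss their relation to the generalization behavior of SAM. The code of our experiments is available at https://github.com/tml-epfl/understanding-sam.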
translated by Google Translate
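The literature on robustness to common corruptions shows no consensus on whether adversarial training can improve performance in this setting. First, we show that, when used with an appropriately selected perturbation radius, $\ell_p$ adversarial training can serve as a strong baseline against common corruptions, improving both accuracy and calibration. Then we explain why adversarial training performs better than data augmentation with simple Gaussian noise, which has been observed to be a meaningful baseline on common corruptions. Related to this, we identify the $\sigma$-overfitting phenomenon, in which Gaussian augmentation overfits to the particular standard deviation used for training, which has a significant detrimental effect on common-corruption accuracy. We discuss how to alleviate this problem and then how to further enhance $\ell_p$ adversarial training by introducing an efficient relaxation of adversarial training with learned perceptual image patch similarity. Through experiments on CIFAR-10 and ImageNet-100, we show that our approach not only improves the $\ell_p$ adversarial training baseline but also has cumulative gains with data augmentation methods such as AugMix, DeepAugment, ANT, and SIN, leading to state-of-the-art performance on common corruptions. The code of our experiments is publicly available at https://github.com/tml-epfl/adv-training - 窗子.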
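As a research community, we still lack a systematic understanding of the progress on adversarial robustness, which often makes it hard to identify the most promising ideas in training robust models. A key challenge in benchmarking robustness is that its evaluation is often error-prone, leading to robustness overestimation. Our goal is to establish a standardized benchmark of adversarial robustness that reflects, as accurately as possible, the robustness of the considered models within a reasonable computational budget. To this end, we start by considering the image classification task and introduce restrictions (possibly loosened in the future) on the allowed models. We evaluate adversarial robustness with AutoAttack, an ensemble of white-box and black-box attacks, which was recently shown in a large-scale study to improve almost all robustness evaluations compared to the original publications. To prevent over-adaptation of new defenses to AutoAttack, we welcome external evaluations based on adaptive attacks, especially in cases of potential robustness overestimation with AutoAttack. Our leaderboard, hosted at https://robustbench.github.io/, contains evaluations of more than 120 models and aims to reflect the current state of the art in image classification on a set of well-defined tasks in $\ell_\infty$- and $\ell_2$-threat models and on common corruptions, with possible extensions in the future. Additionally, we open-source the library https://github.com/robustbench/robustbench, which provides unified access to more than 80 robust models to facilitate their downstream applications. Finally, based on the collected models, we analyze the impact of robustness on distribution shift, calibration, out-of-distribution detection, fairness, privacy leakage, smoothness, and transferability.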
We propose the Square Attack, a score-based black-box l2- and l∞-adversarial attack that does not rely on local gradient information and thus is not affected by gradient masking. Square Attack is based on a randomized search scheme which selects localized square-shaped updates at random positions so that at each iteration the perturbation is situated approximately at the boundary of the feasible set. Our method is significantly more query efficient and achieves a higher success rate compared to the state-of-the-art methods, especially in the untargeted setting. In particular, on ImageNet we improve the average query efficiency in the untargeted setting for various deep networks by a factor of at least 1.8 and up to 3 compared to the recent state-of-the-art l∞-attack of Al-Dujaili & O'Reilly (2020). Moreover, although our attack is black-box, it can also outperform gradient-based white-box attacks on the standard benchmarks, achieving a new state-of-the-art in terms of the success rate. The code of our attack is available at https://github.com/max-andr/square-attack.
Classifiers used in the wild, in particular for safety-critical systems, should not only have good generalization properties but also should know when they don't know, in particular make low-confidence predictions far away from the training data. We show that ReLU-type neural networks, which yield a piecewise linear classifier function, fail in this regard as they almost always produce high-confidence predictions far away from the training data. For bounded domains like images we propose a new robust optimization technique similar to adversarial training which enforces low-confidence predictions far away from the training data. We show that this technique is surprisingly effective in reducing the confidence of predictions far away from the training data while maintaining high-confidence predictions and test error on the original classification task compared to standard training.
Large language models (LLMs) have demonstrated strong performance in zero-shot reasoning tasks, including abductive reasoning. This is reflected in their ability to perform well on current benchmarks in this area. However, to truly test the limits of LLMs in abductive reasoning, a more challenging benchmark is needed. In this paper, we present such a benchmark, consisting of 191 long-form mystery stories, each approximately 1200 words in length and presented in the form of detective puzzles. Each puzzle includes a multiple-choice question for evaluation sourced from the "5 Minute Mystery" platform. Our results show that state-of-the-art GPT models perform significantly worse than human solvers on this benchmark, with an accuracy of 28% compared to 47% for humans. This indicates that there is still a significant gap in the abductive reasoning abilities of LLMs and highlights the need for further research in this area. Our work provides a challenging benchmark for future studies on reasoning in language models and contributes to a better understanding of the limits of LLMs' abilities.
Related works used indexes like CKA and variants of CCA to measure the similarity of cross-lingual representations in multilingual language models. In this paper, we argue that assumptions of CKA/CCA align poorly with one of the motivating goals of cross-lingual learning analysis, i.e., explaining zero-shot cross-lingual transfer. We highlight what valuable aspects of cross-lingual similarity these indexes fail to capture and provide a motivating case study demonstrating the problem empirically. Then, we introduce Average Neuron-Wise Correlation (ANC) as a straightforward alternative that is exempt from the difficulties of CKA/CCA and is good specifically in a cross-lingual context. Finally, we use ANC to construct evidence that the previously introduced "first align, then predict" pattern takes place not only in masked language models (MLMs) but also in multilingual models with causal language modeling objectives (CLMs). Moreover, we show that the pattern extends to the scaled versions of the MLMs and CLMs (up to 85x original mBERT). Our code is publicly available at https://github.com/TartuNLP/xsim.
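Generative flow networks (GFlowNets) are a family of algorithms for training a sequential sampler of discrete objects under an unnormalized target density and have been successfully used for various probabilistic modeling tasks. Existing training objectives for GFlowNets are either local to states or transitions, or propagate a reward signal over an entire sampling trajectory. We argue that these alternatives represent opposite ends of a gradient bias-variance tradeoff and propose a way to exploit this tradeoff to mitigate its harmful effects. Inspired by the TD($\lambda$) algorithm in reinforcement learning, we introduce subtrajectory balance, or SubTB($\lambda$), a GFlowNet training objective that can learn from partial action subsequences of varying lengths. We show that SubTB($\lambda$) accelerates sampler convergence in previously studied and new environments and enables training GFlowNets in environments with longer action sequences than previously possible. We also perform a comparative analysis of stochastic gradient dynamics, shedding light on the bias-variance tradeoff in GFlowNet training and the advantages of subtrajectory balance.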
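Adversarial patch attacks are an emerging security threat for real-world deep learning applications. We present Demasked Smoothing, the first approach (to our knowledge) to certify the robustness of semantic segmentation models against this threat model. Previous work on certifiably defending against patch attacks has mostly focused on the image classification task and has often required changes to the model architecture and additional training, which is undesirable and computationally expensive. In Demasked Smoothing, any segmentation model can be applied without particular training, fine-tuning, or restriction of the architecture. Using different masking strategies, Demasked Smoothing can be applied to both certified detection and certified recovery. In extensive experiments we show that, on the ADE20K dataset, Demasked Smoothing can on average certify 64% of the pixel predictions for a 1% patch in the detection task and 48% for a 0.5% patch in the recovery task.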
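We introduce two block coordinate descent algorithms for solving optimization problems with ordinary differential equations (ODEs) as dynamical constraints. The algorithms do not need to implement direct or adjoint sensitivity analysis methods to evaluate loss function gradients. They result from a reformulation of the original problem as an equivalent optimization problem with equality constraints. The algorithms naturally follow from steps aimed at recovering the gradient descent algorithm based on ODE solvers that explicitly account for the sensitivity of the ODE solution. In our first proposed algorithm, we avoid explicitly solving the ODE by integrating the ODE solver as a sequence of implicit constraints. In our second algorithm, we use an ODE solver to reset the ODE solution, but no direct or adjoint sensitivity analysis methods are used. Both algorithms accept mini-batch implementations and show significant efficiency benefits from GPU-based parallelization. We demonstrate the performance of the algorithms when applied to learning the parameters of the Cucker-Smale model. The algorithms are compared with gradient descent algorithms based on ODE solvers endowed with sensitivity analysis capabilities, for various numbers of states, using PyTorch and JAX implementations. The experimental results show that the proposed algorithms are at least 4x faster than the PyTorch implementations and at least 16x faster than the JAX implementations. For large versions of the Cucker-Smale model, the JAX implementation is thousands of times faster than the sensitivity-analysis-based implementation. In addition, our algorithms produce more accurate results on both training and test data. Such gains in computational efficiency are crucial for algorithms that implement real-time parameter estimation, such as diagnosis algorithms.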