当模型向人们提供决定时，分销转移可能会造成不当差异。但是，由于模型及其训练集通常是专有的，因此外部实体很难检查分配变化。在本文中，我们介绍并研究了一种黑盒审计方法，以检测分配转移案例，从而导致跨人口组的模型差异。通过扩展在成员资格和属性推理攻击中使用的技术（旨在暴露于学习模型中的私人信息），我们证明了外部审核员可以仅通过查询模型来获取这些分配所需的信息，以识别这些分布的变化。我们对现实世界数据集的实验结果表明，这种方法是有效的，在检测培训集中人口统计组不足的转移方面达到了80--100％的AUC-ROC。研究人员和调查记者可以使用我们的工具对专有模型进行非授权审核，并在培训数据集中暴露出不足的案例。

最近的工作表明，培训的型号训练在相同的目标，并实现了对一致的测试数据的类似准确度的措施，尽管如此，仍可能对个体预测中的表现非常不同。这种不一致在高赌注环境中是不可取的，例如医学诊断和金融。我们表明，这种不一致的行为超出了对特征归因的预测，这同样对模型的可懂度具有负面影响，以及一个能够找到对象的追索权的能力。然后，我们将通过应用假设测试对使用随机选择的起始条件训练的一组模型的预测来减轻这些不一致的选择性合并来减轻这种不一致;重要的是，选择性集合可以在无法实现一致结果无法实现指定的置信水平的情况下弃权。我们证明了选择性集合之间的预测分歧是有界的，并且经验证明了选择性集合在保持低弃权率的同时实现一致的预测和特征归因。在几个基准数据集中，选择性集合达到零不一致预测点，额外的速率低1.5％。

从数据中学到的分类器越来越多地用作安全是关键问题的系统中的组件。在这项工作中，我们通过称为安全订购约束的约束来提出针对分类器的正式安全概念。这些限制条件将分类器输出的类输出的顺序与输入的条件有关，并且表达足以编码文献中分类器安全规范的各种有趣的示例。对于使用神经网络实施的分类器，我们还提出了一种运行时机制，用于执行安全订购约束。我们的方法基于一个自我校正层，该层可证明，无论分类器输入的特征如何，它都可以产生安全的输出。我们将此层与现有的神经网络分类器组成，以构建自我校正网络（SC-NET），并证明除了提供安全的输出外，SC-NET还可以保证尽可能保留原始网络的分类精度。我们的方法独立于用于分类的神经网络的大小和体系结构，仅取决于指定的属性和网络输出的尺寸；因此，它可扩展到大型最新网络。我们表明，我们的方法可以针对GPU进行优化，从而在当前硬件上引入了少于1ms的运行时开销 - 即使在包含数十万个神经元和数百万参数的大型，广泛使用的网络上。

Machine learning algorithms, when applied to sensitive data, pose a distinct threat to privacy. A growing body of prior work demonstrates that models produced by these algorithms may leak specific private information in the training data to an attacker, either through the models' structure or their observable behavior. However, the underlying cause of this privacy risk is not well understood beyond a handful of anecdotal accounts that suggest overfitting and influence might play a role.This paper examines the effect that overfitting and influence have on the ability of an attacker to learn information about the training data from machine learning models, either through training set membership inference or attribute inference attacks. Using both formal and empirical analyses, we illustrate a clear relationship between these factors and the privacy risk that arises in several popular machine learning algorithms. We find that overfitting is sufficient to allow an attacker to perform membership inference and, when the target attribute meets certain conditions about its influence, attribute inference attacks. Interestingly, our formal analysis also shows that overfitting is not necessary for these attacks and begins to shed light on what other factors may be in play. Finally, we explore the connection between membership inference and attribute inference, showing that there are deep connections between the two that lead to effective new attacks.

Deep learning takes advantage of large datasets and computationally efficient training algorithms to outperform other approaches at various machine learning tasks. However, imperfections in the training phase of deep neural networks make them vulnerable to adversarial samples: inputs crafted by adversaries with the intent of causing deep neural networks to misclassify. In this work, we formalize the space of adversaries against deep neural networks (DNNs) and introduce a novel class of algorithms to craft adversarial samples based on a precise understanding of the mapping between inputs and outputs of DNNs. In an application to computer vision, we show that our algorithms can reliably produce samples correctly classified by human subjects but misclassified in specific targets by a DNN with a 97% adversarial success rate while only modifying on average 4.02% of the input features per sample. We then evaluate the vulnerability of different sample classes to adversarial perturbations by defining a hardness measure. Finally, we describe preliminary work outlining defenses against adversarial samples by defining a predictive measure of distance between a benign input and a target classification.

Remote sensing imagery provides comprehensive views of the Earth, where different sensors collect complementary data at different spatial scales. Large, pretrained models are commonly finetuned with imagery that is heavily augmented to mimic different conditions and scales, with the resulting models used for various tasks with imagery from a range of spatial scales. Such models overlook scale-specific information in the data. In this paper, we present Scale-MAE, a pretraining method that explicitly learns relationships between data at different, known scales throughout the pretraining process. Scale-MAE pretrains a network by masking an input image at a known input scale, where the area of the Earth covered by the image determines the scale of the ViT positional encoding, not the image resolution. Scale-MAE encodes the masked image with a standard ViT backbone, and then decodes the masked image through a bandpass filter to reconstruct low/high frequency images at lower/higher scales. We find that tasking the network with reconstructing both low/high frequency images leads to robust multiscale representations for remote sensing imagery. Scale-MAE achieves an average of a $5.0\%$ non-parametric kNN classification improvement across eight remote sensing datasets compared to current state-of-the-art and obtains a $0.9$ mIoU to $3.8$ mIoU improvement on the SpaceNet building segmentation transfer task for a range of evaluation scales.

We address the problem of unsupervised domain adaptation when the source domain differs from the target domain because of a shift in the distribution of a latent subgroup. When this subgroup confounds all observed data, neither covariate shift nor label shift assumptions apply. We show that the optimal target predictor can be non-parametrically identified with the help of concept and proxy variables available only in the source domain, and unlabeled data from the target. The identification results are constructive, immediately suggesting an algorithm for estimating the optimal predictor in the target. For continuous observations, when this algorithm becomes impractical, we propose a latent variable model specific to the data generation process at hand. We show how the approach degrades as the size of the shift changes, and verify that it outperforms both covariate and label shift adjustment.

With the rise in high resolution remote sensing technologies there has been an explosion in the amount of data available for forest monitoring, and an accompanying growth in artificial intelligence applications to automatically derive forest properties of interest from these datasets. Many studies use their own data at small spatio-temporal scales, and demonstrate an application of an existing or adapted data science method for a particular task. This approach often involves intensive and time-consuming data collection and processing, but generates results restricted to specific ecosystems and sensor types. There is a lack of widespread acknowledgement of how the types and structures of data used affects performance and accuracy of analysis algorithms. To accelerate progress in the field more efficiently, benchmarking datasets upon which methods can be tested and compared are sorely needed. Here, we discuss how lack of standardisation impacts confidence in estimation of key forest properties, and how considerations of data collection need to be accounted for in assessing method performance. We present pragmatic requirements and considerations for the creation of rigorous, useful benchmarking datasets for forest monitoring applications, and discuss how tools from modern data science can improve use of existing data. We list a set of example large-scale datasets that could contribute to benchmarking, and present a vision for how community-driven, representative benchmarking initiatives could benefit the field.

Massive data corpora like WebText, Wikipedia, Conceptual Captions, WebImageText, and LAION have propelled recent dramatic progress in AI. Large neural models trained on such datasets produce impressive results and top many of today's benchmarks. A notable omission within this family of large-scale datasets is 3D data. Despite considerable interest and potential applications in 3D vision, datasets of high-fidelity 3D models continue to be mid-sized with limited diversity of object categories. Addressing this gap, we present Objaverse 1.0, a large dataset of objects with 800K+ (and growing) 3D models with descriptive captions, tags, and animations. Objaverse improves upon present day 3D repositories in terms of scale, number of categories, and in the visual diversity of instances within a category. We demonstrate the large potential of Objaverse via four diverse applications: training generative 3D models, improving tail category segmentation on the LVIS benchmark, training open-vocabulary object-navigation models for Embodied AI, and creating a new benchmark for robustness analysis of vision models. Objaverse can open new directions for research and enable new applications across the field of AI.

The Graph Protocol indexes historical blockchain transaction data and makes it available for querying. As the protocol is decentralized, there are many independent Indexers that index and compete with each other for serving queries to the Consumers. One dimension along which Indexers compete is pricing. In this paper, we propose a bandit-based algorithm for maximization of Indexers' revenue via Consumer budget discovery. We present the design and the considerations we had to make for a dynamic pricing algorithm being used by multiple agents simultaneously. We discuss the results achieved by our dynamic pricing bandits both in simulation and deployed into production on one of the Indexers operating on Ethereum. We have open-sourced both the simulation framework and tools we created, which other Indexers have since started to adapt into their own workflows.