神经网络缺乏对抗性鲁棒性，即，它们容易受到对抗的例子，通过对输入的小扰动导致错误的预测。此外，当模型给出错误的预测时，信任被破坏，即，预测的概率不是我们应该相信我们模型的良好指标。在本文中，我们研究了对抗性鲁棒性和校准之间的联系，发现模型对小扰动敏感的输入（很容易攻击）更有可能具有较差的预测。基于这种洞察力，我们通过解决这些对抗的缺陷输入来研究校准。为此，我们提出了基于对抗基于对抗的自适应标签平滑（AR-AD），其通过适应性软化标签，通过适应性软化标签来整合对抗性鲁棒性和校准到训练中的相关性，这是基于对敌人可以攻击的容易攻击。我们发现我们的方法，考虑了分销数据的对抗性稳健性，即使在分布班次下也能够更好地校准模型。此外，还可以应用于集合模型，以进一步提高模型校准。

Modern machine learning methods including deep learning have achieved great success in predictive accuracy for supervised learning tasks, but may still fall short in giving useful estimates of their predictive uncertainty. Quantifying uncertainty is especially critical in real-world settings, which often involve input distributions that are shifted from the training distribution due to a variety of factors including sample bias and non-stationarity. In such settings, well calibrated uncertainty estimates convey information about when a model's output should (or should not) be trusted. Many probabilistic deep learning methods, including Bayesian-and non-Bayesian methods, have been proposed in the literature for quantifying predictive uncertainty, but to our knowledge there has not previously been a rigorous largescale empirical comparison of these methods under dataset shift. We present a largescale benchmark of existing state-of-the-art methods on classification problems and investigate the effect of dataset shift on accuracy and calibration. We find that traditional post-hoc calibration does indeed fall short, as do several other previous methods. However, some methods that marginalize over models give surprisingly strong results across a broad spectrum of tasks.

我们表明，著名的混音的有效性[Zhang等，2018]，如果而不是将其用作唯一的学习目标，就可以进一步改善它，而是将其用作标准跨侧面损失的附加规则器。这种简单的变化不仅提供了太大的准确性，而且在大多数情况下，在各种形式的协变量转移和分布外检测实验下，在大多数情况下，混合量的预测不确定性估计质量都显着提高了。实际上，我们观察到混合物在检测出分布样本时可能会产生大量退化的性能，因为我们在经验上表现出来，因为它倾向于学习在整个过程中表现出高渗透率的模型。很难区分分布样本与近分离样本。为了显示我们的方法的功效（RegMixup），我们在视觉数据集（Imagenet＆Cifar-10/100）上提供了详尽的分析和实验，并将其与最新方法进行比较，以进行可靠的不确定性估计。

深度神经网络具有令人印象深刻的性能，但是他们无法可靠地估计其预测信心，从而限制了其在高风险领域中的适用性。我们表明，应用多标签的一VS损失揭示了分类的歧义并降低了模型的过度自信。引入的Slova（单标签One-Vs-All）模型重新定义了单个标签情况的典型单VS-ALL预测概率，其中只有一个类是正确的答案。仅当单个类具有很高的概率并且其他概率可忽略不计时，提议的分类器才有信心。与典型的SoftMax函数不同，如果所有其他类的概率都很小，Slova自然会检测到分布的样本。该模型还通过指数校准进行了微调，这使我们能够与模型精度准确地对齐置信分数。我们在三个任务上验证我们的方法。首先，我们证明了斯洛伐克与最先进的分布校准具有竞争力。其次，在数据集偏移下，斯洛伐克的性能很强。最后，我们的方法在检测到分布样品的检测方面表现出色。因此，斯洛伐克是一种工具，可以在需要不确定性建模的各种应用中使用。

随机平滑是目前是最先进的方法，用于构建来自Neural Networks的可认真稳健的分类器，以防止$ \ ell_2 $ - vitersarial扰动。在范例下，分类器的稳健性与预测置信度对齐，即，对平滑分类器的较高的置信性意味着更好的鲁棒性。这使我们能够在校准平滑分类器的信仰方面重新思考准确性和鲁棒性之间的基本权衡。在本文中，我们提出了一种简单的训练方案，Coined Spiremix，通过自我混合来控制平滑分类器的鲁棒性：它沿着每个输入对逆势扰动方向进行样品的凸起组合。该提出的程序有效地识别过度自信，在平滑分类器的情况下，作为有限的稳健性的原因，并提供了一种直观的方法来自适应地在这些样本之间设置新的决策边界，以实现更好的鲁棒性。我们的实验结果表明，与现有的最先进的强大培训方法相比，该方法可以显着提高平滑分类器的认证$ \ ell_2 $ -toSpustness。

作为研究界，我们仍然缺乏对对抗性稳健性的进展的系统理解，这通常使得难以识别训练强大模型中最有前途的想法。基准稳健性的关键挑战是，其评估往往是出错的导致鲁棒性高估。我们的目标是建立对抗性稳健性的标准化基准，尽可能准确地反映出考虑在合理的计算预算范围内所考虑的模型的稳健性。为此，我们首先考虑图像分类任务并在允许的型号上引入限制（可能在将来宽松）。我们评估了与AutoAtrack的对抗鲁棒性，白和黑箱攻击的集合，最近在大规模研究中显示，与原始出版物相比，改善了几乎所有稳健性评估。为防止对自动攻击进行新防御的过度适应，我们欢迎基于自适应攻击的外部评估，特别是在自动攻击稳健性潜在高估的地方。我们的排行榜，托管在https://robustbench.github.io/，包含120多个模型的评估，并旨在反映在$ \ ell_ \ infty $的一套明确的任务上的图像分类中的当前状态 - 和$ \ ell_2 $ -Threat模型和共同腐败，未来可能的扩展。此外，我们开源源是图书馆https://github.com/robustbench/robustbench，可以提供对80多个强大模型的统一访问，以方便他们的下游应用程序。最后，根据收集的模型，我们分析了稳健性对分布换档，校准，分配检测，公平性，隐私泄漏，平滑度和可转移性的影响。

Despite the success of convolutional neural networks (CNNs) in many academic benchmarks for computer vision tasks, their application in the real-world is still facing fundamental challenges. One of these open problems is the inherent lack of robustness, unveiled by the striking effectiveness of adversarial attacks. Current attack methods are able to manipulate the network's prediction by adding specific but small amounts of noise to the input. In turn, adversarial training (AT) aims to achieve robustness against such attacks and ideally a better model generalization ability by including adversarial samples in the trainingset. However, an in-depth analysis of the resulting robust models beyond adversarial robustness is still pending. In this paper, we empirically analyze a variety of adversarially trained models that achieve high robust accuracies when facing state-of-the-art attacks and we show that AT has an interesting side-effect: it leads to models that are significantly less overconfident with their decisions, even on clean data than non-robust models. Further, our analysis of robust models shows that not only AT but also the model's building blocks (like activation functions and pooling) have a strong influence on the models' prediction confidences. Data & Project website: https://github.com/GeJulia/robustness_confidences_evaluation

已知现代深度神经网络模型将错误地将分布式（OOD）测试数据分类为具有很高信心的分数（ID）培训课程之一。这可能会对关键安全应用产生灾难性的后果。一种流行的缓解策略是训练单独的分类器，该分类器可以在测试时间检测此类OOD样本。在大多数实际设置中，在火车时间尚不清楚OOD的示例，因此，一个关键问题是：如何使用合成OOD样品来增加ID数据以训练这样的OOD检测器？在本文中，我们为称为CNC的OOD数据增强提出了一种新颖的复合腐败技术。 CNC的主要优点之一是，除了培训集外，它不需要任何固定数据。此外，与当前的最新技术（SOTA）技术不同，CNC不需要在测试时间进行反向传播或结合，从而使我们的方法在推断时更快。我们与过去4年中主要会议的20种方法进行了广泛的比较，表明，在OOD检测准确性和推理时间方面，使用基于CNC的数据增强训练的模型都胜过SOTA。我们包括详细的事后分析，以研究我们方法成功的原因，并确定CNC样本的较高相对熵和多样性是可能的原因。我们还通过对二维数据集进行零件分解分析提供理论见解，以揭示（视觉和定量），我们的方法导致ID类别周围的边界更紧密，从而更好地检测了OOD样品。源代码链接：https：//github.com/cnc-ood

Deep neural networks achieve high prediction accuracy when the train and test distributions coincide. In practice though, various types of corruptions occur which deviate from this setup and cause severe performance degradations. Few methods have been proposed to address generalization in the presence of unforeseen domain shifts. In particular, digital noise corruptions arise commonly in practice during the image acquisition stage and present a significant challenge for current robustness approaches. In this paper, we propose a diverse Gaussian noise consistency regularization method for improving robustness of image classifiers under a variety of noise corruptions while still maintaining high clean accuracy. We derive bounds to motivate and understand the behavior of our Gaussian noise consistency regularization using a local loss landscape analysis. We show that this simple approach improves robustness against various unforeseen noise corruptions by 4.2-18.4% over adversarial training and other strong diverse data augmentation baselines across several benchmarks. Furthermore, when combined with state-of-the-art diverse data augmentation techniques, experiments against state-of-the-art show our method further improves robustness accuracy by 3.7% and uncertainty calibration by 5.5% for all common corruptions on several image classification benchmarks.

到目前为止对抗训练是抵御对抗例子的最有效的策略。然而，由于每个训练步骤中的迭代对抗性攻击，它遭受了高的计算成本。最近的研究表明，通过随机初始化执行单步攻击，可以实现快速的对抗训练。然而，这种方法仍然落后于稳定性和模型稳健性的最先进的对手训练算法。在这项工作中，我们通过观察随机平滑的随机初始化来更好地优化内部最大化问题，对快速对抗培训进行新的理解。在这种新的视角之后，我们还提出了一种新的初始化策略，向后平滑，进一步提高单步强大培训方法的稳定性和模型稳健性。多个基准测试的实验表明，我们的方法在使用更少的训练时间（使用相同的培训计划时，使用更少的培训时间（$ \ sim $ 3x改进）时，我们的方法达到了类似的模型稳健性。

Modern deep neural networks can achieve high accuracy when the training distribution and test distribution are identically distributed, but this assumption is frequently violated in practice. When the train and test distributions are mismatched, accuracy can plummet. Currently there are few techniques that improve robustness to unforeseen data shifts encountered during deployment. In this work, we propose a technique to improve the robustness and uncertainty estimates of image classifiers. We propose AUGMIX, a data processing technique that is simple to implement, adds limited computational overhead, and helps models withstand unforeseen corruptions. AUGMIX significantly improves robustness and uncertainty measures on challenging image classification benchmarks, closing the gap between previous methods and the best possible performance in some cases by more than half.

Model calibration, which is concerned with how frequently the model predicts correctly, not only plays a vital part in statistical model design, but also has substantial practical applications, such as optimal decision-making in the real world. However, it has been discovered that modern deep neural networks are generally poorly calibrated due to the overestimation (or underestimation) of predictive confidence, which is closely related to overfitting. In this paper, we propose Annealing Double-Head, a simple-to-implement but highly effective architecture for calibrating the DNN during training. To be precise, we construct an additional calibration head-a shallow neural network that typically has one latent layer-on top of the last latent layer in the normal model to map the logits to the aligned confidence. Furthermore, a simple Annealing technique that dynamically scales the logits by calibration head in training procedure is developed to improve its performance. Under both the in-distribution and distributional shift circumstances, we exhaustively evaluate our Annealing Double-Head architecture on multiple pairs of contemporary DNN architectures and vision and speech datasets. We demonstrate that our method achieves state-of-the-art model calibration performance without post-processing while simultaneously providing comparable predictive accuracy in comparison to other recently proposed calibration methods on a range of learning tasks.

现在众所周知，神经网络对其预测的信心很高，导致校准不良。弥补这一点的最常见的事后方法是执行温度缩放，这可以通过将逻辑缩放为固定值来调整任何输入的预测的信心。尽管这种方法通常会改善整个测试数据集中的平均校准，但无论给定输入的分类是否正确还是不正确，这种改进通常会降低预测的个人信心。有了这种见解，我们将方法基于这样的观察结果，即不同的样品通过不同的量导致校准误差，有些人需要提高其信心，而另一些则需要减少它。因此，对于每个输入，我们建议预测不同的温度值，从而使我们能够调整较细性的置信度和准确性之间的不匹配。此外，我们观察到了OOD检测结果的改善，还可以提取数据点的硬度概念。我们的方法是在事后应用的，因此使用很少的计算时间和可忽略不计的记忆足迹，并应用于现成的预训练的分类器。我们使用CIFAR10/100和TINY-IMAGENET数据集对RESNET50和WIDERESNET28-10架构进行测试，这表明在整个测试集中产生每数据点温度也有益于预期的校准误差。代码可在以下网址获得：https：//github.com/thwjoy/adats。

现代神经网络Excel在图像分类中，但它们仍然容易受到常见图像损坏，如模糊，斑点噪音或雾。最近的方法关注这个问题，例如Augmix和Deepaulment，引入了在预期运行的防御，以期望图像损坏分布。相比之下，$ \ ell_p $ -norm界限扰动的文献侧重于针对最坏情况损坏的防御。在这项工作中，我们通过提出防范内人来调和两种方法，这是一种优化图像到图像模型的参数来产生对外损坏的增强图像的技术。我们理论上激发了我们的方法，并为其理想化版本的一致性以及大纲领提供了足够的条件。我们的分类机器在预期对CiFar-10-C进行的常见图像腐败基准上提高了最先进的，并改善了CIFAR-10和ImageNet上的$ \ ell_p $ -norm有界扰动的最坏情况性能。

Any classifier can be "smoothed out" under Gaussian noise to build a new classifier that is provably robust to $\ell_2$-adversarial perturbations, viz., by averaging its predictions over the noise via randomized smoothing. Under the smoothed classifiers, the fundamental trade-off between accuracy and (adversarial) robustness has been well evidenced in the literature: i.e., increasing the robustness of a classifier for an input can be at the expense of decreased accuracy for some other inputs. In this paper, we propose a simple training method leveraging this trade-off to obtain robust smoothed classifiers, in particular, through a sample-wise control of robustness over the training samples. We make this control feasible by using "accuracy under Gaussian noise" as an easy-to-compute proxy of adversarial robustness for an input. Specifically, we differentiate the training objective depending on this proxy to filter out samples that are unlikely to benefit from the worst-case (adversarial) objective. Our experiments show that the proposed method, despite its simplicity, consistently exhibits improved certified robustness upon state-of-the-art training methods. Somewhat surprisingly, we find these improvements persist even for other notions of robustness, e.g., to various types of common corruptions.

在真实世界的机器学习应用中，可靠和安全的系统必须考虑超出标准测试设置精度的性能测量。这些其他目标包括分销（OOD）鲁棒性，预测一致性，对敌人的抵御能力，校准的不确定性估计，以及检测异常投入的能力。然而，提高这些目标的绩效通常是一种平衡行为，即今天的方法无法在不牺牲其他安全轴上的性能的情况下实现。例如，对抗性培训改善了对抗性鲁棒性，但急剧降低了其他分类器性能度量。同样，强大的数据增强和正则化技术往往提高鲁棒性，但损害异常检测，提出了对所有现有安全措施的帕累托改进是可能的。为满足这一挑战，我们设计了利用诸如分数形的图片的自然结构复杂性设计新的数据增强策略，这优于众多基线，靠近帕累托 - 最佳，并圆形提高安全措施。

最近的工作引入了该日期，作为深度学习中不确定性建模的一种新方法。Epatet是一个添加到传统神经网络中的小神经网络，它可以共同产生预测分布。尤其是，使用音调可以大大提高多个输入的联合预测的质量，这是神经网络了解其不知道的程度的衡量标准。在本文中，我们检查了在分配变化下是否可以提供类似的优势。我们发现，在ImageNet-A/O/C中，谐调通常可以改善稳健性指标。此外，这些改进比非常大的合奏所提供的改进更为重要，即计算成本较低的数量级。但是，与分配稳定深度学习的杰出问题相比，这些改进相对较小。播集可能是工具箱中的有用工具，但它们远非完整的解决方案。

对抗性训练遭受了稳健的过度装备，这是一种现象，在训练期间鲁棒测试精度开始减少。在本文中，我们专注于通过使用常见的数据增强方案来减少强大的过度装备。我们证明，与先前的发现相反，当与模型重量平均结合时，数据增强可以显着提高鲁棒精度。此外，我们比较各种增强技术，并观察到空间组合技术适用于对抗性培训。最后，我们评估了我们在Cifar-10上的方法，而不是$ \ ell_ indty $和$ \ ell_2 $ norm-indeded扰动分别为尺寸$ \ epsilon = 8/255 $和$ \ epsilon = 128/255 $。与以前的最先进的方法相比，我们表现出+ 2.93％的绝对改善+ 2.93％，+ 2.16％。特别是，反对$ \ ell_ infty $ norm-indeded扰动尺寸$ \ epsilon = 8/255 $，我们的模型达到60.07％的强劲准确性而不使用任何外部数据。我们还通过这种方法实现了显着的性能提升，同时使用其他架构和数据集如CiFar-100，SVHN和TinyimageNet。

Deep neural networks excel at learning the training data, but often provide incorrect and confident predictions when evaluated on slightly different test examples. This includes distribution shifts, outliers, and adversarial examples. To address these issues, we propose Manifold Mixup, a simple regularizer that encourages neural networks to predict less confidently on interpolations of hidden representations. Manifold Mixup leverages semantic interpolations as additional training signal, obtaining neural networks with smoother decision boundaries at multiple levels of representation. As a result, neural networks trained with Manifold Mixup learn class-representations with fewer directions of variance. We prove theory on why this flattening happens under ideal conditions, validate it on practical situations, and connect it to previous works on information theory and generalization. In spite of incurring no significant computation and being implemented in a few lines of code, Manifold Mixup improves strong baselines in supervised learning, robustness to single-step adversarial attacks, and test log-likelihood.

Calibration strengthens the trustworthiness of black-box models by producing better accurate confidence estimates on given examples. However, little is known about if model explanations can help confidence calibration. Intuitively, humans look at important features attributions and decide whether the model is trustworthy. Similarly, the explanations can tell us when the model may or may not know. Inspired by this, we propose a method named CME that leverages model explanations to make the model less confident with non-inductive attributions. The idea is that when the model is not highly confident, it is difficult to identify strong indications of any class, and the tokens accordingly do not have high attribution scores for any class and vice versa. We conduct extensive experiments on six datasets with two popular pre-trained language models in the in-domain and out-of-domain settings. The results show that CME improves calibration performance in all settings. The expected calibration errors are further reduced when combined with temperature scaling. Our findings highlight that model explanations can help calibrate posterior estimates.