In order for machine learning to be trusted in many applications, it is critical to be able to reliably explain why the machine learning algorithm makes certain predictions. For this reason, a variety of methods have been developed recently to interpret neural network predictions by providing, for example, feature importance maps. For both scientific robustness and security reasons, it is important to know to what extent can the interpretations be altered by small systematic perturbations to the input data, which might be generated by adversaries or by measurement biases. In this paper, we demonstrate how to generate adversarial perturbations that produce perceptively indistinguishable inputs that are assigned the same predicted label, yet have very different interpretations. We systematically characterize the robustness of interpretations generated by several widely-used feature importance interpretation methods (feature importance maps, integrated gradients, and DeepLIFT) on ImageNet and CIFAR-10. In all cases, our experiments show that systematic perturbations can lead to dramatically different interpretations without changing the label. We extend these results to show that interpretations based on exemplars (e.g. influence functions) are similarly susceptible to adversarial attack. Our analysis of the geometry of the Hessian matrix gives insight on why robustness is a general challenge to current interpretation approaches.

Explainability has been widely stated as a cornerstone of the responsible and trustworthy use of machine learning models. With the ubiquitous use of Deep Neural Network (DNN) models expanding to risk-sensitive and safety-critical domains, many methods have been proposed to explain the decisions of these models. Recent years have also seen concerted efforts that have shown how such explanations can be distorted (attacked) by minor input perturbations. While there have been many surveys that review explainability methods themselves, there has been no effort hitherto to assimilate the different methods and metrics proposed to study the robustness of explanations of DNN models. In this work, we present a comprehensive survey of methods that study, understand, attack, and defend explanations of DNN models. We also present a detailed review of different metrics used to evaluate explanation methods, as well as describe attributional attack and defense methods. We conclude with lessons and take-aways for the community towards ensuring robust explanations of DNN model predictions.

Although deep learning has made remarkable progress in processing various types of data such as images, text and speech, they are known to be susceptible to adversarial perturbations: perturbations specifically designed and added to the input to make the target model produce erroneous output. Most of the existing studies on generating adversarial perturbations attempt to perturb the entire input indiscriminately. In this paper, we propose ExploreADV, a general and flexible adversarial attack system that is capable of modeling regional and imperceptible attacks, allowing users to explore various kinds of adversarial examples as needed. We adapt and combine two existing boundary attack methods, DeepFool and Brendel\&Bethge Attack, and propose a mask-constrained adversarial attack system, which generates minimal adversarial perturbations under the pixel-level constraints, namely ``mask-constraints''. We study different ways of generating such mask-constraints considering the variance and importance of the input features, and show that our adversarial attack system offers users good flexibility to focus on sub-regions of inputs, explore imperceptible perturbations and understand the vulnerability of pixels/regions to adversarial attacks. We demonstrate our system to be effective based on extensive experiments and user study.

已知深度神经网络（DNN）容易受到用不可察觉的扰动制作的对抗性示例的影响，即，输入图像的微小变化会引起错误的分类，从而威胁着基于深度学习的部署系统的可靠性。经常采用对抗训练（AT）来通过训练损坏和干净的数据的混合物来提高DNN的鲁棒性。但是，大多数基于AT的方法在处理\ textit {转移的对抗示例}方面是无效的，这些方法是生成以欺骗各种防御模型的生成的，因此无法满足现实情况下提出的概括要求。此外，对抗性训练一般的国防模型不能对具有扰动的输入产生可解释的预测，而不同的领域专家则需要一个高度可解释的强大模型才能了解DNN的行为。在这项工作中，我们提出了一种基于Jacobian规范和选择性输入梯度正则化（J-SIGR）的方法，该方法通过Jacobian归一化提出了线性化的鲁棒性，还将基于扰动的显着性图正规化，以模仿模型的可解释预测。因此，我们既可以提高DNN的防御能力和高解释性。最后，我们评估了跨不同体系结构的方法，以针对强大的对抗性攻击。实验表明，提出的J-Sigr赋予了针对转移的对抗攻击的鲁棒性，我们还表明，来自神经网络的预测易于解释。

模型解释性的方法对于测试深度学习的公平性和健全性变得越来越重要。基于概念的可解释性技术使用了一系列人类解剖概念典范，以衡量概念对模型的内部输入表示的影响，这是这一研究中的重要线索。在这项工作中，我们表明，这些解释性方法可能会遭受对抗攻击的脆弱性，与他们要分析的模型相同。我们在两种著名的基于概念的可解释性方法上证明了这种现象：TCAV和刻面特征可视化。我们表明，通过仔细扰动正在研究的概念的示例，我们可以从根本上更改可解释性方法的输出。我们提出的攻击可以诱导积极的解释（对斑马进行分类时，圆点是模型的重要概念）或负面解释（条纹不是识别斑马图像的重要因素）。我们的工作强调了这样一个事实，即在安全至关重要的应用中，不仅需要机器学习管道，而且需要模型解释过程。

随着深度神经网络的兴起，解释这些网络预测的挑战已经越来越识别。虽然存在许多用于解释深度神经网络的决策的方法，但目前没有关于如何评估它们的共识。另一方面，鲁棒性是深度学习研究的热门话题;但是，在最近，几乎没有谈论解释性。在本教程中，我们首先呈现基于梯度的可解释性方法。这些技术使用梯度信号来分配对输入特征的决定的负担。后来，我们讨论如何为其鲁棒性和对抗性的鲁棒性在具有有意义的解释中扮演的作用来评估基于梯度的方法。我们还讨论了基于梯度的方法的局限性。最后，我们提出了在选择解释性方法之前应检查的最佳实践和属性。我们结束了未来在稳健性和解释性融合的地区研究的研究。

The authors thank Nicholas Carlini (UC Berkeley) and Dimitris Tsipras (MIT) for feedback to improve the survey quality. We also acknowledge X. Huang (Uni. Liverpool), K. R. Reddy (IISC), E. Valle (UNICAMP), Y. Yoo (CLAIR) and others for providing pointers to make the survey more comprehensive.

可说明的机器学习吸引了越来越多的关注，因为它提高了模型的透明度，这有助于机器学习在真实应用中受到信任。然而，最近证明了解释方法易于操纵，在那里我们可以在保持其预测常数的同时轻松改变模型的解释。为了解决这个问题，已经支付了一些努力来使用更稳定的解释方法或更改模型配置。在这项工作中，我们从训练角度解决了问题，并提出了一种称为对抗的解释培训的新培训计划（ATEX），以改善模型的内部解释稳定性，无论应用的具体解释方法如何。而不是直接指定数据实例上的解释值，而是仅为模型预测提供了要求，该预测避免了涉及在优化中的二阶导数。作为进一步的讨论，我们还发现解释稳定性与模型的另一个性质密切相关，即暴露于对抗性攻击的风险。通过实验，除了表明ATEX改善了针对操纵靶向解释的模型鲁棒性，它还带来了额外的益处，包括平滑解释，并在应用于模型时提高对抗性训练的功效。

近年来，可解释的人工智能（XAI）已成为一个非常适合的框架，可以生成人类对“黑盒”模型的可理解解释。在本文中，一种新颖的XAI视觉解释算法称为相似性差异和唯一性（SIDU）方法，该方法可以有效地定位负责预测的整个对象区域。通过各种计算和人类主题实验分析了SIDU算法的鲁棒性和有效性。特别是，使用三种不同类型的评估（应用，人类和功能地面）评估SIDU算法以证明其出色的性能。在对“黑匣子”模型的对抗性攻击的情况下，进一步研究了Sidu的鲁棒性，以更好地了解其性能。我们的代码可在：https：//github.com/satyamahesh84/sidu_xai_code上找到。

对卷积神经网络（CNN）的对抗性攻击的存在质疑这种模型对严重应用的适合度。攻击操纵输入图像，使得错误分类是在对人类观察者看上去正常的同时唤起的 - 因此它们不容易被检测到。在不同的上下文中，CNN隐藏层的反向传播激活（对给定输入的“特征响应”）有助于可视化人类“调试器” CNN“在计算其输出时对CNN”的看法。在这项工作中，我们提出了一种新颖的检测方法，以防止攻击。我们通过在特征响应中跟踪对抗扰动来做到这一点，从而可以使用平均局部空间熵自动检测。该方法不会改变原始的网络体系结构，并且完全可以解释。实验证实了我们对在Imagenet训练的大规模模型的最新攻击方法的有效性。

Deep neural networks (DNNs) are one of the most prominent technologies of our time, as they achieve state-of-the-art performance in many machine learning tasks, including but not limited to image classification, text mining, and speech processing. However, recent research on DNNs has indicated ever-increasing concern on the robustness to adversarial examples, especially for security-critical tasks such as traffic sign identification for autonomous driving. Studies have unveiled the vulnerability of a well-trained DNN by demonstrating the ability of generating barely noticeable (to both human and machines) adversarial images that lead to misclassification. Furthermore, researchers have shown that these adversarial images are highly transferable by simply training and attacking a substitute model built upon the target model, known as a black-box attack to DNNs.Similar to the setting of training substitute models, in this paper we propose an effective black-box attack that also only has access to the input (images) and the output (confidence scores) of a targeted DNN. However, different from leveraging attack transferability from substitute models, we propose zeroth order optimization (ZOO) based attacks to directly estimate the gradients of the targeted DNN for generating adversarial examples. We use zeroth order stochastic coordinate descent along with dimension reduction, hierarchical attack and importance sampling techniques to * Pin-Yu Chen and Huan Zhang contribute equally to this work.

深层神经网络以其对各种机器学习和人工智能任务的精湛处理而闻名。但是，由于其过度参数化的黑盒性质，通常很难理解深层模型的预测结果。近年来，已经提出了许多解释工具来解释或揭示模型如何做出决策。在本文中，我们回顾了这一研究，并尝试进行全面的调查。具体来说，我们首先介绍并阐明了人们通常会感到困惑的两个基本概念 - 解释和解释性。为了解决解释中的研究工作，我们通过提出新的分类法来阐述许多解释算法的设计。然后，为了了解解释结果，我们还调查了评估解释算法的性能指标。此外，我们总结了使用“可信赖”解释算法评估模型的解释性的当前工作。最后，我们审查并讨论了深层模型的解释与其他因素之间的联系，例如对抗性鲁棒性和从解释中学习，并介绍了一些开源库，以解释算法和评估方法。

许多最先进的ML模型在各种任务中具有优于图像分类的人类。具有如此出色的性能，ML模型今天被广泛使用。然而，存在对抗性攻击和数据中毒攻击的真正符合ML模型的稳健性。例如，Engstrom等人。证明了最先进的图像分类器可以容易地被任意图像上的小旋转欺骗。由于ML系统越来越纳入安全性和安全敏感的应用，对抗攻击和数据中毒攻击构成了相当大的威胁。本章侧重于ML安全的两个广泛和重要的领域：对抗攻击和数据中毒攻击。

Although deep neural networks (DNNs) have achieved great success in many tasks, they can often be fooled by adversarial examples that are generated by adding small but purposeful distortions to natural examples. Previous studies to defend against adversarial examples mostly focused on refining the DNN models, but have either shown limited success or required expensive computation. We propose a new strategy, feature squeezing, that can be used to harden DNN models by detecting adversarial examples. Feature squeezing reduces the search space available to an adversary by coalescing samples that correspond to many different feature vectors in the original space into a single sample. By comparing a DNN model's prediction on the original input with that on squeezed inputs, feature squeezing detects adversarial examples with high accuracy and few false positives.This paper explores two feature squeezing methods: reducing the color bit depth of each pixel and spatial smoothing. These simple strategies are inexpensive and complementary to other defenses, and can be combined in a joint detection framework to achieve high detection rates against state-of-the-art attacks.

Rising usage of deep neural networks to perform decision making in critical applications like medical diagnosis and financial analysis have raised concerns regarding their reliability and trustworthiness. As automated systems become more mainstream, it is important their decisions be transparent, reliable and understandable by humans for better trust and confidence. To this effect, concept-based models such as Concept Bottleneck Models (CBMs) and Self-Explaining Neural Networks (SENN) have been proposed which constrain the latent space of a model to represent high level concepts easily understood by domain experts in the field. Although concept-based models promise a good approach to both increasing explainability and reliability, it is yet to be shown if they demonstrate robustness and output consistent concepts under systematic perturbations to their inputs. To better understand performance of concept-based models on curated malicious samples, in this paper, we aim to study their robustness to adversarial perturbations, which are also known as the imperceptible changes to the input data that are crafted by an attacker to fool a well-learned concept-based model. Specifically, we first propose and analyze different malicious attacks to evaluate the security vulnerability of concept based models. Subsequently, we propose a potential general adversarial training-based defense mechanism to increase robustness of these systems to the proposed malicious attacks. Extensive experiments on one synthetic and two real-world datasets demonstrate the effectiveness of the proposed attacks and the defense approach.

深度学习（DL）系统的安全性是一个极为重要的研究领域，因为它们正在部署在多个应用程序中，因为它们不断改善，以解决具有挑战性的任务。尽管有压倒性的承诺，但深度学习系统容易受到制作的对抗性例子的影响，这可能是人眼无法察觉的，但可能会导致模型错误分类。对基于整体技术的对抗性扰动的保护已被证明很容易受到更强大的对手的影响，或者证明缺乏端到端评估。在本文中，我们试图开发一种新的基于整体的解决方案，该解决方案构建具有不同决策边界的防御者模型相对于原始模型。通过（1）通过一种称为拆分和剃须的方法转换输入的分类器的合奏，以及（2）通过一种称为对比度功能的方法限制重要特征，显示出相对于相对于不同的梯度对抗性攻击，这减少了将对抗性示例从原始示例转移到针对同一类的防御者模型的机会。我们使用标准图像分类数据集（即MNIST，CIFAR-10和CIFAR-100）进行了广泛的实验，以实现最新的对抗攻击，以证明基于合奏的防御的鲁棒性。我们还在存在更强大的对手的情况下评估稳健性，该对手同时靶向合奏中的所有模型。已经提供了整体假阳性和误报的结果，以估计提出的方法的总体性能。

Recent research has revealed that the output of Deep Neural Networks (DNN) can be easily altered by adding relatively small perturbations to the input vector. In this paper, we analyze an attack in an extremely limited scenario where only one pixel can be modified. For that we propose a novel method for generating one-pixel adversarial perturbations based on differential evolution (DE). It requires less adversarial information (a blackbox attack) and can fool more types of networks due to the inherent features of DE. The results show that 67.97% of the natural images in Kaggle CIFAR-10 test dataset and 16.04% of the ImageNet (ILSVRC 2012) test images can be perturbed to at least one target class by modifying just one pixel with 74.03% and 22.91% confidence on average. We also show the same vulnerability on the original CIFAR-10 dataset. Thus, the proposed attack explores a different take on adversarial machine learning in an extreme limited scenario, showing that current DNNs are also vulnerable to such low dimension attacks. Besides, we also illustrate an important application of DE (or broadly speaking, evolutionary computation) in the domain of adversarial machine learning: creating tools that can effectively generate lowcost adversarial attacks against neural networks for evaluating robustness.

尽管机器学习系统的效率和可扩展性，但最近的研究表明，许多分类方法，尤其是深神经网络（DNN），易受对抗的例子;即，仔细制作欺骗训练有素的分类模型的例子，同时无法区分从自然数据到人类。这使得在安全关键区域中应用DNN或相关方法可能不安全。由于这个问题是由Biggio等人确定的。 （2013）和Szegedy等人。（2014年），在这一领域已经完成了很多工作，包括开发攻击方法，以产生对抗的例子和防御技术的构建防范这些例子。本文旨在向统计界介绍这一主题及其最新发展，主要关注对抗性示例的产生和保护。在数值实验中使用的计算代码（在Python和R）公开可用于读者探讨调查的方法。本文希望提交人们将鼓励更多统计学人员在这种重要的令人兴奋的领域的产生和捍卫对抗的例子。

我们认为，当学习一个具有最佳运输问题双重损失的1- lipschitz神经网络时，模型的梯度既是运输计划的方向，又是与最接近的对抗性攻击的方向。沿着梯度前往决策边界不再是对抗性攻击，而是反事实的解释，明确地从一个班级运输到另一个班级。通过对XAI指标进行的广泛实验，我们发现应用于此类网络的简单显着性图方法成为可靠的解释，并且在不受约束的模型上胜过最新的解释方法。所提出的网络已经众所周知，可以证明它们也可以通过快速而简单的方法来证明它们也可以解释。

Interpretability provides a means for humans to verify aspects of machine learning (ML) models and empower human+ML teaming in situations where the task cannot be fully automated. Different contexts require explanations with different properties. For example, the kind of explanation required to determine if an early cardiac arrest warning system is ready to be integrated into a care setting is very different from the type of explanation required for a loan applicant to help determine the actions they might need to take to make their application successful. Unfortunately, there is a lack of standardization when it comes to properties of explanations: different papers may use the same term to mean different quantities, and different terms to mean the same quantity. This lack of a standardized terminology and categorization of the properties of ML explanations prevents us from both rigorously comparing interpretable machine learning methods and identifying what properties are needed in what contexts. In this work, we survey properties defined in interpretable machine learning papers, synthesize them based on what they actually measure, and describe the trade-offs between different formulations of these properties. In doing so, we enable more informed selection of task-appropriate formulations of explanation properties as well as standardization for future work in interpretable machine learning.