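Recent work has shown that models trained to the same objective, and which achieve similar measures of accuracy on consistent test data, may nonetheless behave very differently on individual predictions. This inconsistency is undesirable in high-stakes contexts such as medical diagnosis and finance. We show that this inconsistent behavior extends beyond predictions to feature attributions, which may likewise have negative implications for the intelligibility of a model and for one's ability to find recourse for subjects. We then introduce selective ensembles to mitigate such inconsistencies by applying hypothesis testing to the predictions of a set of models trained using randomly selected starting conditions; importantly, selective ensembles can abstain in cases where a consistent outcome cannot be achieved up to a specified confidence level. We prove that prediction disagreement between selective ensembles is bounded, and empirically demonstrate that selective ensembles achieve consistent predictions and feature attributions while maintaining low abstention rates. On several benchmark datasets, selective ensembles reach zero inconsistently predicted points, with abstention rates as low as 1.5%.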
translated by Google Translate
The ability to quickly and accurately identify covariate shift at test time is a critical and often overlooked component of safe machine learning systems deployed in high-risk domains. While methods exist for detecting when predictions should not be made on out-of-distribution test examples, identifying distributional level differences between training and test time can help determine when a model should be removed from the deployment setting and retrained. In this work, we define harmful covariate shift (HCS) as a change in distribution that may weaken the generalization of a predictive model. To detect HCS, we use the discordance between an ensemble of classifiers trained to agree on training data and disagree on test data. We derive a loss function for training this ensemble and show that the disagreement rate and entropy represent powerful discriminative statistics for HCS. Empirically, we demonstrate the ability of our method to detect harmful covariate shift with statistical certainty on a variety of high-dimensional datasets. Across numerous domains and modalities, we show state-of-the-art performance compared to existing methods, particularly when the number of observed test samples is small.
Explainability has been widely stated as a cornerstone of the responsible and trustworthy use of machine learning models. With the ubiquitous use of Deep Neural Network (DNN) models expanding to risk-sensitive and safety-critical domains, many methods have been proposed to explain the decisions of these models. Recent years have also seen concerted efforts that have shown how such explanations can be distorted (attacked) by minor input perturbations. While there have been many surveys that review explainability methods themselves, there has been no effort hitherto to assimilate the different methods and metrics proposed to study the robustness of explanations of DNN models. In this work, we present a comprehensive survey of methods that study, understand, attack, and defend explanations of DNN models. We also present a detailed review of different metrics used to evaluate explanation methods, as well as describe attributional attack and defense methods. We conclude with lessons and take-aways for the community towards ensuring robust explanations of DNN model predictions.
State-of-the-art results on image recognition tasks are achieved using over-parameterized learning algorithms that (nearly) perfectly fit the training set and are known to fit well even random labels. This tendency to memorize the labels of the training data is not explained by existing theoretical analyses. Memorization of the training data also presents significant privacy risks when the training data contains sensitive personal information and thus it is important to understand whether such memorization is necessary for accurate learning. We provide the first conceptual explanation and a theoretical model for this phenomenon. Specifically, we demonstrate that for natural data distributions memorization of labels is necessary for achieving close-to-optimal generalization error. Crucially, even labels of outliers and noisy labels need to be memorized. The model is motivated and supported by the results of several recent empirical works. In our model, data is sampled from a mixture of subpopulations and our results show that memorization is necessary whenever the distribution of subpopulation frequencies is long-tailed. Image and text data is known to be long-tailed and therefore our results establish a formal link between these empirical phenomena. Our results allow to quantify the cost of limiting memorization in learning and explain the disparate effects that privacy and model compression have on different subgroups.
Machine learning algorithms, when applied to sensitive data, pose a distinct threat to privacy. A growing body of prior work demonstrates that models produced by these algorithms may leak specific private information in the training data to an attacker, either through the models' structure or their observable behavior. However, the underlying cause of this privacy risk is not well understood beyond a handful of anecdotal accounts that suggest overfitting and influence might play a role. This paper examines the effect that overfitting and influence have on the ability of an attacker to learn information about the training data from machine learning models, either through training set membership inference or attribute inference attacks. Using both formal and empirical analyses, we illustrate a clear relationship between these factors and the privacy risk that arises in several popular machine learning algorithms. We find that overfitting is sufficient to allow an attacker to perform membership inference and, when the target attribute meets certain conditions about its influence, attribute inference attacks. Interestingly, our formal analysis also shows that overfitting is not necessary for these attacks and begins to shed light on what other factors may be in play. Finally, we explore the connection between membership inference and attribute inference, showing that there are deep connections between the two that lead to effective new attacks.
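As post hoc explanation methods are increasingly being leveraged to explain complex models in high-stakes settings, it becomes critical to ensure that the quality of the resulting explanations is consistently high across various population subgroups, including minority groups. For instance, explanations associated with instances belonging to a particular gender subgroup (e.g., female) should not be of lower quality than those associated with other genders. However, there is little to no research that assesses whether such group-based disparities exist in the quality of the explanations output by state-of-the-art explanation methods. In this work, we address this gap by initiating the study of identifying group-based disparities in explanation quality. To this end, we first outline the key properties that constitute explanation quality and where disparities can be particularly problematic. We then leverage these properties to propose a novel evaluation framework that can quantitatively measure disparities in the quality of explanations output by state-of-the-art methods. Using this framework, we carry out a rigorous empirical analysis to understand whether group-based disparities in explanation quality arise. Our results indicate that such disparities are more likely to occur when the models being explained are complex and highly non-linear. In addition, we observe that certain post hoc explanation methods (e.g., Integrated Gradients, SHAP) are more likely to exhibit these disparities. To the best of our knowledge, this work is the first to highlight and study the problem of disparities in explanation quality. In doing so, our work sheds light on previously unexplored ways in which explanation methods may introduce unfairness in real-world decision making.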
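While several types of post hoc explanation methods (e.g., feature attribution methods) have been proposed in recent literature, there is little to no work on systematically benchmarking these methods in an efficient and transparent manner. Here, we introduce OpenXAI, a comprehensive and extensible open-source framework for evaluating and benchmarking post hoc explanation methods. OpenXAI comprises the following key components: (i) a flexible synthetic data generator and a collection of diverse real-world datasets, pre-trained models, and state-of-the-art feature attribution methods, (ii) open-source implementations of 22 quantitative metrics for evaluating the faithfulness, stability (robustness), and fairness of explanation methods, and (iii) the first ever public XAI leaderboards to benchmark explanations. OpenXAI is easily extensible, as users can readily evaluate custom explanation methods and incorporate them into our leaderboards. Overall, OpenXAI provides an automated end-to-end pipeline that not only simplifies and standardizes the evaluation of post hoc explanation methods, but also promotes transparency and reproducibility in benchmarking these methods. OpenXAI datasets and data loaders, implementations of state-of-the-art explanation methods and evaluation metrics, as well as leaderboards, are publicly available at https://open-xai.github.io/.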
Despite a sea of interpretability methods that can produce plausible explanations, the field has also empirically seen many failure cases of such methods. In light of these results, it remains unclear for practitioners how to use these methods and choose between them in a principled way. In this paper, we show that for even moderately rich model classes (easily satisfied by neural networks), any feature attribution method that is complete and linear--for example, Integrated Gradients and SHAP--can provably fail to improve on random guessing for inferring model behaviour. Our results apply to common end-tasks such as identifying local model behaviour, spurious feature identification, and algorithmic recourse. One takeaway from our work is the importance of concretely defining end-tasks. In particular, we show that once such an end-task is defined, a simple and direct approach of repeated model evaluations can outperform many other complex feature attribution methods.
Post-hoc explanation methods have become increasingly depended upon for understanding black-box classifiers in high-stakes applications, precipitating a need for reliable explanations. While numerous explanation methods have been proposed, recent works have shown that many existing methods can be inconsistent or unstable. In addition, high-performing classifiers are often highly nonlinear and can exhibit complex behavior around the decision boundary, leading to brittle or misleading local explanations. Therefore, there is an impending need to quantify the uncertainty of such explanation methods in order to understand when explanations are trustworthy. We introduce a novel uncertainty quantification method parameterized by a Gaussian Process model, which combines the uncertainty approximation of existing methods with a novel geodesic-based similarity which captures the complexity of the target black-box decision boundary. The proposed framework is highly flexible; it can be used with any black-box classifier and feature attribution method to amortize uncertainty estimates for explanations. We show theoretically that our proposed geodesic-based kernel similarity increases with the complexity of the decision boundary. Empirical results on multiple tabular and image datasets show that our decision boundary-aware uncertainty estimate improves understanding of explanations as compared to existing methods.
Interpretability provides a means for humans to verify aspects of machine learning (ML) models and empower human+ML teaming in situations where the task cannot be fully automated. Different contexts require explanations with different properties. For example, the kind of explanation required to determine if an early cardiac arrest warning system is ready to be integrated into a care setting is very different from the type of explanation required for a loan applicant to help determine the actions they might need to take to make their application successful. Unfortunately, there is a lack of standardization when it comes to properties of explanations: different papers may use the same term to mean different quantities, and different terms to mean the same quantity. This lack of a standardized terminology and categorization of the properties of ML explanations prevents us from both rigorously comparing interpretable machine learning methods and identifying what properties are needed in what contexts. In this work, we survey properties defined in interpretable machine learning papers, synthesize them based on what they actually measure, and describe the trade-offs between different formulations of these properties. In doing so, we enable more informed selection of task-appropriate formulations of explanation properties as well as standardization for future work in interpretable machine learning.
As predictive models are increasingly being employed to make consequential decisions, there is a growing emphasis on developing techniques that can provide algorithmic recourse to affected individuals. While such recourses can be immensely beneficial to affected individuals, potential adversaries could also exploit these recourses to compromise privacy. In this work, we make the first attempt at investigating if and how an adversary can leverage recourses to infer private information about the underlying model's training data. To this end, we propose a series of novel membership inference attacks which leverage algorithmic recourse. More specifically, we extend the prior literature on membership inference attacks to the recourse setting by leveraging the distances between data instances and their corresponding counterfactuals output by state-of-the-art recourse methods. Extensive experimentation with real world and synthetic datasets demonstrates significant privacy leakage through recourses. Our work establishes unintended privacy leakage as an important risk in the widespread adoption of recourse methods.
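Individual probabilities refer to the probabilities of outcomes that are realized only once: the probability that it will rain tomorrow, the probability that Alice will die within the next 12 months, the probability that Bob will be arrested for a violent crime in the next 18 months, and so on. Individual probabilities are fundamentally unknowable. Nevertheless, we show that two parties who agree on the data, or on how to sample from a data distribution, cannot agree to disagree on how to model individual probabilities. This is because any two models of individual probabilities that substantially disagree can be used to empirically falsify and improve one of the two models. This can be efficiently iterated in a process of "reconciliation" that results in models that both parties agree are superior to the models they started with, and which themselves (almost) agree on the forecasts of individual probabilities (almost) everywhere. We conclude that although individual probabilities are unknowable, they are contestable via a computationally and data-efficient process that must lead to agreement. Thus we cannot find ourselves with two equally accurate and unimprovable models that disagree substantially in their predictions, which provides an answer to what is sometimes called the predictive or model multiplicity problem.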
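Recent research has shown that seemingly fair machine learning models, when used to inform decisions that have an impact on people's lives or well-being (e.g., applications involving education, employment, and lending), can inadvertently increase social inequality in the long term. This is because prior fairness-aware algorithms only consider static fairness constraints, such as equal opportunity or demographic parity. However, enforcing constraints of this type may result in models that have a negative impact on disadvantaged individuals and communities. We introduce ELF (Enforcing Long-term Fairness), the first classification algorithm that provides high-confidence fairness guarantees in terms of long-term, or delayed, impact. We prove that the probability that ELF returns an unfair solution is less than a user-specified tolerance and that (under mild assumptions), given sufficient training data, ELF is able to find and return a fair solution if one exists. We show experimentally that our algorithm can successfully mitigate long-term unfairness.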
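This study examines issues of algorithmic fairness in the context of systems that inform tax audit selection by the United States Internal Revenue Service (IRS). While the field of algorithmic fairness has developed primarily around notions of treating like individuals alike, we instead explore the concept of vertical equity (appropriately accounting for relevant differences across individuals), which is a central component of fairness in many public policy settings. Applied to the design of the U.S. individual income tax system, vertical equity relates to the fair allocation of tax and enforcement burdens across taxpayers of different income levels. Through a unique collaboration with the Treasury Department and the IRS, we use anonymized individual taxpayer microdata, risk-selected audits, and random audits from 2010-14 to study vertical equity in tax administration. In particular, we assess how the use of modern machine learning methods for selecting audits may affect vertical equity. First, we show how more flexible machine learning (classification) methods, as opposed to simpler models, shift audit burdens from high-income to middle-income taxpayers. Second, we show that while existing algorithmic fairness techniques can mitigate some disparities across income, they can incur a steep cost to performance. Third, we show that the choice of whether to treat the risk of underreporting as a classification or a regression problem is highly consequential. Moving from classification to regression models to predict underreporting shifts the audit burden substantially toward high-income individuals, while increasing revenue. Last, we explore the role of differential audit cost in shaping the audit distribution. We show that a narrow focus on return on investment can undermine vertical equity. Our results have implications for the design of algorithmic tools across the public sector.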
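Given a discriminating neural network, the problem of fairness improvement is to systematically reduce discrimination without significantly sacrificing its performance (i.e., accuracy). Multiple categories of fairness-improving methods have been proposed for neural networks, including pre-processing, in-processing, and post-processing. Our empirical study, however, shows that these methods are not always effective (e.g., they may improve fairness at the price of a huge drop in accuracy) or are even unhelpful (e.g., they may even worsen both fairness and accuracy). In this work, we propose an approach that chooses the fairness-improving method based on causality analysis. That is, we choose the method based on how the neurons and attributes responsible for unfairness are distributed among the input attributes and the hidden neurons. Our experimental evaluation shows that our approach is effective (i.e., it always identifies the best fairness-improving method) and efficient (i.e., with an average time overhead of 5 minutes).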
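Randomized smoothing is currently considered the state-of-the-art method for obtaining certifiably robust classifiers. Despite its remarkable performance, the method is associated with various serious problems, such as "certified accuracy waterfalls", the certification vs. accuracy trade-off, and even fairness issues. Input-dependent smoothing approaches have been proposed with the intention of overcoming these flaws. However, we demonstrate that these methods lack formal guarantees, and so the resulting certificates are not justified. We show that, in general, input-dependent smoothing suffers from the curse of dimensionality, forcing the variance function to have low semi-elasticity. On the other hand, we provide a theoretical and practical framework that enables the use of input-dependent smoothing even in the presence of the curse of dimensionality, under strict restrictions. We present one concrete design of the smoothing variance function and test it on CIFAR10 and MNIST. Our design mitigates some of the problems of classical smoothing and is formally underlined, yet further improvement of the design is still necessary.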
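We study fair classification in the presence of an omniscient adversary that, given an $\eta$, is allowed to choose an arbitrary $\eta$-fraction of the training samples and arbitrarily perturb their protected attributes. Protected attributes can be incorrect due to strategic misreporting, malicious actors, or errors in imputation, and existing approaches that make stochastic or independence assumptions on errors may not satisfy their guarantees in this adversarial setting. Our main contribution is an optimization framework to learn fair classifiers in this adversarial setting that comes with provable guarantees on accuracy and fairness. Our framework works with multiple and non-binary protected attributes, is designed for the large class of linear-fractional fairness metrics, and can also handle perturbations besides those of the protected attributes. We prove near-tightness of our framework's guarantees for natural hypothesis classes: no algorithm can have significantly better accuracy, and any algorithm with better fairness must have lower accuracy. Empirically, we evaluate the classifiers produced by our framework with respect to statistical rate against an adversary.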
Post-hoc explanation methods are used with the intent of providing insights about neural networks and are sometimes said to help engender trust in their outputs. However, popular explanation methods have been found to be fragile to minor perturbations of input features or model parameters. Relying on constraint relaxation techniques from non-convex optimization, we develop a method that upper-bounds the largest change an adversary can make to a gradient-based explanation via bounded manipulation of either the input features or model parameters. By propagating a compact input or parameter set as symbolic intervals through the forwards and backwards computations of the neural network we can formally certify the robustness of gradient-based explanations. Our bounds are differentiable, hence we can incorporate provable explanation robustness into neural network training. Empirically, our method surpasses the robustness provided by previous heuristic approaches. We find that our training method is the only method able to learn neural networks with certificates of explanation robustness across all six datasets tested.
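Selective classification allows models to abstain from making predictions (e.g., say "I don't know") when in doubt, in order to obtain better effective accuracy. While typical selective models can be effective at producing more accurate predictions on average, they may still allow wrong predictions that have high confidence, or skip correct predictions that have low confidence. Providing calibrated uncertainty estimates alongside predictions (probabilities that correspond to true frequencies) can be as important as having predictions that are accurate on average. However, uncertainty estimates can be unreliable for certain inputs. In this paper, we develop a new approach to selective classification in which we propose a method for rejecting examples with "uncertain" uncertainties. By doing so, we aim to make predictions with well-calibrated uncertainty estimates over the distribution of accepted examples, a property we call selective calibration. We present a framework for learning selectively calibrated models, where a separate selector network is trained to improve the selective calibration error of a given base model. In particular, our work focuses on achieving robust calibration, where the model is intentionally designed to be tested on out-of-domain data. We achieve this through a training strategy inspired by distributionally robust optimization, in which we apply simulated input perturbations to the known, in-domain training data. We demonstrate the empirical effectiveness of our approach on multiple image classification and lung cancer risk assessment tasks.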
Saliency methods compute heat maps that highlight portions of an input that were most important for the label assigned to it by a deep net. Evaluations of saliency methods convert this heat map into a new masked input by retaining the $k$ highest-ranked pixels of the original input and replacing the rest with "uninformative" pixels, and checking if the net's output is mostly unchanged. This is usually seen as an explanation of the output, but the current paper highlights reasons why this inference of causality may be suspect. Inspired by logic concepts of completeness & soundness, it observes that the above type of evaluation focuses on completeness of the explanation, but ignores soundness. New evaluation metrics are introduced to capture both notions, while staying in an intrinsic framework -- i.e., using the dataset and the net, but no separately trained nets, human evaluations, etc. A simple saliency method is described that matches or outperforms prior methods in the evaluations. Experiments also suggest new intrinsic justifications, based on soundness, for popular heuristic tricks such as TV regularization and upsampling.