基于梯度的解释算法何时提供有意义的解释？我们提出了一个必要的标准：它们的特征归因需要与数据歧管的切线空间保持一致。为了提供这一假设的证据，我们介绍了一个基于变异自动编码器的框架，该框架允许估计和生成图像歧管。通过跨各种不同数据集的实验 - MNIST，EMNIST，CIFAR10，X射线肺炎和糖尿病性视网膜病变检测 - 我们证明，功能归因与数据的切线相符，结构化和解释性越多倾向于。特别是，由流行的事后方法（例如集成梯度，SmoothGrad和Input $ \ times $梯度）提供的归因往往比原始梯度更与数据歧管更强烈。结果，我们建议解释算法应积极努力将其解释与数据歧管保持一致。在某种程度上，这可以通过对抗训练来实现，从而可以使所有数据集更好地对齐。必须对模型架构或训练算法进行某种形式的调整，因为我们表明单独的神经网络的概括并不意味着模型梯度与数据歧管的一致性。

反事实可以以人类的可解释方式解释神经网络的分类决策。我们提出了一种简单但有效的方法来产生这种反事实。更具体地说，我们执行合适的差异坐标转换，然后在这些坐标中执行梯度上升，以查找反事实，这些反事实是由置信度良好的指定目标类别分类的。我们提出了两种方法来利用生成模型来构建完全或大约差异的合适坐标系。我们使用Riemannian差异几何形状分析了生成过程，并使用各种定性和定量测量方法验证了生成的反事实质量。

可解释的人工智能（XAI）的新兴领域旨在为当今强大但不透明的深度学习模型带来透明度。尽管本地XAI方法以归因图的形式解释了个体预测，从而确定了重要特征的发生位置（但没有提供有关其代表的信息），但全局解释技术可视化模型通常学会的编码的概念。因此，两种方法仅提供部分见解，并留下将模型推理解释的负担。只有少数当代技术旨在将本地和全球XAI背后的原则结合起来，以获取更多信息的解释。但是，这些方法通常仅限于特定的模型体系结构，或对培训制度或数据和标签可用性施加其他要求，这实际上使事后应用程序成为任意预训练的模型。在这项工作中，我们介绍了概念相关性传播方法（CRP）方法，该方法结合了XAI的本地和全球观点，因此允许回答“何处”和“ where”和“什么”问题，而没有其他约束。我们进一步介绍了相关性最大化的原则，以根据模型对模型的有用性找到代表性的示例。因此，我们提高了对激活最大化及其局限性的共同实践的依赖。我们证明了我们方法在各种环境中的能力，展示了概念相关性传播和相关性最大化导致了更加可解释的解释，并通过概念图表，概念组成分析和概念集合和概念子区和概念子区和概念子集和定量研究对模型的表示和推理提供了深刻的见解。它们在细粒度决策中的作用。

Explainability has been widely stated as a cornerstone of the responsible and trustworthy use of machine learning models. With the ubiquitous use of Deep Neural Network (DNN) models expanding to risk-sensitive and safety-critical domains, many methods have been proposed to explain the decisions of these models. Recent years have also seen concerted efforts that have shown how such explanations can be distorted (attacked) by minor input perturbations. While there have been many surveys that review explainability methods themselves, there has been no effort hitherto to assimilate the different methods and metrics proposed to study the robustness of explanations of DNN models. In this work, we present a comprehensive survey of methods that study, understand, attack, and defend explanations of DNN models. We also present a detailed review of different metrics used to evaluate explanation methods, as well as describe attributional attack and defense methods. We conclude with lessons and take-aways for the community towards ensuring robust explanations of DNN model predictions.

这本数字本书包含在物理模拟的背景下与深度学习相关的一切实际和全面的一切。尽可能多，所有主题都带有Jupyter笔记本的形式的动手代码示例，以便快速入门。除了标准的受监督学习的数据中，我们将看看物理丢失约束，更紧密耦合的学习算法，具有可微分的模拟，以及加强学习和不确定性建模。我们生活在令人兴奋的时期：这些方法具有从根本上改变计算机模拟可以实现的巨大潜力。

Adversarial examples have attracted significant attention in machine learning, but the reasons for their existence and pervasiveness remain unclear. We demonstrate that adversarial examples can be directly attributed to the presence of non-robust features: features (derived from patterns in the data distribution) that are highly predictive, yet brittle and (thus) incomprehensible to humans. After capturing these features within a theoretical framework, we establish their widespread existence in standard datasets. Finally, we present a simple setting where we can rigorously tie the phenomena we observe in practice to a misalignment between the (human-specified) notion of robustness and the inherent geometry of the data.

Neural network interpretation methods, particularly feature attribution methods, are known to be fragile with respect to adversarial input perturbations. To address this, several methods for enhancing the local smoothness of the gradient while training have been proposed for attaining \textit{robust} feature attributions. However, the lack of considering the normalization of the attributions, which is essential in their visualizations, has been an obstacle to understanding and improving the robustness of feature attribution methods. In this paper, we provide new insights by taking such normalization into account. First, we show that for every non-negative homogeneous neural network, a naive $\ell_2$-robust criterion for gradients is \textit{not} normalization invariant, which means that two functions with the same normalized gradient can have different values. Second, we formulate a normalization invariant cosine distance-based criterion and derive its upper bound, which gives insight for why simply minimizing the Hessian norm at the input, as has been done in previous work, is not sufficient for attaining robust feature attribution. Finally, we propose to combine both $\ell_2$ and cosine distance-based criteria as regularization terms to leverage the advantages of both in aligning the local gradient. As a result, we experimentally show that models trained with our method produce much more robust interpretations on CIFAR-10 and ImageNet-100 without significantly hurting the accuracy, compared to the recent baselines. To the best of our knowledge, this is the first work to verify the robustness of interpretation on a larger-scale dataset beyond CIFAR-10, thanks to the computational efficiency of our method.

Deep neural networks can approximate functions on different types of data, from images to graphs, with varied underlying structure. This underlying structure can be viewed as the geometry of the data manifold. By extending recent advances in the theoretical understanding of neural networks, we study how a randomly initialized neural network with piece-wise linear activation splits the data manifold into regions where the neural network behaves as a linear function. We derive bounds on the density of boundary of linear regions and the distance to these boundaries on the data manifold. This leads to insights into the expressivity of randomly initialized deep neural networks on non-Euclidean data sets. We empirically corroborate our theoretical results using a toy supervised learning problem. Our experiments demonstrate that number of linear regions varies across manifolds and the results hold with changing neural network architectures. We further demonstrate how the complexity of linear regions is different on the low dimensional manifold of images as compared to the Euclidean space, using the MetFaces dataset.

Explainable AI transforms opaque decision strategies of ML models into explanations that are interpretable by the user, for example, identifying the contribution of each input feature to the prediction at hand. Such explanations, however, entangle the potentially multiple factors that enter into the overall complex decision strategy. We propose to disentangle explanations by finding relevant subspaces in activation space that can be mapped to more abstract human-understandable concepts and enable a joint attribution on concepts and input features. To automatically extract the desired representation, we propose new subspace analysis formulations that extend the principle of PCA and subspace analysis to explanations. These novel analyses, which we call principal relevant component analysis (PRCA) and disentangled relevant subspace analysis (DRSA), optimize relevance of projected activations rather than the more traditional variance or kurtosis. This enables a much stronger focus on subspaces that are truly relevant for the prediction and the explanation, in particular, ignoring activations or concepts to which the prediction model is invariant. Our approach is general enough to work alongside common attribution techniques such as Shapley Value, Integrated Gradients, or LRP. Our proposed methods show to be practically useful and compare favorably to the state of the art as demonstrated on benchmarks and three use cases.

这是一门专门针对STEM学生开发的介绍性机器学习课程。我们的目标是为有兴趣的读者提供基础知识，以在自己的项目中使用机器学习，并将自己熟悉术语作为进一步阅读相关文献的基础。在这些讲义中，我们讨论受监督，无监督和强化学习。注释从没有神经网络的机器学习方法的说明开始，例如原理分析，T-SNE，聚类以及线性回归和线性分类器。我们继续介绍基本和先进的神经网络结构，例如密集的进料和常规神经网络，经常性的神经网络，受限的玻尔兹曼机器，（变性）自动编码器，生成的对抗性网络。讨论了潜在空间表示的解释性问题，并使用梦和对抗性攻击的例子。最后一部分致力于加强学习，我们在其中介绍了价值功能和政策学习的基本概念。

歧管假说（现实世界数据集中在低维流形附近）被认为是在非常高的维度问题中，在诸如视觉和言语等领域常见的非常高的维度问题中，机器学习算法的有效性。已经提出了多种方法将歧管假设纳入现代深度神经网络（DNNS）的先验，并取得了不同的成功。在本文中，我们提出了一种新方法，即远程学习者，以将基于DNN的分类器提前整合。对距离学习者进行了训练，以预测一个点与每个类别的基础歧管的距离，而不是类标签。对于分类，远程学习者然后选择与最接近预测类歧管相对应的类。距离学习者还可以将点识别为超出分布（属于两类），如果与最接近的歧管的距离高于阈值。我们在多个合成数据集上评估了我们的方法，并表明距离学习者与标准分类器相比学习了更有意义的分类边界。我们还评估了我们的方法对对抗性鲁棒性的任务，并发现它不仅要优于标准分类器，而且还可以与通过最先进的对抗训练进行培训的分类器相当。

与CNN的分类，分割或对象检测相比，生成网络的目标和方法根本不同。最初，它们不是作为图像分析工具，而是生成自然看起来的图像。已经提出了对抗性训练范式来稳定生成方法，并已被证明是非常成功的 - 尽管绝不是第一次尝试。本章对生成对抗网络（GAN）的动机进行了基本介绍，并通​​过抽象基本任务和工作机制并得出了早期实用方法的困难来追溯其成功的道路。将显示进行更稳定的训练方法，也将显示出不良收敛及其原因的典型迹象。尽管本章侧重于用于图像生成和图像分析的gan，但对抗性训练范式本身并非特定于图像，并且在图像分析中也概括了任务。在将GAN与最近进入场景的进一步生成建模方法进行对比之前，将闻名图像语义分割和异常检测的架构示例。这将允许对限制的上下文化观点，但也可以对gans有好处。

对于使用高性能机器学习算法通常不透明的决策，人们越来越担心。用特定于领域的术语对推理过程的解释对于在医疗保健等风险敏感领域中采用至关重要。我们认为，机器学习算法应该可以通过设计来解释，并且表达这些解释的语言应与域和任务有关。因此，我们将模型的预测基于数据的用户定义和特定于任务的二进制函数，每个都对最终用户有明确的解释。然后，我们最大程度地减少了在任何给定输入上准确预测所需的预期查询数。由于解决方案通常是棘手的，因此在事先工作之后，我们根据信息增益顺序选择查询。但是，与以前的工作相反，我们不必假设查询在有条件地独立。取而代之的是，我们利用随机生成模型（VAE）和MCMC算法（未经调整的Langevin）来选择基于先前的查询 - 答案的输入的最有用的查询。这使得在线确定要解决预测歧义所需的任何深度的查询链。最后，关于视觉和NLP任务的实验证明了我们的方法的功效及其优越性比事后解释的优势。

We investigate whether three types of post hoc model explanations--feature attribution, concept activation, and training point ranking--are effective for detecting a model's reliance on spurious signals in the training data. Specifically, we consider the scenario where the spurious signal to be detected is unknown, at test-time, to the user of the explanation method. We design an empirical methodology that uses semi-synthetic datasets along with pre-specified spurious artifacts to obtain models that verifiably rely on these spurious training signals. We then provide a suite of metrics that assess an explanation method's reliability for spurious signal detection under various conditions. We find that the post hoc explanation methods tested are ineffective when the spurious artifact is unknown at test-time especially for non-visible artifacts like a background blur. Further, we find that feature attribution methods are susceptible to erroneously indicating dependence on spurious signals even when the model being explained does not rely on spurious artifacts. This finding casts doubt on the utility of these approaches, in the hands of a practitioner, for detecting a model's reliance on spurious signals.

Classifiers used in the wild, in particular for safetycritical systems, should not only have good generalization properties but also should know when they don't know, in particular make low confidence predictions far away from the training data. We show that ReLU type neural networks which yield a piecewise linear classifier function fail in this regard as they produce almost always high confidence predictions far away from the training data. For bounded domains like images we propose a new robust optimization technique similar to adversarial training which enforces low confidence predictions far away from the training data. We show that this technique is surprisingly effective in reducing the confidence of predictions far away from the training data while maintaining high confidence predictions and test error on the original classification task compared to standard training.

图像空间中的视觉反事实解释（VCE）是了解图像分类器的决策的重要工具，因为它们显示了图像的更改，分类器的决策将会改变。他们在图像空间中的产生具有挑战性，由于对抗性例子的问题，需要强大的模型。在图像空间中生成VCE的现有技术遭受背景虚假变化的影响。我们对VCE的新型扰动模型以及通过我们的新型自动 - 弗兰克 - 摩 - 摩托方案的有效优化产生了稀疏的VCE，从而导致了针对目标类别的细微变化。此外，我们表明，由于Imagenet数据集中的虚假特征，VCE可用于检测Imagenet分类器的不希望的行为。

我们研究了回归中神经网络（NNS）的模型不确定性的方法。为了隔离模型不确定性的效果，我们专注于稀缺训练数据的无噪声环境。我们介绍了关于任何方法都应满足的模型不确定性的五个重要的逃亡者。但是，我们发现，建立的基准通常无法可靠地捕获其中一些逃避者，即使是贝叶斯理论要求的基准。为了解决这个问题，我们介绍了一种新方法来捕获NNS的模型不确定性，我们称之为基于神经优化的模型不确定性（NOMU）。 NOMU的主要思想是设计一个由两个连接的子NN组成的网络体系结构，一个用于模型预测，一个用于模型不确定性，并使用精心设计的损耗函数进行训练。重要的是，我们的设计执行NOMU满足我们的五个Desiderata。由于其模块化体系结构，NOMU可以为任何给定（先前训练）NN提供模型不确定性，如果访问其培训数据。我们在各种回归任务和无嘈杂的贝叶斯优化（BO）中评估NOMU，并具有昂贵的评估。在回归中，NOMU至少和最先进的方法。在BO中，Nomu甚至胜过所有考虑的基准。

机器学习模型通常会遇到与训练分布不同的样本。无法识别分布（OOD）样本，因此将该样本分配给课堂标签会显着损害模​​型的可靠性。由于其对在开放世界中的安全部署模型的重要性，该问题引起了重大关注。由于对所有可能的未知分布进行建模的棘手性，检测OOD样品是具有挑战性的。迄今为止，一些研究领域解决了检测陌生样本的问题，包括异常检测，新颖性检测，一级学习，开放式识别识别和分布外检测。尽管有相似和共同的概念，但分别分布，开放式检测和异常检测已被独立研究。因此，这些研究途径尚未交叉授粉，创造了研究障碍。尽管某些调查打算概述这些方法，但它们似乎仅关注特定领域，而无需检查不同领域之间的关系。这项调查旨在在确定其共同点的同时，对各个领域的众多著名作品进行跨域和全面的审查。研究人员可以从不同领域的研究进展概述中受益，并协同发展未来的方法。此外，据我们所知，虽然进行异常检测或单级学习进行了调查，但没有关于分布外检测的全面或最新的调查，我们的调查可广泛涵盖。最后，有了统一的跨域视角，我们讨论并阐明了未来的研究线，打算将这些领域更加紧密地融为一体。

Deep neural networks excel at learning the training data, but often provide incorrect and confident predictions when evaluated on slightly different test examples. This includes distribution shifts, outliers, and adversarial examples. To address these issues, we propose Manifold Mixup, a simple regularizer that encourages neural networks to predict less confidently on interpolations of hidden representations. Manifold Mixup leverages semantic interpolations as additional training signal, obtaining neural networks with smoother decision boundaries at multiple levels of representation. As a result, neural networks trained with Manifold Mixup learn class-representations with fewer directions of variance. We prove theory on why this flattening happens under ideal conditions, validate it on practical situations, and connect it to previous works on information theory and generalization. In spite of incurring no significant computation and being implemented in a few lines of code, Manifold Mixup improves strong baselines in supervised learning, robustness to single-step adversarial attacks, and test log-likelihood.

无监督的黑盒模型要挑战。实际上，大多数现有的解释性方法都要求标签来选择要解释的黑框输出的组件。在没有标签的情况下，黑框输出通常是表示向量，其组件的分量与任何有意义的数量不符。因此，选择哪些组件在无标签的无监督/自我监督的设置中是一个重要但未解决的问题。为了弥合文献中的这一差距，我们介绍了事后解释技术的两个关键扩展：（1）无标签的功能重要性以及（2）无标签的示例分别重要的示例，这些示例分别强调了黑盒的有影响力的特征和训练示例在推理时间构建表示。我们证明，我们的扩展可以成功实现，以围绕许多现有功能和示例重要性方法的简单包装器实现。我们通过定性和定量的比较来说明我们无标记的解释性范式的实用性，该范式对经过不同无监督任务的各种自动编码器学到的表示空间进行了定量比较。