Concept bottleneck models perform classification by first predicting which of a list of human provided concepts are true about a datapoint. Then a downstream model uses these predicted concept labels to predict the target label. The predicted concepts act as a rationale for the target prediction. Model trust issues emerge in this paradigm when soft concept labels are used: it has previously been observed that extra information about the data distribution leaks into the concept predictions. In this work we show how Monte-Carlo Dropout can be used to attain soft concept predictions that do not contain leaked information.

The Concept Bottleneck Models (CBMs) of Koh et al. [2020] provide a means to ensure that a neural network based classifier bases its predictions solely on human understandable concepts. The concept labels, or rationales as we refer to them, are learned by the concept labeling component of the CBM. Another component learns to predict the target classification label from these predicted concept labels. Unfortunately, these models are heavily reliant on human provided concept labels for each datapoint. To enable CBMs to behave robustly when these labels are not readily available, we show how to equip them with the ability to abstain from predicting concepts when the concept labeling component is uncertain. In other words, our model learns to provide rationales for its predictions, but only whenever it is sure the rationale is correct.

Rising usage of deep neural networks to perform decision making in critical applications like medical diagnosis and financial analysis have raised concerns regarding their reliability and trustworthiness. As automated systems become more mainstream, it is important their decisions be transparent, reliable and understandable by humans for better trust and confidence. To this effect, concept-based models such as Concept Bottleneck Models (CBMs) and Self-Explaining Neural Networks (SENN) have been proposed which constrain the latent space of a model to represent high level concepts easily understood by domain experts in the field. Although concept-based models promise a good approach to both increasing explainability and reliability, it is yet to be shown if they demonstrate robustness and output consistent concepts under systematic perturbations to their inputs. To better understand performance of concept-based models on curated malicious samples, in this paper, we aim to study their robustness to adversarial perturbations, which are also known as the imperceptible changes to the input data that are crafted by an attacker to fool a well-learned concept-based model. Specifically, we first propose and analyze different malicious attacks to evaluate the security vulnerability of concept based models. Subsequently, we propose a potential general adversarial training-based defense mechanism to increase robustness of these systems to the proposed malicious attacks. Extensive experiments on one synthetic and two real-world datasets demonstrate the effectiveness of the proposed attacks and the defense approach.

缺乏精心校准的置信度估计值使神经网络在安全至关重要的领域（例如自动驾驶或医疗保健）中不足。在这些设置中，有能力放弃对分布（OOD）数据进行预测的能力，就像正确分类分布数据一样重要。我们介绍了$ P $ -DKNN，这是一种新颖的推理程序，该过程采用了经过训练的深神经网络，并分析了其中间隐藏表示形式的相似性结构，以计算与端到端模型预测相关的$ p $值。直觉是，在潜在表示方面执行的统计测试不仅可以用作分类器，还可以提供统计上有充分根据的不确定性估计。 $ P $ -DKNN是可扩展的，并利用隐藏层学到的表示形式的组成，这使深度表示学习成功。我们的理论分析基于Neyman-Pearson的分类，并将其与选择性分类的最新进展（拒绝选项）联系起来。我们证明了在放弃预测OOD输入和保持分布输入的高精度之间的有利权衡。我们发现，$ p $ -DKNN强迫自适应攻击者制作对抗性示例（一种最差的OOD输入形式），以对输入引入语义上有意义的更改。

不确定性估计（UE）技术 - 例如高斯过程（GP），贝叶斯神经网络（BNN），蒙特卡罗辍学（MCDropout） - 旨在通过为每个分配估计的不确定性值来提高机器学习模型的可解释性他们的预测输出。然而，由于过高的不确定性估计可以在实践中具有致命的后果，因此本文分析了上述技术。首先，我们表明GP方法始终会产生高不确定性估计（OOD）数据。其次，我们在2D玩具示例中显示了BNN和MCDRopout在OOD样品上没有提供高不确定性估计。最后，我们凭经验展示了这种BNNS和MCDRopout的陷阱也在现实世界数据集中持有。我们的见解（i）提高了对深度学习中目前流行的UE方法更加谨慎使用的认识，（ii）鼓励开发UE方法，这些方法近似于基于GP的方法 - 而不是BNN和MCDROPOUT，以及我们的经验设置可用于验证任何其他UE方法的ood性能。源代码在https://github.com/epfml/unctemationsiapity-娱乐中获得。

Deep neural networks (NNs) are powerful black box predictors that have recently achieved impressive performance on a wide spectrum of tasks. Quantifying predictive uncertainty in NNs is a challenging and yet unsolved problem. Bayesian NNs, which learn a distribution over weights, are currently the state-of-the-art for estimating predictive uncertainty; however these require significant modifications to the training procedure and are computationally expensive compared to standard (non-Bayesian) NNs. We propose an alternative to Bayesian NNs that is simple to implement, readily parallelizable, requires very little hyperparameter tuning, and yields high quality predictive uncertainty estimates. Through a series of experiments on classification and regression benchmarks, we demonstrate that our method produces well-calibrated uncertainty estimates which are as good or better than approximate Bayesian NNs. To assess robustness to dataset shift, we evaluate the predictive uncertainty on test examples from known and unknown distributions, and show that our method is able to express higher uncertainty on out-of-distribution examples. We demonstrate the scalability of our method by evaluating predictive uncertainty estimates on ImageNet.

部署AI驱动的系统需要支持有效人类互动的值得信赖的模型，超出了原始预测准确性。概念瓶颈模型通过在类似人类的概念的中间级别调节分类任务来促进可信度。这使得人类干预措施可以纠正错误预测的概念以改善模型的性能。但是，现有的概念瓶颈模型无法在高任务准确性，基于概念的强大解释和对概念的有效干预措施之间找到最佳的妥协，尤其是在稀缺完整和准确的概念主管的现实情况下。为了解决这个问题，我们提出了概念嵌入模型，这是一种新型的概念瓶颈模型，它通过学习可解释的高维概念表示形式而超出了当前的准确性-VS解关性权衡。我们的实验表明，嵌入模型（1）达到更好或竞争性的任务准确性W.R.T. W.R.T.没有概念的标准神经模型，（2）提供概念表示，以捕获有意义的语义，包括其地面真相标签，（3）支持测试时间概念干预措施，其在测试准确性中的影响超过了标准概念瓶颈模型，以及（4）规模对于稀缺的完整概念监督的现实条件。

Deep learning tools have gained tremendous attention in applied machine learning. However such tools for regression and classification do not capture model uncertainty. In comparison, Bayesian models offer a mathematically grounded framework to reason about model uncertainty, but usually come with a prohibitive computational cost. In this paper we develop a new theoretical framework casting dropout training in deep neural networks (NNs) as approximate Bayesian inference in deep Gaussian processes. A direct result of this theory gives us tools to model uncertainty with dropout NNsextracting information from existing models that has been thrown away so far. This mitigates the problem of representing uncertainty in deep learning without sacrificing either computational complexity or test accuracy. We perform an extensive study of the properties of dropout's uncertainty. Various network architectures and nonlinearities are assessed on tasks of regression and classification, using MNIST as an example. We show a considerable improvement in predictive log-likelihood and RMSE compared to existing state-of-the-art methods, and finish by using dropout's uncertainty in deep reinforcement learning.

对于使用高性能机器学习算法通常不透明的决策，人们越来越担心。用特定于领域的术语对推理过程的解释对于在医疗保健等风险敏感领域中采用至关重要。我们认为，机器学习算法应该可以通过设计来解释，并且表达这些解释的语言应与域和任务有关。因此，我们将模型的预测基于数据的用户定义和特定于任务的二进制函数，每个都对最终用户有明确的解释。然后，我们最大程度地减少了在任何给定输入上准确预测所需的预期查询数。由于解决方案通常是棘手的，因此在事先工作之后，我们根据信息增益顺序选择查询。但是，与以前的工作相反，我们不必假设查询在有条件地独立。取而代之的是，我们利用随机生成模型（VAE）和MCMC算法（未经调整的Langevin）来选择基于先前的查询 - 答案的输入的最有用的查询。这使得在线确定要解决预测歧义所需的任何深度的查询链。最后，关于视觉和NLP任务的实验证明了我们的方法的功效及其优越性比事后解释的优势。

The interpretation of deep learning models is a challenge due to their size, complexity, and often opaque internal state. In addition, many systems, such as image classifiers, operate on low-level features rather than high-level concepts. To address these challenges, we introduce Concept Activation Vectors (CAVs), which provide an interpretation of a neural net's internal state in terms of human-friendly concepts. The key idea is to view the high-dimensional internal state of a neural net as an aid, not an obstacle. We show how to use CAVs as part of a technique, Testing with CAVs (TCAV), that uses directional derivatives to quantify the degree to which a user-defined concept is important to a classification result-for example, how sensitive a prediction of zebra is to the presence of stripes. Using the domain of image classification as a testing ground, we describe how CAVs may be used to explore hypotheses and generate insights for a standard image classification network as well as a medical application.

这是一门专门针对STEM学生开发的介绍性机器学习课程。我们的目标是为有兴趣的读者提供基础知识，以在自己的项目中使用机器学习，并将自己熟悉术语作为进一步阅读相关文献的基础。在这些讲义中，我们讨论受监督，无监督和强化学习。注释从没有神经网络的机器学习方法的说明开始，例如原理分析，T-SNE，聚类以及线性回归和线性分类器。我们继续介绍基本和先进的神经网络结构，例如密集的进料和常规神经网络，经常性的神经网络，受限的玻尔兹曼机器，（变性）自动编码器，生成的对抗性网络。讨论了潜在空间表示的解释性问题，并使用梦和对抗性攻击的例子。最后一部分致力于加强学习，我们在其中介绍了价值功能和政策学习的基本概念。

会员推理攻击是机器学习模型中最简单的隐私泄漏形式之一：给定数据点和模型，确定该点是否用于培训模型。当查询其培训数据时，现有会员推理攻击利用模型的异常置信度。如果对手访问模型的预测标签，则不会申请这些攻击，而不会置信度。在本文中，我们介绍了仅限标签的会员资格推理攻击。我们的攻击而不是依赖置信分数，而是评估模型预测标签在扰动下的稳健性，以获得细粒度的隶属信号。这些扰动包括常见的数据增强或对抗例。我们经验表明，我们的标签占会员推理攻击与先前攻击相符，以便需要访问模型信心。我们进一步证明，仅限标签攻击违反了（隐含或明确）依赖于我们呼叫信心屏蔽的现象的员工推论攻击的多种防御。这些防御修改了模型的置信度分数以挫败攻击，但留下模型的预测标签不变。我们的标签攻击展示了置信性掩蔽不是抵御会员推理的可行的防御策略。最后，我们调查唯一的案例标签攻击，该攻击推断为少量异常值数据点。我们显示仅标签攻击也匹配此设置中基于置信的攻击。我们发现具有差异隐私和（强）L2正则化的培训模型是唯一已知的防御策略，成功地防止所有攻击。即使差异隐私预算太高而无法提供有意义的可证明担保，这仍然存在。

标记数据可以是昂贵的任务，因为它通常由域专家手动执行。对于深度学习而言，这是繁琐的，因为它取决于大型标记的数据集。主动学习（AL）是一种范式，旨在通过仅使用二手车型认为最具信息丰富的数据来减少标签努力。在文本分类设置中，在AL上完成了很少的研究，旁边没有涉及最近的最先进的自然语言处理（NLP）模型。在这里，我们介绍了一个实证研究，可以将基于不确定性的基于不确定性的算法与Bert $ _ {base} $相比，作为使用的分类器。我们评估两个NLP分类数据集的算法：斯坦福情绪树木银行和kvk-Front页面。此外，我们探讨了旨在解决不确定性的al的预定问题的启发式;即，它是不可规范的，并且易于选择异常值。此外，我们探讨了查询池大小对al的性能的影响。虽然发现，AL的拟议启发式没有提高AL的表现;我们的结果表明，使用BERT $ _ {Base} $概率使用不确定性的AL。随着查询池大小变大，性能的这种差异可以减少。

在许多情况下，基于一些高级概念来解释人为的决定。在这项工作中，我们通过检查其内部代表或神经元对概念的激活来迈出神经网络的可解释性。一个概念的特征在于一组具有共同特征的样本。我们提出了一个框架来检查概念（或其否定）和任务类之间存在因果关系的存在。虽然以前的方法专注于概念对任务类的重要性，但我们进一步进一步介绍了四项措施来定量地确定因果关系的顺序。此外，我们提出了一种以基于概念的决策树的形式构建一种概念的层次结构，其可以阐明各种概念如何在神经网络内交互朝向预测输出类。通过实验，我们展示了提出方法在解释神经网络的概念与预测行为之间的因果关系中的有效性以及通过构建概念层次结构来确定不同概念之间的相互作用。

We quantitatively investigate how machine learning models leak information about the individual data records on which they were trained. We focus on the basic membership inference attack: given a data record and black-box access to a model, determine if the record was in the model's training dataset. To perform membership inference against a target model, we make adversarial use of machine learning and train our own inference model to recognize differences in the target model's predictions on the inputs that it trained on versus the inputs that it did not train on.We empirically evaluate our inference techniques on classification models trained by commercial "machine learning as a service" providers such as Google and Amazon. Using realistic datasets and classification tasks, including a hospital discharge dataset whose membership is sensitive from the privacy perspective, we show that these models can be vulnerable to membership inference attacks. We then investigate the factors that influence this leakage and evaluate mitigation strategies.

部署在医学成像任务上的机器学习模型必须配备分布外检测功能，以避免错误的预测。不确定依赖于深神经网络的分布外检测模型是否适合检测医学成像中的域移位。高斯流程可以通过其数学结构可靠地与分布数据点可靠地分开分发数据点。因此，我们为分层卷积高斯工艺提出了一个参数有效的贝叶斯层，该过程融合了在Wasserstein-2空间中运行的高斯过程，以可靠地传播不确定性。这直接用远距离的仿射操作员在分布中直接取代了高斯流程。我们对脑组织分割的实验表明，所得的架构接近了确定性分割算法（U-NET）的性能，而先前的层次高斯过程尚未实现。此外，通过将相同的分割模型应用于分布外数据（即具有病理学（例如脑肿瘤）的图像），我们表明我们的不确定性估计导致分布外检测，以优于以前的贝叶斯网络和以前的贝叶斯网络的功能基于重建的方法学习规范分布。为了促进未来的工作，我们的代码公开可用。

主动学习是减少训练深神经网络模型中数据量的流行方法。它的成功取决于选择有效的采集函数，该功能尚未根据其预期的信息进行排名。在不确定性抽样中，当前模型具有关于点类标签的不确定性是这种类型排名的主要标准。本文提出了一种在培训卷积神经网络（CNN）中进行不确定性采样的新方法。主要思想是使用CNN提取提取的特征表示作为培训总产品网络（SPN）的数据。由于SPN通常用于估计数据集的分布，因此它们非常适合估算类概率的任务，这些概率可以直接由标准采集函数（例如最大熵和变异比率）使用。此外，我们通过在SPN模型的帮助下通过权重增强了这些采集函数。这些权重使采集功能对数据点的可疑类标签的多样性更加敏感。我们的方法的有效性在对MNIST，时尚持续和CIFAR-10数据集的实验研究中得到了证明，我们将其与最先进的方法MC辍学和贝叶斯批次进行了比较。

Concept bottleneck models (CBMs) (Koh et al. 2020) are interpretable neural networks that first predict labels for human-interpretable concepts relevant to the prediction task, and then predict the final label based on the concept label predictions.We extend CBMs to interactive prediction settings where the model can query a human collaborator for the label to some concepts. We develop an interaction policy that, at prediction time, chooses which concepts to request a label for so as to maximally improve the final prediction. We demonstrate thata simple policy combining concept prediction uncertainty and influence of the concept on the final prediction achieves strong performance and outperforms a static approach proposed in Koh et al. (2020) as well as active feature acquisition methods proposed in the literature. We show that the interactiveCBM can achieve accuracy gains of 5-10% with only 5 interactions over competitive baselines on the Caltech-UCSDBirds, CheXpert and OAI datasets.

由于对神经网络的运行推断的计算成本，因此通常需要在第三方的计算环境或硬件上部署推论步骤。如果第三方不完全信任，则需要混淆输入和输出的性质，以便第三方无法轻易确定正在执行哪些特定任务。事实证明，存在利用不受信任的政党的协议，但在实践中运行的计算要求太高了。相反，我们探索了一种不同的快速启发式安全策略，我们称之为连接主义符号伪造秘密。通过利用全息降低表示（HRR），我们创建了一个具有伪加密风格的防御的神经网络，从经验上表现出强大的攻击性，即使在不切实际地偏爱对手的威胁模型下也是如此。

We present a variational approximation to the information bottleneck of Tishby et al. (1999). This variational approach allows us to parameterize the information bottleneck model using a neural network and leverage the reparameterization trick for efficient training. We call this method "Deep Variational Information Bottleneck", or Deep VIB. We show that models trained with the VIB objective outperform those that are trained with other forms of regularization, in terms of generalization performance and robustness to adversarial attack.