How can we explain the predictions of a blackbox model? In this paper, we use influence functions -a classic technique from robust statistics -to trace a model's prediction through the learning algorithm and back to its training data, thereby identifying training points most responsible for a given prediction. To scale up influence functions to modern machine learning settings, we develop a simple, efficient implementation that requires only oracle access to gradients and Hessian-vector products. We show that even on non-convex and non-differentiable models where the theory breaks down, approximations to influence functions can still provide valuable information. On linear models and convolutional neural networks, we demonstrate that influence functions are useful for multiple purposes: understanding model behavior, debugging models, detecting dataset errors, and even creating visuallyindistinguishable training-set attacks.

从外界培训的机器学习模型可能会被数据中毒攻击损坏，将恶意指向到模型的培训集中。对这些攻击的常见防御是数据消毒：在培训模型之前首先过滤出异常培训点。在本文中，我们开发了三次攻击，可以绕过广泛的常见数据消毒防御，包括基于最近邻居，训练损失和奇异值分解的异常探测器。通过增加3％的中毒数据，我们的攻击成功地将Enron垃圾邮件检测数据集的测试错误从3％增加到24％，并且IMDB情绪分类数据集从12％到29％。相比之下，没有明确占据这些数据消毒防御的现有攻击被他们击败。我们的攻击基于两个想法：（i）我们协调我们的攻击将中毒点彼此放置在彼此附近，（ii）我们将每个攻击制定为受限制的优化问题，限制旨在确保中毒点逃避检测。随着这种优化涉及解决昂贵的Bilevel问题，我们的三个攻击对应于基于影响功能的近似近似这个问题的方式; minimax二元性;和karush-kuhn-tucker（kkt）条件。我们的结果强调了对数据中毒攻击产生更强大的防御的必要性。

影响功能有效地估计了删除单个训练数据点对模型学习参数的影响。尽管影响估计值与线性模型的剩余重新进行了良好的重新对齐，但最近的作品表明，在神经网络中，这种比对通常很差。在这项工作中，我们通过将其分解为五个单独的术语来研究导致这种差异的特定因素。我们研究每个术语对各种架构和数据集的贡献，以及它们如何随网络宽度和培训时间等因素而变化。尽管实际影响函数估计值可能是非线性网络中保留对方的重新培训的差异，但我们表明它们通常是对不同对象的良好近似值，我们称其为近端Bregman响应函数（PBRF）。由于PBRF仍然可以用来回答许多激励影响功能的问题，例如识别有影响力或标记的示例，因此我们的结果表明，影响功能估计的当前算法比以前的错误分析所暗示的更有用的结果。

Good models require good training data. For overparameterized deep models, the causal relationship between training data and model predictions is increasingly opaque and poorly understood. Influence analysis partially demystifies training's underlying interactions by quantifying the amount each training instance alters the final model. Measuring the training data's influence exactly can be provably hard in the worst case; this has led to the development and use of influence estimators, which only approximate the true influence. This paper provides the first comprehensive survey of training data influence analysis and estimation. We begin by formalizing the various, and in places orthogonal, definitions of training data influence. We then organize state-of-the-art influence analysis methods into a taxonomy; we describe each of these methods in detail and compare their underlying assumptions, asymptotic complexities, and overall strengths and weaknesses. Finally, we propose future research directions to make influence analysis more useful in practice as well as more theoretically and empirically sound. A curated, up-to-date list of resources related to influence analysis is available at https://github.com/ZaydH/influence_analysis_papers.

有针对性的训练集攻击将恶意实例注入训练集中，以导致训练有素的模型错误地标记一个或多个特定的测试实例。这项工作提出了目标识别的任务，该任务决定了特定的测试实例是否是训练集攻击的目标。目标识别可以与对抗性识别相结合，以查找（并删除）攻击实例，从而减轻对其他预测的影响，从而减轻攻击。我们没有专注于单个攻击方法或数据模式，而是基于影响力估计，这量化了每个培训实例对模型预测的贡献。我们表明，现有的影响估计量的不良实际表现通常来自于他们对训练实例和迭代次数的过度依赖。我们重新归一化的影响估计器解决了这一弱点。他们的表现远远超过了原始估计量，可以在对抗和非对抗环境中识别有影响力的训练示例群体，甚至发现多达100％的对抗训练实例，没有清洁数据误报。然后，目标识别简化以检测具有异常影响值的测试实例。我们证明了我们的方法对各种数据域的后门和中毒攻击的有效性，包括文本，视觉和语音，以及针对灰色盒子的自适应攻击者，该攻击者专门优化了逃避我们方法的对抗性实例。我们的源代码可在https://github.com/zaydh/target_indistification中找到。

Neural networks provide state-of-the-art results for most machine learning tasks. Unfortunately, neural networks are vulnerable to adversarial examples: given an input x and any target classification t, it is possible to find a new input x that is similar to x but classified as t. This makes it difficult to apply neural networks in security-critical areas. Defensive distillation is a recently proposed approach that can take an arbitrary neural network, and increase its robustness, reducing the success rate of current attacks' ability to find adversarial examples from 95% to 0.5%.In this paper, we demonstrate that defensive distillation does not significantly increase the robustness of neural networks by introducing three new attack algorithms that are successful on both distilled and undistilled neural networks with 100% probability. Our attacks are tailored to three distance metrics used previously in the literature, and when compared to previous adversarial example generation algorithms, our attacks are often much more effective (and never worse). Furthermore, we propose using high-confidence adversarial examples in a simple transferability test we show can also be used to break defensive distillation. We hope our attacks will be used as a benchmark in future defense attempts to create neural networks that resist adversarial examples.

Deep learning algorithms have been shown to perform extremely well on many classical machine learning problems. However, recent studies have shown that deep learning, like other machine learning techniques, is vulnerable to adversarial samples: inputs crafted to force a deep neural network (DNN) to provide adversary-selected outputs. Such attacks can seriously undermine the security of the system supported by the DNN, sometimes with devastating consequences. For example, autonomous vehicles can be crashed, illicit or illegal content can bypass content filters, or biometric authentication systems can be manipulated to allow improper access. In this work, we introduce a defensive mechanism called defensive distillation to reduce the effectiveness of adversarial samples on DNNs. We analytically investigate the generalizability and robustness properties granted by the use of defensive distillation when training DNNs. We also empirically study the effectiveness of our defense mechanisms on two DNNs placed in adversarial settings. The study shows that defensive distillation can reduce effectiveness of sample creation from 95% to less than 0.5% on a studied DNN. Such dramatic gains can be explained by the fact that distillation leads gradients used in adversarial sample creation to be reduced by a factor of 10 30 . We also find that distillation increases the average minimum number of features that need to be modified to create adversarial samples by about 800% on one of the DNNs we tested.

数十年来，计算机系统持有大量个人数据。一方面，这种数据丰度允许在人工智能（AI），尤其是机器学习（ML）模型中突破。另一方面，它可能威胁用户的隐私并削弱人类与人工智能之间的信任。最近的法规要求，可以从一般情况下从计算机系统中删除有关用户的私人信息，特别是根据要求从ML模型中删除（例如，“被遗忘的权利”）。虽然从后端数据库中删除数据应该很简单，但在AI上下文中，它不够，因为ML模型经常“记住”旧数据。现有的对抗攻击证明，我们可以从训练有素的模型中学习私人会员或培训数据的属性。这种现象要求采用新的范式，即机器学习，以使ML模型忘记了特定的数据。事实证明，由于缺乏共同的框架和资源，最近在机器上学习的工作无法完全解决问题。在本调查文件中，我们试图在其定义，场景，机制和应用中对机器进行彻底的研究。具体而言，作为最先进的研究的类别集合，我们希望为那些寻求机器未学习的入门及其各种表述，设计要求，删除请求，算法和用途的人提供广泛的参考。 ML申请。此外，我们希望概述范式中的关键发现和趋势，并突出显示尚未看到机器无法使用的新研究领域，但仍可以受益匪浅。我们希望这项调查为ML研究人员以及寻求创新隐私技术的研究人员提供宝贵的参考。我们的资源是在https://github.com/tamlhp/awesome-machine-unlearning上。

我们解决了对追踪预测的影响函数的高效计算，回到培训数据。我们提出并分析了一种新方法来加速基于Arnoldi迭代的反向Hessian计算。通过这种改进，我们实现了我们的知识，首次成功实施了影响功能，该函数的尺寸为全尺寸（语言和愿景）变压器模型，具有数十亿个参数。我们评估我们对图像分类和序列任务的方法，以百万次训练示例。我们的代码将在https://github.com/google-research/jax-influence上获得。

本文评价用机器学习问题的数值优化方法。由于机器学习模型是高度参数化的，我们专注于适合高维优化的方法。我们在二次模型上构建直觉，以确定哪种方法适用于非凸优化，并在凸函数上开发用于这种方法的凸起函数。随着随机梯度下降和动量方法的这种理论基础，我们试图解释为什么机器学习领域通常使用的方法非常成功。除了解释成功的启发式之外，最后一章还提供了对更多理论方法的广泛审查，这在实践中并不像惯例。所以在某些情况下，这项工作试图回答这个问题：为什么默认值中包含的默认TensorFlow优化器？

这是一门专门针对STEM学生开发的介绍性机器学习课程。我们的目标是为有兴趣的读者提供基础知识，以在自己的项目中使用机器学习，并将自己熟悉术语作为进一步阅读相关文献的基础。在这些讲义中，我们讨论受监督，无监督和强化学习。注释从没有神经网络的机器学习方法的说明开始，例如原理分析，T-SNE，聚类以及线性回归和线性分类器。我们继续介绍基本和先进的神经网络结构，例如密集的进料和常规神经网络，经常性的神经网络，受限的玻尔兹曼机器，（变性）自动编码器，生成的对抗性网络。讨论了潜在空间表示的解释性问题，并使用梦和对抗性攻击的例子。最后一部分致力于加强学习，我们在其中介绍了价值功能和政策学习的基本概念。

最近的立法导致对机器学习的兴趣，即从预测模型中删除特定的培训样本，就好像它们在培训数据集中从未存在。由于损坏/对抗性数据或仅仅是用户的更新隐私要求，也可能需要进行学习。对于不需要培训的模型（K-NN），只需删除最近的原始样品即可有效。但是，这个想法不适合学习更丰富的表示的模型。由于模型维度D的趋势，最新的想法利用了基于优化的更新，因为损失函数的Hessian颠倒了。我们使用新的条件独立系数L-CODEC的变体来识别模型参数的子集，其语义重叠在单个样本级别上。我们的方法完全避免了将（可能）巨大矩阵倒置的必要性。通过利用马尔可夫毯子的选择，我们前提是l-codec也适合深度学习以及视觉中的其他应用。与替代方案相比，L-Codec在原本是不可行的设置中可以实现近似学习，包括用于面部识别的视觉模型，人重新识别和可能需要未经学习的样品进行排除的NLP模型。代码可以在https://github.com/vsingh-group/lcodec-deep-unlearning/

Adaptive attacks have (rightfully) become the de facto standard for evaluating defenses to adversarial examples. We find, however, that typical adaptive evaluations are incomplete. We demonstrate that thirteen defenses recently published at ICLR, ICML and NeurIPS-and which illustrate a diverse set of defense strategies-can be circumvented despite attempting to perform evaluations using adaptive attacks. While prior evaluation papers focused mainly on the end result-showing that a defense was ineffective-this paper focuses on laying out the methodology and the approach necessary to perform an adaptive attack. Some of our attack strategies are generalizable, but no single strategy would have been sufficient for all defenses. This underlines our key message that adaptive attacks cannot be automated and always require careful and appropriate tuning to a given defense. We hope that these analyses will serve as guidance on how to properly perform adaptive attacks against defenses to adversarial examples, and thus will allow the community to make further progress in building more robust models.

The authors thank Nicholas Carlini (UC Berkeley) and Dimitris Tsipras (MIT) for feedback to improve the survey quality. We also acknowledge X. Huang (Uni. Liverpool), K. R. Reddy (IISC), E. Valle (UNICAMP), Y. Yoo (CLAIR) and others for providing pointers to make the survey more comprehensive.

Explainability has been widely stated as a cornerstone of the responsible and trustworthy use of machine learning models. With the ubiquitous use of Deep Neural Network (DNN) models expanding to risk-sensitive and safety-critical domains, many methods have been proposed to explain the decisions of these models. Recent years have also seen concerted efforts that have shown how such explanations can be distorted (attacked) by minor input perturbations. While there have been many surveys that review explainability methods themselves, there has been no effort hitherto to assimilate the different methods and metrics proposed to study the robustness of explanations of DNN models. In this work, we present a comprehensive survey of methods that study, understand, attack, and defend explanations of DNN models. We also present a detailed review of different metrics used to evaluate explanation methods, as well as describe attributional attack and defense methods. We conclude with lessons and take-aways for the community towards ensuring robust explanations of DNN model predictions.

机器学习模型的预测失败通常来自训练数据中的缺陷，例如不正确的标签，离群值和选择偏见。但是，这些负责给定失败模式的数据点通常不知道先验，更不用说修复故障的机制了。这项工作借鉴了贝叶斯对持续学习的看法，并为两者开发了一个通用框架，确定了导致目标失败的培训示例，并通过删除有关它们的信息来修复模型。该框架自然允许将最近学习的最新进展解决这一新的模型维修问题，同时将现有的作品集成了影响功能和数据删除作为特定实例。在实验上，提出的方法优于基准，既可以识别有害训练数据，又要以可普遍的方式固定模型失败。

In order for machine learning to be trusted in many applications, it is critical to be able to reliably explain why the machine learning algorithm makes certain predictions. For this reason, a variety of methods have been developed recently to interpret neural network predictions by providing, for example, feature importance maps. For both scientific robustness and security reasons, it is important to know to what extent can the interpretations be altered by small systematic perturbations to the input data, which might be generated by adversaries or by measurement biases. In this paper, we demonstrate how to generate adversarial perturbations that produce perceptively indistinguishable inputs that are assigned the same predicted label, yet have very different interpretations. We systematically characterize the robustness of interpretations generated by several widely-used feature importance interpretation methods (feature importance maps, integrated gradients, and DeepLIFT) on ImageNet and CIFAR-10. In all cases, our experiments show that systematic perturbations can lead to dramatically different interpretations without changing the label. We extend these results to show that interpretations based on exemplars (e.g. influence functions) are similarly susceptible to adversarial attack. Our analysis of the geometry of the Hessian matrix gives insight on why robustness is a general challenge to current interpretation approaches.

Influence diagnostics such as influence functions and approximate maximum influence perturbations are popular in machine learning and in AI domain applications. Influence diagnostics are powerful statistical tools to identify influential datapoints or subsets of datapoints. We establish finite-sample statistical bounds, as well as computational complexity bounds, for influence functions and approximate maximum influence perturbations using efficient inverse-Hessian-vector product implementations. We illustrate our results with generalized linear models and large attention based models on synthetic and real data.

在文献中提出了各种各样的公平度量和可解释的人工智能（XAI）方法，以确定在关键现实环境中使用的机器学习模型中的偏差。但是，仅报告模型的偏差，或使用现有XAI技术生成解释不足以定位并最终减轻偏差源。在这项工作中，我们通过识别对这种行为的根本原因的训练数据的连贯子集来引入Gopher，该系统产生紧凑，可解释和意外模型行为的偏差或意外模型行为。具体而言，我们介绍了因果责任的概念，这些责任通过删除或更新其数据集来解决培训数据的程度可以解决偏差。建立在这一概念上，我们开发了一种有效的方法，用于生成解释模型偏差的顶级模式，该模型偏置利用来自ML社区的技术来实现因果责任，并使用修剪规则来管理模式的大搜索空间。我们的实验评估表明了Gopher在为识别和调试偏置来源产生可解释解释时的有效性。

随着机器学习（ML）模型越来越多地被部署在高风险应用程序中，决策者提出了更严格的数据保护法规（例如GDPR，CCPA）。一个关键原则是``被遗忘的权利''，它使用户有权删除其数据。另一个关键原则是实现可操作的解释的权利，也称为算法追索权，使用户可以逆转不利的决定。迄今为止，尚不清楚这两个原则是否可以同时进行操作。因此，我们在数据删除请求的背景下介绍和研究追索权无效的问题。更具体地说，我们从理论上和经验上分析流行的最先进算法的行为，并证明如果这些算法产生的记录可能会无效，如果少数数据删除请求（例如1或2）保证书（例如1或2）预测模型的更新。对于线性模型和过度参数化的神经网络的设置 - 通过神经切线内核（NTK）进行了研究 - 我们建议一个框架来识别最小的关键训练点的最小值，当删除时，它将导致最大程度地提高其最大程度的分数。无效的回流。使用我们的框架，我们从经验上确定，从训练集中删除2个数据实例可以使流行的最先进算法最多无效所有回报的95％。因此，我们的工作提出了有关``被遗忘的权利''的背景下``可行解释权''的兼容性的基本问题。