We argue that when a 1-Lipschitz neural network is learned with the dual loss of an optimal transport problem, the gradient of the model is both the direction of the transport plan and the direction towards the closest adversarial attack. Travelling along the gradient to the decision boundary is no longer an adversarial attack but a counterfactual explanation, explicitly transporting from one class to another. Through extensive experiments on XAI metrics, we find that simple saliency-map methods applied to such networks become reliable explanations and outperform state-of-the-art explanation methods on unconstrained models. The proposed networks were already known to be certifiably robust; we show that they are also explainable with a fast and simple method.
Explainability has been widely stated as a cornerstone of the responsible and trustworthy use of machine learning models. With the ubiquitous use of Deep Neural Network (DNN) models expanding to risk-sensitive and safety-critical domains, many methods have been proposed to explain the decisions of these models. Recent years have also seen concerted efforts that have shown how such explanations can be distorted (attacked) by minor input perturbations. While there have been many surveys that review explainability methods themselves, there has been no effort hitherto to assimilate the different methods and metrics proposed to study the robustness of explanations of DNN models. In this work, we present a comprehensive survey of methods that study, understand, attack, and defend explanations of DNN models. We also present a detailed review of different metrics used to evaluate explanation methods, as well as describe attributional attack and defense methods. We conclude with lessons and take-aways for the community towards ensuring robust explanations of DNN model predictions.
In recent years, explainable artificial intelligence (XAI) has emerged as a suitable framework for generating human-understandable explanations of "black box" models. This paper presents a novel XAI visual explanation algorithm called the Similarity Difference and Uniqueness (SIDU) method, which can effectively localize the entire object region responsible for a prediction. The robustness and effectiveness of the SIDU algorithm are analyzed through a variety of computational and human-subject experiments. In particular, SIDU is evaluated with three different types of evaluation (application-grounded, human-grounded and functionally-grounded) to demonstrate its superior performance. The robustness of SIDU is further studied under adversarial attacks on the "black box" model to better understand its performance. Our code is available at: https://github.com/satyamahesh84/sidu_xai_code
A plethora of methods have been proposed to explain how deep neural networks reach their decisions, but comparatively little effort has been made to ensure that the explanations these methods produce are objectively relevant. While several desirable properties of trustworthy explanations have been formulated, objective measures have proven harder to derive. Here, we propose two new measures for evaluating explanations, borrowed from the field of algorithmic stability: mean generalizability and relative consistency. We conduct extensive experiments on different network architectures, common explainability methods and several image datasets to demonstrate the benefits of the proposed measures. Compared with our measures, popular fidelity measures are not sufficient to guarantee trustworthy explanations. Finally, we find that 1-Lipschitz networks reach similar accuracy while producing explanations with higher generalizability and consistency than ordinary neural networks. This suggests that 1-Lipschitz networks are a relevant direction towards more interpretable and trustworthy predictors.
In order for machine learning to be trusted in many applications, it is critical to be able to reliably explain why the machine learning algorithm makes certain predictions. For this reason, a variety of methods have been developed recently to interpret neural network predictions by providing, for example, feature importance maps. For both scientific robustness and security reasons, it is important to know to what extent can the interpretations be altered by small systematic perturbations to the input data, which might be generated by adversaries or by measurement biases. In this paper, we demonstrate how to generate adversarial perturbations that produce perceptively indistinguishable inputs that are assigned the same predicted label, yet have very different interpretations. We systematically characterize the robustness of interpretations generated by several widely-used feature importance interpretation methods (feature importance maps, integrated gradients, and DeepLIFT) on ImageNet and CIFAR-10. In all cases, our experiments show that systematic perturbations can lead to dramatically different interpretations without changing the label. We extend these results to show that interpretations based on exemplars (e.g. influence functions) are similarly susceptible to adversarial attack. Our analysis of the geometry of the Hessian matrix gives insight on why robustness is a general challenge to current interpretation approaches.
With the rise of deep neural networks, the challenge of explaining the predictions of these networks has become increasingly recognized. While many methods exist for explaining the decisions of deep neural networks, there is currently no consensus on how to evaluate them. Robustness, on the other hand, is a popular topic in deep learning research, but until recently it has rarely been discussed in connection with explainability. In this tutorial, we first present gradient-based interpretability methods. These techniques use the gradient signal to attribute the decision to input features. We then discuss how to evaluate gradient-based methods for their robustness, and the role adversarial robustness plays in obtaining meaningful explanations. We also discuss the limitations of gradient-based methods. Finally, we present best practices and properties that should be examined before choosing an explainability method. We conclude with future directions for research at the intersection of robustness and explainability.
Deep neural networks (DNNs) have recently achieved great success in many classification tasks. Unfortunately, they are vulnerable to adversarial attacks, which generate adversarial examples with small perturbations to fool DNN models, especially in model-sharing scenarios. Adversarial training, which injects adversarial examples into model training, has proven to be the most effective strategy for improving the robustness of DNN models against adversarial attacks. However, adversarial training based on existing adversarial examples fails to generalize well to standard, unperturbed test data. To achieve a better trade-off between standard accuracy and adversarial robustness, we propose a novel adversarial training framework called latent boundary-guided adversarial training (LADDER), which adversarially trains DNN models on latent boundary-guided adversarial examples. In contrast to most existing methods, which generate adversarial examples in the input space, LADDER generates a myriad of high-quality adversarial examples by adding perturbations to latent features. The perturbations are made along the normal of the decision boundary constructed by an SVM with an attention mechanism. We analyze the merits of the generated boundary-guided adversarial examples from a boundary-field perspective and a visualization view. Extensive experiments and detailed analysis on MNIST, SVHN, CelebA and CIFAR-10 validate the effectiveness of LADDER in achieving a better trade-off between standard accuracy and adversarial robustness compared with vanilla DNNs and competitive baselines.
This paper presents a new efficient black-box attribution method based on the Hilbert-Schmidt Independence Criterion (HSIC), a dependence measure based on Reproducing Kernel Hilbert Spaces (RKHS). HSIC measures the dependence between regions of an input image and the output of the model through kernel embeddings of distributions. It thus provides explanations enriched by the representational power of the RKHS. HSIC can be estimated very efficiently, greatly reducing the computational cost compared with other black-box attribution methods. Our experiments show that HSIC is up to 8 times faster than the previous best black-box attribution methods while being as faithful. Indeed, we improve on or match the state of the art of both black-box and white-box attribution methods on several fidelity metrics on ImageNet with various recent model architectures. Importantly, we show that these advances carry over to efficiently and faithfully explaining object detection models such as YOLOv4. Finally, we extend traditional attribution methods by proposing a new kernel that enables an orthogonal decomposition of HSIC-based importance scores, which lets us evaluate not only the importance of each image patch but also the importance of their pairwise interactions.
Unexplainable black-box models create scenarios in which anomalies cause harmful responses, giving rise to unacceptable risks. These risks have motivated the field of explainable artificial intelligence (XAI) to improve trust by evaluating local interpretability in black-box neural networks. Unfortunately, no ground truth is available for a model's decision, so evaluation is limited to qualitative assessment. Moreover, interpretability can lead to inaccurate conclusions about the model or to a false sense of trust. We propose to improve XAI from the vantage point of user trust by exploring the latent feature space of the black-box model. We present ProtoShotXAI, a method that uses a prototypical few-shot network to explore the contrastive manifold between the non-linear features of different classes. A user explores the manifold by perturbing the input features of a query example and recording the response for a subset of exemplars from any class. Our approach is the first locally interpretable XAI model that can be extended to few-shot networks. We compare ProtoShotXAI with state-of-the-art XAI methods on MNIST, Omniglot and ImageNet, both quantitatively and qualitatively, and ProtoShotXAI provides more flexibility for model exploration. Finally, ProtoShotXAI also demonstrates novel explanation and detection of adversarial samples.
Post-hoc explanation methods are used with the intent of providing insights about neural networks and are sometimes said to help engender trust in their outputs. However, popular explanations methods have been found to be fragile to minor perturbations of input features or model parameters. Relying on constraint relaxation techniques from non-convex optimization, we develop a method that upper-bounds the largest change an adversary can make to a gradient-based explanation via bounded manipulation of either the input features or model parameters. By propagating a compact input or parameter set as symbolic intervals through the forwards and backwards computations of the neural network we can formally certify the robustness of gradient-based explanations. Our bounds are differentiable, hence we can incorporate provable explanation robustness into neural network training. Empirically, our method surpasses the robustness provided by previous heuristic approaches. We find that our training method is the only method able to learn neural networks with certificates of explanation robustness across all six datasets tested.
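The two abstracts above are two sides of one problem: the interpretation-fragility abstract perturbs an input inside a small ball so that the label survives but the saliency map changes, and the certification abstract bounds how much a gradient explanation can change by pushing that ball as intervals through the forward and backward computations. The following added example, written for this page and not taken from either paper, does both on a constructed two-layer softplus network: a top-k saliency attack (hand-derived Jacobian of the saliency, L_inf projection, label check) followed by an interval certificate that the attack's measured change can never exceed. The network weights, layer sizes, the input and eps are all constructed assumptions.

```python
"""Attack a gradient explanation without changing the label, then certify
it with interval arithmetic.  Added example on a constructed two-layer
softplus network; weights, sizes, input and eps are assumptions, not data
or code from either paper above."""
import numpy as np

rng = np.random.default_rng(0)
D_IN, HIDDEN, N_CLASS = 8, 6, 3                  # constructed toy sizes
W1 = rng.normal(scale=0.8, size=(HIDDEN, D_IN))  # constructed weights
B1 = rng.normal(scale=0.1, size=HIDDEN)
W2 = rng.normal(scale=0.8, size=(N_CLASS, HIDDEN))
X0 = rng.uniform(0.0, 1.0, size=D_IN)            # constructed input


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def logits(x):
    # softplus hidden layer keeps the saliency map differentiable in x
    return W2 @ np.logaddexp(0.0, W1 @ x + B1)


def saliency(x, c):
    # d logit_c / dx = W1^T (W2[c] * softplus'(z)), softplus' = sigmoid
    return W1.T @ (W2[c] * sigmoid(W1 @ x + B1))


def saliency_jacobian(x, c):
    # d saliency / dx = W1^T diag(W2[c] * sigmoid'(z)) W1, sigmoid' = s(1-s)
    s = sigmoid(W1 @ x + B1)
    return W1.T @ ((W2[c] * s * (1.0 - s))[:, None] * W1)


def topk_set(v, k):
    return set(np.argsort(-np.abs(v))[:k].tolist())


def topk_attack(x0, eps, k=3, steps=50):
    """Top-k attack: drive saliency mass out of the features that were
    most salient at x0, under ||x - x0||_inf <= eps and an unchanged label.
    Returns the lowest-objective label-preserving iterate (x0 if none)."""
    alpha = eps / 10
    c = int(np.argmax(logits(x0)))
    K = sorted(topk_set(saliency(x0, c), k))

    def objective(x):
        return float(np.abs(saliency(x, c))[K].sum())

    x, best_x, best_obj = x0.copy(), x0.copy(), objective(x0)
    for _ in range(steps):
        s_k = saliency(x, c)[K]
        grad = (np.sign(s_k)[:, None] * saliency_jacobian(x, c)[K]).sum(axis=0)
        x = np.clip(x - alpha * np.sign(grad), x0 - eps, x0 + eps)
        if int(np.argmax(logits(x))) != c:
            continue                    # label flipped: not an explanation attack
        obj = objective(x)
        if obj < best_obj:
            best_x, best_obj = x.copy(), obj
    return best_x, c


def certified_saliency_bounds(x0, eps, c):
    """Interval propagation through the forward pass (z) and the backward
    pass (the saliency): elementwise bounds valid for every x in the ball."""
    lo, hi = x0 - eps, x0 + eps
    w1p, w1n = np.maximum(W1, 0.0), np.minimum(W1, 0.0)
    z_lo = w1p @ lo + w1n @ hi + B1
    z_hi = w1p @ hi + w1n @ lo + B1
    d_lo, d_hi = sigmoid(z_lo), sigmoid(z_hi)       # sigmoid is monotone
    v_a, v_b = W2[c] * d_lo, W2[c] * d_hi           # negative W2[c] swaps ends
    v_lo, v_hi = np.minimum(v_a, v_b), np.maximum(v_a, v_b)
    w1tp, w1tn = np.maximum(W1.T, 0.0), np.minimum(W1.T, 0.0)
    return w1tp @ v_lo + w1tn @ v_hi, w1tp @ v_hi + w1tn @ v_lo


def evaluate(x0, eps, k=3):
    x_adv, c = topk_attack(x0, eps, k)
    s0, s_adv = saliency(x0, c), saliency(x_adv, c)
    s_lo, s_hi = certified_saliency_bounds(x0, eps, c)
    worst = np.maximum(s_hi - s0, s0 - s_lo)        # largest certified deviation
    return {
        "label_kept": int(np.argmax(logits(x_adv))) == c,
        "linf": float(np.abs(x_adv - x0).max()),
        "topk_overlap": len(topk_set(s0, k) & topk_set(s_adv, k)) / k,
        "empirical_l2": float(np.linalg.norm(s_adv - s0)),
        "certified_l2": float(np.linalg.norm(worst)),
        "bounds_sound": bool(np.all(s_lo <= s0 + 1e-9) and np.all(s0 <= s_hi + 1e-9)),
    }


if __name__ == "__main__":
    print(evaluate(X0, eps=0.1))
```

The attack only ever accepts iterates whose predicted class is unchanged, which is what separates an explanation attack from an ordinary adversarial example; the certificate is sound by construction (each interval step is a valid over-approximation), so the empirical change reported by `evaluate` is always at or below the certified one, and the gap between the two is what training with differentiable bounds, as the abstract above proposes, would try to shrink.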
We describe a novel attribution method that is grounded in sensitivity analysis and uses Sobol indices. Beyond modeling the individual contributions of image regions, Sobol indices provide an efficient way to capture, through the lens of variance, higher-order interactions between image regions and their contributions to a neural network's prediction. We describe an approach for computing these indices efficiently for high-dimensional problems by using perturbation masks coupled with efficient estimators to handle the high dimensionality of images. Importantly, we show that the proposed method leads to favorable scores on standard benchmarks for vision (and language) models compared with other black-box methods, and even surpasses the accuracy of state-of-the-art white-box methods, which require access to internal representations. Our code is freely available: https://github.com/fel-thomas/sobol-attribution-method
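To make the estimator in the abstract above concrete, the following added example (written for this page; it is not the code from the repository linked above) computes first-order and total Sobol indices for a constructed black-box function by sampling perturbation masks and applying the Jansen estimators from the sensitivity-analysis literature. The black-box model, the input and the multiplicative masking scheme are assumptions. The interaction between regions 1 and 2 shows up in their total indices but not in their first-order ones, and the region the model never reads gets an index near zero.

```python
"""Sobol attribution with perturbation masks and Jansen estimators.
Added example; the black-box model and the input are constructed toys,
not the paper's code or data."""
import numpy as np


def black_box(x):
    """Constructed 'model': an additive term, a pairwise interaction and a
    region (x[3]) it never reads.  Only its outputs are used, as in any
    black-box attribution setting."""
    return 3.0 * x[..., 0] + x[..., 1] * x[..., 2]


def sobol_attribution(model, x, n_samples=16384, seed=0):
    """Return (first_order, total) Sobol indices of each input region.
    The perturbation space is a mask M ~ U[0,1]^d applied as x * M, so the
    indices decompose Var_M[model(x * M)] over mask coordinates: S_i is the
    share explained by region i alone, S_Ti adds all its interactions."""
    rng = np.random.default_rng(seed)
    d = x.shape[0]
    A = rng.random((n_samples, d))           # two independent mask matrices
    B = rng.random((n_samples, d))
    f_A, f_B = model(x * A), model(x * B)
    var = np.var(np.concatenate([f_A, f_B]))
    first, total = np.empty(d), np.empty(d)
    for i in range(d):
        AB = A.copy()
        AB[:, i] = B[:, i]                   # A with column i taken from B
        f_AB = model(x * AB)
        # Jansen estimators: outputs that differ only in mask coordinate i
        first[i] = (var - 0.5 * np.mean((f_B - f_AB) ** 2)) / var
        total[i] = 0.5 * np.mean((f_A - f_AB) ** 2) / var
    return first, total


X_TOY = np.array([1.0, 2.0, 2.0, 5.0])      # constructed input


def explain_toy():
    first, total = sobol_attribution(black_box, X_TOY)
    return {"first_order": first.round(3).tolist(),
            "total": total.round(3).tolist()}


if __name__ == "__main__":
    print(explain_toy())
```

For this input the masked function is 3·m0 + 4·m1·m2, so the exact values are S_0 = S_T0 ≈ 0.49, S_1 = S_2 ≈ 0.22, S_T1 = S_T2 ≈ 0.29 and S_3 = S_T3 = 0; the Monte Carlo estimates land within about 0.01 of these. Each index costs one batch of model queries per region, which is the price that the abstract's "efficient estimators" refers to.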
The most popular methods and algorithms for AI are, for the vast majority, black boxes. Black boxes can be an acceptable solution for unimportant problems (in the sense of the degree of impact) but are a fatal flaw for the rest, so explanation tools for them have been developed quickly. The evaluation of their quality remains an open research question. In this technical report, we revisit the recently proposed post-hoc explainers FEM and MLFEM, which were designed to explain CNNs in image and video classification tasks. We also propose their evaluation with reference-based and no-reference metrics. The reference-based metrics are the Pearson correlation coefficient and Similarity, computed between the explanation maps and a ground truth represented by Gaze Fixation Density Maps obtained from a psycho-visual experiment. As a no-reference metric we use the "stability" metric proposed by Alvarez-Melis and Jaakkola. We study its behaviour and its consensus with the reference-based metrics, and show that under several kinds of degradation of the input images this metric agrees with the reference-based ones. It can therefore be used to evaluate the quality of explainers when ground truth is not available.
Gradient-based explanation is the cornerstone of explainable deep networks, but it has been shown to be vulnerable to adversarial attacks. Existing works, however, measure explanation robustness with an $\ell_p$-norm, which can be counter-intuitive to humans, who only pay attention to the top few salient features. We propose explanation ranking thickness as a more suitable explanation robustness metric. We then present a new, practical adversarial attack goal for manipulating explanation rankings. To mitigate ranking-based attacks while maintaining computational feasibility, we derive surrogate bounds of the thickness, whose exact computation involves expensive sampling and integration. We use a multi-objective approach to analyze the convergence of a gradient-based attack and confirm that explanation robustness can be measured by the thickness metric. Experiments on various network architectures and diverse datasets demonstrate the superiority of the proposed methods, while the widely accepted Hessian-based curvature smoothing approaches are not as robust as our method.
Many state-of-the-art ML models outperform humans on a variety of tasks, such as image classification. With such outstanding performance, ML models are widely used today. However, the existence of adversarial attacks and data poisoning attacks raises real concerns about the robustness of ML models. For example, Engstrom et al. demonstrated that state-of-the-art image classifiers can easily be fooled by small rotations of arbitrary images. As ML systems are increasingly incorporated into security- and safety-sensitive applications, adversarial attacks and data poisoning attacks pose a considerable threat. This chapter focuses on two broad and important areas of ML security: adversarial attacks and data poisoning attacks.
Neural network interpretation methods, particularly feature attribution methods, are known to be fragile with respect to adversarial input perturbations. To address this, several methods for enhancing the local smoothness of the gradient while training have been proposed for attaining \textit{robust} feature attributions. However, the lack of considering the normalization of the attributions, which is essential in their visualizations, has been an obstacle to understanding and improving the robustness of feature attribution methods. In this paper, we provide new insights by taking such normalization into account. First, we show that for every non-negative homogeneous neural network, a naive $\ell_2$-robust criterion for gradients is \textit{not} normalization invariant, which means that two functions with the same normalized gradient can have different values. Second, we formulate a normalization invariant cosine distance-based criterion and derive its upper bound, which gives insight for why simply minimizing the Hessian norm at the input, as has been done in previous work, is not sufficient for attaining robust feature attribution. Finally, we propose to combine both $\ell_2$ and cosine distance-based criteria as regularization terms to leverage the advantages of both in aligning the local gradient. As a result, we experimentally show that models trained with our method produce much more robust interpretations on CIFAR-10 and ImageNet-100 without significantly hurting the accuracy, compared to the recent baselines. To the best of our knowledge, this is the first work to verify the robustness of interpretation on a larger-scale dataset beyond CIFAR-10, thanks to the computational efficiency of our method.
Despite the efficiency and scalability of machine learning systems, recent studies have shown that many classification methods, especially deep neural networks (DNNs), are vulnerable to adversarial examples, i.e. examples carefully crafted to fool a well-trained classification model while being indistinguishable from natural data to humans. This makes it potentially unsafe to apply DNNs or related methods in security-critical areas. Since this issue was identified by Biggio et al. (2013) and Szegedy et al. (2014), much work has been done in this field, including the development of attack methods for generating adversarial examples and the construction of defense techniques for guarding against them. This paper aims to introduce the topic and its latest developments to the statistical community, focusing primarily on the generation of adversarial examples and the defenses against them. The computational code (in Python and R) used in the numerical experiments is publicly available so that readers can explore the surveyed methods. The authors hope that this paper will encourage more statisticians to work in this important and exciting field of generating and defending against adversarial examples.
Deep learning methods have gained increased attention in various applications due to their outstanding performance. For exploring how this high performance relates to the proper use of data artifacts and the accurate problem formulation of a given task, interpretation models have become a crucial component in developing deep learning-based systems. Interpretation models enable the understanding of the inner workings of deep learning models and offer a sense of security in detecting the misuse of artifacts in the input data. Similar to prediction models, interpretation models are also susceptible to adversarial inputs. This work introduces two attacks, AdvEdge and AdvEdge$^{+}$, that deceive both the target deep learning model and the coupled interpretation model. We assess the effectiveness of proposed attacks against two deep learning model architectures coupled with four interpretation models that represent different categories of interpretation models. Our experiments include the attack implementation using various attack frameworks. We also explore the potential countermeasures against such attacks. Our analysis shows the effectiveness of our attacks in terms of deceiving the deep learning models and their interpreters, and highlights insights to improve and circumvent the attacks.
Although deep learning has made remarkable progress in processing various types of data such as images, text and speech, deep learning models are known to be susceptible to adversarial perturbations: perturbations specifically designed and added to the input to make the target model produce erroneous output. Most existing studies on generating adversarial perturbations attempt to perturb the entire input indiscriminately. In this paper, we propose ExploreADV, a general and flexible adversarial attack system that is capable of modeling regional and imperceptible attacks, allowing users to explore various kinds of adversarial examples as needed. We adapt and combine two existing boundary attack methods, DeepFool and the Brendel & Bethge attack, and propose a mask-constrained adversarial attack system that generates minimal adversarial perturbations under pixel-level constraints, which we call "mask-constraints". We study different ways of generating such mask-constraints, taking into account the variance and importance of the input features, and show that our adversarial attack system gives users the flexibility to focus on sub-regions of inputs, explore imperceptible perturbations and understand the vulnerability of pixels and regions to adversarial attacks. We demonstrate the effectiveness of our system through extensive experiments and a user study.
With the introduction of neural networks for point clouds, deep learning has begun to shine in the field of 3D object recognition, and researchers have shown a growing interest in investigating the robustness of point cloud networks through adversarial attacks. However, most existing studies aim to deceive humans or defense algorithms, while the few that address the operating principles of the model itself remain flawed in their selection of critical points. In this work, we propose two adversarial methods, One Point Attack (OPA) and Critical Traversal Attack (CTA), which incorporate explainability techniques and aim to explore the intrinsic operating principles of point cloud networks and their sensitivity to critical point perturbations. Our results show that popular point cloud networks can be deceived with a success rate of nearly 100% by shifting only one point of the input instance. In addition, we show the interesting effect that different point attribution distributions have on the adversarial robustness of point cloud networks. Finally, we discuss how our methods facilitate explainability studies of point cloud networks. To the best of our knowledge, this is the first point-cloud adversarial method concerned with explainability. Our code is available at https://github.com/explain3d/exp-one-point-atk-pc
Recent work has demonstrated that deep neural networks are vulnerable to adversarial examples: inputs that are almost indistinguishable from natural data and yet classified incorrectly by the network. In fact, some of the latest findings suggest that the existence of adversarial attacks may be an inherent weakness of deep learning models. To address this problem, we study the adversarial robustness of neural networks through the lens of robust optimization. This approach provides us with a broad and unifying view on much of the prior work on this topic. Its principled nature also enables us to identify methods for both training and attacking neural networks that are reliable and, in a certain sense, universal. In particular, they specify a concrete security guarantee that would protect against any adversary. These methods let us train networks with significantly improved resistance to a wide range of adversarial attacks. They also suggest the notion of security against a first-order adversary as a natural and broad security guarantee. We believe that robustness against such well-defined classes of adversaries is an important stepping stone towards fully resistant deep learning models.
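The robust-optimization view in the abstract above is a saddle point: the inner problem finds the worst-case perturbation inside a bounded set, and the outer problem minimizes the loss at that worst case. The following added example, written for this page and not the paper's code, runs that loop for a logistic-regression classifier on a constructed dataset with one moderately predictive robust feature and many weakly predictive ones. The first-order adversary is L_inf projected gradient descent; eps, the data generator, the learning rate and every size are assumptions. The standard model leans on the weak features and loses most of its accuracy under the same adversary, while the adversarially trained one keeps roughly the accuracy of the robust feature alone.

```python
"""Robust optimisation for a linear classifier: PGD inner maximisation and
adversarial training as the outer minimisation.  Added example on a
constructed dataset; it is not the paper's code and the data is a toy."""
import numpy as np

rng = np.random.default_rng(0)


def make_data(n, n_weak=50, p_robust=0.8, eta=0.2):
    """Constructed data: feature 0 matches the label with probability
    p_robust; the n_weak other features each carry a small signal eta in
    unit Gaussian noise.  Together the weak features predict well, but an
    L_inf adversary with eps > eta can flip every one of them."""
    y = rng.integers(0, 2, size=n).astype(float)
    s = 2.0 * y - 1.0
    robust = s * np.where(rng.random(n) < p_robust, 1.0, -1.0)
    weak = s[:, None] * eta + rng.normal(size=(n, n_weak))
    return np.column_stack([robust, weak]), y


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def predict_proba(w, b, X):
    return sigmoid(X @ w + b)


def pgd_linf(w, b, X, y, eps, steps=10, alpha=None):
    """Inner maximisation: projected gradient ascent on the logistic loss,
    kept inside the L_inf ball of radius eps around each clean input."""
    alpha = alpha if alpha is not None else 2.5 * eps / steps
    X_adv = X.copy()
    for _ in range(steps):
        p = predict_proba(w, b, X_adv)
        grad = (p - y)[:, None] * w[None, :]       # d loss / d x per sample
        X_adv = X_adv + alpha * np.sign(grad)      # ascent step
        X_adv = np.clip(X_adv, X - eps, X + eps)   # projection onto the ball
    return X_adv


def train(X, y, eps=None, epochs=200, lr=0.5):
    """Outer minimisation by full-batch gradient descent.  eps=None is
    standard training; otherwise each step descends on the loss of the
    worst-case inputs PGD finds for the current weights (the saddle-point
    formulation of robust optimisation)."""
    n, d = X.shape
    w, b = np.zeros(d), 0.0
    for _ in range(epochs):
        X_train = X if eps is None else pgd_linf(w, b, X, y, eps)
        p = predict_proba(w, b, X_train)
        w = w - lr * (X_train.T @ (p - y)) / n
        b = b - lr * float((p - y).mean())
    return w, b


def accuracy(w, b, X, y):
    return float(((predict_proba(w, b, X) > 0.5) == (y > 0.5)).mean())


def compare(eps=0.3):
    """Clean and robust (under PGD with the same eps) test accuracy of a
    standard and an adversarially trained model."""
    X, y = make_data(2000)
    Xt, yt = make_data(1000)
    models = {"standard": train(X, y), "adversarial": train(X, y, eps=eps)}
    out = {}
    for name, (w, b) in models.items():
        Xt_adv = pgd_linf(w, b, Xt, yt, eps)
        out[name] = {"clean": accuracy(w, b, Xt, yt),
                     "robust": accuracy(w, b, Xt_adv, yt),
                     "max_linf": float(np.abs(Xt_adv - Xt).max())}
    return out


if __name__ == "__main__":
    for name, res in compare().items():
        print(name, res)
```

Because the model is linear, the inner maximization has a closed form (move every coordinate by eps against the sign of the weight), so ten PGD steps reach it exactly; the point of writing it as PGD is that the same loop is what the abstract calls a first-order adversary for a non-linear network, where only the gradient is available. The security guarantee the abstract describes is exactly the quantity `compare` reports as "robust": accuracy against the strongest perturbation in the threat model, not against a fixed set of attacks.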