Robust Recommender System: A Survey and Future Directions
With the rapid growth of information, recommender systems have become
integral for providing personalized suggestions and overcoming information
overload. However, their practical deployment often encounters "dirty" data,
where noise or malicious information can lead to abnormal recommendations.
Research on improving recommender systems' robustness against such dirty data
has thus gained significant attention. This survey provides a comprehensive
review of recent work on recommender systems' robustness. We first present a
taxonomy to organize current techniques for withstanding malicious attacks and
natural noise. We then explore state-of-the-art methods in each category,
including fraudster detection, adversarial training, and certifiably robust
training against malicious attacks, as well as regularization, purification,
and self-supervised learning against natural noise. Additionally, we summarize
evaluation metrics and common datasets used to assess robustness. We discuss
robustness across varying recommendation scenarios and its interplay with other
properties like accuracy, interpretability, privacy, and fairness. Finally, we
delve into open issues and future research directions in this emerging field.
Our goal is to equip readers with a holistic understanding of robust
recommender systems and spotlight pathways for future research and development.
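As a concrete illustration of one family in this taxonomy, below is a minimal
sketch of adversarial training for a matrix-factorization recommender, in the
spirit of adversarial personalized ranking: each step computes a fast-gradient
perturbation of the user and item embeddings and optimizes the clean and
perturbed BPR losses together. The embedding sizes, `eps`, and `reg_adv` are
illustrative assumptions, not values taken from the survey.

```python
import torch
import torch.nn.functional as F

# Illustrative sizes and hyper-parameters (assumptions, not from the survey).
n_users, n_items, dim, eps, reg_adv = 100, 500, 32, 0.5, 1.0
U = torch.randn(n_users, dim, requires_grad=True)   # user embeddings
V = torch.randn(n_items, dim, requires_grad=True)   # item embeddings
opt = torch.optim.Adam([U, V], lr=1e-2)

def bpr_loss(u, i, j, dU=0.0, dVi=0.0, dVj=0.0):
    # BPR: an observed item i should outscore an unobserved item j.
    x_ui = ((U[u] + dU) * (V[i] + dVi)).sum(-1)
    x_uj = ((U[u] + dU) * (V[j] + dVj)).sum(-1)
    return -F.logsigmoid(x_ui - x_uj).mean()

for step in range(100):
    u = torch.randint(0, n_users, (64,))
    i = torch.randint(0, n_items, (64,))
    j = torch.randint(0, n_items, (64,))
    clean = bpr_loss(u, i, j)
    # Fast-gradient perturbation of the embeddings (worst case within eps).
    gU, gV = torch.autograd.grad(clean, [U, V], retain_graph=True)
    dU = eps * F.normalize(gU[u], dim=-1)
    dVi = eps * F.normalize(gV[i], dim=-1)
    dVj = eps * F.normalize(gV[j], dim=-1)
    adv = bpr_loss(u, i, j, dU, dVi, dVj)   # loss under the perturbation
    opt.zero_grad()
    (clean + reg_adv * adv).backward()      # clean + adversarial objective
    opt.step()
```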
From Heuristic Methods to Certified Methods
Thesis (Ph.D.) -- Seoul National University Graduate School: College of
Natural Sciences, Department of Mathematical Sciences, August 2021.
Deep learning has shown successful results in many applications. However, it
has been demonstrated that deep neural networks are vulnerable to small but
adversarially designed perturbations of the input which can fool the network.
There have been many studies on such adversarial attacks and on defenses
against them. However, Athalye et al. [1] have shown that most defenses rely
on specific predefined adversarial attacks and can be completely broken by
stronger adaptive attacks. Thus, certified methods have been proposed to
guarantee stable predictions for any input within a perturbation set. We
present this transition from heuristic defenses to certified defenses, and
investigate two key features of certified defenses: tightness and smoothness.
1 Introduction
2 Heuristic Defense
2.1 Heuristic Defense
2.1.1 Background
2.2 Gradient diversity regularization
2.2.1 Randomized neural network
2.2.2 Expectation over Transformation (EOT)
2.2.3 GradDiv
2.2.4 Experiments
3 Certified Defense
3.1 Certified Defense
3.1.1 Background
3.2 Tightness of the upper bound
3.2.1 Lipschitz-certifiable training with tight outer bound
3.2.2 Experiments
3.3 Smoothness of the objective
3.3.1 Background
3.3.2 What factors influence the performance of certifiable training?
3.3.3 Tightness and smoothness
3.3.4 Experiments
4 Conclusion and Open Problems
Appendix A Appendix for 2.2
A.1 Experimental Settings
A.1.1 Network Architectures
A.1.2 Batch-size, Training Epoch, Learning rate decay, Warmup, and Ramp-up periods
A.2 Variants of GradDiv-mean (2.2.17)
A.3 Additional Results on "Effects of GradDiv during Training"
A.4 Additional Results on Table 2.1
A.5 In the case of n > 20 in Figure 2.7
A.6 RSE [48] as a baseline
Appendix B Appendix for 3.2
B.1 The proof of Proposition 3.1.1
B.2 Outer Bound Propagation
B.2.1 Intuition behind BCP
B.2.2 Power iteration algorithm
B.2.3 The circumscribed box
B.2.4 BCP through residual layers
B.2.5 Complexity Analysis
B.3 Experimental Settings
B.3.1 Data Description
B.3.2 Hyper-parameters
B.3.3 Network architectures
B.3.4 Additional Experiments
Appendix C Appendix for 3.3
C.1 Experimental Settings
C.1.1 Settings in Section 3.3.2
C.1.2 Settings in Table 3.4
C.2 Interval Bound Propagation (IBP)
C.3 Details on Linear Relaxation
C.3.1 Linear relaxation explained in CROWN [79]
C.3.2 Dual Optimization View
C.4 Learning curves for variants of CROWN-IBP
C.5 Mode Connectivity
C.6 ReLU
C.7 - and -schedulings
C.8 one-step vs multi-step
C.9 Train with
C.9.1 on MNIST
C.9.2 on CIFAR-10
C.10 Training time
C.11 Loss and Tightness violin plots
C.12 Comparison with CAP-IBP
C.13 ReLU Stability
Bibliography
Abstract (in Korean)
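Appendix C.2 above lists Interval Bound Propagation (IBP), one of the
certified defenses the abstract refers to. The following minimal sketch shows
how IBP-style interval arithmetic certifies a single prediction within an
l-infinity ball; the two-layer network, `eps`, and random input are
illustrative assumptions, and the thesis's own methods (e.g. BCP with a tight
outer bound) go well beyond this baseline.

```python
import torch

def ibp_bounds(x, eps, layers):
    # Propagate the l-infinity interval [x - eps, x + eps] through the
    # network, keeping elementwise lower/upper bounds at every layer.
    lo, hi = x - eps, x + eps
    for layer in layers:
        if isinstance(layer, torch.nn.Linear):
            mid, rad = (lo + hi) / 2, (hi - lo) / 2
            mid = layer(mid)                      # W @ mid + b
            rad = rad @ layer.weight.abs().T      # |W| @ rad, no bias
            lo, hi = mid - rad, mid + rad
        else:                                     # ReLU is monotone
            lo, hi = layer(lo), layer(hi)
    return lo, hi

# Illustrative two-layer network and input; not the thesis's models.
net = torch.nn.Sequential(torch.nn.Linear(784, 128), torch.nn.ReLU(),
                          torch.nn.Linear(128, 10))
x, y, eps = torch.rand(1, 784), 3, 0.01
lo, hi = ibp_bounds(x, eps, list(net))
# Certified if the true logit's lower bound beats every other upper bound.
others = [c for c in range(10) if c != y]
print("certified robust at eps =", eps, ":", bool(lo[0, y] > hi[0, others].max()))
```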
A Comprehensive Survey on Trustworthy Graph Neural Networks: Privacy, Robustness, Fairness, and Explainability
Graph Neural Networks (GNNs) have developed rapidly in recent years. Due to
their great ability to model graph-structured data, GNNs are
vastly used in various applications, including high-stakes scenarios such as
financial analysis, traffic predictions, and drug discovery. Despite their
great potential to benefit humans in the real world, recent studies show that
GNNs can leak private information, are vulnerable to adversarial attacks, can
inherit and magnify societal bias from training data, and lack
interpretability, all of which risk causing unintentional harm to users and
society. For example, existing works demonstrate that attackers can fool GNNs
into producing the outcomes they desire through unnoticeable perturbations of
the training graph. GNNs trained on social networks may embed discrimination
in their decision process, strengthening undesirable societal bias.
Consequently, trustworthy GNNs in various aspects are emerging to prevent harm
from GNN models and to increase users' trust in GNNs. In this paper, we give a comprehensive
survey of GNNs in the computational aspects of privacy, robustness, fairness,
and explainability. For each aspect, we give the taxonomy of the related
methods and formulate the general frameworks for the multiple categories of
trustworthy GNNs. We also discuss the future research directions of each aspect
and connections between these aspects to help achieve trustworthiness.
Efficient Robustness Certificates for Discrete Data: Sparsity-Aware Randomized Smoothing for Graphs, Images and More
Existing techniques for certifying the robustness of models for discrete data
either work only for a small class of models or are general at the expense of
efficiency or tightness. Moreover, they do not account for sparsity in the
input which, as our findings show, is often essential for obtaining non-trivial
guarantees. We propose a model-agnostic certificate based on the randomized
smoothing framework which subsumes earlier work and is tight, efficient, and
sparsity-aware. Its computational complexity does not depend on the number of
discrete categories or the dimension of the input (e.g. the graph size), making
it highly scalable. We show the effectiveness of our approach on a wide variety
of models, datasets, and tasks -- specifically highlighting its use for Graph
Neural Networks. So far, obtaining provable guarantees for GNNs has been
difficult due to the discrete and non-i.i.d. nature of graph data. Our method
can certify any GNN and handles perturbations to both the graph structure and
the node attributes.Comment: Proceedings of the 37th International Conference on Machine Learning
(ICML 2020
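To make the randomized-smoothing recipe concrete, the sketch below follows the
general Cohen-et-al.-style procedure for a sparse binary input: sample
sparsity-aware flip noise (0-to-1 flips rare, 1-to-0 flips common), take a
majority vote of the base classifier, and lower-bound the top-class
probability with a Clopper-Pearson interval. The stand-in classifier, flip
probabilities, and sample sizes are illustrative assumptions; the paper's
actual certificate converts such bounds into tight, efficient guarantees for
discrete perturbations.

```python
import numpy as np
from statsmodels.stats.proportion import proportion_confint

NUM_CLASSES = 2

def base_classifier(x):
    # Stand-in base classifier (hypothetical): active-bit count threshold.
    return int(x.sum() > 5)

def smoothed_predict(x, p_plus=0.01, p_minus=0.6, n=1000, alpha=0.001):
    # Majority vote under sparsity-aware flip noise, plus a lower
    # confidence bound on the top-class probability.
    rng = np.random.default_rng(0)
    counts = np.zeros(NUM_CLASSES, dtype=int)
    flip_prob = np.where(x == 1, p_minus, p_plus)  # sparse inputs stay sparse
    for _ in range(n):
        flip = rng.random(x.shape) < flip_prob
        counts[base_classifier(np.where(flip, 1 - x, x))] += 1
    top = int(counts.argmax())
    # Clopper-Pearson lower bound on P(f(noisy x) = top); the paper turns
    # such a bound into a certified number of tolerated bit flips.
    p_lo = proportion_confint(counts[top], n, alpha=2 * alpha, method="beta")[0]
    return top, p_lo

x = np.zeros(100); x[:8] = 1.0     # a sparse binary input
print(smoothed_predict(x))         # (top class, lower bound on its probability)
```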
- …