Efficient Certification of Spatial Robustness
Recent work has exposed the vulnerability of computer vision models to vector
field attacks. Due to the widespread usage of such models in safety-critical
applications, it is crucial to quantify their robustness against such spatial
transformations. However, existing work only provides empirical robustness
quantification against vector field deformations via adversarial attacks, which
lack provable guarantees. In this work, we propose novel convex relaxations,
enabling us, for the first time, to provide a certificate of robustness against
vector field transformations. Our relaxations are model-agnostic and can be
leveraged by a wide range of neural network verifiers. Experiments on various
network architectures and different datasets demonstrate the effectiveness and
scalability of our method.
Comment: Conference Paper at AAAI 202
Learning Certified Individually Fair Representations
Fair representation learning provides an effective way of enforcing fairness
constraints without compromising utility for downstream users. A desirable
family of such fairness constraints, each requiring similar treatment for
similar individuals, is known as individual fairness. In this work, we
introduce the first method that enables data consumers to obtain certificates
of individual fairness for existing and new data points. The key idea is to map
similar individuals to close latent representations and leverage this latent
proximity to certify individual fairness. That is, our method enables the data
producer to learn and certify a representation where for a data point all
similar individuals are at l-infinity distance at most epsilon, thus
allowing data consumers to certify individual fairness by proving
epsilon-robustness of their classifier. Our experimental evaluation on five
real-world datasets and several fairness constraints demonstrates the
expressivity and scalability of our approach.
Comment: Conference Paper at NeurIPS 202
Robustness Certification for Point Cloud Models
The use of deep 3D point cloud models in safety-critical applications, such
as autonomous driving, dictates the need to certify the robustness of these
models to real-world transformations. This is technically challenging, as it
requires a scalable verifier tailored to point cloud models that handles a wide
range of semantic 3D transformations. In this work, we address this challenge
and introduce 3DCertify, the first verifier able to certify the robustness of
point cloud models. 3DCertify is based on two key insights: (i) a generic
relaxation based on first-order Taylor approximations, applicable to any
differentiable transformation, and (ii) a precise relaxation for global feature
pooling, which is more complex than pointwise activations (e.g., ReLU or
sigmoid) but commonly employed in point cloud models. We demonstrate the
effectiveness of 3DCertify by performing an extensive evaluation on a wide
range of 3D transformations (e.g., rotation, twisting) for both classification
and part segmentation tasks. For example, we can certify robustness against
rotations by 60° for 95.7% of point clouds, and our max pool
relaxation increases certification by up to 15.6%.
Comment: International Conference on Computer Vision (ICCV) 202
Latent Space Smoothing for Individually Fair Representations
Fair representation learning encodes user data to ensure fairness and
utility, regardless of the downstream application. However, learning
individually fair representations, i.e., guaranteeing that similar individuals
are treated similarly, remains challenging in high-dimensional settings such as
computer vision. In this work, we introduce LASSI, the first representation
learning method for certifying individual fairness of high-dimensional data.
Our key insight is to leverage recent advances in generative modeling to
capture the set of similar individuals in the generative latent space. This
allows learning individually fair representations where similar individuals are
mapped close together, by using adversarial training to minimize the distance
between their representations. Finally, we employ randomized smoothing to
provably map similar individuals close together, in turn ensuring that local
robustness verification of the downstream application results in end-to-end
fairness certification. Our experimental evaluation on challenging real-world
image data demonstrates that our method increases certified individual fairness
by up to 60%, without significantly affecting task utility.
Language Modeling Is Compression
It has long been established that predictive models can be transformed into
lossless compressors and vice versa. Incidentally, in recent years, the machine
learning community has focused on training increasingly large and powerful
self-supervised (language) models. Since these large language models exhibit
impressive predictive capabilities, they are well-positioned to be strong
compressors. In this work, we advocate for viewing the prediction problem
through the lens of compression and evaluate the compression capabilities of
large (foundation) models. We show that large language models are powerful
general-purpose predictors and that the compression viewpoint provides novel
insights into scaling laws, tokenization, and in-context learning. For example,
Chinchilla 70B, while trained primarily on text, compresses ImageNet patches to
43.4% and LibriSpeech samples to 16.4% of their raw size, beating
domain-specific compressors like PNG (58.5%) or FLAC (30.3%), respectively.
Finally, we show that the prediction-compression equivalence allows us to use
any compressor (like gzip) to build a conditional generative model.
Evaluation of Adversarial Attack Methods on Neural Networks
Although deep neural networks have proven to be successful across a large variety of machine learning tasks, recent work has demonstrated that they are at the same time vulnerable to so-called adversarial examples: inputs that are almost indistinguishable from natural data but misclassified by the network. In the case of image classifiers, such adversarial examples have traditionally been constructed by perturbing the original images, but more recently algorithms have been proposed that apply small deformations to the images in order to fool the networks. Simultaneously, defense methods have been proposed that promise to increase the robustness of neural networks against such adversarial attacks. In this work, we compare two state-of-the-art deformation attacks on MNIST and ImageNet data. Furthermore, we extend current defense methods to the setting of adversarial deformations and we demonstrate that these defenses can be combined with existing methods to train networks that are robust against both adversarial deformations and perturbations
Neural Networks and the Chomsky Hierarchy
Reliable generalization lies at the heart of safe ML and AI. However,
understanding when and how neural networks generalize remains one of the most
important unsolved problems in the field. In this work, we conduct an extensive
empirical study (2200 models, 16 tasks) to investigate whether insights from
the theory of computation can predict the limits of neural network
generalization in practice. We demonstrate that grouping tasks according to the
Chomsky hierarchy allows us to forecast whether certain architectures will be
able to generalize to out-of-distribution inputs. This includes negative
results where even extensive amounts of data and training time never led to any
non-trivial generalization, despite models having sufficient capacity to
perfectly fit the training data. Our results show that, for our subset of
tasks, RNNs and Transformers fail to generalize on non-regular tasks, LSTMs can
solve regular and counter-language tasks, and only networks augmented with
structured memory (such as a stack or memory tape) can successfully generalize
on context-free and context-sensitive tasks.