20 research outputs found

    You Only Need a Good Embeddings Extractor to Fix Spurious Correlations

    Spurious correlations in training data often lead to robustness issues since models learn to use them as shortcuts. For example, when predicting whether an object is a cow, a model might learn to rely on its green background, so it would do poorly on a cow on a sandy background. A standard dataset for measuring state-of-the-art on methods mitigating this problem is Waterbirds. The best method (Group Distributionally Robust Optimization - GroupDRO) currently achieves 89% worst group accuracy and standard training from scratch on raw images only gets 72%. GroupDRO requires training a model in an end-to-end manner with subgroup labels. In this paper, we show that we can achieve up to 90% accuracy without using any sub-group information in the training set by simply using embeddings from a large pre-trained vision model extractor and training a linear classifier on top of it. With experiments on a wide range of pre-trained models and pre-training datasets, we show that the capacity of the pre-training model and the size of the pre-training dataset matters. Our experiments reveal that high capacity vision transformers perform better compared to high capacity convolutional neural networks, and larger pre-training dataset leads to better worst-group accuracy on the spurious correlation dataset.

    Comment: Accepted at ECCV 2022 workshop on Responsible Computer Vision (RCV

    A Whac-A-Mole Dilemma: Shortcuts Come in Multiples Where Mitigating One Amplifies Others

    Machine learning models have been found to learn shortcuts -- unintended decision rules that are unable to generalize -- undermining models' reliability. Previous works address this problem under the tenuous assumption that only a single shortcut exists in the training data. Real-world images are rife with multiple visual cues from background to texture. Key to advancing the reliability of vision systems is understanding whether existing methods can overcome multiple shortcuts or struggle in a Whac-A-Mole game, i.e., where mitigating one shortcut amplifies reliance on others. To address this shortcoming, we propose two benchmarks: 1) UrbanCars, a dataset with precisely controlled spurious cues, and 2) ImageNet-W, an evaluation set based on ImageNet for watermark, a shortcut we discovered affects nearly every modern vision model. Along with texture and background, ImageNet-W allows us to study multiple shortcuts emerging from training on natural images. We find computer vision models, including large foundation models -- regardless of training set, architecture, and supervision -- struggle when multiple shortcuts are present. Even methods explicitly designed to combat shortcuts struggle in a Whac-A-Mole dilemma. To tackle this challenge, we propose Last Layer Ensemble, a simple-yet-effective method to mitigate multiple shortcuts without Whac-A-Mole behavior. Our results surface multi-shortcut mitigation as an overlooked challenge critical to advancing the reliability of vision systems. The datasets and code are released: https://github.com/facebookresearch/Whac-A-Mole.git.

    Comment: Code is available at https://github.com/facebookresearch/Whac-A-Mole.gi

    Code Llama: Open Foundation Models for Code

    We release Code Llama, a family of large language models for code based on Llama 2 providing state-of-the-art performance among open models, infilling capabilities, support for large input contexts, and zero-shot instruction following ability for programming tasks. We provide multiple flavors to cover a wide range of applications: foundation models (Code Llama), Python specializations (Code Llama - Python), and instruction-following models (Code Llama - Instruct) with 7B, 13B and 34B parameters each. All models are trained on sequences of 16k tokens and show improvements on inputs with up to 100k tokens. 7B and 13B Code Llama and Code Llama - Instruct variants support infilling based on surrounding content. Code Llama reaches state-of-the-art performance among open models on several code benchmarks, with scores of up to 53% and 55% on HumanEval and MBPP, respectively. Notably, Code Llama - Python 7B outperforms Llama 2 70B on HumanEval and MBPP, and all our models outperform every other publicly available model on MultiPL-E. We release Code Llama under a permissive license that allows for both research and commercial use

    Disrupting Machine Learning: Emerging Threats and Applications for Privacy and Dataset Ownership

    Thesis (Ph.D.)--University of Washington, 2021

    Convolutional neural networks (CNNs) can be trained with machine learning techniques by using large datasets of images to solve a multitude of useful computer vision tasks. However, CNNs also suffer from a set of vulnerabilities that allow maliciously crafted inputs to affect both their inference and training. A central premise of this dissertation is that these vulnerabilities exhibit a duality when it comes to security and privacy. On the one hand, when computer vision models are applied in safety-critical settings such as autonomous driving, it is important to identify failures that can be exploited by malicious parties early on so that system designers can plan for novel threat models. On the other hand, when machine learning models themselves are being used in a malicious or unauthorized manner, such vulnerabilities can be leveraged to protect data creators from harmful effects of these models (such as privacy degradation) and enforce finer-grained “access” controls over the data. This work studies security and privacy issues in three scenarios where machine learning is applied for visual tasks. The first contribution of this work is to identify a vulnerability in models that are likely to be deployed to identify road signs in autonomous vehicles. It demonstrates that an attacker with no digital access to a self-driving car’s computers can nevertheless cause dangerous behavior by modifying the appearance of physical objects. Next, this dissertation considers scenarios where machine learning models are applied in a way that degrades individual privacy. The dissertation proposes a scheme -- nicknamed FoggySight -- in which a community of users volunteer adversarially modified photos (“decoys”) that poison the facial search database and throw off searches in it. Finally, machine learning models may be trained on data without authorization to do so. This dissertation considers scenarios where image owners might wish to share their visual data widely for human consumption but do not wish to enable its use for machine learning purposes. It develops a protective mechanism that can be applied to datasets before they are released so that unauthorized parties cannot train their models on them