You Only Need a Good Embeddings Extractor to Fix Spurious Correlations
Spurious correlations in training data often lead to robustness issues since
models learn to use them as shortcuts. For example, when predicting whether an
object is a cow, a model might learn to rely on its green background, so it
would do poorly on a cow on a sandy background. A standard dataset for
measuring the state of the art of methods that mitigate this problem is
Waterbirds. The best method (Group Distributionally Robust Optimization -
GroupDRO) currently achieves 89% worst-group accuracy, while standard training
from scratch on raw images only reaches 72%. GroupDRO requires training a model
end-to-end with subgroup labels. In this paper, we show that we can achieve up
to 90% accuracy without using any subgroup information in the training set by
simply extracting embeddings from a large pre-trained vision model and training
a linear classifier on top of them. With experiments on a wide range of
pre-trained models and pre-training datasets, we show that the capacity of the
pre-trained model and the size of the pre-training dataset matter. Our
experiments reveal that high-capacity vision transformers perform better than
high-capacity convolutional neural networks, and that larger pre-training
datasets lead to better worst-group accuracy on the spurious correlation
dataset.
Comment: Accepted at the ECCV 2022 workshop on Responsible Computer Vision (RCV).
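The abstract does not name the exact extractor or probe, so the following is a minimal sketch of the general recipe it describes, assuming a torchvision ResNet-50 backbone and a scikit-learn logistic regression as the linear classifier; the paper's actual models, datasets, and hyperparameters may differ.

```python
# Minimal sketch: frozen pre-trained embeddings + a linear probe.
# The ResNet-50 backbone and LogisticRegression probe are assumptions,
# not the paper's exact configuration.
import torch
import torch.nn as nn
from torchvision import models
from torch.utils.data import DataLoader
from sklearn.linear_model import LogisticRegression

device = "cuda" if torch.cuda.is_available() else "cpu"

# Load a pre-trained backbone and drop its classification head.
weights = models.ResNet50_Weights.IMAGENET1K_V2
backbone = models.resnet50(weights=weights)
backbone.fc = nn.Identity()            # output: 2048-d embeddings
backbone.eval().to(device)
preprocess = weights.transforms()      # use as the dataset transform

@torch.no_grad()
def extract_embeddings(dataset, batch_size=64):
    """Run the frozen backbone over a dataset and collect embeddings."""
    loader = DataLoader(dataset, batch_size=batch_size)
    feats, labels = [], []
    for images, targets in loader:
        feats.append(backbone(images.to(device)).cpu())
        labels.append(targets)
    return torch.cat(feats).numpy(), torch.cat(labels).numpy()

# `train_set` / `test_set` stand in for an image dataset such as Waterbirds,
# wrapped with `preprocess`. No subgroup labels are used at training time.
# X_train, y_train = extract_embeddings(train_set)
# X_test, y_test = extract_embeddings(test_set)
# clf = LogisticRegression(max_iter=1000).fit(X_train, y_train)
# print("test accuracy:", clf.score(X_test, y_test))
```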
A Whac-A-Mole Dilemma: Shortcuts Come in Multiples Where Mitigating One Amplifies Others
Machine learning models have been found to learn shortcuts -- unintended
decision rules that are unable to generalize -- undermining models'
reliability. Previous works address this problem under the tenuous assumption
that only a single shortcut exists in the training data. Real-world images are
rife with multiple visual cues from background to texture. Key to advancing the
reliability of vision systems is understanding whether existing methods can
overcome multiple shortcuts or struggle in a Whac-A-Mole game, i.e., where
mitigating one shortcut amplifies reliance on others. To address this
question, we propose two benchmarks: 1) UrbanCars, a dataset with precisely
controlled spurious cues, and 2) ImageNet-W, an evaluation set based on
ImageNet that targets a watermark shortcut we discovered affects nearly every
modern vision model. Along with texture and background, ImageNet-W allows us to study
multiple shortcuts emerging from training on natural images. We find computer
vision models, including large foundation models -- regardless of training set,
architecture, and supervision -- struggle when multiple shortcuts are present.
Even methods explicitly designed to combat shortcuts struggle in a Whac-A-Mole
dilemma. To tackle this challenge, we propose Last Layer Ensemble, a
simple-yet-effective method to mitigate multiple shortcuts without Whac-A-Mole
behavior. Our results surface multi-shortcut mitigation as an overlooked
challenge critical to advancing the reliability of vision systems. The datasets
and code are released at https://github.com/facebookresearch/Whac-A-Mole.git.
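The abstract does not spell out the mechanics of Last Layer Ensemble; below is a minimal sketch of the general idea the name suggests (several classification heads sharing one frozen backbone, with their predictions averaged at inference). The backbone choice, head count, and how each head would be specialized against a particular shortcut are assumptions for illustration, not the paper's exact recipe.

```python
# Illustrative sketch of an ensemble of last-layer heads on a shared frozen
# backbone (NOT the paper's exact method). The ResNet-50 backbone, number of
# heads, and averaging rule are assumptions made for a runnable example.
import torch
import torch.nn as nn
from torchvision import models

class LastLayerEnsemble(nn.Module):
    def __init__(self, num_classes: int, num_heads: int = 3):
        super().__init__()
        backbone = models.resnet50(weights=models.ResNet50_Weights.DEFAULT)
        feat_dim = backbone.fc.in_features
        backbone.fc = nn.Identity()        # shared, frozen feature extractor
        for p in backbone.parameters():
            p.requires_grad = False
        self.backbone = backbone
        # One linear head per targeted shortcut; each head would be trained on
        # data augmented against a different cue (e.g., watermark, texture).
        self.heads = nn.ModuleList(
            [nn.Linear(feat_dim, num_classes) for _ in range(num_heads)]
        )

    def forward(self, x: torch.Tensor) -> torch.Tensor:
        feats = self.backbone(x)
        logits = torch.stack([head(feats) for head in self.heads], dim=0)
        return logits.mean(dim=0)          # average the heads' predictions

model = LastLayerEnsemble(num_classes=1000)
print(model(torch.randn(2, 3, 224, 224)).shape)   # torch.Size([2, 1000])
```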
Code Llama: Open Foundation Models for Code
We release Code Llama, a family of large language models for code based on
Llama 2, providing state-of-the-art performance among open models, infilling
capabilities, support for large input contexts, and zero-shot instruction
following ability for programming tasks. We provide multiple flavors to cover a
wide range of applications: foundation models (Code Llama), Python
specializations (Code Llama - Python), and instruction-following models (Code
Llama - Instruct) with 7B, 13B and 34B parameters each. All models are trained
on sequences of 16k tokens and show improvements on inputs with up to 100k
tokens. 7B and 13B Code Llama and Code Llama - Instruct variants support
infilling based on surrounding content. Code Llama reaches state-of-the-art
performance among open models on several code benchmarks, with scores of up to
53% and 55% on HumanEval and MBPP, respectively. Notably, Code Llama - Python
7B outperforms Llama 2 70B on HumanEval and MBPP, and all our models outperform
every other publicly available model on MultiPL-E. We release Code Llama under
a permissive license that allows for both research and commercial use.
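As a concrete illustration of using one of these checkpoints for code completion, here is a minimal sketch assuming the Hugging Face `transformers` library and the public "codellama/CodeLlama-7b-hf" weights; the model id, dtype, and decoding settings are illustrative choices, not an official quickstart.

```python
# Minimal sketch of prompting a Code Llama checkpoint for code completion.
# Assumes the Hugging Face `transformers` library and public 7B weights;
# settings here are illustrative.
import torch
from transformers import AutoModelForCausalLM, AutoTokenizer

model_id = "codellama/CodeLlama-7b-hf"
tokenizer = AutoTokenizer.from_pretrained(model_id)
model = AutoModelForCausalLM.from_pretrained(
    model_id, torch_dtype=torch.float16, device_map="auto"
)

# Plain left-to-right completion of a function stub.
prompt = "def fibonacci(n: int) -> int:\n    "
inputs = tokenizer(prompt, return_tensors="pt").to(model.device)
output = model.generate(**inputs, max_new_tokens=64, do_sample=False)
print(tokenizer.decode(output[0], skip_special_tokens=True))
```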
Disrupting Machine Learning: Emerging Threats and Applications for Privacy and Dataset Ownership
Thesis (Ph.D.)--University of Washington, 2021
Convolutional neural networks (CNNs) can be trained with machine learning techniques by using large datasets of images to solve a multitude of useful computer vision tasks. However, CNNs also suffer from a set of vulnerabilities that allow maliciously crafted inputs to affect both their inference and training. A central premise of this dissertation is that these vulnerabilities exhibit a duality when it comes to security and privacy. On the one hand, when computer vision models are applied in safety-critical settings such as autonomous driving, it is important to identify failures that can be exploited by malicious parties early on so that system designers can plan for novel threat models. On the other hand, when machine learning models themselves are being used in a malicious or unauthorized manner, such vulnerabilities can be leveraged to protect data creators from the harmful effects of these models (such as privacy degradation) and to enforce finer-grained “access” controls over the data.

This work studies security and privacy issues in three scenarios where machine learning is applied for visual tasks. The first contribution of this work is to identify a vulnerability in models that are likely to be deployed to identify road signs in autonomous vehicles. It demonstrates that an attacker with no digital access to a self-driving car’s computers can nevertheless cause dangerous behavior by modifying the appearance of physical objects. Next, this dissertation considers scenarios where machine learning models are applied in a way that degrades individual privacy. It proposes a scheme -- nicknamed FoggySight -- in which a community of users volunteers adversarially modified photos (“decoys”) that poison the facial search database and throw off searches in it. Finally, machine learning models may be trained on data without authorization to do so. This dissertation considers scenarios where image owners might wish to share their visual data widely for human consumption but do not wish to enable its use for machine learning purposes. It develops a protective mechanism that can be applied to datasets before they are released so that unauthorized parties cannot train their models on them.
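The abstract does not describe any of the dissertation's specific constructions, so the following is a generic, minimal FGSM-style sketch of the kind of "maliciously crafted input" it refers to. The classifier, epsilon, and input are placeholder assumptions; this is not the road-sign attack, FoggySight, or the dataset-protection mechanism.

```python
# Generic illustration of a maliciously crafted input (FGSM-style), not any
# method from the dissertation; model, epsilon, and input are placeholders.
import torch
import torch.nn.functional as F
from torchvision import models

model = models.resnet18(weights=models.ResNet18_Weights.DEFAULT).eval()

def fgsm_perturb(image: torch.Tensor, label: torch.Tensor, eps: float = 0.03):
    """Add a small, worst-case perturbation that pushes the model's
    prediction away from the given label."""
    image = image.clone().requires_grad_(True)
    loss = F.cross_entropy(model(image), label)
    loss.backward()
    # Step in the direction that increases the loss, then clip to valid range.
    return (image + eps * image.grad.sign()).clamp(0, 1).detach()

# Placeholder input: a random "image" and an arbitrary class label.
x = torch.rand(1, 3, 224, 224)
y = torch.tensor([0])
x_adv = fgsm_perturb(x, y)
print("prediction before:", model(x).argmax(1).item(),
      "after:", model(x_adv).argmax(1).item())
```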