Certifiably robust interpretation via Rényi differential privacy

作者:

Highlights:

摘要

Motivated by the recent discovery that the interpretation maps of CNNs could easily be manipulated by adversarial attacks against network interpretability, we study the problem of interpretation robustness from a new perspective of Rényi differential privacy (RDP). The advantages of our Rényi-Robust-Smooth (RDP-based interpretation method) are three-folds. First, it can offer provable and certifiable top-k robustness. That is, the top-k important attributions of the interpretation map are provably robust under any input perturbation with bounded ℓd-norm (for any d≥1, including d=∞). Second, our proposed method offers ∼12% better experimental robustness than existing approaches in terms of the top-k attributions. Remarkably, the accuracy of Rényi-Robust-Smooth also outperforms existing approaches. Third, our method can provide a smooth tradeoff between robustness and computational efficiency. Experimentally, its top-k attributions are twice more robust than existing approaches when the computational resources are highly constrained.

论文关键词:Differential privacy,Machine learning,Robustness,Interpretation,Neural networks

论文评审过程:Received 28 June 2021, Revised 13 September 2022, Accepted 15 September 2022, Available online 21 September 2022, Version of Record 28 September 2022.

论文官网地址:https://doi.org/10.1016/j.artint.2022.103787