Robust Yet Efficient Conformal Prediction Sets

Read original: arXiv:2407.09165 - Published 7/15/2024 by Soroush H. Zargarbashi, Mohammad Sadegh Akhondzadeh, Aleksandar Bojchevski

Overview

  • Conformal prediction (CP) can convert any model's output into prediction sets guaranteed to include the true label with any user-specified probability.
  • However, CP is vulnerable to adversarial test examples (evasion) and perturbed calibration data (poisoning), just like the underlying model.
  • The researchers derive provably robust sets by bounding the worst-case change in conformity scores.
  • Their tighter bounds lead to more efficient sets.
  • They cover both continuous and discrete (sparse) data, and their guarantees work for both evasion and poisoning attacks (on both features and labels).

Plain English Explanation

Conformal prediction is a technique that can take any machine learning model and convert its output into a set of predictions that are guaranteed to contain the true label a certain percentage of the time, such as 95% of the time. This is useful for building trustworthy classification systems and making predictions more understandable to humans.

However, just like the underlying machine learning model, conformal prediction is also vulnerable to adversarial attacks. Adversaries can craft test examples that trick the model (evasion) or perturb the data used to calibrate the conformal prediction (poisoning), causing the prediction sets to become unreliable.

To address this, the researchers have developed a new method for producing conformal prediction sets that are provably robust to these types of attacks. They do this by carefully bounding the worst-case changes in the scores used to determine the prediction sets. This results in tighter, more efficient prediction sets that maintain their reliability even under attack.

Importantly, their approach works for both continuous and discrete (sparse) data, and it provides guarantees against both evasion and poisoning attacks, including attacks that target both the features and the labels of the data.

Technical Explanation

The key innovation in this work is the derivation of tighter bounds on the worst-case change in conformity scores under adversarial perturbations. Conformity scores are the values used to determine which examples should be included in the conformal prediction sets.

For continuous data, the researchers use Lipschitz continuity to bound the change in conformity scores. For discrete (sparse) data, they leverage the structure of the conformity scores to derive even tighter bounds.

These tighter bounds translate directly into more efficient conformal prediction sets - sets that are smaller in size while still maintaining the desired reliability (e.g., 95% coverage). The authors show through theoretical analysis and experiments that their approach outperforms previous methods for constructing robust conformal prediction.

Importantly, their guarantees hold for both evasion attacks (adversarial test examples) and poisoning attacks (perturbed calibration data), and they handle attacks on both the features and the labels of the data.
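An added example, not code from the paper or from this page: split conformal prediction over conformity scores, with the prediction set widened by an assumed bound on the worst-case score change. The data and the `delta_test` / `delta_cal` values are constructed for illustration and are not the paper's bounds; the example only shows why a tighter valid bound gives a smaller set that still covers the true label.

```python
import math

def conformal_threshold(calib_scores, alpha):
    """Split-CP threshold for conformity scores (higher = better fit)."""
    n = len(calib_scores)
    k = math.floor(alpha * (n + 1))  # rank of the alpha-quantile
    return sorted(calib_scores)[k - 1] if k >= 1 else -math.inf

def prediction_set(scores, q, delta_test=0.0, delta_cal=0.0):
    """Labels whose worst-case score could still reach the threshold.

    delta_test: assumed bound on how far evasion can move a test score.
    delta_cal:  assumed bound on how far poisoning can move each calibration
                score; the k-th order statistic then moves by at most that.
    Both default to 0, which gives the ordinary (non-robust) set.
    """
    return sorted(y for y, s in scores.items()
                  if s + delta_test >= q - delta_cal)

# Constructed data: conformity scores of the true labels on 19 calibration
# points, and per-class scores for one test point whose true label is 2.
CALIB = [0.05, 0.12, 0.20, 0.25, 0.31, 0.33, 0.40, 0.42, 0.47, 0.50,
         0.55, 0.58, 0.61, 0.66, 0.70, 0.74, 0.80, 0.85, 0.91]
ALPHA = 0.1  # target coverage 1 - ALPHA = 90%
TRUE_LABEL = 2
CLEAN = {0: 0.02, 1: 0.03, 2: 0.15, 3: 0.60, 4: 0.04}
# Same point after an evasion perturbation; no score moved by more than 0.07.
PERTURBED = {0: 0.01, 1: 0.03, 2: 0.08, 3: 0.62, 4: 0.06}

def demo():
    q = conformal_threshold(CALIB, ALPHA)
    return {
        "clean": prediction_set(CLEAN, q),
        "vanilla_attacked": prediction_set(PERTURBED, q),
        "robust_tight": prediction_set(PERTURBED, q, delta_test=0.08),
        "robust_loose": prediction_set(PERTURBED, q, delta_test=0.12),
    }

if __name__ == "__main__":
    for name, labels in demo().items():
        print(f"{name:17s} {labels} covers true label: {TRUE_LABEL in labels}")
```

On this data the ordinary set computed on the perturbed input loses the true label, the set built with the tighter bound recovers it with three labels, and the looser bound recovers it only by returning all five.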

Critical Analysis

The researchers have made a compelling case for the importance of robust conformal prediction and have provided a technical solution that appears to be a significant advancement over previous work.

However, a few potential limitations and areas for further research are worth noting:

  • The analysis and experiments are focused on relatively simple machine learning models and datasets. It would be valuable to see how the approach scales to more complex, real-world machine learning systems.

  • The paper does not discuss the computational overhead of computing the tighter conformity score bounds. Depending on the application, this added complexity could be a practical concern.

  • While the robustness guarantees are impressive, there may still be room for further improvements in efficiency and tightness of the prediction sets, particularly for high-dimensional or structured data.

Exploring these areas could lead to even more powerful and trustworthy conformal prediction systems. Nonetheless, this work represents an important step forward in making machine learning models more reliable and interpretable, especially in high-stakes applications.

Conclusion

In summary, this research has developed a new method for constructing provably robust conformal prediction sets that maintain their reliability even under adversarial attacks. By deriving tighter bounds on the worst-case changes in conformity scores, the researchers have been able to produce more efficient prediction sets that can be used to build more trustworthy and interpretable machine learning systems. This work has significant implications for a wide range of applications where the reliability and transparency of AI-powered decisions are critical.



This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!

Related Papers

Robust Yet Efficient Conformal Prediction Sets

Soroush H. Zargarbashi, Mohammad Sadegh Akhondzadeh, Aleksandar Bojchevski

Conformal prediction (CP) can convert any model's output into prediction sets guaranteed to include the true label with any user-specified probability. However, same as the model itself, CP is vulnerable to adversarial test examples (evasion) and perturbed calibration data (poisoning). We derive provably robust sets by bounding the worst-case change in conformity scores. Our tighter bounds lead to more efficient sets. We cover both continuous and discrete (sparse) data and our guarantees work both for evasion and poisoning attacks (on both features and labels).

7/15/2024

A Conformal Prediction Score that is Robust to Label Noise

Coby Penso, Jacob Goldberger

Conformal Prediction (CP) quantifies network uncertainty by building a small prediction set with a pre-defined probability that the correct class is within this set. In this study we tackle the problem of CP calibration based on a validation set with noisy labels. We introduce a conformal score that is robust to label noise. The noise-free conformal score is estimated using the noisy labeled data and the noise level. In the test phase the noise-free score is used to form the prediction set. We applied the proposed algorithm to several standard medical imaging classification datasets. We show that our method outperforms current methods by a large margin, in terms of the average size of the prediction set, while maintaining the required coverage.

5/22/2024

Verifiably Robust Conformal Prediction

Linus Jeary, Tom Kuipers, Mehran Hosseini, Nicola Paoletti

Conformal Prediction (CP) is a popular uncertainty quantification method that provides distribution-free, statistically valid prediction sets, assuming that training and test data are exchangeable. In such a case, CP's prediction sets are guaranteed to cover the (unknown) true test output with a user-specified probability. Nevertheless, this guarantee is violated when the data is subjected to adversarial attacks, which often result in a significant loss of coverage. Recently, several approaches have been put forward to recover CP guarantees in this setting. These approaches leverage variations of randomised smoothing to produce conservative sets which account for the effect of the adversarial perturbations. They are, however, limited in that they only support $\ell^2$-bounded perturbations and classification tasks. This paper introduces VRCP (Verifiably Robust Conformal Prediction), a new framework that leverages recent neural network verification methods to recover coverage guarantees under adversarial attacks. Our VRCP method is the first to support perturbations bounded by arbitrary norms including $\ell^1$, $\ell^2$, and $\ell^\infty$, as well as regression tasks. We evaluate and compare our approach on image classification tasks (CIFAR10, CIFAR100, and TinyImageNet) and regression tasks for deep reinforcement learning environments. In every case, VRCP achieves above nominal coverage and yields significantly more efficient and informative prediction regions than the SotA.

6/7/2024

Towards Human-AI Complementarity with Predictions Sets

Giovanni De Toni, Nastaran Okati, Suhas Thejaswi, Eleni Straitouri, Manuel Gomez-Rodriguez

Decision support systems based on prediction sets have proven to be effective at helping human experts solve classification tasks. Rather than providing single-label predictions, these systems provide sets of label predictions constructed using conformal prediction, namely prediction sets, and ask human experts to predict label values from these sets. In this paper, we first show that the prediction sets constructed using conformal prediction are, in general, suboptimal in terms of average accuracy. Then, we show that the problem of finding the optimal prediction sets under which the human experts achieve the highest average accuracy is NP-hard. More strongly, unless P = NP, we show that the problem is hard to approximate to any factor less than the size of the label set. However, we introduce a simple and efficient greedy algorithm that, for a large class of expert models and non-conformity scores, is guaranteed to find prediction sets that provably offer equal or greater performance than those constructed using conformal prediction. Further, using a simulation study with both synthetic and real expert predictions, we demonstrate that, in practice, our greedy algorithm finds near-optimal prediction sets offering greater performance than conformal prediction.

5/29/2024