VTruST : Controllable value function based subset selection for Data-Centric Trustworthy AI

We thank the reviewer for their thoughtful feedback and good questions! We address them below.

The relationship between data selection and data augmentation within the proposed framework for robustness needs further elaboration.

It is a well-known fact that augmentation of training data leads to a robust model [1]. However, it also leads to a larger training dataset with possibly unnecessary datapoints. The data subset selection removes the redundant data points thereby improving the dataset quality and data-centric interpretability as described in the paper. We have also added a discussion for the same under Section 3.2 - second paragraph.

[1] Wang, Haotao, et al. "Augmax: Adversarial composition of random augmentations for robust training." NeurIPS 2021.

Does the trustworthy model have lower accuracy compared to the model trained on the original dataset?

The trustworthy model can be adapted to have a better accuracy/error rate compared to the model trained on the original dataset. We can vary the parameter $\lambda$ to achieve a balance between accuracy and fairness/robustness. We cite examples of instances where the trustworthy model performs better than the model trained on the original dataset.

Figure 1(b) $\lambda=0.5$ , VTrust achieves Label Robust ER = 0.19 and EO Disparity=0.11, which are better than the Wholedata-ST with Label Robust ER = 0.2 and EO Disparity = 0.19.

Figure 1(c) $\lambda=0.5$ , VTrust achieves Feature Robust ER = 0.2 and EO Disparity=0.102, which are better than the Wholedata-ST with Feature Robust ER = 0.213 and EO Disparity = 0.16.

How does the framework perform when both fairness and robustness are considered together?

We have added some results in Section 3.1 for the pareto curves in Figure 1, where we varied the $\lambda$ to show the tradeoff between fairness and robustness (label robust using label flipping and feature robust using SMOTE-generated samples). We can observe that the trend is followed as expected and also performs better than Wholedata-ST in terms of all pairwise metrics. We shall add the results of other baselines in the final version.

Analyze the framework’s complexity

VTruST has a complexity of $\mathcal{O}(kM(N-k))$ where $k$ = subset size, $M$ = size of the validation set, $N$ = size of training set, $M << N$. We had provided this complexity in Section 2.3 before “Conditions for Optimality of the Selected Subset”.

We thank the reviewer for their thoughtful feedback and good questions! We address them below.

Questions:

Are there no better ways for robustness?

Many notions of robustness (e.g. adversarial robustness, etc.), and their tradeoffs with accuracy have been studied in the literature. We follow the notion of robustness defined in [1], which is not adversarial but based on random perturbations leading to image corruptions. These notions of robustness have also been followed in many subsequent papers, e.g. Augmax [2].

[1] Hendrycks, Dan, and Thomas Dietterich. "Benchmarking neural network robustness to common corruptions and perturbations."ICLR 2019.

[2] Wang, Haotao, et al. "Augmax: Adversarial composition of random augmentations for robust training." NeurIPS 2021.

How do you apply augmentation to tabular data?

In case of tabular data, we showed the tradeoff between Robustness and Fairness using the label-flipping experiment taken from SSFR [3]. However, in the revised document, we have also introduced feature-robustness using SMOTE [4] for augmenting samples.

We show the tradeoff between error rate, fairness, label robustness, and feature robustness in Figure 1 of the revised document. These experiments show the generality of our framework and also motivate the problems of studying tradeoffs between the various trustworthiness metrics.

[3] Roh, Yuji, et al. "Sample selection for fair and robust training." NeurIPS 2021.

[4] Chawla, Nitesh V., et al. "SMOTE: synthetic minority over-sampling technique." Journal of artificial intelligence research 16 (2002).

but the main paper only provides the cases when they are separate.

In the revised version, we have provided pairwise tradeoffs between various trustworthiness metrics in Section 3.1, since the pairwise tradeoffs are easy to visualize. However, our method can also be used to improve multiple trustworthiness metrics at the same time, whenever it is possible from the problem point of view. For example,

Figure 1(b) $\lambda=0.5$ , VTrust achieves Label Robust ER = 0.19 and EO Disparity=0.11, which are better than the Wholedata-ST with Label Robust ER = 0.2 and EO Disparity = 0.19.

Figure 1(c) $\lambda=0.5$ , VTrust achieves Feature Robust ER = 0.202 and EO Disparity=0.102, which are better than the Wholedata-ST with Feature Robust ER = 0.213 and EODisparity = 0.16.

Weaknesses: We would also like to rebut some reviewer comments in the weakness section.

No comparison to other more up-to-date (when considering the ICLR submission deadline) data valuation metrics such as Beta Shapley [Kwon, 2021], DAVINZ [Wu, 2022], Data OOB [Kwon, 2023], LAVA [Just, 2023], or CG-score [Nohyun, 2023], which are known to provide more robust values and are efficient to compute.

The reviewers mention the latest data valuation methods, which we have not compared with. We would like to point out that the methods (from 2023) focus on efficiency and are not specific to the predictive task. On the other hand, our framework is designed to be targeted towards one or more tasks using the value function metrics. Hence, we feel that the comparison with these methods would probably be unfair. However, for completeness, we provide the below comparison with CG-Score. As can be seen, our method outperforms the latest baselines as well in terms of Standard Accuracy (SA) and Robust Accuracy (RA).

CG-score vs VTruST on CIFAR10

Subset size | CG Score | VTruST

20% - SA, RA | 84.11, 77.31 | 92.25, 85.54

40% - SA, RA | 89.13, 83.25 | 94.74, 88.23

60% - SA, RA | 92.56, 87.13 | 94.77, 89.21

The fairness baselines also seem not recent (<=2021)

We report a comparison with a recent paper - FairDRO [1] using their metric DCA (Difference of Conditional Accuracy) below. The lower the value, the better is the fairness.

COMPAS

Metrics | VTruST | FairDRO

ER | 0.34 | 0.43

DCA | 0.035 | 0.04

Adult Census

Metrics | VTruST | FairDRO

ER | 0.18 | 0.21

DCA | 0.015 | 0.02

As we can see, our method outperforms this recent baseline in both ER as well as DCA. Since the new method follows a different metric (DCA) compared to the existing baselines (EODisparity), we shall add this result in the appendix of the final version of our paper (due to space constraints).

[1] Jung, Sangwon, et al. "Re-weighting Based Group Fairness Regularization via Classwise Robust Optimization." ICLR 2023

Minor:

We revised it in the updated version.

We thank the reviewer for their thoughtful feedback and good questions! We address them below.

Why are these two metrics that require a trade-off?

Many notions of robustness (e.g. adversarial robustness, etc.), and their tradeoffs with accuracy have been studied in the literature. We follow the notion of robustness defined in Hendryks et a. [1], which is not adversarial but based on random perturbations leading to image corruptions. We use the same technique to generate the augmented dataset $\mathcal{D}_a$. The value functions are defined as loss on validation datasets. Hence, they are different for accuracy (“value” according to reviewer) which uses $\mathcal{D}’$ and “robustness” which uses $\mathcal{D}'_a$ (see Section 2.2). These value functions guide the selection of important training datapoints, which we find are different from each other. Hence, we report the tradeoff between these two value functions.

[1] Hendrycks, Dan, and Thomas Dietterich. "Benchmarking neural network robustness to common corruptions and perturbations."ICLR 2019.

When users need to reset the weights, does your algorithm need to be rerun?

Yes, the current algorithm needs to be re-run for different values of $\lambda$. However, $\lambda$ only affects the value function and not the features $X_i$ which are dependent on the training run. Hence, for each training run, we can perform subset set-selection for a grid of $\lambda$ in parallel, without additional inference/parameter update cost.

Why didn't you compare with other method baselines in your robustness experiments?

We compared the image robustness algorithm with state-of-the-art AugMax (NeurIPS 2021) and SSR (NeurIPS 2021) in Table 5. We also compared our method with latest data valuation method [2] as a response to the second reviewer’s comment and found ours to outperform the former method. We will be happy to compare with any suggested baselines. Besides, we have added some results for the robustness on tabular data in the revised document.

[2] Nohyun, Ki, Hoyong Choi, and Hye Won Chung. "Data valuation without training of a model." ICLR 2023.

Compare with other method baselines in your robustness experiments; The two metrics do not have a trade-off relationship

While the metrics reported initially on the CIFAR10 showed a weaker tradeoff relationship, that might be a property of the dataset which already contains many images per class. We have added a figure (in Figure 3 of the revised document), which shows the tradeoff more clearly. We thank the reviewer for the comment. We shall report the tradeoff on TinyImagenet, shortly.