Certified $\ell_2$ Attribution Robustness via Uniformly Smoothed Attributions

1. Could the robustness certification be extended to encompass more random distributions, such as the Gaussian distribution? If not, please discuss the main challenges associated with such an extension.
2. The authors suggest that cosine similarity is more likely to extend to other domains. A recommendation would be to conduct experiments in practical scenarios where cosine similarity robustness is particularly useful. Additionally, the title "Uniformly Smoothed Attributions" might be perceived as somewhat narrow in scope. Consider a title that better reflects the broader applicability of your work.

1. According to Weakness 1, is it necessary to impose constraints on the model output $f(x)$ in Eq. (1), such as requiring that $f(x)$ and $f(x + \delta)$ are similar or yield the same classification result?

2. In Line 751, do R3 and R1 represent the centers of the spheres for $g(\tilde{x})$ and $g(x)$, respectively?

1. There is a brief mention (paragraph starting at 398) that the certificates provided in this paper are actually 'probabilistic' certificates as $h(x)$ cannot actually be exactly computed. This needs to be made much more explicit. Compounding this is the fact that paragraph just mentions the number of samples used for the experiments but does not ever mention the 'actual probability' that these certificates hold at. In Appendix C.1 the paper empirically shows that when $N = 100,000$ that the certificates are close for the networks the datasets considered when $\alpha = 0.01$ (i.e. the certificate almost holds with probability $99\%$ when using 100,000 samples). In other words, the computed values in this paper are neither a true certificate nor a probabilistic certificate (line 403: "almost surely"). This leads into my next question as it should be possible to obtain true probabilistic certificates.
2. There is an unsubstantiated claim in line 195 that because this paper aims to certify under $\ell_2$ attacks a uniform distribution should be chosen. However, in the original randomized smoothing paper (Cohen et al. 2019) $\ell_2$ attacks are being certified but the distribution chosen is Gaussian. See Theorem 2 in Cohen et al. 2019: "Theorem 2 shows that Gaussian smoothing naturally induces $\ell_2$ robustness: if we make no assumptions on the base classifier beyond the class probabilities (2), then the set of perturbations to which a Gaussian-smoothed classifier is provably robust is exactly an $\ell_2$ ball." What happens if you use a gaussian distribution instead? What is the benefit of a uniform distribution?
3. "The proposed result does not assume anything on the classifiers" (line 308) is contradicted by "is a function of the input gradient, $\nabla f(\mathbf{x})$, which is bounded for Lipschitz continuous networks" (line 261). While most networks are Lipschitz continuous, not all networks are. For example, "The Lipschitz Constant of Self-Attention" Kim et al. Theorem 3.1 gives Dot Product Multihead Attention is not Lipchitz continuous.
4. As a followup to weakness 3, the computations in this paper depend on $M$ which is defined as $||g(x)||_2 \leq M$ (line 756, also for an important variable why is it only formally defined in the appendix). $g$, although never formally defined, is a function of $\nabla f(\mathbf{x})$. $\nabla f(\mathbf{x})$ is bounded by the Lipschitz constant of the network. There are many potential ways to compute the Lipschitz constant of the network, is the paper using an approximate method? Which one? It is important to know as it affects both the precision of the certificate and the runtime.
5. On the note of runtime, I could be wrong but in the entire paper and appendix I only found a single mention of runtime at line 475 which claims that certification for ImageNet on ResNet-50 takes around 15 seconds per sample. According to line 405, the number of samples is 100,000. Even being generous this seems slightly hard to believe to me. This is not scientific, but if we look at some online resources [1] with half-precision shows 4,000 inferences per second on a 3080 GPU, a comment in [2] indicates that the 3090 is roughly 30% faster than the 3080 on ResNet-50 inferences. This means in 15 seconds you can do roughly 80k inferences. However, all the attribution methods (including the ones used in this paper) require backpropping all the way to the input layer, an additional cost on top of inference time. This also does not include Lipschitz constant computation time [3] may not be the most up to date but it suggests that even approximations should take a couple of seconds if not tens-hundreds of seconds. I would like to see a more comprehensive analysis of runtime for the experiments because the numbers are slightly confusing me.

[1] https://medium.com/@niksa.jakovljevic/optimizing-resnet-50-8x-inference-throughput-with-just-a-few-commands-41fa148a25df

[2] https://www.reddit.com/r/deeplearning/comments/zf3qn3/rtx_3080_vs_rtx_3090/#:~:text=In%20DL%20benchmarks%2C%20even%20if,because%20of%20the%20memory%20limitations.

[3] https://proceedings.neurips.cc/paper_files/paper/2019/file/95e1533eb1b20a97777749fb94fdb944-Paper.pdf

Suggestions

1. Can you define attribution function $g$ or at least verbally describe it in the paper?
2. Can you boost the brightness of Figure 1 (b, c, d)? These will not look good especially when printed.
3. $cos$ is a different function from cosine similarity, please define it.
4. What do the three numbers in line 201 represent, do we want higher values? What do they mean? How do they relate to effectiveness of attribution?
5. Why is it intractable to optimize cosine similarity (line 228)? Can you cite something or prove it?
6. $a\mathbf{v} = R_1 - R_3$ line 752
7. line 242 this arbitrary translation can be made regardless of what you have written above, but what you have written above is also not enough to show that the magnitude of $a$ is constrained by "a constant related to the intersecting...". Explicitly say here what $a$ is restrained by you can leave the proof in the appendix.
8. line 248, 782 what about $h(\mathbf{x})$ and h(\mathbf\{\tilde{x}}) form a spherical cone? Neither the intersection, union, nor symmetric difference form a spherical cone (https://en.wikipedia.org/wiki/Spherical_sector), or if you say they do, can you prove it? What does the spherical cone have to do with directional decomposition?
9. line 405, I don't think $N^*$ is defined.
10. line 706, $q$ -> $p$

Related Work

1. As you are only required to address articles published before July 2024, this does not count towards my grade; however, I am curious how your method compares to "Advancing Certified Robustness of Explanation via Gradient Quantization" CIKM '24 which uses ideas from randomized smoothing to provide explanation robustness.

Below, I give comments on clarity and writing. I only have time to do this for the abstract and introduction given the amount of issues, please go over the entire paper making these corrections.

Clarity

1. (line 17) "from a certain space" is too ambiguous
2. (line 18) "the attack region"? What attack region, you haven't defined that.
3. (line 19) "guaranteed to be lower bounded." Lower bounded by what? I can prove that it is lower bounded by $-1$ but that is not interesting, what do you lower bound it by? either what method, or what metric, etc?
4. (line 20) "of the certification" what certification? "the original one" what original one? maybe you are trying to say something like "Additionally, we certify the minimum smoothing radius (or maximum perturbation size) such that an attribution remains unchanged."
5. (line 23) "the proposed method" what proposed method? There is a derivation of a formulation, and a proof what is the method?
6. (line 23) "on three datasets" be clear here, what datasets?
7. (line 33) What applications?
8. (line 40) "people naturally requires the confirmation of the safety critical decisions" does not make sense, I assume you are trying to say that people would want to know how safety critical decisions are made but it is unclear
9. (line 41) The risk is because the users lack expertise in ML and technical details of attributions, or the risk is because the model is not robust. Even if a user was an expert in ML/attributions an adversarial attack changing the attribution would likely be hard to notice.
10. (line 44) In contrast to the above comment, shouldn't it be "users" who lose trust?
11. (line 45) "Thus, a trustworthy..." does not follow from the previous statements, I think you want to say that a trustworthy model must produce both robust predictions but also robust explanations. Also, there are other methods of explanation besides attribution so a trustworthy model could have explainability produced by a different method.
12. (line 53) "Unlike adversarial defense, which has been ..." This sentence has multiple issues, "that using both empirical..." comes after adversarial attacks, except what I assume you mean is that there are both empirical and certified adversarial defense methods. Instead I think you want to say something like "While there has been extensive work in both empirical (cite) and certified (cite) defenses against adversarial attacks targeting prediction accuracy, there are almost no works on defending against attacks targeting model attributions.
13. (line 60) What is categorical ranking measurements? Why are they not easy to extend to other domains?
14. (line 61) Do they attempt to derive, or they do derive? I think you want to say something like "Wang & Kong (2023) derives a practical upper bound of the cosine similarity of the worst-case attribution under attack; however, their method has strict assumptions <say on what> and is computationally intensive"
15. (line 63) "the smoothed version of attributions" does not follow because you have not described a smooth version of model attribution. "we focus on smoothed model attributions and provide a theoretical guarantee that these attributions are robust to any perturbation within an $\ell_2$ ball.
16. (line 75) "we find an effective upper bound on Equation (1), or equivalently, a lower bound on the worst-case attribution similarity." I assume you do find a bound, not attempt to find a bound.
17. (line 76) "We propose.." This sentence is way to long and does not read well. "We propose uniformly smoothed attribution - a smoothed version of model attribution. We analytically provide a lower bound on the worst case cosine similarity for uniformly smoothed attribution."
18. (line 82) The theoretical guarantee demonstrates? "We provide a theoretical guarantee on the robustness of uniformly smoothed attribution under perturbations belonging to a given input specification."
19. (line 83) "The robustness is measured by..." This is not new, Equation (1) from Wang & Kong is the same, you don't need this sentence.
20. (line 85) Just larger sized images? or also larger and more diverse network architectures?
21. (line 86) Wang & Kong provides theoretical guarantees (see theorems 1 and 2), so this is not the first work that provides theoretical guarantees for attribution robustness. Instead you maybe want to say that it is the first scalable or the first work that provides guarantees for general NN architectures.
22. (line 88) Your alternate certificates are not equivalent, the original ones have a bound on the perturbation size, this certificate gives the maximum perturbation radius for which the attribution difference remains under a certain threshold. I understand that they are derived in a similar way, but they give different guarantees.
23. (line 93) "Well-bounded integrated gradients" <- you never define this, cite the paper or something? what does it mean for it to be well-bounded?
24. (line 99) "this paper and" -> "the paper"

Minor Comments

1. (line 12) "the attributions" I think should be "model attributions", similarly "... manipulate model attributions without changing model predictions"
2. (line 15) "an effective verification method" or "an effective certification method" since you are using these to understand robustness not defend against it
3. (line 17) "use a uniform smoothing"
4. (line 17) "It is proved" i.e. someone else did it, if its this case, say who? or "We proved" i.e. you do it in this paper
5. (line 19) "the cosine similarity between the uniformly smoothed attribution of a perturbed sample and an unperturbed sample is..."
6. (line 24) "the attributions"
7. (line 25) networks -> network, schemes -> scheme, datasets -> dataset
8. (line 29) developments -> development
9. (line 30) have -> has, discussions of the -> discussion on
10. (line 32) (Brown et al, 2020) links to "Language models are few-shot learners." what does this paper have to do with explainability of LLMs?
11. (line 38) "the explainability" or what? or what explainability?
12. (line 40) requires -> require
13. (line 46) "the attributions" -> "model attributions", have also been shown recently -> have recently been shown to also
14. (line 48) can be -> are
15. (line 50) "This misleadingly..." this sentence is basically already said above
16. (line 63) "Currently, there is no scalable method for providing generalized certificates of attribution robustness"
17. (line 64) we put our focus -> we focus
18. (line 67) "Based on the previously..." -> "Wang & Kong (2023) define attribution robustness as the worst cases attribution difference $D(\cdot, \cdot)$ resulting from a perturbation within a certain attack radius. Formally, given a network $f$, ..., Wang & Kong (2023) define attribution robustness as..."
19. (line 70) this formula does not depend on $f$, you have not defined an attribution function $g$, I think you want to somehow specify that $g$ depends on $f$ for example, $g_f$
20. (line 73) assumptions -> assumption, networks -> network, ", and, as a result, is unable to" -> "so it does not"
21. (line 74) "give a complete certificate" or "provide a completely certify model attribution for general neural networks"
22. (line 80) contribution -> contributions
23. (line 92) the attribution -> model attributions
24. (line 93) evaluated -> evaluate

• What is the difference between the maximum allowable perturbation $\epsilon$ and $l_2$-norm ball with a radius $r$?

• How do we use the proposed method if the gradients do not satisfy the Lipschitz condition?

• What does the variable $R$ represent in Equation 9?

• Why do the authors only consider the $l_2$ attribution attack?

• Why do the authors choose uniform distribution?