Provably Robust Conformal Prediction with Improved Efficiency
Ge Yan, Yaniv Romano, Tsui-Wei Weng

TL;DR
This paper introduces RSCP+ and two new methods, PTT and RCT, to improve the efficiency and robustness of conformal prediction under adversarial conditions, achieving significant reductions in uncertainty set size while maintaining coverage guarantees.
Contribution
The paper proposes RSCP+ for provable robustness guarantees and introduces PTT and RCT methods to reduce prediction set size with minimal computational overhead.
Findings
RSCP+ fixes flaws in previous robustness guarantees.
PTT and RCT significantly reduce prediction set size.
Methods achieve up to 16.9x efficiency improvement on ImageNet.
Abstract
Conformal prediction is a powerful tool to generate uncertainty sets with guaranteed coverage using any predictive model, under the assumption that the training and test data are i.i.d. Recently, it has been shown that adversarial examples are able to manipulate conformal methods to construct prediction sets with invalid coverage rates, as the i.i.d. assumption is violated. To address this issue, a recent work, Randomized Smoothed Conformal Prediction (RSCP), was first proposed to certify the robustness of conformal prediction methods to adversarial noise. However, RSCP has two major limitations: (i) its robustness guarantee is flawed when used in practice and (ii) it tends to produce large uncertainty sets. To address these limitations, we first propose a novel framework called RSCP+ to provide provable robustness guarantee in evaluation, which fixes the issues in the original RSCP…
Peer Reviews
Decision · ICLR 2024 poster
1. This approach is novel and theoretically sound for conformal prediction. This paper considers conformal prediction in an adversarial setting where exchangeability is violated; thus traditional methods fail to guarantee coverage. The authors improve RSCP by adjusting its non-conformity score and bound the estimation error. 2. This approach is theoretically grounded and computationally efficient. This paper designs two post-training transformation functions: Ranking Transformation and
1. RSCP+ fails to construct informative prediction sets independently: it tends to give the whole prediction sets (including all classes) as observed on CIFAR-10, CIFAR-100, ImageNet. 2. RSCP+ generates relatively large prediction sets on datasets such as ImageNet even with PTT, limiting its application. 3. The impact of number of Monte Carlo on RSCP+ remains ambiguous, since the experiment is only conducted on CIFAR-10.
- The paper tackles an important subject: uncertainty quantification via conformal prediction in the presence of adversarial perturbations - The paper is well written for the most part (see Weaknesses for some comments), and the authors go to great lengths to provide details, as seen by the dense Appendix. Technical contributions look sound to me. - The paper correctly identifies a technical flaw in a prior framework (RSCP), and presents a correction based on the Hoeffding bound to establish a
- The paper, to its credit, tackles three different techniques, which has unfortunately degraded the reading experience. The proposed techniques have little to do with each other, and jumping between them was a bit hard to grasp in the first few reads. Having to fit all this in the page limit certainly does not help the authors. There is also an over-reliance on the Appendix, which made the reading experience very choppy. I am not sure what is the best way to tackle this frankly. - One thing I
1. The background of this problem is well illustrated. 2. The framework of RSCP+ is more efficient compared with the existing RSCP. The novelty of this method is also significant. 3. Two specific methods, PTT and RCT, make this new framework more practical.
Overall, I think this submission is a good paper, but I have the following concerns. **1. The literature review is not sufficient and complete.** For the conformal prediction with adversarial noise, this author discussed only one related work Gendler et al. (2021). However, I find that a published work [1] is closely related to this problem. The authors should clarify the differences between the submission and [1]. In addition, [2] and [3] are also related works. **2. The difference between R
Taxonomy
Topics: Face and Expression Recognition · Neural Networks and Applications
Methods: Sparse Evolutionary Training
