Counterfactuals, or modified inputs that lead to a different outcome, are an important tool for understanding the logic used by machine learning classifiers and how to change an undesirable classification. Even if a counterfactual changes a classifier’s decision, however, it may not affect the true underlying class probabilities, i.e. the counterfactual may act like an adversarial attack and “fool” the classifier. We propose a new framework for creating modified inputs that change the true underlying probabilities in a beneficial way which we call Trustworthy Actionable Perturbations (TAP). This includes a novel verification procedure to ensure that TAP change the true class probabilities instead of acting adversarially. Our framework also includes new cost, reward, and goal definitions that are better suited to effectuating change in the real world. We present PAC-learnability results for our verification procedure and theoretically analyze our new method for measuring reward. We also develop a methodology for creating TAP and compare our results to those achieved by previous counterfactual methods.
Machine Learning, ICML
1 Introduction
As machine learning (ML) classifiers have experienced widespread adoption in applications that have an out-sized impact on individuals’ lives (such as credit lending (Leo et al., 2019), college admissions (Martinez Neda et al., 2021) and healthcare (Sauer et al., 2022)), the need to understand classifiers’ decision making and how to avoid undesirable classifications has become increasingly important. One of the most important tools for filling this need is the counterfactual: a counterfactual for a given input and classifier is a similar input that results in a different classification. Suppose a classifier is designed to determine whether a loan application represents a good or bad credit risk. If the classifier determines a loan to be a bad credit risk, a counterfactual would be a modified loan application that is classified as a good credit risk, e.g. the individual in a loan application is a bad credit risk, but an otherwise identical applicant who is years younger with a $ higher monthly income would be a good credit risk. (Wachter et al., 2017) first suggested the use of Counterfactuals Explanations (CE) to help understand classifiers’ decisions making. Subsequent works explored the use of counterfactuals to help individuals change an undesirable classification (Ustun et al., 2019; Karimi et al., 2021; Poyiadzi et al., 2020). Returning to the example of an individual turned down for a loan, this type of counterfactual would not suggest an individual decrease their age (clearly impossible), but rather make practical changes such as pay off all credit card debt and request a smaller loan. These counterfactuals came to be known as Actionable Counterfactuals (AC) or Algorithmic Recourses (AR). Although, these counterfactuals change a classifier’s decision, it can not be assumed they will have the same affect on the real world (Freiesleben, 2022), e.g. a change that causes a classifier to determine someone is a good credit risk may not increase the person’s odds of paying off the loan in reality. (König et al., 2023) point out that a counterfactual could change a classifiers decision without changing the real world if the modifications are not causally linked to the output. For example, having a mailing address in an affluent neighborhood may correlate to higher odds of paying off a loan and changing the address could affect a classifiers decision, but there is no causal link. Accordingly, telling an applicant to change their mailing address to a P.O. box in a wealthy neighborhood would not improve their chances of paying off a loan. (König et al., 2023) proposed a framework to ensure modifications are causally linked to the output which they called Improvement-Focused Causal Recourse (ICR).
Figure 1: a) Overview of the framework for creating Trustworthy Actionable Perturbations (TAP). b) Comparison of objectives and features of TAP and Counterfactual Explanations (CE) (Wachter et al., 2017), Actionable Counterfactuals/Algorithmic Recourse (AC/AR) (Ustun et al., 2019; Karimi et al., 2021; Poyiadzi et al., 2020), Improvement-Focused Causal Recourse (ICR) (König et al., 2023).
In this paper, we focus on tackling new challenges for this problem, which have not been addressed in prior work.
Trustworthy Actionable Perturbations (TAP) focus on three novel improvements for affecting real world outcomes.
Trustworthiness Against Adversarial Examples: (Szegedy et al., 2013) showed that ML classifiers are brittle and small modifications to an input can cause misclassifications in otherwise accurate classifiers. Among the various definitions of adversarial behavior, we use the definition: modifications to a data point are adversarial if they cause a classifier to be far less accurate on modified data points than the original data (Diochnos et al., 2018). These modified inputs are called adversarial examples and the algorithms that create them are called adversarial attacks. The algorithms that create counterfactuals are very similar to adversarial attacks and (Pawelczyk et al., 2022) showed they produce similar outputs, which leads to the troubling conclusion that many counterfactuals may act as adversarial examples and change the classifier decision (individual is now offered a loan) without changing the true underlying class probabilities (individual is still likely to default on the loan). The adversarial vulnerability of classifiers is separate from causality concerns. For this reason, we introduce a novel two step procedure where (1) we generate a suggested change and (2) we use an independently trained verifier to certify that this change is not acting as an adversarial example. We present a methodology for training this verifier and provide analytical results showing that it is PAC-learnable (Theorem 2.3).
Flexible Goal Definition: AC/AR focus solely on the final classification of a data point, but this may not always be sufficient or feasible.
For instance a valid AC/AR may lead to a likelihood of paying off a loan, but this may not satisfy the individual. Additionally, a change that improves a cancer patient’s odds of survival form to would not constitute a valid AC/AR even though it would be very useful.
Accordingly, our framework defines goals through a target set of acceptable outcomes that can be tailored to an individual’s needs, and we demonstrate how these target sets can be designed. We note that ICR (König et al., 2023) and one of the AC/AR methods
(Dandl et al., 2020) propose the use of goals other than final classification, but our formulation is more flexible and applies to multi-class scenarios. We develop a principled measure of reward by defining a distance to the target set using statistical divergence. We analyze this distance theoretically in Theorem 2.2.
Real World Efficiency: Previous works on CE and AC/AR reduce the amount of changes made by a counterfactual by minimizing a weighted -norm of the changes (with the exception of (Ramakrishnan et al., 2020)), however these norms often fail to represent the real world cost of making changes. Alternatively, we minimize a cost measure built specifically to reflect real world costs of a change. By using this measure of real world cost and principled measure of rewards (distance to target set), TAP can suggest more efficient advice. We present a few examples of the utility of producing efficient advice through TAP: (a) Suggest the course of treatment that would double a patient’s odds of survival while requiring the least staff hours. (b) List the skills an job applicant could acquire in the least amount of time that would lead to a high probability of receiving an interview. (c) Find the cheapest modifications to a product that would bring it into a more premium price range and enhance marketability. We illustrate through experiments on real world data how the use of application specific cost functions leads to more efficient advice.
Figure 1(a) illustrates our framework of Trustworthy Actionable Perturbations (TAP) for using feasible actions, true cost and an individualized goal to create an efficient change, which is then verified to ensure that the change affects the true class probabilities instead of acting adversarially. Our goal to change the true class probabilities (real world outcomes) differs from previous CE and AC/AR works that seek only to change the classifier’s decision. We share our goal with ICR which is focused on ensuring that only features causally related to the class are modified. Our framework, on the other hand, focuses on ensuring that the changes do not exploit the brittleness of ML classifiers and cause misclassifications. This can occur regardless of whether modified features are causally related to the output. Figure 1(b) provides a summary of the objectives and features of various existing approaches alongside TAP.
2 Trustworthy Actionable Perturbations
Problem Setting and Goals: Suppose there is an unknown distribution . Here is a member of the input space and is the class of . We define the true class probabilities . We let denote the -simplex and use a classifier to estimate . Our goal in designing TAP is as follows: Given an input with an undesirable classification , find the most efficient real world actions to create a modified input such that the corresponding true probabilities (and not just ) are more desirable.
Real World Actionability:
TAP should only suggest modifications that are feasible in the real world (e.g., not decreasing an individual’s age). To this end, we introduce: the Actionable Set of a data point as the set of all perturbations of that are feasible in the real world. For example, if represents loan applications with the age of the applicant, the applicant’s credit score, the amount of credit and the loan duration, the actionable set could be
,
i.e. the applicant can change the size and duration of the loan they request, but not their age or credit score. Previous works have examined the complexities of actionability including causal relations between inputs, e.g. one can’t increase their education without an increase in age (Mahajan et al., 2019; Karimi et al., 2020b). All of these considerations, as well as a limiting changes to attributes which are believed to have a causal link to the output, can be incorporated into .
Efficiency: The definition of the most efficient change depends on the context of the problem and could involve a well defined value such as “cost in dollars” or more nebulous value such as “amount of effort required.” We characterize this value with a function , where is the cost of changing to . For example, if and represent resumes, then could represent the time it would take to acquire the attributes listed on resume , but not on . We note this function may not be a true distance measure. For example, if represents the difference in financial cost between two courses of medical treatment, then should be negative when is more affordable than .
Desirability: We now define what we mean by a desirable outcome—the goal of a TAP. The Target Set is the set of all elements of that would be an acceptable result of a TAP.
If we wish to belong to a desirable class with probability no less than , the target set would have the form If our goal is rather to avoid some undesirable class , could be of the form
for a fixed . More generally, if we wish to belong to a set of desirable classes with probability at least and we wish to belong to a set of undesirable classes with probability no greater than , we would use
(1)
We must quantify how close an TAP comes to achieving its goal in a principled manner. To do this, we first choose a measure of statistical distance (we use Kullback-Leibler (KL) Divergence). We then denote as the distance of to the target set , defined as follows:
(2)
We may now formally define Trustworthy Actionable Perturbations. Let represent budget —the amount of work we are willing to perform, and represent tolerance —how close the final result is to our target set .
is an -trustworthy actionable perturbation for and a target set if
1.
2.
3.
In order to verify the second condition we must be able to calculate . Fortunately, the optimization problem in (2) has a differentiable closed form solution when is an -divergence: a broad class of measures including KL-divergence, total-variation (TV) and other commonly used statistical distances. An -divergence is defined as , where is a convex function satisfying and (Polyanskiy & Wu, 2024). Theorem 2.2 describes the solution to (2).
Figure 2: Illustration of the partition on used to calculate the distance from the target set in Theorem 2.2. Although the cost function takes different functional form(s) in the four regions, it is continuously differentiable in the entire space.
Theorem 2.2.
If is an -Divergence with twice differentiable and is of form (1), then
(3)
where , and the sets and are a partition of defined and visualized in Figure 2.
Furthermore, is continuously differentiable in over its entire domain.
Equation (3) in Theorem 2.2 is easily calculable and continuously differentiable despite its piece-wise form, which will be significant when creating TAP (see Section 3). The proof of Theorem 2.2 involves showing that optimization problem (2) is convex and finding a value that satisfies the KKT conditions. This proof and additional results about are found in the Appendix A.1.
Real-world Verifiability of TAP: Note that TAP are defined with respect to the true class probabilities because TAP should have an effect in the real world. Notwithstanding, is unknown and we must use to create our TAP (more details in Section 3), which introduces the risk that we might produce an that has the desired effect on but not (like an adversarial example).
This is of particular concern because TAP and all other counterfactuals are created by solving an optimization problem of the form
(4)
which is precisely how most adversarial examples are created (Pawelczyk et al., 2022). When counterfactuals were first introduced to ML (Wachter et al., 2017), the concern that counterfactuals would act as adversarial examples was dismissed because the adversarial attacks of the time 1) modified many more features than counterfactuals and 2) were targeted almost exclusively at image data whereas counterfactuals were proposed for use on tabular data. Since that time, Gourdeau et al. (2021); Su et al. (2019) demonstrated that adversarial attacks can be effective when changing a very small number of features,
and several works (Ballet et al., 2019; Mathov et al., 2020; Cartella et al., 2021; Kumar et al., 2021) have shown that adversarial examples exist on tabular data sets. This implies that verification is necessary to achieve results that can be trusted to change the true class probabilities.
Verifying may appear similar to detecting adversarial examples, which has been the object of significant research (Yang et al., 2020; Roth et al., 2019; Fidel et al., 2020; Carlini & Wagner, 2017a) with no satisfactory solution.
Fortunately, we have an important advantage over detecting adversarial examples: we know the original data point and exactly how it was modified, i.e., . To capitalize on this knowledge, we propose a novel verification procedure using a classifier which compares two inputs simultaneously and predicts the probability of the inputs belonging to the same class: the value of estimates .
Because has a different classification task from , attacks targeted against should not be effective against , and we can use the discrepancy between estimates of and to determine if an acts adversarially on . In order to make this comparison, we use the fact that can also be estimated using by calculating . If acts adversarially we would expect to be very small while is large. If is not adversarial we would expect similar values from both and . Accordingly, we define
(5)
and verify that an is trustworthy only if .
In Section 3, we describe how we selected the threshold .
Training a Verifier & PAC Learnability: In order to create , we must have data on which it can be trained. We build this difference training data by creating all possible pairs of elements from our original training data and labeling the pairs by whether they belong to the same class ( for the same class, for different classes). If the original training data is , the difference training data is , where . We use the same architecture for as (only changing the number of inputs and outputs), but differing architectures could also be used. Now that we have a method for training , we show that training in this way leads to a generalizable verifier. To this end, we next present a probably approximately correct (PAC) bound on ’s generalization gap which depends on (number of training samples), (number of classes), and (data dimensionality).
Theorem 2.3.
Let be the true risk of a verifier over data drawn from and be the empirical risk over a sample of labelled point pairs drawn i.i.d. from . Both risks are defined using a bounded loss function . Also let be selected from a function class . Then for any , with probability , the following bound on the generalization gap holds.
(6)
Here the terms with explicit dependence on have been suppressed because they are dominated by the term in (6). The precise generalization bound is presented in (43) in the Appendix.
To prove Theorem 2.3, we construct a definition of risk that fits this new learning scenario (i.e., learning if two samples are from the same class or not, as opposed to conventional classification). This risk takes into account that we expect large imbalances between the number of point pairs from the same class and from different classes. In order to obtain the bounds on the generalization gap, we expand this risk into a sum of terms which can be bounded with existing Rademacher complexity PAC-methods. Finally, we bound the growth of these Rademacher complexity terms as a function of and to arrive at (6). The complete proof, including detailed definitions of and as well as additional discussion, is presented in the Appendix A.2.
Remark 2.4.
The bound in Theorem 2.3 is small as long as and is exponentially larger than . The relation between and is crucial because it implies that the denominator . This differs from typical PAC bounds where the primary requirement is be exponentially larger than (Theorem 4.3 in (Gottlieb et al., 2016)) and have mild dependence on the number of classes . The key implication of this result is: when using a verifier as described in this paper, as the data sets used increase in number of classes , it is essential that the amount of training data increases at a rate of .
3 Generating TAP
Two Step Creation Method: We now present and discuss the general optimization framework for creating TAP. Ideally, we would like to solve the following optimization problem: ,
where the scalar parameter balances the effort()-reward() trade-off.
Solving this optimization would be guaranteed to create an effective TAP; unfortunately is unknown and we cannot solve this problem directly.
Instead propose the following two-step procedure where: in Step , we treat as a surrogate for , and in Step , we use a verification algorithm to ensure that is not just fooling the classifier.
(7)
(8)
TAP
Solving Step 1: We solve (7) using gradient descent which requires us to use differentiable models and formulate in a differentiable manner ( is differentiable according to Theorem 2.2). We modify our gradient descent to address two challenges. (1) We must insure that our solution is actionable: . (2) Our solution must follow any formatting rules associated with the data set (for instance, Boolean variables must be either 0 or 1, categorical features must respect one-hot encoding, etc.). A perturbation that follows these formatting rules is called coherent. To solve these two difficulties, we first assume
for some set of lower bounds and upper bounds . An attribute is immutable if .
We ensure actionability by setting all elements of the gradient corresponding to immutable features to zero and adding a large penalty term to the objective function which punishes points for leaving the actionable set.
To ensure coherence, we project the result of our gradient descent onto the coherent space by using a function which performs the appropriate value rounding to make an input coherent. We found it useful to introduce a second penalty term which requires that any one-hot encoded features sum to . This ensures our answers never stray too far from a coherent point and improves robustness. Details on , and are found in the Appendix A.3.3. In practice we also found it useful to replace regular gradient descent with the ADAM algorithm (Kingma & Ba, 2014).
Algorithm 1 Generating TAP
Input: Classifiers & , point , target family , learning rate , verification-cut off
while not converged do
for all immutable features .
endwhile
(project onto the coherent space)
if and requirements NOT met then
Adjust (see text for explanation)
Return to while loop
endif
ifthen
Adjust problem parameters (see text for explanation)
Restart algorithm
endif
return
Figure 3: Table containing details on data sets used for testing.
Solving Step 2: In Section 2, we discussed the necessity of verification and suggested that an TAP can be trusted if is smaller than a threshold . Our process for choosing starts with deciding on an acceptable risk of eliminating a truly effective TAP (we use 10%). To find the corresponding to this risk, we calculate for a sufficiently large number of pairs from the testing data such that . Finally, we pick such that only the desired percentage of values (e.g. 10%) are above . The verification procedure is now reduced to eliminating any that results in .
Adjusting for Suitability and Verifiability: When creating TAP we will often have a particular budget () or tolerance () bound we need to satisfy. To find a suitable TAP we repeat Step 1 of our process adjusting until the desired budget or tolerance is met: increasing to decrease and decreasing to decrease . It may also be appropriate to use a variety of values and plot the and values of each resulting TAP (see Figure 4). The user may then select a TAP they see as offering particularly good value. When a TAP fails the verification step, there are a few recourses. (1) Sometimes it is sufficient to decrease , putting greater emphasis on reaching the target set.
(2) “Shrink” the target set (increase the value of and decrease the value of ) in order to force the algorithm to find more effective changes. (3) Add a random perturbation to in order to move the starting point away from the adversarial example. The entire procedure is described in Algorithm 1.
4 Experimental Results
Data Sets: We compare TAP, counterfactuals and adversarial attacks on four data sets from different fields; data set details are found in Figure 3 and the Appendix A.3.1.
Figure 4: Cost-Benefit plots of TAP and counterfactuals for an individually from the Law School data set with grades measured in standard deviations from the mean (a) and an individual in the Adult Income data set (b).
Adult Income (Kohavi & Becker, 1996): This data set contains demographic information on Americans labelled by whether they had a high income. The actionable set allows individuals to increase their education, change jobs and adjust their weekly work hours. The cost function sums the expected number of years to improve education, a one-year cost to change jobs and the square of the change in hours worked (weighted so an additional 3 hours of work per week is equal to a year spent on education).
Law School Success (Wightman, 1998): This data set contains information on law school students labelled by whether they passed the BAR exam. allows changes to law school grades (through more studying) and the region where the exam is taken. The cost function sums the increase in grades and the physical distance travelled to take the BAR. Moving to an adjacent region (Far West to North West) is weighted equal to increasing grades one standard deviation.
Diabetes Prediction (for Disease Control &, CDC): The individuals in this data set are labelled by whether they have diabetes. We define to allow changes in health habits, BMI, education and income. We use a weighted 2-norm for to represent the relative difficulty of making changes. For example, starting to get regular physical activity is weighted the same as drop** one BMI.
German Credit (Hofmann, 1994): This data set contains loan applications. In , we allow for changes to the loan duration and size and funds in the checking and savings accounts. We use to measure the total difference in Deutsche Marks (DM) over all elements of the application.
Other Methods: We compare our results against counterfactuals created using the original method proposed to create counterfactuals (Wachter et al., 2017) and the diverse counterfactuals (DICE) method in (Mothilal et al., 2020), the most cited methods in the literature. These methods use an norm based cost function that often fails to reflect real world costs (see examples on the next page). We also compare TAP against the Carlini & Wagner (2017b) adversarial attack, one of the most well known and effective adversarial attacks. The counterfactuals belong to the same actionable set as the TAP, but the adversarial examples are not limited to an actionable set and may not be coherent.
Models: Gradient boosted tree algorithms (Friedman, 2001) are considered state of the art architectures for tabular data classification (Shwartz-Ziv & Armon, 2022). Unfortunately, these models are not differentiable and cannot be used with our framework. Instead we use neural networks which we tuned until they provide accuracy on par with gradient boosted tree models on the same data set. Details on our models’ structure, training are given in Appendix A.3.2.
Figure 5: a) & b) show average success rate for moving individuals within a variety of distances () to the target set. The y-axis shows the percentage of individuals within the goal distance, and the x-axis, represents different costs ( values). c) Summarizes success values for all data sets. The upper (red) value for each row is the success rate before the verification procedure and the lower (green) value is the success rate after verification with a chance of rejecting valid examples.
Representative Examples of TAP and Trade-off between cost/desirability: We first examine two representative examples of how TAP behave differently than counterfactuals for specific individuals.
Figure 4 shows a plot of the / values of TAP and counterfactuals for one individual in the Law School data set and one individual in the Adult Income data set. We examine the results from the Law School data set: The TAP labelled TAP-1 suggests only a mild ( standard deviation) increase in grades and the relatively short move from the Far West to the Great Lakes region resulting in a small increase in the chance of passing the BAR. On the other hand, TAP-2 suggest a larger increase in grades and a longer move which results in a much larger increase to the odds of success. Finally the counterfactual CF-1 suggest an enormous increase in grades and massive cross country move to achieve increase in the odds of success. Turning our attention to the Adult Income example: TAP-3 suggests a relatively simple increase in education to the masters level resulting in a increase to the odds of a high income. Alternatively, TAP-4 achieves an increase by suggesting far more changes including a professional degree and becoming self-employed. The counterfactual CF-2 does not suggest becoming self-employed and produces a smaller increase in the odds of high income despite also suggesting a professional degree and a drastic hour increase in the hours worked per week.
These examples illustrates two trends: 1) TAP offer both low-cost/low-reward (large-/small-) and high-cost/high-reward options, whereas counterfactual methods (Wachter et al., 2017; Mothilal et al., 2020) only offer high-cost options. This is because TAP are defined by distance to the target set, but counterfactuals are defined as belonging to the desirable class. That rules out any advice that doesn’t result in the desirable class being the most likely class. 2) Counterfactuals are prone to suggesting very high-cost outliers. This has two main causes: (a) The norm used to create the counterfactuals does not accurately represent real world effort. For example this norm considers any move in region to cost the same regardless of actual distance.
(b) Because counterfactuals do not use a target set, they are prone to “overshooting” the desired goal. For example resulted in a chance of passing the BAR when our goal was only .
Comparison of TAP vs. Other Approaches: We now compare TAP, counterfactuals (Wachter et al., 2017; Mothilal et al., 2020) and CW attacks (Carlini & Wagner, 2017b) over the entire data sets. In Figure 5: Each bar chart refers to a particular data set and desired distance to the target set . Each bar shows the percentage of individuals that a method was able to move inside the goal at a variety of costs .
(Bar charts for all data sets are found in the Appendix A.3.4.)
The table summarizes this information for all data sets with the upper (red) value in each cell representing the data before the verification procedure and the lower (green) value the success rate after the verification procedure. Consider the bar chart on the top middle which refers to the German Credit data and a goal of from the target (the same information as the last three columns of the table). At a Deutsche Marks (DM) cost, TAP are able to move of individuals within the goal range by closing empty accounts. Counterfactuals do not match this success until the cost , and CW attacks never achieve more than a success rate. TAP outperform counterfactuals in all of the test scenarios.
Impact and Effectiveness of Verifier: The first important take away from the success rates after verification is that the verifier was 100% effective at eliminating Carlini Wagner adversarial examples (visible in the bottom row of the table in Figure 5 c), implying that the verification method does indeed eliminate inputs that fool the classifier. Importantly, the verification procedure also removes a significant number of TAP and counterfactuals. Consider the second column of Figure 5 c: Out of all TAP generated appeared effective but were eliminated by the verification procedure. Counterfactual methods fared even worse with to of counterfactuals eliminated. This reinforces the necessity of a verification procedure.
Concluding Remarks & Future Work: In this work, we proposed Trustworthy Actionable Perturbations (TAP) which leverage ML classifiers to find efficient actions to achieve real world results. Our proposed framework introduces a novel verification procedure, flexible definition of goals, and principled reward measure for use in generating counterfactuals.
We demonstrated their effectiveness when compared to other methods on data sets from multiple fields. Finally we note that our framework is flexible enough to incorporate contributions from previous works on counterfactuals such as individualized cost measures (De Toni et al., 2023), causal relations between inputs (Mahajan et al., 2019; Karimi et al., 2020b), causal relationships to the output (König et al., 2023), and advanced optimization methods (Guidotti et al., 2018; Karimi et al., 2020a).
Impact Statement
As the use of AI and ML expands into critical applications such as healthcare, criminal justice, and hiring, the importance of explaining decisions deemed unfavorable and providing recourse to such users has grown significantly. In this context, our paper introduces a novel contribution aimed at making recourse mechanisms more trustworthy. We present a flexible framework, Trustworthy Actionable Perturbations (TAP), designed to generate cost-effective recourse which can ensure that the recourse being provided to users results in real-world changes. TAP can be useful to both end-users and institutions that suggest the recourse. The technical tools and the analytical results developed in the paper (including a flexible target set, and a novel pair-wise verification procedure) can also find use and lead to new insights for other problems such as cost-sensitive learning and adversarial defense.
Acknowledgements
We thank the anonymous ICML reviewers and the area chairs for their insightful suggestions.
This work was supported by NSF grants CAREER 1651492, CCF-2100013, CNS-2209951, CNS-1822071, CNS-2317192, and by the U.S. Department of Energy, Office of Science, Office of Advanced Scientific Computing under Award Number DE-SC-ERKJ422, and NIH Award R01-CA261457-01A1.
References
Ballet et al. (2019)
Ballet, V., Renard, X., Aigrain, J., Laugel, T., Frossard, P., and Detyniecki, M.
Imperceptible adversarial attacks on tabular data.
arXiv preprint arXiv:1911.03274, 2019.
Bartlett & Mendelson (2002)
Bartlett, P. L. and Mendelson, S.
Rademacher and Gaussian Complexities: Risk Bounds and Structural Results.
Journal of Machine Learning Research, 3(Nov):463–482, 2002.
Carlini & Wagner (2017a)
Carlini, N. and Wagner, D.
Adversarial examples are not easily detected: Bypassing ten detection methods.
In Proceedings of the 10th ACM workshop on artificial intelligence and security, pp. 3–14, 2017a.
Carlini & Wagner (2017b)
Carlini, N. and Wagner, D.
Towards evaluating the robustness of neural networks.
In 2017 IEEE Symposium on Security and Privacy (SP), pp. 39–57, 2017b.
Cartella et al. (2021)
Cartella, F., Anunciacao, O., Funabiki, Y., Yamaguchi, D., Akishita, T., and Elshocht, O.
Adversarial attacks for tabular data: Application to fraud detection and imbalanced data.
arXiv preprint arXiv:2101.08030, 2021.
Dandl et al. (2020)
Dandl, S., Molnar, C., Binder, M., and Bischl, B.
Multi-objective counterfactual explanations.
In International Conference on Parallel Problem Solving from Nature, pp. 448–469. Springer, 2020.
De Toni et al. (2023)
De Toni, G., Viappiani, P., Teso, S., Lepri, B., and Passerini, A.
Personalized algorithmic recourse with preference elicitation.
Transactions on Machine Learning Research, 2023.
Diochnos et al. (2018)
Diochnos, D., Mahloujifar, S., and Mahmoody, M.
Adversarial risk and robustness: General definitions and implications for the uniform distribution.
Advances in Neural Information Processing Systems, 31, 2018.
Fidel et al. (2020)
Fidel, G., Bitton, R., and Shabtai, A.
When explainability meets adversarial learning: Detecting adversarial examples using shap signatures.
In 2020 international joint conference on neural networks (IJCNN), pp. 1–8. IEEE, 2020.
for Disease Control & (CDC)
for Disease Control, C. and (CDC), P.
Behavioral risk factor surveillance system survey data (brfss), 2015.
URL https://www.cdc.gov/brfss/index.html.
Freiesleben (2022)
Freiesleben, T.
The intriguing relation between counterfactual explanations and adversarial examples.
Minds and Machines, 32(1):77–109, 2022.
Friedman (2001)
Friedman, J. H.
Greedy function approximation: a gradient boosting machine.
Annals of statistics, pp. 1189–1232, 2001.
Gottlieb et al. (2016)
Gottlieb, L.-A., Kontorovich, A., and Krauthgamer, R.
Adaptive metric dimensionality reduction.
Theoretical Computer Science, 620:105–118, 2016.
Gourdeau et al. (2021)
Gourdeau, P., Kanade, V., Kwiatkowska, M., and Worrell, J.
On the hardness of robust classification.
Journal of Machine Learning Research, 22(273):1–29, 2021.
Guidotti et al. (2018)
Guidotti, R., Monreale, A., Ruggieri, S., Pedreschi, D., Turini, F., and Giannotti, F.
Local rule-based explanations of black box decision systems.
arXiv preprint arXiv:1805.10820, 2018.
Karimi et al. (2020a)
Karimi, A.-H., Barthe, G., Balle, B., and Valera, I.
Model-agnostic counterfactual explanations for consequential decisions.
In International Conference on Artificial Intelligence and Statistics, pp. 895–905. PMLR, 2020a.
Karimi et al. (2020b)
Karimi, A.-H., Von Kügelgen, J., Schölkopf, B., and Valera, I.
Algorithmic recourse under imperfect causal knowledge: a probabilistic approach.
Advances in neural information processing systems, 33:265–277, 2020b.
Karimi et al. (2021)
Karimi, A.-H., Schölkopf, B., and Valera, I.
Algorithmic recourse: from counterfactual explanations to interventions.
In Proceedings of the 2021 ACM conference on fairness, accountability, and transparency, pp. 353–362, 2021.
Kingma & Ba (2014)
Kingma, D. P. and Ba, J.
Adam: A method for stochastic optimization.
arXiv preprint arXiv:1412.6980, 2014.
Kohavi & Becker (1996)
Kohavi, R. and Becker, B.
Uci adult dataset.
UCI machine learning repository, 1996.
König et al. (2023)
König, G., Freiesleben, T., and Grosse-Wentrup, M.
Improvement-focused causal recourse (icr).
In Proceedings of the AAAI Conference on Artificial Intelligence, volume 37, pp. 11847–11855, 2023.
Kumar et al. (2021)
Kumar, N., Vimal, S., Kayathwal, K., and Dhama, G.
Evolutionary adversarial attacks on payment systems.
In 2021 20th IEEE International Conference on Machine Learning and Applications (ICMLA), pp. 813–818. IEEE, 2021.
Leo et al. (2019)
Leo, M., Sharma, S., and Maddulety, K.
Machine learning in banking risk management: A literature review.
Risks, 7(1):29, 2019.
Mahajan et al. (2019)
Mahajan, D., Tan, C., and Sharma, A.
Preserving causal constraints in counterfactual explanations for machine learning classifiers.
arXiv preprint arXiv:1912.03277, 2019.
Martinez Neda et al. (2021)
Martinez Neda, B., Zeng, Y., and Gago-Masague, S.
Using machine learning in admissions: Reducing human and algorithmic bias in the selection process.
In Proceedings of the 52nd ACM Technical Symposium on Computer Science Education, pp. 1323–1323, 2021.
Mathov et al. (2020)
Mathov, Y., Levy, E., Katzir, Z., Shabtai, A., and Elovici, Y.
Not all datasets are born equal: On heterogeneous data and adversarial examples.
arXiv preprint arXiv:2010.03180, 2020.
Mohri et al. (2018)
Mohri, M., Rostamizadeh, A., and Talwalkar, A.
Foundations of Machine Learning.
MIT press, 2018.
Mothilal et al. (2020)
Mothilal, R. K., Sharma, A., and Tan, C.
Explaining machine learning classifiers through diverse counterfactual explanations.
In Proceedings of the 2020 conference on fairness, accountability, and transparency, pp. 607–617, 2020.
Naeini et al. (2015)
Naeini, M. P., Cooper, G., and Hauskrecht, M.
Obtaining well calibrated probabilities using bayesian binning.
In Proceedings of the AAAI conference on artificial intelligence, volume 29, 2015.
Pawelczyk et al. (2022)
Pawelczyk, M., Agarwal, C., Joshi, S., Upadhyay, S., and Lakkaraju, H.
Exploring counterfactual explanations through the lens of adversarial examples: A theoretical and empirical analysis.
In International Conference on Artificial Intelligence and Statistics, pp. 4574–4594. PMLR, 2022.
Polyanskiy & Wu (2024)
Polyanskiy, Y. and Wu, Y.
Information theory: From coding to learning.
2024.
Poyiadzi et al. (2020)
Poyiadzi, R., Sokol, K., Santos-Rodriguez, R., De Bie, T., and Flach, P.
Face: feasible and actionable counterfactual explanations.
In Proceedings of the AAAI/ACM Conference on AI, Ethics, and Society, pp. 344–350, 2020.
Ramakrishnan et al. (2020)
Ramakrishnan, G., Lee, Y. C., and Albarghouthi, A.
Synthesizing action sequences for modifying model decisions.
In Proceedings of the AAAI Conference on Artificial Intelligence, volume 34, pp. 5462–5469, 2020.
Roth et al. (2019)
Roth, K., Kilcher, Y., and Hofmann, T.
The odds are odd: A statistical test for detecting adversarial examples.
In International Conference on Machine Learning, pp. 5498–5507. PMLR, 2019.
Sauer et al. (2022)
Sauer, C. M., Dam, T. A., Celi, L. A., Faltys, M., de la Hoz, M. A., Adhikari, L., Ziesemer, K. A., Girbes, A., Thoral, P. J., and Elbers, P.
Systematic review and comparison of publicly available icu data sets—a decision guide for clinicians and data scientists.
Critical care medicine, 50(6):e581–e588, 2022.
Shwartz-Ziv & Armon (2022)
Shwartz-Ziv, R. and Armon, A.
Tabular data: Deep learning is not all you need.
Information Fusion, 81:84–90, 2022.
Su et al. (2019)
Su, J., Vargas, D. V., and Sakurai, K.
One pixel attack for fooling deep neural networks.
IEEE Transactions on Evolutionary Computation, 23(5):828–841, 2019.
Szegedy et al. (2013)
Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R.
Intriguing properties of neural networks.
arXiv preprint arXiv:1312.6199, 2013.
Ustun et al. (2019)
Ustun, B., Spangher, A., and Liu, Y.
Actionable recourse in linear classification.
In Proceedings of the conference on fairness, accountability, and transparency, pp. 10–19, 2019.
Wachter et al. (2017)
Wachter, S., Mittelstadt, B. D., and Russell, C.
Counterfactual explanations without opening the black box: Automated decisions and the gdpr.
Cybersecurity, 2017.
Wightman (1998)
Wightman, L. F.
Lsac national longitudinal bar passage study. lsac research report series.
1998.
Yang et al. (2020)
Yang, P., Chen, J., Hsieh, C.-J., Wang, J.-L., and Jordan, M.
Ml-loo: Detecting adversarial examples with feature attribution.
In Proceedings of the AAAI Conference on Artificial Intelligence, volume 34, pp. 6639–6647, 2020.
Appendix A Appendix
The Appendix is organized as follows:
A.1 Proof of Theorem 2.2 (Analysis of statistical distance to the target set )
A.2 Proofs of Theorem 2.3 (PAC generalization bounds for Verifier)
A.3 Additional details about the implementation of experiments
A.3.1 Details about data sets and their corresponding cost functions
A.3.2 Details about the models used
A.3.3 Details about the objective function used for optimization
A.3.4 Additional experimental results showing the comparative performance of TAP vs. other methods.
A.1 Proof of Theorem 2.2 (Analysis of statistical distance to the target set )
Recall that our target sets have the form
where either or could be empty.
Also recall
(9)
We must prove three facts: 1) has the closed form found in equation (3), 2) This function is continuous, 3) the derivative of the function is continuous. We begin by proving the closed form equation.
Our proof will be made easier by introducing notation as the neutral classes that are neither desirable nor undesirable.
We will use the fact that to rewrite (3) as
where , and .
The case where is obvious so we consider only the case where , First note that -divergence is convex in . Furthermore is a convex set. Therefore any satisfying the KKT conditions is a minimizer. The KKT conditions for this problem can be written as
(10)
(11)
(12)
(13)
(14)
(15)
(16)
where the Lagrangian is defined by
Note that we have neglected to explicitly state the requirement that for all . This is because our eventual solution will satisfy these bounds anyways, and omitting these bounds will drastically simplify our calculations.
We now rewrite (10) as
(17)
(18)
(19)
We now propose a solution can be found where that the ratios are constant in each of the sets , , . That is
In that case we can satisfy conditions (17), (18) and (19) (originally (10)) by setting
We can now reformulate (14) so that it is easier to analyze. We will first define . Note that because is convex for all and is increasing. We can then rewrite our formulas for , and .
Then becomes
and similarly becomes . This means (14) is equivalent to
(20)
We must now find values of , and that satisfy (11) through (16). We will consider 3 cases illustrated in Figure 6.
Figure 6: The three cases visualized in probability space.
Case: 1 Suppose and .
Let and . This implies which satisfies (16) and half of (14). This also implies satisfying (12) and (15). We will use the fact in our proof of condition (13).
This implies and satisfies the other half of (14).
We have now shown all the KKT conditions are satisfied and we have found a minimizer. We now plug these values into (9) to find a closed form for the distance.
Case: 2 Suppose and .
Let and . This implies which satisfies (15) and half of (14). We also have satisfying (13) and (16). We now prove condition (12) is satisfied.
Finally we prove implying which satisfies the other half of (14)
Now that we have proven that this is a minimizer we will again plug solution into (9) to find the distance value.
Case: 3 Suppose and .
Let , and in which case (satisfying (12) and (15)), (satisfying (13) and (16)). The choice of ensures that (11) is satisfied:
To show that (14) is satisfied. We note implies and implies . this proves (20) which is equivalent to (14)
Plugging these minimizing values of into (9) yields
This proves the closed form in equation (3) and we may now proceed to show that this function is continuous. To prove continuity we need only show continuity the piece-wise boundaries which we will evaluate one at a time.
Boundary 1: . The two functions that share this boundary are and . Plugging the boundary into the latter function yields
The two functions are equal on the boundary and the boundary is continuous.
Boundary 2: . The two functions that share this boundary are and . Plugging the boundary into the latter function yields
The two functions are equal on the boundary and the boundary is continuous.
Boundary 3: . The two functions that share this boundary are and . Plugging the boundary into the latter function yields
The two functions are equal on the boundary and the boundary is continuous.
Boundary 4: . The two functions that share this boundary are and . Plugging the boundary into the latter function yields
The two functions are equal on the boundary and the boundary is continuous. We have now shown continuity on all boundaries and the function is continuous. Now to show that the derivative of the function is continuous we need only show the all partial derivatives exist and agree on the boundaries. We use the closed form equation (3) found in the body of the paper (which is equivalent to the one found in the beginning of the proof) but suppresses . This makes it easier to differentiate with respect to , .
We now take the derivative with respect to a desirable class ().
Now we need only ensure all pieces agree on the boundaries to show that the derivative exists and is continuous.
Boundary 1: . The two functions that share this boundary are and . Plugging the boundary into the latter function yields
Then setting the derivative at the boundary to makes the derivative on this boundary continuous.
Boundary 2: . The two functions that share this boundary are both , and setting the derivative at the boundary to makes the derivative on this boundary continuous.
Boundary 3: . The two functions that share this boundary are and . Plugging the boundary into the latter function yields
Then setting the derivative at the boundary to makes the derivative on this boundary continuous.
Boundary 4: . The two functions that share this boundary are and . We rewrite the boundary as and plug it into the latter function.
Then setting the derivative at the boundary to makes the derivative on this boundary continuous.
This yields the continuous partial derivative
(21)
We now take the derivative with respect to a undesirable class ().
Now we need only ensure that there is agreement on the boundaries.
Boundary 1: . The two functions that share this boundary are both , and setting the derivative at the boundary to makes the derivative on this boundary continuous.
Boundary 2: . The two functions that share this boundary are both and . Plugging the boundary into the latter function yields
Then setting the derivative at the boundary to makes the derivative on this boundary continuous.
Boundary 3: . The two functions that share this boundary are and . We rewrite the boundary as and plug it into the latter function.
Then setting the derivative at the boundary to makes the derivative on this boundary continuous.
Boundary 4: . The two functions that share this boundary are and . Plugging the boundary into the latter function yields
Then setting the derivative at the boundary to makes the derivative on this boundary continuous.
This yields the continuous partial derivative
(22)
Additional Analysis on
The following lemma shows that exhibits desirable behavior for any -divergence if we restrict ourselves to the binary classification setting.
Lemma A.1.
In the binary classification setting, if then is decreasing (not necessarily strictly) in for any -divergence.
We now present the proof of Lemma A.1. Recall . For binary probability distributions and , the -divergence has the simple form
(23)
for a convex function with .
We show a relationship between this formula and a secant line. To refer to the secant line of a function from point to evaluated at , we will use the notation . When using this notation we will assume that .
We assume and show that is equivalent to the secant line of from to evaluated at . (Note .) We show this simply using the point slope form.
Now that is related to a secant line we prove a few facts about secant lines of convex functions. If is convex, then is decreasing in and increasing in whenever . Recall that if is convex, then by definition for any , we have
(24)
Then for any we have
(25)
(26)
for . It follows that for any
(27)
and is increasing in .
A similar argument shows that is decreasing in when .
We will use these facts to analyze . The -divergence between identical distributions is zero, so we have whenever . When we have and
which is decreasing in and increasing in , so to achieve the minimum we use the smallest possible , i.e. . We may now simplify
Note that this is continuous at because . With this closed form solution for we may finish the proof.
We have already shown that is decreasing in and increasing in , so increasing will decrease and is decreasing in .
We now present a corollary to Theorem 2.2 that shows explicitly that decreases with added probability to the desirable classes and increases with added probability to the undesirable classes.
Corollary A.2.
If is of form (1) and is twice differentiable, then is decreasing in if and is increasing if .
To prove Corollary A.2, we need only show equation (3) is decreasing in for and increasing in for , we need only prove that the partial derivative (21) is non-positive and the partial derivative (22) is non-negative. We will rely heavily on the fact that is increasing because is convex.
Clearly the first two cases are non-negative, so we consider the third case.
Because , we have and
We can no prove the fourth case is positive.
This shows that (22) is non-negative and (3) is increasing in for .
A.2 Proofs of Theorem 2.3 (PAC generalization bounds for Verifier)
Let us define as the distribution of the data conditioned on the event that it is drawn from class .
We define a loss function as follows:
(28)
where is some differentiable function (e.g., which would lead to the cross-entropy loss). Furthermore, we assume that the output of the loss is upper bounded by a constant and is Lipschitz. The verifier output of estimates probability that and belong to the same class.
Using this loss, we now define the true risk of a verifier as
(29)
The verifier faces two types of inputs that it should be able to distinguish: (a) pairs of inputs that can come from the same class (i.e., for some class ) and (b) pairs of inputs that can belong to different classes (i.e., and for some pair of classes ). This formulation of risk assigns equal value to identifying pairs from the same class and pairs form different classes because both of (accuracy on pairs form different classes) and (accuracy on pairs form the same class) are normalized by dividing by the total number of terms in the sum. Specifically, we normalize the total risk for misclassifying pairs from different classes by , which is the number of distinct ordered pairs of classes we can form out of classes. Similarly, we normalize the total risk of misclassifying pairs from same classes by . Furthermore, both and assign equal importance to each possible type of combination (which class the first element of the pair comes form and which class the second element of the pair comes from).
To calculate our empirical risk we will assume we are given sets , each containing samples drawn independently from the corresponding as defined above. We index these sets as follows:
(30)
We define the entire dataset as
(31)
We define our empirical risk for training the verifier over the set as follows:
(32)
where denotes the empirical risk of the verifier on inputs from different classes; and denotes the empirical risk of the verifier on inputs from the same class. It is straightforward to verify that is an unbiased estimator of the true risk , i.e., .
Let us define worst case generalization gap for a given dataset as
(33)
where denotes the hypothesis class from which the verifier is selected.
To bound this generalization gap, we will use the notion of Rademacher complexity which measures the correlation between the function class and the random labels to upper bound the generalization gap (Mohri et al., 2018). The Rademacher complexity of a hypothesis class over a particular data set is formally defined as:
Definition A.3.
The empirical Rademacher complexity of a function class with respect to the set is given by the following equation:
(34)
where ’s are i.i.d. Rademacher random variables, i.e., .
In the following steps, we upper bound the generalization gap in (33) as using Rademacher complexity.
We first bound the generalization gap using triangle inequality as follows:
(35)
(36)
The above bound first decomposes the generalization gap into the sum of two generalization gaps, the first over the pair of samples coming from different classes; and the second over the samples drawn from the same class.
To proceed we will need a few additional definitions: we define to represent the distribution over pairs where is drawn from and is drawn from independently.
We also define the sets
(37)
and enumerate the elements of each set by when . When the enumeration takes the form .
Using our definitions of true and empirical risk, we can now upper bound the above sum as follows,
(38)
where the second inequality follows by bounding the absolute value of a sum by the sum of the absolute values (across both the “diff” and “same” terms).
We now use the standard Rademacher complexity PAC-bound (Mohri et al., 2018; Bartlett & Mendelson, 2002) on each of the supremums in (38). The result is that for any ,formulation the following holds with probability over the choice of :
(39)
where the final inequality comes form replacing with the larger .
Equation (39) can be interpreted as the sum of three terms: the first term is the average Rademacher complexity over the datasets corresponding to pairs which are drawn from different classes; the second term is the average Rademacher complexity over the datasets corresponding to pairs which are drawn from same classes; the third term is a standard term which shows the dependence on (as well as ).
We now apply the bound on empirical Rademacher complexity
(40)
with the dimension of the elements of (Gottlieb et al., 2016). To apply this we will recall the dimension of the elements of is , and when , and . Applying our Rademacher complexity bound yields
(41)
(42)
(43)
The bound in (43) is our final PAC bound true with probability . However, we expect the containing term to be dominated by the other term because and is expected to be much larger than .
A.3 Additional Implementation Details
In this section we give additional details on how we implemented our methods to create the experimental results found in this paper.
A.3.1 Data Set and Cost Function Details
Here we give additional description of each data set and the corresponding the cost functions used in our experiments. As noted in Section 3 we must ensure is differentiable. When dealing with categorical features costs are by nature discrete (and not differentiable). We show how we were able to write these costs in a differentiable form. Suppose is a one-hot encoding of a categorical feature and define the transition cost matrix such that as the cost of changing from category to category . Then represents the costs of changing this categorical feature and is differentiable in .
Adult Income Prediction Dataset: (Kohavi & Becker, 1996) This widely used data set contains information from the 1994 U.S. census, with individuals labelled by whether their annual income was over $50,000 ($100,000 in 2023 adjusted for inflation). We define our target set as over 80% probability high income. Our actionable set allows changes in job type, education and number of hours worked with all other attributes immutable. The cost function includes the expected number of years to improve education (e.g. two years to go from associate’s degree to bachelors degree), a one-year cost to change employer type and the 2-norm of the change in hours worked per week (weighted so 3 hours per week is equivalent to a year spent on education). Here Trustworthy Actionable Perturbations suggest the best way to improve an individuals odds of making a large income with the least time and effort.
Specifically is the sum cost from changes (1) hours worked per week (2) change in employment type (3) change in education and (4) change in field of work.
The cost from a change in hours is given by where is the change in weekly hours worked. This will mean extra hours of work are approximately equivalent to one year of schooling.
The cost from a change in employer (the options are government, private, self-employed and other) is always (equivalent to a year spent on education).
The possible levels of education are (1) any schooling, (2) High School Degree, (3) Professional Degree, (4) some college, (5) Associate’s Degree, (6) Bachelors Degree, (7) Master’s Degree, (8) Doctorate Degree. The cost transition matrix associated with the level of education (as ordered above) is
(44)
where is a large number meant to prevent suggestions that lead to a decrease in education, which is impossible (we use ). These numbers represent the expected number of years required to gain the specified degree (i.e. the cost of going from a high school degree to a bachelors degree is ).
Finally the options for fields of work are (1) Service, (2) Sales, (3) Blue-Collar (4) White Collar, (5) Professional, (6) Other. The cost transition matrix associated with the level of education (as ordered above) is
(45)
This represents a cost of for any change
Law School Success Prediction Dataset: (Wightman, 1998) This data set contains demographic information and academic records for over 20,000 law school students labelled by whether or not a student passed the BAR exam. Our target set is an 85% chance of passing the BAR. To create , we suppose the law school performance is merely a projection that can be changed through more studying, allowing us to change the law school grades and the location where the students take the BAR. The cost function sums the increase in grades and the physical distance travelled to take the BAR where moving to an adjacent region (e.g. Far West to North West) is weighted the same as increasing grades by one standard deviation.
Specifically sums the increase in grades and the physical distance travelled to take the BAR where moving to an adjacent region (e.g. Far West to North West) is weighted the same as increasing grades one standard deviation. This set up returns the optimal combination of studying harder and moving location to take the BAR.In this data set is sum of the change in grades (in standard deviations from the mean) and distance traveled. The country was divided into eight regions: (1) Far West, (2) Great Lakes, (3) Mid-South, (4) Mountain West, (5) Mid-West, (6) North East, (7) New England, (8) North West. We use the transition cost matrix
(46)
Moves to adjacent regions result in a cost of , while the highest cost of is incurred by moving from Far West to New England or back.
Diabetes Prediction Dataset: (for Disease Control &, CDC) This data set contains information on the demographics, health conditions and health habits of 250,000 individuals labelled by whether an individual is diabetic extracted from the Behavioral Risk Factor Surveillance System (BRFSS), a health-related telephone survey that is collected annually by the CDC.. We define to allow changes in health habits, BMI, education and income. We use a weighted 2-norm for to represent the relative difficulty of making changes. For example, starting to get regular physical activity is weighted the same as drop** one BMI point. Increasing education, income and health insurance were weighted as more difficult that simply adjusting health habits.
German Credit Dataset: (Hofmann, 1994) This commonly used data set contains information on 1,000 loan applications in Germany labelled by their credit risk. The actionable set allows for changes in the loan request (time and size) as well as the funds in the applicants checking and savings account and whither the applicant has a telephone. The target set is a greater than 80% of being a good credit risk. The cost function is the direct measuring the total difference in Deutsche Marks (DM) between all elements of the application. No cost was assigned to closing empty accounts. The change in length of loan is converted to DM through the individual’s monthly disposable income. Finally we set a flat cost of 50DM to acquire a telephone.
A.3.2 Model Details
We used fully connected feed forward neural networks. Each network used 3 hidden layers with ReLu activation functions between each layer. We tuned the parameters of the neural networks until we achieved accuracy on par with common tree based classifiers (random forests and histogram boosted trees). Accuracy results are presented in table A.3.2. For all data sets except the German Credit data set each hidden layer had nodes. The German Credit data set required nodes per layer. Additionally, for the German Credit data set only, we used dropout regularization of on each hidden layer. We trained these models using the ADAM optimizer to minimize cross entropy loss. We used an train-validate-test data split and implemented early stop** with the validation data. All Trustworthy Actionable Perturbations, counterfactuals and adversarial examples were created for the testing data. We used identical architecture for as , except for doubling the input size. Accuracy data may be found in table 3.
Adult Income
Law School Success
Diabetes Prediction
German Credit
Random Forest
73%
64%
62%
74%
Histogram Gradient Boosted Trees
81%
77%
75%
69%
Neural Network
80%
77%
75%
75%
We also tested the calibration of our networks by calculating the expected calibration error (ECE) (Naeini et al., 2015). We used 15 bins and record the results in table A.3.2
Adult Income
Law School Success
Diabetes Prediction
German Credit
ECE (15 bins)
16%
15%
7%
21%
A.3.3 Objective Function Details
In our implementation we formulated the actionablility penalty term as
(47)
with a sufficiently large constant.
We formulated our coherence penalty term as
(48)
with another appropriately large constant. The conditioner function simply rounded integer and Boolean values to the nearest integer value. For one-hot encoded features categorical features, the category with the largest value set to one and all other categories set to zero.
A.3.4 Additional Experimental Results
Here we show success bar charts similar to those found in figure 7 compare the efficacy of Trustworthy Actionable Perturbations, counterfactuals (Wachter et al., 2017; Mothilal et al., 2020) and adversarial examples from the Carlini Wagner attack (Carlini & Wagner, 2017b) for all data sets. These are similar to Figure 5, but include all data sets and an increased number of cost () values.
Each bar chart refers to a particular data set and desired distance to the target set . Inside of each chart, the bars show the percentage of individuals that a method was able to successfully move inside the goal at a variety of costs . Figure 7 shows data before the verification procedure has been performed and 7 shows the data after all . In these tests, the Trustworthy Actionable Perturbations (in blue) outperform the counterfactuals (in green and orange) in nearly all cases except for when both methods achieved success or the very high-cost (large ) high reward () scenarios. Carlini Wagner attacks (red) are only effective at larger values because they are designed to move a data point just barely inside the target class. The Carlini Wagner attacks are not required to be actionable (or even feasible), so they do not constitute useful advise. The verifier is able to recognize that these adversarial examples are untrustworthy in all cases.
Figure 7: Performance comparison over entire datasets before verification: The graphs show average success rate for moving individuals within a variety of distances () to the target set. The y-axis shows the percentage of individuals within the goal distance, and the x-axis, represents different costs ( values) to achieve the goal. These values were obtained before applying the verification procedure.Figure 8: Performance comparison over entire datasets after verification: The graphs show average success rate for moving individuals within a variety of distances () to the target set. The y-axis shows the percentage of individuals within the goal distance, and the x-axis, represents different costs ( values) to achieve the goal. These values were obtained after applying the verification procedure with a chance of eliminating valid inputs.