Trustworthy Actionable Perturbations

As machine learning (ML) classifiers have experienced widespread adoption in applications that have an out-sized impact on individuals’ lives (such as credit lending (Leo et al., 2019), college admissions (Martinez Neda et al., 2021) and healthcare (Sauer et al., 2022)), the need to understand classifiers’ decision making and how to avoid undesirable classifications has become increasingly important. One of the most important tools for filling this need is the counterfactual: a counterfactual for a given input and classifier is a similar input that results in a different classification. Suppose a classifier is designed to determine whether a loan application represents a good or bad credit risk. If the classifier determines a loan to be a bad credit risk, a counterfactual would be a modified loan application that is classified as a good credit risk, e.g. the individual in a loan application is a bad credit risk, but an otherwise identical applicant who is $5$ years younger with a $$500$ higher monthly income would be a good credit risk. (Wachter et al., 2017) first suggested the use of Counterfactuals Explanations (CE) to help understand classifiers’ decisions making. Subsequent works explored the use of counterfactuals to help individuals change an undesirable classification (Ustun et al., 2019; Karimi et al., 2021; Poyiadzi et al., 2020). Returning to the example of an individual turned down for a loan, this type of counterfactual would not suggest an individual decrease their age (clearly impossible), but rather make practical changes such as pay off all credit card debt and request a $10\%$ smaller loan. These counterfactuals came to be known as Actionable Counterfactuals (AC) or Algorithmic Recourses (AR). Although, these counterfactuals change a classifier’s decision, it can not be assumed they will have the same affect on the real world (Freiesleben, 2022), e.g. a change that causes a classifier to determine someone is a good credit risk may not increase the person’s odds of paying off the loan in reality. (König et al., 2023) point out that a counterfactual could change a classifiers decision without changing the real world if the modifications are not causally linked to the output. For example, having a mailing address in an affluent neighborhood may correlate to higher odds of paying off a loan and changing the address could affect a classifiers decision, but there is no causal link. Accordingly, telling an applicant to change their mailing address to a P.O. box in a wealthy neighborhood would not improve their chances of paying off a loan. (König et al., 2023) proposed a framework to ensure modifications are causally linked to the output which they called Improvement-Focused Causal Recourse (ICR).

In this paper, we focus on tackling new challenges for this problem, which have not been addressed in prior work. Trustworthy Actionable Perturbations (TAP) focus on three novel improvements for affecting real world outcomes.

Trustworthiness Against Adversarial Examples: (Szegedy et al., 2013) showed that ML classifiers are brittle and small modifications to an input can cause misclassifications in otherwise accurate classifiers. Among the various definitions of adversarial behavior, we use the definition: modifications to a data point are adversarial if they cause a classifier to be far less accurate on modified data points than the original data (Diochnos et al., 2018). These modified inputs are called adversarial examples and the algorithms that create them are called adversarial attacks. The algorithms that create counterfactuals are very similar to adversarial attacks and (Pawelczyk et al., 2022) showed they produce similar outputs, which leads to the troubling conclusion that many counterfactuals may act as adversarial examples and change the classifier decision (individual is now offered a loan) without changing the true underlying class probabilities (individual is still likely to default on the loan). The adversarial vulnerability of classifiers is separate from causality concerns. For this reason, we introduce a novel two step procedure where (1) we generate a suggested change and (2) we use an independently trained verifier to certify that this change is not acting as an adversarial example. We present a methodology for training this verifier and provide analytical results showing that it is PAC-learnable (Theorem 2.3).

Flexible Goal Definition: AC/AR focus solely on the final classification of a data point, but this may not always be sufficient or feasible. For instance a valid AC/AR may lead to a $51\%$ likelihood of paying off a loan, but this may not satisfy the individual. Additionally, a change that improves a cancer patient’s odds of survival form $15\%$ to $40\%$ would not constitute a valid AC/AR even though it would be very useful. Accordingly, our framework defines goals through a target set of acceptable outcomes that can be tailored to an individual’s needs, and we demonstrate how these target sets can be designed. We note that ICR (König et al., 2023) and one of the AC/AR methods (Dandl et al., 2020) propose the use of goals other than final classification, but our formulation is more flexible and applies to multi-class scenarios. We develop a principled measure of reward by defining a distance to the target set using statistical divergence. We analyze this distance theoretically in Theorem 2.2.

Real World Efficiency: Previous works on CE and AC/AR reduce the amount of changes made by a counterfactual by minimizing a weighted $\ell$-norm of the changes (with the exception of (Ramakrishnan et al., 2020)), however these norms often fail to represent the real world cost of making changes. Alternatively, we minimize a cost measure built specifically to reflect real world costs of a change. By using this measure of real world cost and principled measure of rewards (distance to target set), TAP can suggest more efficient advice. We present a few examples of the utility of producing efficient advice through TAP: (a) Suggest the course of treatment that would double a patient’s odds of survival while requiring the least staff hours. (b) List the skills an job applicant could acquire in the least amount of time that would lead to a high probability of receiving an interview. (c) Find the cheapest modifications to a product that would bring it into a more premium price range and enhance marketability. We illustrate through experiments on real world data how the use of application specific cost functions leads to more efficient advice.

Figure 1(a) illustrates our framework of Trustworthy Actionable Perturbations (TAP) for using feasible actions, true cost and an individualized goal to create an efficient change, which is then verified to ensure that the change affects the true class probabilities instead of acting adversarially. Our goal to change the true class probabilities (real world outcomes) differs from previous CE and AC/AR works that seek only to change the classifier’s decision. We share our goal with ICR which is focused on ensuring that only features causally related to the class are modified. Our framework, on the other hand, focuses on ensuring that the changes do not exploit the brittleness of ML classifiers and cause misclassifications. This can occur regardless of whether modified features are causally related to the output. Figure 1(b) provides a summary of the objectives and features of various existing approaches alongside TAP.

Problem Setting and Goals: Suppose there is an unknown distribution $(\mathbf{x},C)\sim\mathcal{D}$. Here $\mathbf{x}$ is a member of the input space $\mathcal{X}\subset\mathbb{R}^{d}$ and $C\in\{1,...,k\}$ is the class of $\mathbf{x}$. We define the true class probabilities $\mathbf{y}(\mathbf{x}):=\left(\mathbb{P}(C=1|\mathbf{x}),...,\mathbb{P}(C=k|\mathbf{x})\right)$. We let $\mathcal{Y}$ denote the $k$-simplex and use a classifier $M:\mathcal{X}\rightarrow\mathcal{Y}$ to estimate $\mathbf{y}(\mathbf{x})$. Our goal in designing TAP is as follows: Given an input $\mathbf{x}$ with an undesirable classification $M(\mathbf{x})$, find the most efficient real world actions to create a modified input $\tilde{\mathbf{x}}$ such that the corresponding true probabilities $\mathbf{y}(\tilde{\mathbf{x}})$ (and not just $M(\mathbf{\tilde{x}})$) are more desirable.

Real World Actionability: TAP should only suggest modifications that are feasible in the real world (e.g., not decreasing an individual’s age). To this end, we introduce: the Actionable Set $\mathcal{A}(\mathbf{x})$ of a data point $\mathbf{x}$ as the set of all perturbations of $\mathbf{x}$ that are feasible in the real world. For example, if $\mathcal{X}$ represents loan applications with $x_{1}$ the age of the applicant, $x_{2}$ the applicant’s credit score, $x_{3}$ the amount of credit and $x_{4}$ the loan duration, the actionable set could be $\mathcal{A}(\mathbf{x})=\{\tilde{\mathbf{x}}\in\mathcal{X}|\tilde{x}_{1}=x_{1},\tilde{x}_{2}=x_{2}\}$, i.e. the applicant can change the size and duration of the loan they request, but not their age or credit score. Previous works have examined the complexities of actionability including causal relations between inputs, e.g. one can’t increase their education without an increase in age (Mahajan et al., 2019; Karimi et al., 2020b). All of these considerations, as well as a limiting changes to attributes which are believed to have a causal link to the output, can be incorporated into $\mathcal{A}(\mathbf{x})$.

Efficiency: The definition of the most efficient change depends on the context of the problem and could involve a well defined value such as “cost in dollars” or more nebulous value such as “amount of effort required.” We characterize this value with a function $d_{\mathcal{X}}:\mathcal{X}\times\mathcal{X}\rightarrow\mathbb{R}$, where $d_{\mathcal{X}}(\mathbf{x},\tilde{\mathbf{x}})$ is the cost of changing $\mathbf{x}$ to $\tilde{\mathbf{x}}$. For example, if $\mathbf{x}$ and $\tilde{\mathbf{x}}$ represent resumes, then $d_{\mathcal{X}}(\mathbf{x},\tilde{\mathbf{x}})$ could represent the time it would take to acquire the attributes listed on resume $\tilde{\mathbf{x}}$, but not on $\mathbf{x}$. We note this function may not be a true distance measure. For example, if $d_{\mathcal{X}}$ represents the difference in financial cost between two courses of medical treatment, then $d_{\mathcal{X}}(\mathbf{x},\tilde{\mathbf{x}})$ should be negative when $\tilde{\mathbf{x}}$ is more affordable than $\mathbf{x}$.

Desirability: We now define what we mean by a desirable outcome—the goal of a TAP. The Target Set $T$ is the set of all elements of $\mathcal{Y}$ that would be an acceptable result of a TAP. If we wish to belong to a desirable class $w$ with probability no less than $p$, the target set would have the form $T=\{{\mathbf{z}}\in\mathcal{Y}|z_{w}\geq p\}.$ If our goal is rather to avoid some undesirable class $u$, $T$ could be of the form $T=\{{\mathbf{z}}\in\mathcal{Y}|z_{u}\leq q\}$ for a fixed $q$. More generally, if we wish to belong to a set of desirable classes $\mathcal{W}$ with probability at least $p$ and we wish to belong to a set of undesirable classes $\mathcal{U}$ with probability no greater than $q$, we would use

We must quantify how close an TAP comes to achieving its goal in a principled manner. To do this, we first choose a measure of statistical distance $D({\mathbf{y}}||\mathbf{z})$ (we use Kullback-Leibler (KL) Divergence). We then denote $d_{\mathcal{Y}}({\mathbf{y}},T)$ as the distance of ${\mathbf{y}}$ to the target set $T$, defined as follows:

We may now formally define Trustworthy Actionable Perturbations. Let $\epsilon$ represent budget —the amount of work we are willing to perform, and $\delta$ represent tolerance —how close the final result is to our target set $T$.

In order to verify the second condition we must be able to calculate $d_{\mathcal{Y}}$. Fortunately, the optimization problem in (2) has a differentiable closed form solution when $D({\mathbf{y}}||\mathbf{z})$ is an $f$-divergence: a broad class of measures including KL-divergence, total-variation (TV) and other commonly used statistical distances. An $f$-divergence is defined as $D({\mathbf{y}}||\mathbf{z})=\sum_{i=1}^{k}\mathbf{z}_{i}f\left(\frac{{\mathbf{y}}_{i}}{\mathbf{z}_{i}}\right)$, where $f$ is a convex function satisfying $f(1)=0$ and $f(0)=\lim_{x\to 0^{+}}f(x)$ (Polyanskiy & Wu, 2024). Theorem 2.2 describes the solution to (2).

Equation (3) in Theorem 2.2 is easily calculable and continuously differentiable despite its piece-wise form, which will be significant when creating TAP (see Section 3). The proof of Theorem 2.2 involves showing that optimization problem (2) is convex and finding a value $\mathbf{z}$ that satisfies the KKT conditions. This proof and additional results about $d_{\mathcal{Y}}$ are found in the Appendix A.1.

Real-world Verifiability of TAP: Note that TAP are defined with respect to the true class probabilities ${\mathbf{y}}(\tilde{\mathbf{x}})$ because TAP should have an effect in the real world. Notwithstanding, ${\mathbf{y}}(\tilde{\mathbf{x}})$ is unknown and we must use $M(\tilde{\mathbf{x}})$ to create our TAP (more details in Section 3), which introduces the risk that we might produce an $\tilde{\mathbf{x}}$ that has the desired effect on $M(\tilde{\mathbf{x}})$ but not ${\mathbf{y}}(\tilde{\mathbf{x}})$ (like an adversarial example). This is of particular concern because TAP and all other counterfactuals are created by solving an optimization problem of the form

which is precisely how most adversarial examples are created (Pawelczyk et al., 2022). When counterfactuals were first introduced to ML (Wachter et al., 2017), the concern that counterfactuals would act as adversarial examples was dismissed because the adversarial attacks of the time 1) modified many more features than counterfactuals and 2) were targeted almost exclusively at image data whereas counterfactuals were proposed for use on tabular data. Since that time, Gourdeau et al. (2021); Su et al. (2019) demonstrated that adversarial attacks can be effective when changing a very small number of features, and several works (Ballet et al., 2019; Mathov et al., 2020; Cartella et al., 2021; Kumar et al., 2021) have shown that adversarial examples exist on tabular data sets. This implies that verification is necessary to achieve results that can be trusted to change the true class probabilities.

Verifying $\tilde{\mathbf{x}}$ may appear similar to detecting adversarial examples, which has been the object of significant research (Yang et al., 2020; Roth et al., 2019; Fidel et al., 2020; Carlini & Wagner, 2017a) with no satisfactory solution. Fortunately, we have an important advantage over detecting adversarial examples: we know the original data point $\mathbf{x}$ and exactly how it was modified, i.e., $\tilde{\mathbf{x}}$. To capitalize on this knowledge, we propose a novel verification procedure using a classifier $V:\mathcal{X}\times\mathcal{X}\rightarrow[0,1]$ which compares two inputs simultaneously and predicts the probability of the inputs belonging to the same class: the value of $V(\mathbf{x},\tilde{\mathbf{x}})$ estimates $\mathbb{P}(C=\tilde{C}|\mathbf{x},\tilde{\mathbf{x}})$. Because $V$ has a different classification task from $M$, attacks targeted against $M$ should not be effective against $V$, and we can use the discrepancy between estimates of $M$ and $V$ to determine if an $\tilde{\mathbf{x}}$ acts adversarially on $M$. In order to make this comparison, we use the fact that $\mathbb{P}(C=\tilde{C}|\mathbf{x},\tilde{\mathbf{x}})$ can also be estimated using $M$ by calculating $\sum_{i=1}^{k}M_{i}(\mathbf{x})M_{i}(\tilde{\mathbf{x}})$. If $\tilde{\mathbf{x}}$ acts adversarially we would expect $\sum_{i=1}^{k}M_{i}(\mathbf{x})M_{i}(\tilde{\mathbf{x}})$ to be very small while $V(\mathbf{x},\tilde{\mathbf{x}})$ is large. If $\tilde{\mathbf{x}}$ is not adversarial we would expect similar values from both $\sum_{i=1}^{k}M_{i}(\mathbf{x})M_{i}(\tilde{\mathbf{x}})$ and $V(\mathbf{x},\tilde{\mathbf{x}})$. Accordingly, we define

and verify that an $\tilde{\mathbf{x}}$ is trustworthy only if $\Delta(\mathbf{x},\tilde{\mathbf{x}})<\gamma$. In Section 3, we describe how we selected the threshold $\gamma$.

Training a Verifier & PAC Learnability: In order to create $V$, we must have data on which it can be trained. We build this difference training data by creating all possible pairs of elements from our original training data and labeling the pairs by whether they belong to the same class ($1$ for the same class, $0$ for different classes). If the original training data is $\{\mathbf{x}^{(i)},C^{(i)}\}_{i=1}^{n}$, the difference training data is $\{(\mathbf{x}^{(i)},\mathbf{x}^{(j)}),z^{(i,j)}\}_{1\leq i,j\leq n}$, where $z^{(i,j)}=\mathbbm{1}[C^{(i)}=C^{(j)}]$. We use the same architecture for $V$ as $M$ (only changing the number of inputs and outputs), but differing architectures could also be used. Now that we have a method for training $V$, we show that training in this way leads to a generalizable verifier. To this end, we next present a probably approximately correct (PAC) bound on $V$’s generalization gap which depends on $n$ (number of training samples), $k$ (number of classes), and $d$ (data dimensionality).

To prove Theorem 2.3, we construct a definition of risk that fits this new learning scenario (i.e., learning if two samples are from the same class or not, as opposed to conventional classification). This risk takes into account that we expect large imbalances between the number of point pairs from the same class and from different classes. In order to obtain the bounds on the generalization gap, we expand this risk into a sum of terms which can be bounded with existing Rademacher complexity PAC-methods. Finally, we bound the growth of these Rademacher complexity terms as a function of $n,k$ and $d$ to arrive at (6). The complete proof, including detailed definitions of $\mathrm{R}(V)$ and $\hat{\mathrm{R}}_{S}(V)$ as well as additional discussion, is presented in the Appendix A.2.

Two Step Creation Method: We now present and discuss the general optimization framework for creating TAP. Ideally, we would like to solve the following optimization problem: $\arg\min_{\tilde{\mathbf{x}}\in\mathcal{A}(\mathbf{x})}d_{\mathcal{Y}}(\tilde{\mathbf{y}},T)+\lambda d_{\mathcal{X}}(\tilde{\mathbf{x}},\mathbf{x})$, where the scalar parameter $\lambda$ balances the effort($\epsilon$)-reward($\delta$) trade-off. Solving this optimization would be guaranteed to create an effective TAP; unfortunately ${\mathbf{y}}(\tilde{\mathbf{x}})$ is unknown and we cannot solve this problem directly. Instead propose the following two-step procedure where: in Step $1$, we treat $M(\tilde{\mathbf{x}})$ as a surrogate for ${\mathbf{y}}(\tilde{\mathbf{x}})$, and in Step $2$, we use a verification algorithm to ensure that $\tilde{\mathbf{x}}$ is not just fooling the classifier.

Solving Step 1: We solve (7) using gradient descent which requires us to use differentiable models $M$ and formulate $d_{\mathcal{X}}$ in a differentiable manner ($d_{\mathcal{Y}}$ is differentiable according to Theorem 2.2). We modify our gradient descent to address two challenges. (1) We must insure that our solution is actionable: $\tilde{\mathbf{x}}\in\mathcal{A}(\mathbf{x})$. (2) Our solution $\tilde{\mathbf{x}}$ must follow any formatting rules associated with the data set (for instance, Boolean variables must be either 0 or 1, categorical features must respect one-hot encoding, etc.). A perturbation that follows these formatting rules is called coherent. To solve these two difficulties, we first assume $\mathcal{A}(\mathbf{x})=\{\tilde{\mathbf{x}}|l_{i}\leq\tilde{\mathbf{x}}_{i}\leq u_{i},1\leq i\leq d\}$ for some set of lower bounds $\{l_{i}\}_{i=1}^{d}$ and upper bounds $\{u_{i}\}_{i=1}^{d}$. An attribute is immutable if $l_{i}=u_{i}$. We ensure actionability by setting all elements of the gradient corresponding to immutable features to zero and adding a large penalty $b(\tilde{\mathbf{x}})$ term to the objective function which punishes points for leaving the actionable set. To ensure coherence, we project the result of our gradient descent onto the coherent space by using a function $cond:\mathbb{R}^{m}\rightarrow\mathcal{X}$ which performs the appropriate value rounding to make an input coherent. We found it useful to introduce a second penalty term $p(\tilde{\mathbf{x}})$ which requires that any one-hot encoded features sum to $1$. This ensures our answers never stray too far from a coherent point and improves robustness. Details on $b$, $p$ and $cond$ are found in the Appendix A.3.3. In practice we also found it useful to replace regular gradient descent with the ADAM algorithm (Kingma & Ba, 2014).

Solving Step 2: In Section 2, we discussed the necessity of verification and suggested that an TAP can be trusted if $\Delta(\mathbf{x},\tilde{\mathbf{x}})=\left|V(\mathbf{x},\tilde{\mathbf{x}})-\sum_{i=1}^{k}M_{i}(\mathbf{x})M_{i}(\tilde{\mathbf{x}})\right|$ is smaller than a threshold $\gamma$. Our process for choosing $\gamma$ starts with deciding on an acceptable risk of eliminating a truly effective TAP (we use 10%). To find the $\gamma$ corresponding to this risk, we calculate $\Delta(\mathbf{x}^{(i)},\mathbf{x}^{(j)})$ for a sufficiently large number of pairs $(\mathbf{x}^{(i)},\mathbf{x}^{(j)})$ from the testing data such that $C^{(i)}\neq C^{(j)}$. Finally, we pick $\gamma$ such that only the desired percentage of $\Delta(\mathbf{x}^{(i)},\mathbf{x}^{(j)})$ values (e.g. 10%) are above $\gamma$. The verification procedure is now reduced to eliminating any $\tilde{\mathbf{x}}$ that results in $\Delta(\mathbf{x},\tilde{\mathbf{x}})>\gamma$.

Adjusting for Suitability and Verifiability: When creating TAP we will often have a particular budget ($\epsilon$) or tolerance ($\delta$) bound we need to satisfy. To find a suitable TAP we repeat Step 1 of our process adjusting $\lambda$ until the desired budget or tolerance is met: increasing $\lambda$ to decrease $\epsilon$ and decreasing $\lambda$ to decrease $\delta$. It may also be appropriate to use a variety of $\lambda$ values and plot the $\epsilon$ and $\delta$ values of each resulting TAP (see Figure 4). The user may then select a TAP they see as offering particularly good value. When a TAP fails the verification step, there are a few recourses. (1) Sometimes it is sufficient to decrease $\lambda$, putting greater emphasis on reaching the target set. (2) “Shrink” the target set (increase the value of $p$ and decrease the value of $q$) in order to force the algorithm to find more effective changes. (3) Add a random perturbation to $\mathbf{x}$ in order to move the starting point away from the adversarial example. The entire procedure is described in Algorithm 1.

Data Sets: We compare TAP, counterfactuals and adversarial attacks on four data sets from different fields; data set details are found in Figure 3 and the Appendix A.3.1.

Adult Income (Kohavi & Becker, 1996): This data set contains demographic information on Americans labelled by whether they had a high income. The actionable set $\mathcal{A}(\mathbf{x)}$ allows individuals to increase their education, change jobs and adjust their weekly work hours. The cost function $d_{\mathcal{X}}$ sums the expected number of years to improve education, a one-year cost to change jobs and the square of the change in hours worked (weighted so an additional 3 hours of work per week is equal to a year spent on education).
Law School Success (Wightman, 1998): This data set contains information on law school students labelled by whether they passed the BAR exam. $\mathcal{A}(\mathbf{x)}$ allows changes to law school grades (through more studying) and the region where the exam is taken. The cost function $d_{\mathcal{X}}$ sums the increase in grades and the physical distance travelled to take the BAR. Moving to an adjacent region (Far West to North West) is weighted equal to increasing grades one standard deviation.
Diabetes Prediction (for Disease Control &, CDC): The individuals in this data set are labelled by whether they have diabetes. We define $\mathcal{A}(\mathbf{x})$ to allow changes in health habits, BMI, education and income. We use a weighted 2-norm for $d_{\mathcal{X}}$ to represent the relative difficulty of making changes. For example, starting to get regular physical activity is weighted the same as drop** one BMI.
German Credit (Hofmann, 1994): This data set contains loan applications. In $\mathcal{A}(\mathbf{x})$, we allow for changes to the loan duration and size and funds in the checking and savings accounts. We use $d_{\mathcal{X}}$ to measure the total difference in Deutsche Marks (DM) over all elements of the application.

Other Methods: We compare our results against counterfactuals created using the original method proposed to create counterfactuals (Wachter et al., 2017) and the diverse counterfactuals (DICE) method in (Mothilal et al., 2020), the most cited methods in the literature. These methods use an $\ell_{p}$ norm based cost function that often fails to reflect real world costs (see examples on the next page). We also compare TAP against the Carlini & Wagner (2017b) $\ell_{2}$ adversarial attack, one of the most well known and effective adversarial attacks. The counterfactuals belong to the same actionable set as the TAP, but the adversarial examples are not limited to an actionable set and may not be coherent.

Models: Gradient boosted tree algorithms (Friedman, 2001) are considered state of the art architectures for tabular data classification (Shwartz-Ziv & Armon, 2022). Unfortunately, these models are not differentiable and cannot be used with our framework. Instead we use neural networks which we tuned until they provide accuracy on par with gradient boosted tree models on the same data set. Details on our models’ structure, training are given in Appendix A.3.2.

Representative Examples of TAP and Trade-off between cost/desirability: We first examine two representative examples of how TAP behave differently than counterfactuals for specific individuals. Figure 4 shows a plot of the $\epsilon$/$\delta$ values of TAP and counterfactuals for one individual in the Law School data set and one individual in the Adult Income data set. We examine the results from the Law School data set: The TAP labelled TAP-1 suggests only a mild ($0.2$ standard deviation) increase in grades and the relatively short move from the Far West to the Great Lakes region resulting in a small $11\%$ increase in the chance of passing the BAR. On the other hand, TAP-2 suggest a larger increase in grades and a longer move which results in a much larger $34\%$ increase to the odds of success. Finally the counterfactual CF-1 suggest an enormous increase in grades and massive cross country move to achieve $51\%$ increase in the odds of success. Turning our attention to the Adult Income example: TAP-3 suggests a relatively simple increase in education to the masters level resulting in a $20\%$ increase to the odds of a high income. Alternatively, TAP-4 achieves an $71\%$ increase by suggesting far more changes including a professional degree and becoming self-employed. The counterfactual CF-2 does not suggest becoming self-employed and produces a smaller $67\%$ increase in the odds of high income despite also suggesting a professional degree and a drastic $16$ hour increase in the hours worked per week.

These examples illustrates two trends: 1) TAP offer both low-cost/low-reward (large-$\delta$/small-$\epsilon$) and high-cost/high-reward options, whereas counterfactual methods (Wachter et al., 2017; Mothilal et al., 2020) only offer high-cost options. This is because TAP are defined by distance to the target set, but counterfactuals are defined as belonging to the desirable class. That rules out any advice that doesn’t result in the desirable class being the most likely class. 2) Counterfactuals are prone to suggesting very high-cost outliers. This has two main causes: (a) The $\ell_{1}$ norm used to create the counterfactuals does not accurately represent real world effort. For example this norm considers any move in region to cost the same regardless of actual distance. (b) Because counterfactuals do not use a target set, they are prone to “overshooting” the desired goal. For example $CF_{1}$ resulted in a $95\%$ chance of passing the BAR when our goal was only $85\%$.

Comparison of TAP vs. Other Approaches: We now compare TAP, counterfactuals (Wachter et al., 2017; Mothilal et al., 2020) and CW attacks (Carlini & Wagner, 2017b) over the entire data sets. In Figure 5: Each bar chart refers to a particular data set and desired distance $\delta$ to the target set $T$. Each bar shows the percentage of individuals that a method was able to move inside the goal $\delta$ at a variety of costs $\epsilon$. (Bar charts for all data sets are found in the Appendix A.3.4.) The table summarizes this information for all data sets with the upper (red) value in each cell representing the data before the verification procedure and the lower (green) value the success rate after the verification procedure. Consider the bar chart on the top middle which refers to the German Credit data and a goal of $\delta=0.5$ from the target (the same information as the last three columns of the table). At a $\epsilon=0$ Deutsche Marks (DM) cost, TAP are able to move $73\%$ of individuals within the goal range by closing empty accounts. Counterfactuals do not match this success until the cost $\epsilon=7,000\text{DM}$, and CW attacks never achieve more than a $31\%$ success rate. TAP outperform counterfactuals in all of the test scenarios.

Impact and Effectiveness of Verifier: The first important take away from the success rates after verification is that the verifier was 100% effective at eliminating Carlini Wagner adversarial examples (visible in the bottom row of the table in Figure 5 c), implying that the verification method does indeed eliminate inputs that fool the classifier. Importantly, the verification procedure also removes a significant number of TAP and counterfactuals. Consider the second column of Figure 5 c: Out of all TAP generated $14\%$ appeared effective but were eliminated by the verification procedure. Counterfactual methods fared even worse with $20\%$ to $27\%$ of counterfactuals eliminated. This reinforces the necessity of a verification procedure.

Concluding Remarks & Future Work: In this work, we proposed Trustworthy Actionable Perturbations (TAP) which leverage ML classifiers to find efficient actions to achieve real world results. Our proposed framework introduces a novel verification procedure, flexible definition of goals, and principled reward measure for use in generating counterfactuals. We demonstrated their effectiveness when compared to other methods on data sets from multiple fields. Finally we note that our framework is flexible enough to incorporate contributions from previous works on counterfactuals such as individualized cost measures (De Toni et al., 2023), causal relations between inputs (Mahajan et al., 2019; Karimi et al., 2020b), causal relationships to the output (König et al., 2023), and advanced optimization methods (Guidotti et al., 2018; Karimi et al., 2020a).

As the use of AI and ML expands into critical applications such as healthcare, criminal justice, and hiring, the importance of explaining decisions deemed unfavorable and providing recourse to such users has grown significantly. In this context, our paper introduces a novel contribution aimed at making recourse mechanisms more trustworthy. We present a flexible framework, Trustworthy Actionable Perturbations (TAP), designed to generate cost-effective recourse which can ensure that the recourse being provided to users results in real-world changes. TAP can be useful to both end-users and institutions that suggest the recourse. The technical tools and the analytical results developed in the paper (including a flexible target set, and a novel pair-wise verification procedure) can also find use and lead to new insights for other problems such as cost-sensitive learning and adversarial defense.

We thank the anonymous ICML reviewers and the area chairs for their insightful suggestions. This work was supported by NSF grants CAREER 1651492, CCF-2100013, CNS-2209951, CNS-1822071, CNS-2317192, and by the U.S. Department of Energy, Office of Science, Office of Advanced Scientific Computing under Award Number DE-SC-ERKJ422, and NIH Award R01-CA261457-01A1.