Andrew Ilyas
Podcast Appearances
And we basically showed that by plugging in this class of techniques with a super rich history and optimization and plugging that in for what we were doing in the query limited setting, we could significantly accelerate black box attacks.
Yeah, so I think if you sort of step back and view what we've been talking about so far, I think the data models, data attribution stuff is really focused on understanding this data set and learning algorithm stages of the pipeline.
A lot of my work on adversarial examples is about understanding this final stage of the pipeline and have some other work on other aspects of the final stage of the pipeline.
But really, the missing piece is what if your data collection process itself is biased?
And so I've done a lot of work both with Aleksander on the more empirical side, but also with my other advisor, Costis Daskalakis, on the more theoretical side of what happens when you're doing statistical inference or you're doing machine learning and the way that you collect data is biased in some way.
Can we find the ways in which that data is biased, and can we correct for it?
So I can maybe give you like one highlight from each side, on the empirical side and the theoretical side.
On the empirical side, probably my favorite one is this work that was led by two students who are now graduated, Dimitris and Shibani, Dimitris Tsipras and Shibani Santurkar.
And it was this really, really cool work that I was happy to be a part of that was about studying the ImageNet dataset, which like we think of as this sort of static, you know, like represented, or we used to think of at least at the time of this paper as like this representative benchmark of image classification.
And so they, you know, we went in there and tried to uncover sort of like how the ImageNet dataset was collected, you know, what possible biases could emerge.
And, you know, in general we found, so like the way ImageNet was collected, just as a note, the way it was actually collected is the original authors scraped Flickr with a bunch of tags.
So for a given search term, they turned that class into a bunch of search terms.
They searched Flickr for the search terms.
And then they uploaded those images to Mechanical Turk and asked people, does this image contain this class?
Yes or no.
And so as a result, there are a bunch of really interesting biases that kind of creep in unexpectedly from doing this.
So for example, for confusing classes, like if there are two breeds of dogs that look very similar, because you're not actually asking people, is this breed A or breed B?
You're just asking them, is this an example of breed A?