https://github.com/MinghuiChen43/awesome-trustworthy-deep-learning
A curated list of trustworthy deep learning papers. Daily updating...
https://github.com/MinghuiChen43/awesome-trustworthy-deep-learning
List: awesome-trustworthy-deep-learning
adversarial-machine-learning ai-alignment backdoor causality deep-learning fairness gradient-leakage green-ai hallucinations interpretable-deep-learning machine-unlearning membership-inference-attack out-of-distribution-generalization ownership poisoning privacy robustness security uncertainty watermarking
Last synced: 27 days ago
JSON representation
A curated list of trustworthy deep learning papers. Daily updating...
- Host: GitHub
- URL: https://github.com/MinghuiChen43/awesome-trustworthy-deep-learning
- Owner: MinghuiChen43
- License: mit
- Created: 2020-07-19T16:07:06.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2024-05-17T06:45:28.000Z (11 months ago)
- Last Synced: 2024-05-21T01:09:02.867Z (11 months ago)
- Topics: adversarial-machine-learning, ai-alignment, backdoor, causality, deep-learning, fairness, gradient-leakage, green-ai, hallucinations, interpretable-deep-learning, machine-unlearning, membership-inference-attack, out-of-distribution-generalization, ownership, poisoning, privacy, robustness, security, uncertainty, watermarking
- Homepage:
- Size: 6.58 MB
- Stars: 290
- Watchers: 12
- Forks: 32
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-deep-phenomena - Awesome Trustworthy Deep Learning - trustworthy-deep-learning)  (Related Resources / Others: 2016)
- ultimate-awesome - awesome-trustworthy-deep-learning - A curated list of trustworthy deep learning papers. Daily updating. (Other Lists / Julia Lists)
- awesome-safety-critical-ai - Awesome Trustworthy AI - of-distribution generalization, adversarial examples, backdoor attack, model inversion attack, machine unlearning, &c. (<a id="meta"></a>đ Meta / Bleeding Edge âïž)
README
[](https://github.com/MinghuiChen43/awesome-trustworthy-deep-learning/graphs/commit-activity)
[](https://github.com/MinghuiChen43/awesome-trustworthy-deep-learning/stargazers)
[](https://github.com/MinghuiChen43/awesome-trustworthy-deep-learning)
[](https://github.com/MinghuiChen43/awesome-trustworthy-deep-learning/watchers)
[](https://github.com/MinghuiChen43/awesome-trustworthy-deep-learning/network/members)
# Awesome Trustworthy Deep Learning [](https://github.com/MinghuiChen43/awesome-trustworthy-deep-learning)
The deployment of deep learning in real-world systems calls for a set of complementary technologies that will ensure that deep learning is trustworthy [(Nicolas Papernot)](https://www.papernot.fr/teaching/f19-trustworthy-ml). The list covers different topics in emerging research areas including but not limited to out-of-distribution generalization, adversarial examples, backdoor attack, model inversion attack, machine unlearning, etc.
Daily updating from ArXiv. The preview README only includes papers submitted to ArXiv within the **last one year**. More paper can be found here :open_file_folder: [Full List].
# Table of Contents
- [Awesome Trustworthy Deep Learning Paper List :page_with_curl:](#awesome-trustworthy--deep-learning)
- [Survey](#survey)
- [Out-of-Distribution Generalization](#out-of-distribution-generalization)
- [Evasion Attacks and Defenses](#evasion-attacks-and-defenses)
- [Poisoning Attacks and Defenses](#poisoning-attacks-and-defenses)
- [Privacy](#privacy)
- [Fairness](#fairness)
- [Interpretability](#interpretability)
- [Alignment](#alignment)
- [Others](#others)
- [Related Awesome Lists :astonished:](#related-awesome-lists)
- [Toolboxes :toolbox:](#toolboxes)
- [Seminar :alarm_clock:](#seminar)
- [Workshops :fire:](#workshops)
- [Tutorials :woman_teacher:](#tutorials)
- [Talks :microphone:](#talks)
- [Blogs :writing_hand:](#blogs)
- [Other Resources :sparkles:](#other-resources)
- [Contributing :wink:](#contributing)
# Paper List
## Survey
:open_file_folder: [Full List of Survey].
## Out-of-Distribution Generalization
:open_file_folder: [Full List of Out-of-Distribution Generalization].
## Evasion Attacks and Defenses
:open_file_folder: [Full List of Evasion Attacks and Defenses].
- REINFORCE Adversarial Attacks on Large Language Models: An Adaptive, Distributional, and Semantic Objective. [[paper]](https://arxiv.org/abs/2502.17254)
- Simon Geisler, Tom WollschlĂ€ger, M. H. I. Abdalla, Vincent Cohen-Addad, Johannes Gasteiger, Stephan GĂŒnnemann.
- Key Word: Adversarial Attacks; Large Language Models; Reinforcement Learning.
- Digest This paper critiques existing adversarial attacks on LLMs that maximize the likelihood of an affirmative response, arguing that such methods overestimate model robustness. To improve attack efficacy, the authors propose an adaptive, semantic optimization approach using a REINFORCE-based objective. Applied to Greedy Coordinate Gradient (GCG) and Projected Gradient Descent (PGD) jailbreak attacks, their method significantly enhances attack success rates, doubling ASR on Llama3 and increasing ASR from 2% to 50% against circuit breaker defenses.
- Constitutional Classifiers: Defending against Universal Jailbreaks across Thousands of Hours of Red Teaming. [[paper]](https://arxiv.org/abs/2501.18837)
- Mrinank Sharma, Meg Tong, Jesse Mu, Jerry Wei, Jorrit Kruthoff, Scott Goodfriend, Euan Ong, Alwin Peng, Raj Agarwal, Cem Anil, Amanda Askell, Nathan Bailey, Joe Benton, Emma Bluemke, Samuel R. Bowman, Eric Christiansen, Hoagy Cunningham, Andy Dau, Anjali Gopal, Rob Gilson, Logan Graham, Logan Howard, Nimit Kalra, Taesung Lee, Kevin Lin, Peter Lofgren, Francesco Mosconi, Clare O'Hara, Catherine Olsson, Linda Petrini, Samir Rajani, Nikhil Saxena, Alex Silverstein, Tanya Singh, Theodore Sumers, Leonard Tang, Kevin K. Troy, Constantin Weisser, Ruiqi Zhong, Giulio Zhou, Jan Leike, Jared Kaplan, Ethan Perez.
- Key Word: Red Teaming; Jailbreak.
- Digest This paper introduces Constitutional Classifiers, a defense against universal jailbreaks in LLMs. These classifiers are trained on synthetic data generated using natural language rules to enforce content restrictions. Extensive red teaming and automated evaluations show that the approach effectively blocks jailbreaks while maintaining practical deployment viability, with minimal refusal rate increase (0.38%) and a 23.7% inference overhead. The findings demonstrate that robust jailbreak defenses can be achieved without significantly compromising usability.
## Poisoning Attacks and Defenses
:open_file_folder: [Full List of Poisoning Attacks and Defenses].
## Privacy
:open_file_folder: [Full List of Privacy].
- When to Forget? Complexity Trade-offs in Machine Unlearning. [[paper]](https://arxiv.org/abs/2502.17323)
- Martin Van Waerebeke, Marco Lorenzi, Giovanni Neglia, Kevin Scaman.
- Key Word: Certified Unlearning.
- Digest This paper analyzes the efficiency of Machine Unlearning (MU) and establishes the first minimax upper and lower bounds on unlearning computation time. Under strongly convex objectives and without access to forgotten data, the authors introduce the unlearning complexity ratio, comparing unlearning costs to full retraining. A phase diagram reveals three regimes: infeasibility, trivial unlearning via noise, and significant computational savings. The study highlights key factorsâdata dimensionality, forget set size, and privacy constraintsâthat influence the feasibility of efficient unlearning.
- Open Problems in Machine Unlearning for AI Safety. [[paper]](https://arxiv.org/abs/2501.04952)
- Fazl Barez, Tingchen Fu, Ameya Prabhu, Stephen Casper, Amartya Sanyal, Adel Bibi, Aidan O'Gara, Robert Kirk, Ben Bucknall, Tim Fist, Luke Ong, Philip Torr, Kwok-Yan Lam, Robert Trager, David Krueger, Sören Mindermann, José Hernandez-Orallo, Mor Geva, Yarin Gal.
- Key Word: Machine Unlearning.
- Digest As AI systems grow in capability and autonomy in critical areas like cybersecurity, healthcare, and biological research, ensuring their alignment with human values is crucial. Machine unlearning, originally focused on privacy and data removal, is gaining attention for its potential in AI safety. However, this paper identifies significant limitations preventing unlearning from fully addressing safety concerns, especially in managing dual-use knowledge where information can have both beneficial and harmful applications. It highlights challenges such as unintended side effects, conflicts with existing safety mechanisms, and difficulties in evaluating robustness and preserving safety features during unlearning. By outlining these constraints and open problems, the paper aims to guide future research toward more realistic and effective AI safety strategies.
## Fairness
:open_file_folder: [Full List of Fairness].
## Interpretability
:open_file_folder: [Full List of Interpretability].
- SAEBench: A Comprehensive Benchmark for Sparse Autoencoders in Language Model Interpretability. [[paper]](https://arxiv.org/abs/2503.09532)
- Adam Karvonen, Can Rager, Johnny Lin, Curt Tigges, Joseph Bloom, David Chanin, Yeu-Tong Lau, Eoin Farrell, Callum McDougall, Kola Ayonrinde, Matthew Wearden, Arthur Conmy, Samuel Marks, Neel Nanda.
- Key Word: Sparse Autoencoder; Benchmark.
- Digest The paper introduces SAEBench, a comprehensive evaluation suite for sparse autoencoders (SAEs) that assesses their performance across seven diverse metrics, including interpretability, feature disentanglement, and practical applications like unlearning. It highlights that improvements in traditional unsupervised proxy metrics do not always lead to better real-world performance. The authors open-source over 200 SAEs spanning eight architectures and training algorithms, revealing that Matryoshka SAEs, despite underperforming on proxy metrics, excel in feature disentanglement, especially at scale. SAEBench provides a standardized framework for comparing SAE designs and studying scaling trends in their development.
- Towards Understanding Distilled Reasoning Models: A Representational Approach. [[paper]](https://arxiv.org/abs/2503.03730)
- David D. Baek, Max Tegmark.
- Key Word: Mechanistic Interpretability; Model Distillation; Model Steering.
- Digest This paper examines the impact of model distillation on reasoning feature development in large language models (LLMs). Using a crosscoder trained on Qwen-series models, the study finds that distillation creates unique reasoning feature directions, enabling control over thinking styles (e.g., over-thinking vs. incisive-thinking). The analysis covers four reasoning types: self-reflection, deductive, alternative, and contrastive reasoning. Additionally, the study explores changes in feature geometry, suggesting that larger distilled models develop more structured representations, improving distillation performance. These findings enhance understanding of distillationâs role in shaping model reasoning and transparency.
- From superposition to sparse codes: interpretable representations in neural networks. [[paper]](https://arxiv.org/abs/2503.01824)
- David Klindt, Charles O'Neill, Patrik Reizinger, Harald Maurer, Nina Miolane.
- Key Word: Superposition; Sparse Coding.
- Digest This paper explores how neural networks represent information, proposing that they encode features in superpositionâlinearly overlaying input concepts. The authors introduce a three-step framework to extract interpretable representations: (1) Identifiability theory shows that neural networks recover latent features up to a linear transformation; (2) Sparse coding techniques disentangle these features using compressed sensing principles; (3) Interpretability metrics evaluate alignment with human-interpretable concepts. By integrating insights from neuroscience, representation learning, and interpretability research, the paper offers a perspective with implications for neural coding, AI transparency, and deep learning interpretability.
- Projecting Assumptions: The Duality Between Sparse Autoencoders and Concept Geometry. [[paper]](https://arxiv.org/abs/2503.01822)
- Sai Sumedh R. Hindupur, Ekdeep Singh Lubana, Thomas Fel, Demba Ba.
- Key Word: Sparse Autoencoder.
- Digest This paper examines the limitations of Sparse Autoencoders (SAEs) in interpreting neural network representations. It introduces a bilevel optimization framework showing that SAEs impose structural biases, affecting which concepts they can detect. Different SAE architectures are not interchangeable, as switching them can reveal or obscure concepts. Through experiments on toy models, semi-synthetic data, and large-scale datasets, the study highlights two key properties of real-world concepts: varying intrinsic dimensionality and nonlinear separability. Standard SAEs fail when these factors are ignored, but a new SAE design incorporating them uncovers previously hidden concepts. The findings challenge the notion of a universal SAE and emphasize the importance of architecture-specific choices in interpretability.
- Everything, Everywhere, All at Once: Is Mechanistic Interpretability Identifiable? [[paper]](https://arxiv.org/abs/2502.20914)
- Maxime Méloux, Silviu Maniu, François Portet, Maxime Peyrard.
- Key Word: Mechanistic Interpretability.
- Digest This work explores the identifiability of Mechanistic Interpretability (MI) explanations in neural networks. It examines whether unique explanations exist for a given behavior by drawing parallels to identifiability in statistics. The study identifies two MI strategies: âwhere-then-whatâ (isolating circuits before interpreting) and âwhat-then-whereâ (starting with candidate algorithms and finding neural activation subspaces). Experiments on Boolean functions and small MLPs reveal systematic non-identifiabilityâmultiple circuits, interpretations, and subspaces can explain the same behavior. The study questions whether uniqueness is necessary, suggesting that predictive and manipulability criteria might suffice, and discusses validation through the inner interpretability framework.
- Open Problems in Mechanistic Interpretability. [[paper]](https://arxiv.org/abs/2501.16496)
- Lee Sharkey, Bilal Chughtai, Joshua Batson, Jack Lindsey, Jeff Wu, Lucius Bushnaq, Nicholas Goldowsky-Dill, Stefan Heimersheim, Alejandro Ortega, Joseph Bloom, Stella Biderman, Adria Garriga-Alonso, Arthur Conmy, Neel Nanda, Jessica Rumbelow, Martin Wattenberg, Nandi Schoots, Joseph Miller, Eric J. Michaud, Stephen Casper, Max Tegmark, William Saunders, David Bau, Eric Todd, Atticus Geiger, Mor Geva, Jesse Hoogland, Daniel Murfet, Tom McGrath.
- Key Word: Mechanistic Interpretability.
- Digest This review explores the current challenges and open problems in mechanistic interpretability, which seeks to understand the computational mechanisms behind neural networks. While progress has been made, further conceptual and practical advancements are needed to deepen insights, refine applications, and address socio-technical challenges. The paper highlights key areas for future research to enhance AI transparency, safety, and scientific understanding of intelligence.
- Sparse Autoencoders Do Not Find Canonical Units of Analysis. [[paper]](https://arxiv.org/abs/2502.04878)
- Patrick Leask, Bart Bussmann, Michael Pearce, Joseph Bloom, Curt Tigges, Noura Al Moubayed, Lee Sharkey, Neel Nanda.
- Key Word: Mechanistic Interpretability; Sparse Autoencoders; Representational Structure.
- Digest This paper challenges the assumption that Sparse Autoencoders (SAEs) can identify a canonical set of atomic features in LLMs. Using SAE stitching, the authors show that SAEs are incomplete, as larger SAEs contain novel latents not captured by smaller ones. Through meta-SAEs, they demonstrate that SAE latents are not atomic, as they often decompose into smaller, interpretable components (e.g., âEinsteinâ â âscientistâ + âGermanyâ + âfamous personâ). While SAEs may still be useful, the authors suggest rethinking their role in mechanistic interpretability and exploring alternative methods for finding fundamental features. An interactive dashboard is provided for further exploration.
## Alignment
:open_file_folder: [Full List of Alignment].
- You Are What You Eat -- AI Alignment Requires Understanding How Data Shapes Structure and Generalisation. [[paper]](https://arxiv.org/abs/2502.05475)
- Simon Pepin Lehalleur, Jesse Hoogland, Matthew Farrugia-Roberts, Susan Wei, Alexander Gietelink Oldenziel, George Wang, Liam Carroll, Daniel Murfet.
- Key Word: AI Alignment.
- Digest This paper argues that understanding the relationship between data distribution structure and model structure is key to AI alignment. It highlights that neural networks with identical training performance can generalize differently due to internal computational differences, making standard evaluation methods insufficient for safety assurances. To advance AI alignment, the authors propose developing statistical foundations to systematically analyze how these structures influence generalization.
## Others
:open_file_folder: [Full List of Others].
- The MASK Benchmark: Disentangling Honesty From Accuracy in AI Systems. [[paper]](https://arxiv.org/abs/2503.03750)
- Richard Ren, Arunim Agarwal, Mantas Mazeika, Cristina Menghini, Robert Vacareanu, Brad Kenstler, Mick Yang, Isabelle Barrass, Alice Gatti, Xuwang Yin, Eduardo Trevino, Matias Geralnik, Adam Khoja, Dean Lee, Summer Yue, Dan Hendrycks.
- Key Word: Honesty; Benchmark.
- Digest This paper addresses concerns about honesty in large language models (LLMs), distinguishing it from accuracy. Current honesty evaluations are limited, often conflating honesty with correctness. To address this, the authors introduce a large-scale, human-collected dataset that directly measures honesty. Their findings reveal that while larger models achieve higher accuracy, they do not necessarily become more honest. Notably, frontier LLMs, despite excelling in truthfulness benchmarks, often lie under pressure. The study also demonstrates that simple interventions, such as representation engineering, can enhance honesty, highlighting the need for robust evaluations and interventions to ensure trustworthy AI.
- Superintelligent Agents Pose Catastrophic Risks: Can Scientist AI Offer a Safer Path? [[paper]](https://arxiv.org/abs/2502.15657)
- Yoshua Bengio, Michael Cohen, Damiano Fornasiere, Joumana Ghosn, Pietro Greiner, Matt MacDermott, Sören Mindermann, Adam Oberman, Jesse Richardson, Oliver Richardson, Marc-Antoine Rondeau, Pierre-Luc St-Charles, David Williams-King.
- Key Word: Scientist AI; Agentic AI; AI Safety.
- Digest The paper discusses the risks posed by generalist AI agents, which can autonomously plan, act, and pursue goals. These risks include deception, misalignment with human interests, and loss of human control. The authors argue for a shift away from agency-driven AI towards a non-agentic AI system called Scientist AI, designed to explain the world rather than act in it. Scientist AI consists of a world model that generates theories and a question-answering system, both incorporating uncertainty to prevent overconfidence. This approach aims to advance scientific progress and AI safety while mitigating risks associated with autonomous AI agents.
- Do Large Language Model Benchmarks Test Reliability? [[paper]](https://arxiv.org/abs/2502.03461)
- Joshua Vendrow, Edward Vendrow, Sara Beery, Aleksander Madry.
- Key Word: Large Language Model Benchmark; Reliability.
- Digest This paper highlights the lack of focus on LLM reliability in existing benchmarks, despite extensive efforts to track model capabilities. The authors identify pervasive label errors in current benchmarks, which obscure model failures and unreliable behavior. To address this, they introduce platinum benchmarksâcarefully curated datasets with minimal label errors and ambiguity. By refining examples from 15 popular benchmarks and evaluating various models, they find that even frontier LLMs struggle with basic tasks, such as elementary math problems, revealing systematic failure patterns.
# Related Awesome Lists
## Robustness Lists
- [A Complete List of All (arXiv) Adversarial Example Papers](https://nicholas.carlini.com/writing/2019/all-adversarial-example-papers.html)
- [OOD robustness and transfer learning](https://github.com/jindongwang/transferlearning)  
- [Must-read Papers on Textual Adversarial Attack and Defense](https://github.com/thunlp/TAADpapers)  
- [Backdoor Learning Resources](https://github.com/THUYimingLi/backdoor-learning-resources)  
- [Paper of Robust ML](https://github.com/P2333/Papers-of-Robust-ML)  
- [The Papers of Adversarial Examples](https://github.com/xiaosen-wang/Adversarial-Examples-Paper)  
## Privacy Lists
- [Awesome Attacks on Machine Learning Privacy](https://github.com/stratosphereips/awesome-ml-privacy-attacks)  
- [Aweosme Privacy](https://github.com/Guyanqi/Awesome-Privacy)  
- [Privacy-Preserving-Machine-Learning-Resources](https://github.com/Ye-D/PPML-Resource)  
- [Awesome Machine Unlearning](https://github.com/tamlhp/awesome-machine-unlearning)  
- [Awesome Privacy Papers for Visual Data](https://github.com/brighter-ai/awesome-privacy-papers)  
## Fairness Lists
- [Awesome Fairness Papers](https://github.com/uclanlp/awesome-fairness-papers)  
- [Awesome Fairness in AI](https://github.com/datamllab/awesome-fairness-in-ai)  
## Interpretability Lists
- [Awesome Machine Learning Interpretability](https://github.com/jphall663/awesome-machine-learning-interpretability)  
- [Awesome Interpretable Machine Learning](https://github.com/lopusz/awesome-interpretable-machine-learning)  
- [Awesome Explainable AI](https://github.com/wangyongjie-ntu/Awesome-explainable-AI)  
- [Awesome Deep Learning Interpretability](https://github.com/oneTaken/awesome_deep_learning_interpretability)  
- [Awesome Interpretability in Large Language Models](https://github.com/ruizheliUOA/Awesome-Interpretability-in-Large-Language-Models)  
- [Awesome LLM Interpretability](https://github.com/JShollaj/awesome-llm-interpretability)  
## Other Lists
- [Awesome Out-of-distribution Detection](https://github.com/continuousml/Awesome-Out-Of-Distribution-Detection)  
- [Awesome Open Set Recognition list](https://github.com/iCGY96/awesome_OpenSetRecognition_list)  
- [Awesome Novel Class Discovery](https://github.com/JosephKJ/Awesome-Novel-Class-Discovery)  
- [Awesome Open-World-Learning](https://github.com/zhoudw-zdw/Awesome-open-world-learning)  
- [Blockchain Papers](https://github.com/decrypto-org/blockchain-papers)  
- [Awesome Blockchain AI](https://github.com/steven2358/awesome-blockchain-ai)  
- [Awesome Causality Algorithms](https://github.com/rguo12/awesome-causality-algorithms)  
- [Awesome AI Security](https://github.com/DeepSpaceHarbor/Awesome-AI-Security)  
- [A curated list of AI Security & Privacy events](https://github.com/ZhengyuZhao/AI-Security-and-Privacy-Events)  
- [Awesome Deep Phenomena](https://github.com/MinghuiChen43/awesome-deep-phenomena)  
# Toolboxes
## Robustness Toolboxes
- [DeepDG: OOD generalization toolbox](https://github.com/jindongwang/transferlearning/tree/master/code/DeepDG) 
- A domain generalization toolbox for research purpose.
- [Cleverhans](https://github.com/cleverhans-lab/cleverhans) 
- This repository contains the source code for CleverHans, a Python library to benchmark machine learning systems' vulnerability to adversarial examples.
- [Adversarial Robustness Toolbox (ART)](https://github.com/Trusted-AI/adversarial-robustness-toolbox) 
- Adversarial Robustness Toolbox (ART) is a Python library for Machine Learning Security. ART provides tools that enable developers and researchers to evaluate, defend, certify and verify Machine Learning models and applications against the adversarial threats of Evasion, Poisoning, Extraction, and Inference.
- [Adversarial-Attacks-Pytorch](https://github.com/Harry24k/adversarial-attacks-pytorch) 
- PyTorch implementation of adversarial attacks.
- [Advtorch](https://github.com/BorealisAI/advertorch) 
- Advtorch is a Python toolbox for adversarial robustness research. The primary functionalities are implemented in PyTorch. Specifically, AdverTorch contains modules for generating adversarial perturbations and defending against adversarial examples, also scripts for adversarial training.
- [RobustBench](https://github.com/RobustBench/robustbench) 
- A standardized benchmark for adversarial robustness.
- [BackdoorBox](https://github.com/THUYimingLi/BackdoorBox) 
- The open-sourced Python toolbox for backdoor attacks and defenses.
- [BackdoorBench](https://github.com/SCLBD/BackdoorBench) 
- A comprehensive benchmark of backdoor attack and defense methods.
## Privacy Toolboxes
- [Diffprivlib](https://github.com/IBM/differential-privacy-library) 
- Diffprivlib is a general-purpose library for experimenting with, investigating and developing applications in, differential privacy.
- [Privacy Meter](https://github.com/privacytrustlab/ml_privacy_meter) 
- Privacy Meter is an open-source library to audit data privacy in statistical and machine learning algorithms.
- [OpenDP](https://github.com/opendp/opendp) 
- The OpenDP Library is a modular collection of statistical algorithms that adhere to the definition of differential privacy.
- [PrivacyRaven](https://github.com/trailofbits/PrivacyRaven) 
- PrivacyRaven is a privacy testing library for deep learning systems.
- [PersonalizedFL](https://github.com/microsoft/PersonalizedFL) 
- PersonalizedFL is a toolbox for personalized federated learning.
- [TAPAS](https://github.com/alan-turing-institute/privacy-sdg-toolbox) 
- Evaluating the privacy of synthetic data with an adversarial toolbox.
## Fairness Toolboxes
- [AI Fairness 360](https://github.com/Trusted-AI/AIF360) 
- The AI Fairness 360 toolkit is an extensible open-source library containing techniques developed by the research community to help detect and mitigate bias in machine learning models throughout the AI application lifecycle.
- [Fairlearn](https://github.com/fairlearn/fairlearn) 
- Fairlearn is a Python package that empowers developers of artificial intelligence (AI) systems to assess their system's fairness and mitigate any observed unfairness issues.
- [Aequitas](https://github.com/dssg/aequitas) 
- Aequitas is an open-source bias audit toolkit for data scientists, machine learning researchers, and policymakers to audit machine learning models for discrimination and bias, and to make informed and equitable decisions around developing and deploying predictive tools.
- [FAT Forensics](https://github.com/fat-forensics/fat-forensics) 
- FAT Forensics implements the state of the art fairness, accountability and transparency (FAT) algorithms for the three main components of any data modelling pipeline: data (raw data and features), predictive models and model predictions.
## Interpretability Toolboxes
- [Lime](https://github.com/marcotcr/lime) 
- This project is about explaining what machine learning classifiers (or models) are doing.
- [InterpretML](https://github.com/interpretml/interpret/) 
- InterpretML is an open-source package that incorporates state-of-the-art machine learning interpretability techniques under one roof.
- [Deep Visualization Toolbox](https://github.com/yosinski/deep-visualization-toolbox) 
- This is the code required to run the Deep Visualization Toolbox, as well as to generate the neuron-by-neuron visualizations using regularized optimization.
- [Captum](https://github.com/pytorch/captum) 
- Captum is a model interpretability and understanding library for PyTorch.
- [Alibi](https://github.com/SeldonIO/alibi) 
- Alibi is an open source Python library aimed at machine learning model inspection and interpretation.
- [AI Explainability 360](https://github.com/Trusted-AI/AIX360) 
- The AI Explainability 360 toolkit is an open-source library that supports interpretability and explainability of datasets and machine learning models.
## Other Toolboxes
- [Uncertainty Toolbox](https://github.com/uncertainty-toolbox/uncertainty-toolbox) 
- [Causal Inference 360](https://github.com/IBM/causallib) 
- A Python package for inferring causal effects from observational data.
- [Fortuna](https://github.com/awslabs/fortuna) 
- Fortuna is a library for uncertainty quantification that makes it easy for users to run benchmarks and bring uncertainty to production systems.
- [VerifAI](https://github.com/BerkeleyLearnVerify/VerifAI) 
- VerifAI is a software toolkit for the formal design and analysis of systems that include artificial intelligence (AI) and machine learning (ML) components.
# Seminar
- [Privacy and Security in ML Seminars](https://prisec-ml.github.io/)
- [MLSec Laboratory - PRALab University of Cagliari](https://www.youtube.com/@MLSec/featured)
- [Challenges and Opportunities for Security & Privacy in Machine Learning](https://vsehwag.github.io/SPML_seminar/)
# Workshops
## Robustness Workshops
- [Backdoor Attacks and Defenses in Machine Learning (ICLR 2023)](https://iclr23-bands.github.io/)
- [New Frontiers in Adversarial Machine Learning (ICML 2023)](https://advml-frontier.github.io/)
- [Adversarial Machine Learning on Computer Vision: Art of Robustness (CVPR 2023)](https://robustart.github.io/)
- [ML Safety Workshop (NeurIPS 2022)](https://neurips2022.mlsafety.org/)
- [Workshop on Adversarial Robustness In the Real World (ECCV 2022)](https://eccv22-arow.github.io/)
- [Formal Verification of Machine Learning (ICML 2022)](https://www.ml-verification.com/)
- [Shift Happens Workshop (ICML 2022)](https://shift-happens-benchmark.github.io/)
- [Principles of Distribution Shift (ICML 2022)](https://sites.google.com/view/icml-2022-pods)
- [New Frontiers in Adversarial Machine Learning (ICML 2022)](https://advml-frontier.github.io/)
- [Workshop on Spurious Correlations, Invariance, and Stability (ICML 2022)](https://sites.google.com/view/scis-workshop/home)
- [Robust and reliable machine learning in the real world (ICLR 2021)](https://sites.google.com/connect.hku.hk/robustml-2021/home)
- [Distribution Shifts Connecting Methods and Applications (NeurIPS 2021)](https://sites.google.com/view/distshift2021)
- [Workshop on Adversarial Robustness In the Real World (ICCV 2021)](https://iccv21-adv-workshop.github.io/)
- [Uncertainty and Robustness in Deep Learning Workshop (ICML 2021)](https://sites.google.com/view/udlworkshop2021/home)
- [RobustML Workshop (ICLR 2021)](https://sites.google.com/connect.hku.hk/robustml-2021/home)
- [Uncertainty and Robustness in Deep Learning Workshop (ICML 2020)](https://sites.google.com/view/udlworkshop2020/home)
## Privacy Workshops
- [Pitfalls of limited data and computation for Trustworthy ML (ICLR 2023)](https://sites.google.com/view/trustml-unlimited/home)
- [Theory and Practice of Differential Privacy (ICML 2022)](https://tpdp.journalprivacyconfidentiality.org/2022/)
## Fairness Workshops
- [Algorithmic Fairness through the Lens of Causality and Privacy (NeurIPS 2022)](https://www.afciworkshop.org/)
## Interpretability Workshops
- [Interpretable Machine Learning in Healthcare (ICML 2022)](https://sites.google.com/view/imlh2022)
## Other Workshops
- [Pitfalls of limited data and computation for Trustworthy ML (ICLR 2023)](https://sites.google.com/view/trustml-unlimited/home)
- [Formal Verification of Machine Learning (ICML 2023)](https://www.ml-verification.com/)
- [Secure and Safe Autonomous Driving (SSAD) Workshop and Challenge (CVPR 2023)](https://trust-ai.github.io/SSAD2023/)
- [Trustworthy and Reliable Large-Scale Machine Learning Models (ICLR 2023)](https://rtml-iclr2023.github.io/)
- [TrustNLP: Third Workshop on Trustworthy Natural Language Processing (ACL 2023)](https://trustnlpworkshop.github.io/)
- [Workshop on Physics for Machine Learning (ICLR 2023)](https://physics4ml.github.io/)
- [Pitfalls of limited data and computation for Trustworthy ML (ICLR 2023)](https://sites.google.com/view/trustml-unlimited/)
- [Workshop on Mathematical and Empirical Understanding of Foundation Models (ICLR 2023)](https://sites.google.com/view/me-fomo2023)
- [ARTIFICIAL INTELLIGENCE AND SECURITY (CCS 2022)](https://aisec.cc/)
- [Automotive and Autonomous Vehicle Security (AutoSec) (NDSS 2022)](https://www.ndss-symposium.org/ndss-program/autosec-2022/)
- [NeurIPS ML Safety Workshop (NeurIPS 2022)](https://neurips2022.mlsafety.org/)
- [Trustworthy and Socially Responsible Machine Learning (NeurIPS 2022)](https://tsrml2022.github.io/)
- [International Workshop on Trustworthy Federated Learning (IJCAI 2022)](https://federated-learning.org/fl-ijcai-2022/)
- [Workshop on AI Safety (IJCAI 2022)](https://www.aisafetyw.org/)
- [1st Workshop on Formal Verification of Machine Learning (ICML 2022)](https://www.ml-verification.com/)
- [Workshop on Distribution-Free Uncertainty Quantification (ICML 2022)](https://sites.google.com/berkeley.edu/dfuq-22/home)
- [First Workshop on Causal Representation Learning (UAI 2022)](https://crl-uai-2022.github.io/)
- [I Canât Believe Itâs Not Better! (ICBINB) Workshop Series](https://i-cant-believe-its-not-better.github.io/)
# Tutorials
## Robustness Tutorials
- [Tutorial on Domain Generalization (IJCAI-ECAI 2022)](https://dgresearch.github.io/)
- [Practical Adversarial Robustness in Deep Learning: Problems and Solutions (CVPR 2021)](https://sites.google.com/view/par-2021)
- [A Tutorial about Adversarial Attacks & Defenses (KDD 2021)](https://sites.google.com/view/kdd21-tutorial-adv-robust/)
- [Adversarial Robustness of Deep Learning Models (ECCV 2020)](https://sites.google.com/umich.edu/eccv-2020-adv-robustness)
- [Adversarial Robustness: Theory and Practice (NeurIPS 2018)](https://nips.cc/Conferences/2018/ScheduleMultitrack?event=10978) [[Note]](https://adversarial-ml-tutorial.org/)
- [Adversarial Machine Learning Tutorial (AAAI 2018)](https://aaai18adversarial.github.io/index.html#)
# Talks
## Robustness Talks
- [Ian Goodfellow: Adversarial Machine Learning (ICLR 2019)](https://www.youtube.com/watch?v=sucqskXRkss)
- [Jindong Wang: Building more robust machine learning models (MLNLP)](https://www.bilibili.com/video/BV1hP411V7SP/)
# Blogs
## Robustness Blogs
- [Pixels still beat text: Attacking the OpenAI CLIP model with text patches and adversarial pixel perturbations](https://stanislavfort.github.io/blog/OpenAI_CLIP_stickers_and_adversarial_examples/)
- [Adversarial examples for the OpenAI CLIP in its zero-shot classification regime and their semantic generalization](https://stanislavfort.github.io/blog/OpenAI_CLIP_adversarial_examples/)
- [A Discussion of Adversarial Examples Are Not Bugs, They Are Features](https://distill.pub/2019/advex-bugs-discussion/)
## Interpretability Blogs
- [Multimodal Neurons in Artificial Neural Networks](https://distill.pub/2021/multimodal-neurons/)
- [Curve Detectors](https://distill.pub/2020/circuits/curve-detectors/)
- [Visualizing the Impact of Feature Attribution Baselines](https://distill.pub/2020/attribution-baselines/)
- [Visualizing Neural Networks with the Grand Tour](https://distill.pub/2020/grand-tour/)
## Other Blogs
- [Cleverhans Blog - Ian Goodfellow, Nicolas Papernot](http://www.cleverhans.io/)
# Other Resources
- [AI Security and Privacy (AISP) Seminar Series](http://scl.sribd.cn/seminar/index.html)
- [ML Safety Newsletter](https://newsletter.mlsafety.org/)
- [Trustworthy ML Initiative](https://www.trustworthyml.org/home)
- [Trustworthy AI Project](https://www.trustworthyaiproject.eu/)
- [ECE1784H: Trustworthy Machine Learning (Course, Fall 2019) - Nicolas Papernot](https://www.papernot.fr/teaching/f19-trustworthy-ml)
- [A School for all Seasons on Trustworthy Machine Learning (Course) - Reza Shokri, Nicolas Papernot](https://trustworthy-machine-learning.github.io/)
- [Trustworthy Machine Learning (Book)](http://www.trustworthymachinelearning.com/)
- [AI Safety Support (Lots of Links)](https://www.aisafetysupport.org/lots-of-links)
# Contributing
Welcome to recommend paper that you find interesting and focused on trustworthy deep learning. You can submit an issue or contact me via [[email]](mailto:[email protected]). Also, if there are any errors in the paper information, please feel free to correct me.
Formatting (The order of the papers is reversed based on the initial submission time to arXiv)
- Paper Title [[paper]](https://arxiv.org/abs/xxxx.xxxx)
- Authors. *Published Conference or Journal*
- Key Word: XXX.
- Digest XXXXXX