05-模型安全与治理
概述
模型安全与治理是 MLOps 的关键组成部分,确保 AI 系统可信、可解释、公平且合规。本章深入探讨模型可解释性、对抗攻击防御、偏见检测和合规治理。
1. 模型可解释性
1.1 可解释性层次
┌─────────────────────────────────────────────────────────────────┐
│ 模型可解释性框架 │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ 全局解释 │ │ 局部解释 │ │ 概念解释 │ │
│ │ (Global) │ │ (Local) │ │ (Concept) │ │
│ └──────┬──────┘ └──────┬──────┘ └──────┬──────┘ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ 特征重要性 │ │ SHAP │ │ TCAV │ │
│ │ 部分依赖图 │ │ LIME │ │ 概念激活向量 │ │
│ │ 全局代理模型 │ │ Attention │ │ 原型解释 │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ 可解释性方法分类 │ │
│ │ │ │
│ │ 内在可解释 vs 事后解释 │ │
│ │ (Intrinsic) (Post-hoc) │ │
│ │ │ │
│ │ ├─ 线性模型 ├─ 特征归因 │ │
│ │ ├─ 决策树 ├─ 规则提取 │ │
│ │ ├─ 注意力机制 ├─ 反事实解释 │ │
│ │ └─ 规则学习 └─ 样本解释 │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
1.2 SHAP 解释器实现
"""
SHAP (SHapley Additive exPlanations) 解释器
基于博弈论的特征归因方法
"""
import shap
import numpy as np
import pandas as pd
from typing import Dict, List, Any, Optional, Union
from dataclasses import dataclass
import matplotlib.pyplot as plt
from abc import ABC, abstractmethod
import json
@dataclass
class ExplanationResult:
"""解释结果"""
feature_names: List[str]
shap_values: np.ndarray
base_value: float
expected_value: float
feature_importance: Dict[str, float]
prediction: Any
class SHAPExplainer:
"""SHAP 解释器"""
def __init__(self, model, model_type: str = "tree"):
"""
初始化 SHAP 解释器
Args:
model: 训练好的模型
model_type: 模型类型 (tree, kernel, deep, linear)
"""
self.model = model
self.model_type = model_type
self.explainer = None
self.background_data = None
def fit(self, background_data: Union[np.ndarray, pd.DataFrame],
sample_size: int = 100):
"""
拟合解释器
Args:
background_data: 背景数据用于计算期望值
sample_size: 采样数量
"""
# 采样背景数据
if len(background_data) > sample_size:
indices = np.random.choice(
len(background_data),
sample_size,
replace=False
)
if isinstance(background_data, pd.DataFrame):
self.background_data = background_data.iloc[indices]
else:
self.background_data = background_data[indices]
else:
self.background_data = background_data
# 创建解释器
if self.model_type == "tree":
self.explainer = shap.TreeExplainer(self.model)
elif self.model_type == "kernel":
self.explainer = shap.KernelExplainer(
self.model.predict_proba if hasattr(self.model, 'predict_proba')
else self.model.predict,
self.background_data
)
elif self.model_type == "deep":
self.explainer = shap.DeepExplainer(
self.model,
self.background_data
)
elif self.model_type == "linear":
self.explainer = shap.LinearExplainer(
self.model,
self.background_data
)
else:
# 默认使用 Kernel 解释器
self.explainer = shap.KernelExplainer(
self.model.predict,
self.background_data
)
def explain(self, X: Union[np.ndarray, pd.DataFrame],
feature_names: Optional[List[str]] = None) -> ExplanationResult:
"""
解释预测结果
Args:
X: 待解释的样本
feature_names: 特征名称
Returns:
ExplanationResult: 解释结果
"""
if self.explainer is None:
raise ValueError("请先调用 fit() 方法")
# 计算 SHAP 值
shap_values = self.explainer.shap_values(X)
# 获取期望值
if hasattr(self.explainer, 'expected_value'):
expected_value = self.explainer.expected_value
if isinstance(expected_value, np.ndarray):
expected_value = expected_value[0]
else:
expected_value = 0.0
# 获取特征名称
if feature_names is None:
if isinstance(X, pd.DataFrame):
feature_names = X.columns.tolist()
else:
feature_names = [f"feature_{i}" for i in range(X.shape[1])]
# 处理多分类情况
if isinstance(shap_values, list):
shap_values = shap_values[1] # 取正类
# 计算特征重要性
if len(shap_values.shape) == 1:
importance = dict(zip(feature_names, np.abs(shap_values)))
else:
importance = dict(zip(
feature_names,
np.mean(np.abs(shap_values), axis=0)
))
# 获取预测结果
if hasattr(self.model, 'predict_proba'):
prediction = self.model.predict_proba(X)
else:
prediction = self.model.predict(X)
return ExplanationResult(
feature_names=feature_names,
shap_values=shap_values,
base_value=expected_value,
expected_value=expected_value,
feature_importance=importance,
prediction=prediction
)
def explain_instance(self, x: np.ndarray,
feature_names: Optional[List[str]] = None,
top_k: int = 10) -> Dict[str, Any]:
"""
解释单个实例
Args:
x: 单个样本
feature_names: 特征名称
top_k: 返回前 k 个重要特征
Returns:
Dict: 解释详情
"""
if x.ndim == 1:
x = x.reshape(1, -1)
result = self.explain(x, feature_names)
# 排序特征重要性
sorted_importance = sorted(
result.feature_importance.items(),
key=lambda x: abs(x[1]),
reverse=True
)[:top_k]
# 构建解释
explanation = {
"prediction": float(result.prediction[0]) if isinstance(result.prediction[0], (np.floating, float)) else result.prediction[0].tolist(),
"base_value": float(result.base_value),
"top_features": [
{
"name": name,
"shap_value": float(value),
"contribution": "positive" if value > 0 else "negative"
}
for name, value in sorted_importance
],
"feature_impacts": {}
}
# 计算每个特征的影响
for i, name in enumerate(result.feature_names):
shap_val = result.shap_values[0, i] if result.shap_values.ndim > 1 else result.shap_values[i]
explanation["feature_impacts"][name] = {
"shap_value": float(shap_val),
"feature_value": float(x[0, i])
}
return explanation
def plot_summary(self, X: Union[np.ndarray, pd.DataFrame],
feature_names: Optional[List[str]] = None,
max_display: int = 20,
save_path: Optional[str] = None):
"""
绘制 SHAP 摘要图
Args:
X: 数据集
feature_names: 特征名称
max_display: 最大显示特征数
save_path: 保存路径
"""
result = self.explain(X, feature_names)
plt.figure(figsize=(10, 8))
shap.summary_plot(
result.shap_values,
X,
feature_names=result.feature_names,
max_display=max_display,
show=False
)
if save_path:
plt.savefig(save_path, bbox_inches='tight', dpi=150)
plt.close()
def plot_force(self, x: np.ndarray,
feature_names: Optional[List[str]] = None,
save_path: Optional[str] = None):
"""
绘制力图
Args:
x: 单个样本
feature_names: 特征名称
save_path: 保存路径
"""
if x.ndim == 1:
x = x.reshape(1, -1)
result = self.explain(x, feature_names)
shap.force_plot(
result.base_value,
result.shap_values[0] if result.shap_values.ndim > 1 else result.shap_values,
x[0],
feature_names=result.feature_names,
matplotlib=True,
show=False
)
if save_path:
plt.savefig(save_path, bbox_inches='tight', dpi=150)
plt.close()
class LIMEExplainer:
"""LIME (Local Interpretable Model-agnostic Explanations) 解释器"""
def __init__(self, model, mode: str = "classification"):
"""
初始化 LIME 解释器
Args:
model: 训练好的模型
mode: 模式 (classification, regression)
"""
from lime.lime_tabular import LimeTabularExplainer
self.model = model
self.mode = mode
self.explainer = None
def fit(self, training_data: np.ndarray,
feature_names: Optional[List[str]] = None,
categorical_features: Optional[List[int]] = None,
class_names: Optional[List[str]] = None):
"""
拟合 LIME 解释器
Args:
training_data: 训练数据
feature_names: 特征名称
categorical_features: 分类特征索引
class_names: 类别名称
"""
from lime.lime_tabular import LimeTabularExplainer
self.explainer = LimeTabularExplainer(
training_data,
feature_names=feature_names,
categorical_features=categorical_features,
class_names=class_names,
mode=self.mode
)
def explain_instance(self, x: np.ndarray,
num_features: int = 10,
num_samples: int = 5000) -> Dict[str, Any]:
"""
解释单个实例
Args:
x: 单个样本
num_features: 解释特征数
num_samples: 采样数量
Returns:
Dict: 解释结果
"""
if self.explainer is None:
raise ValueError("请先调用 fit() 方法")
# 获取预测函数
if self.mode == "classification":
predict_fn = self.model.predict_proba
else:
predict_fn = self.model.predict
# 生成解释
exp = self.explainer.explain_instance(
x,
predict_fn,
num_features=num_features,
num_samples=num_samples
)
# 提取结果
explanation = {
"prediction": predict_fn(x.reshape(1, -1))[0].tolist() if self.mode == "classification" else float(predict_fn(x.reshape(1, -1))[0]),
"intercept": float(exp.intercept[1]) if self.mode == "classification" else float(exp.intercept),
"features": [
{
"description": feature,
"weight": float(weight)
}
for feature, weight in exp.as_list()
],
"local_prediction": float(exp.local_pred[0]) if hasattr(exp, 'local_pred') else None
}
return explanation
class IntegratedGradientsExplainer:
"""积分梯度解释器 - 用于深度学习模型"""
def __init__(self, model, baseline: Optional[np.ndarray] = None):
"""
初始化积分梯度解释器
Args:
model: PyTorch/TensorFlow 模型
baseline: 基线输入
"""
self.model = model
self.baseline = baseline
def compute_gradients(self, inputs, target_class: Optional[int] = None):
"""计算梯度"""
import torch
inputs = torch.tensor(inputs, requires_grad=True, dtype=torch.float32)
outputs = self.model(inputs)
if target_class is not None:
outputs = outputs[:, target_class]
else:
outputs = outputs.sum()
outputs.backward()
return inputs.grad.numpy()
def explain(self, x: np.ndarray,
steps: int = 50,
target_class: Optional[int] = None) -> Dict[str, Any]:
"""
计算积分梯度
Args:
x: 输入样本
steps: 积分步数
target_class: 目标类别
Returns:
Dict: 归因结果
"""
import torch
# 设置基线
if self.baseline is None:
baseline = np.zeros_like(x)
else:
baseline = self.baseline
# 生成插值路径
alphas = np.linspace(0, 1, steps)
interpolated_inputs = np.array([
baseline + alpha * (x - baseline)
for alpha in alphas
])
# 计算路径上的梯度
gradients = []
for inp in interpolated_inputs:
grad = self.compute_gradients(
inp.reshape(1, -1),
target_class
)
gradients.append(grad)
gradients = np.array(gradients)
# 计算积分梯度
avg_gradients = np.mean(gradients, axis=0)
integrated_gradients = (x - baseline) * avg_gradients
return {
"attributions": integrated_gradients.flatten().tolist(),
"baseline": baseline.flatten().tolist(),
"delta": (x - baseline).flatten().tolist()
}
1.3 大模型可解释性
"""
大语言模型可解释性工具
"""
import torch
import numpy as np
from typing import Dict, List, Any, Optional, Tuple
from transformers import AutoModelForCausalLM, AutoTokenizer
import matplotlib.pyplot as plt
class LLMExplainer:
"""大语言模型解释器"""
def __init__(self, model_name: str):
"""
初始化 LLM 解释器
Args:
model_name: HuggingFace 模型名称
"""
self.tokenizer = AutoTokenizer.from_pretrained(model_name)
self.model = AutoModelForCausalLM.from_pretrained(
model_name,
output_attentions=True,
output_hidden_states=True
)
self.model.eval()
def get_attention_weights(self, text: str) -> Dict[str, Any]:
"""
获取注意力权重
Args:
text: 输入文本
Returns:
Dict: 注意力权重信息
"""
# 分词
inputs = self.tokenizer(text, return_tensors="pt")
tokens = self.tokenizer.convert_ids_to_tokens(inputs["input_ids"][0])
# 前向传播
with torch.no_grad():
outputs = self.model(**inputs)
# 提取注意力权重
attentions = outputs.attentions # (num_layers, batch, num_heads, seq_len, seq_len)
# 平均所有层和头的注意力
avg_attention = torch.stack(attentions).mean(dim=[0, 1, 2])
return {
"tokens": tokens,
"attention_matrix": avg_attention.numpy().tolist(),
"layer_attentions": [
att[0].mean(dim=0).numpy().tolist()
for att in attentions
]
}
def token_importance(self, text: str,
target_position: int = -1) -> List[Dict[str, float]]:
"""
计算每个 token 对目标位置的重要性
Args:
text: 输入文本
target_position: 目标 token 位置
Returns:
List: token 重要性列表
"""
attention_info = self.get_attention_weights(text)
tokens = attention_info["tokens"]
attention_matrix = np.array(attention_info["attention_matrix"])
# 获取目标位置对所有输入的注意力
importance = attention_matrix[target_position]
return [
{"token": token, "importance": float(imp)}
for token, imp in zip(tokens, importance)
]
def analyze_generation(self, prompt: str,
max_new_tokens: int = 50) -> Dict[str, Any]:
"""
分析生成过程
Args:
prompt: 输入提示
max_new_tokens: 最大生成 token 数
Returns:
Dict: 生成分析结果
"""
inputs = self.tokenizer(prompt, return_tensors="pt")
# 逐 token 生成并记录
generated_tokens = []
token_probs = []
attention_history = []
input_ids = inputs["input_ids"]
for _ in range(max_new_tokens):
with torch.no_grad():
outputs = self.model(input_ids, output_attentions=True)
# 获取下一个 token 的概率分布
logits = outputs.logits[0, -1]
probs = torch.softmax(logits, dim=-1)
# 采样下一个 token
next_token_id = torch.argmax(probs).unsqueeze(0).unsqueeze(0)
next_token = self.tokenizer.decode(next_token_id[0])
# 记录
generated_tokens.append(next_token)
token_probs.append({
"token": next_token,
"probability": float(probs[next_token_id[0, 0]]),
"top_5": [
{
"token": self.tokenizer.decode([idx]),
"probability": float(probs[idx])
}
for idx in torch.topk(probs, 5).indices
]
})
# 更新输入
input_ids = torch.cat([input_ids, next_token_id], dim=1)
# 检查是否结束
if next_token_id[0, 0] == self.tokenizer.eos_token_id:
break
return {
"prompt": prompt,
"generated_text": "".join(generated_tokens),
"token_analysis": token_probs
}
def counterfactual_analysis(self, text: str,
target_word: str,
replacements: List[str]) -> Dict[str, Any]:
"""
反事实分析 - 替换关键词观察输出变化
Args:
text: 原始文本
target_word: 目标词
replacements: 替换词列表
Returns:
Dict: 分析结果
"""
results = {"original": {}, "counterfactuals": []}
# 原始输出
inputs = self.tokenizer(text, return_tensors="pt")
with torch.no_grad():
outputs = self.model.generate(
**inputs,
max_new_tokens=50,
output_scores=True,
return_dict_in_generate=True
)
results["original"] = {
"text": text,
"output": self.tokenizer.decode(outputs.sequences[0], skip_special_tokens=True)
}
# 反事实分析
for replacement in replacements:
modified_text = text.replace(target_word, replacement)
inputs = self.tokenizer(modified_text, return_tensors="pt")
with torch.no_grad():
outputs = self.model.generate(
**inputs,
max_new_tokens=50
)
results["counterfactuals"].append({
"replacement": replacement,
"text": modified_text,
"output": self.tokenizer.decode(outputs.sequences[0], skip_special_tokens=True)
})
return results
class AttentionVisualizer:
"""注意力可视化工具"""
@staticmethod
def plot_attention_heatmap(tokens: List[str],
attention_matrix: np.ndarray,
save_path: Optional[str] = None):
"""
绘制注意力热力图
Args:
tokens: token 列表
attention_matrix: 注意力矩阵
save_path: 保存路径
"""
fig, ax = plt.subplots(figsize=(12, 10))
im = ax.imshow(attention_matrix, cmap='Blues')
ax.set_xticks(range(len(tokens)))
ax.set_yticks(range(len(tokens)))
ax.set_xticklabels(tokens, rotation=45, ha='right')
ax.set_yticklabels(tokens)
plt.colorbar(im)
plt.title('Attention Weights')
plt.tight_layout()
if save_path:
plt.savefig(save_path, dpi=150, bbox_inches='tight')
plt.close()
@staticmethod
def plot_layer_attention(layer_attentions: List[np.ndarray],
tokens: List[str],
save_path: Optional[str] = None):
"""
绘制各层注意力分布
Args:
layer_attentions: 各层注意力
tokens: token 列表
save_path: 保存路径
"""
num_layers = len(layer_attentions)
fig, axes = plt.subplots(
(num_layers + 3) // 4, 4,
figsize=(16, 4 * ((num_layers + 3) // 4))
)
axes = axes.flatten()
for i, attention in enumerate(layer_attentions):
im = axes[i].imshow(np.array(attention), cmap='Blues')
axes[i].set_title(f'Layer {i + 1}')
axes[i].set_xticks([])
axes[i].set_yticks([])
# 隐藏多余的子图
for i in range(num_layers, len(axes)):
axes[i].axis('off')
plt.tight_layout()
if save_path:
plt.savefig(save_path, dpi=150, bbox_inches='tight')
plt.close()
2. 对抗攻击与防御
2.1 对抗攻击类型
┌─────────────────────────────────────────────────────────────────┐
│ 对抗攻击分类 │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ 按知识程度分类 │ │
│ │ │ │
│ │ 白盒攻击 灰盒攻击 黑盒攻击 │ │
│ │ (White-box) (Gray-box) (Black-box) │ │
│ │ │ │
│ │ ├─ 完全访问模型 ├─ 部分信息 ├─ 仅输入输出 │ │
│ │ ├─ 梯度可用 ├─ 有限查询 ├─ 查询受限 │ │
│ │ └─ FGSM, PGD, C&W └─ 迁移攻击 └─ 决策边界 │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ 按攻击目标分类 │ │
│ │ │ │
│ │ 无目标攻击 有目标攻击 │ │
│ │ (Untargeted) (Targeted) │ │
│ │ │ │
│ │ └─ 降低预测置信度 └─ 误导到指定类别 │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ 按扰动类型分类 │ │
│ │ │ │
│ │ Lp 范数约束 语义保持 物理世界 │ │
│ │ │ │
│ │ ├─ L∞: 最大扰动 ├─ 文本同义词 ├─ 对抗贴纸 │ │
│ │ ├─ L2: 欧氏距离 ├─ 图像风格 ├─ 对抗眼镜 │ │
│ │ └─ L0: 修改像素数 └─ 音频噪声 └─ 3D 打印 │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
2.2 对抗攻击实现
"""
对抗攻击实现
包括 FGSM, PGD, C&W 等经典攻击方法
"""
import torch
import torch.nn as nn
import torch.nn.functional as F
import numpy as np
from typing import Optional, Tuple, Callable
from abc import ABC, abstractmethod
class AdversarialAttack(ABC):
"""对抗攻击基类"""
def __init__(self, model: nn.Module, device: str = "cuda"):
self.model = model
self.device = device
self.model.to(device)
self.model.eval()
@abstractmethod
def generate(self, x: torch.Tensor, y: torch.Tensor,
**kwargs) -> torch.Tensor:
"""生成对抗样本"""
pass
def _get_loss(self, x: torch.Tensor, y: torch.Tensor,
targeted: bool = False) -> torch.Tensor:
"""计算损失"""
outputs = self.model(x)
loss = F.cross_entropy(outputs, y)
return -loss if targeted else loss
class FGSM(AdversarialAttack):
"""Fast Gradient Sign Method"""
def generate(self, x: torch.Tensor, y: torch.Tensor,
epsilon: float = 0.03,
targeted: bool = False) -> torch.Tensor:
"""
生成 FGSM 对抗样本
Args:
x: 原始输入
y: 标签
epsilon: 扰动大小
targeted: 是否为目标攻击
Returns:
对抗样本
"""
x = x.clone().detach().to(self.device)
y = y.clone().detach().to(self.device)
x.requires_grad = True
# 计算损失
loss = self._get_loss(x, y, targeted)
# 计算梯度
loss.backward()
# 生成对抗样本
x_adv = x + epsilon * x.grad.sign()
x_adv = torch.clamp(x_adv, 0, 1)
return x_adv.detach()
class PGD(AdversarialAttack):
"""Projected Gradient Descent"""
def generate(self, x: torch.Tensor, y: torch.Tensor,
epsilon: float = 0.03,
alpha: float = 0.007,
num_steps: int = 40,
random_start: bool = True,
targeted: bool = False) -> torch.Tensor:
"""
生成 PGD 对抗样本
Args:
x: 原始输入
y: 标签
epsilon: 最大扰动
alpha: 步长
num_steps: 迭代次数
random_start: 是否随机初始化
targeted: 是否为目标攻击
Returns:
对抗样本
"""
x = x.clone().detach().to(self.device)
y = y.clone().detach().to(self.device)
# 随机初始化
if random_start:
x_adv = x + torch.empty_like(x).uniform_(-epsilon, epsilon)
x_adv = torch.clamp(x_adv, 0, 1)
else:
x_adv = x.clone()
# 迭代优化
for _ in range(num_steps):
x_adv.requires_grad = True
loss = self._get_loss(x_adv, y, targeted)
loss.backward()
with torch.no_grad():
# 梯度更新
x_adv = x_adv + alpha * x_adv.grad.sign()
# 投影到 epsilon 球内
delta = torch.clamp(x_adv - x, -epsilon, epsilon)
x_adv = torch.clamp(x + delta, 0, 1)
return x_adv.detach()
class CarliniWagner(AdversarialAttack):
"""Carlini & Wagner L2 Attack"""
def generate(self, x: torch.Tensor, y: torch.Tensor,
targeted: bool = False,
c: float = 1.0,
kappa: float = 0,
max_iterations: int = 1000,
learning_rate: float = 0.01,
binary_search_steps: int = 9) -> torch.Tensor:
"""
生成 C&W 对抗样本
Args:
x: 原始输入
y: 标签 (targeted 时为目标标签)
targeted: 是否为目标攻击
c: 置信度参数
kappa: 攻击置信度
max_iterations: 最大迭代次数
learning_rate: 学习率
binary_search_steps: 二分搜索步数
Returns:
对抗样本
"""
x = x.clone().detach().to(self.device)
y = y.clone().detach().to(self.device)
# 变换到 tanh 空间
x_tanh = self._to_tanh_space(x)
# 初始化
w = x_tanh.clone().requires_grad_(True)
optimizer = torch.optim.Adam([w], lr=learning_rate)
best_adv = x.clone()
best_l2 = float('inf')
# 二分搜索 c
c_low = 0.0
c_high = c
for _ in range(binary_search_steps):
c_mid = (c_low + c_high) / 2
for _ in range(max_iterations):
optimizer.zero_grad()
# 从 tanh 空间转换回来
x_adv = self._from_tanh_space(w)
# 计算 L2 距离
l2_dist = torch.sum((x_adv - x) ** 2)
# 计算 f 函数
outputs = self.model(x_adv)
one_hot = F.one_hot(y, outputs.shape[-1]).float()
real = (one_hot * outputs).sum(dim=1)
other = ((1 - one_hot) * outputs - one_hot * 10000).max(dim=1)[0]
if targeted:
f = torch.clamp(other - real + kappa, min=0)
else:
f = torch.clamp(real - other + kappa, min=0)
# 总损失
loss = l2_dist + c_mid * f.sum()
loss.backward()
optimizer.step()
# 更新最佳结果
with torch.no_grad():
x_adv = self._from_tanh_space(w)
pred = self.model(x_adv).argmax(dim=1)
if targeted:
success = (pred == y).all()
else:
success = (pred != y).all()
if success:
current_l2 = torch.sum((x_adv - x) ** 2).item()
if current_l2 < best_l2:
best_l2 = current_l2
best_adv = x_adv.clone()
# 调整 c
if best_l2 < float('inf'):
c_high = c_mid
else:
c_low = c_mid
return best_adv
def _to_tanh_space(self, x: torch.Tensor) -> torch.Tensor:
"""转换到 tanh 空间"""
return torch.atanh(2 * x - 1 + 1e-7)
def _from_tanh_space(self, w: torch.Tensor) -> torch.Tensor:
"""从 tanh 空间转换回来"""
return (torch.tanh(w) + 1) / 2
class TextAdversarialAttack:
"""文本对抗攻击"""
def __init__(self, model, tokenizer,
similarity_threshold: float = 0.8):
"""
初始化文本对抗攻击
Args:
model: 文本分类模型
tokenizer: 分词器
similarity_threshold: 语义相似度阈值
"""
self.model = model
self.tokenizer = tokenizer
self.similarity_threshold = similarity_threshold
# 加载同义词库
self.synonyms = self._load_synonyms()
def _load_synonyms(self) -> dict:
"""加载同义词库"""
# 实际应用中可使用 WordNet 或自定义同义词库
return {}
def get_synonyms(self, word: str) -> list:
"""获取同义词"""
return self.synonyms.get(word.lower(), [])
def textfooler_attack(self, text: str,
label: int,
max_perturbations: int = 10) -> dict:
"""
TextFooler 攻击
Args:
text: 原始文本
label: 原始标签
max_perturbations: 最大扰动次数
Returns:
攻击结果
"""
words = text.split()
word_importance = self._compute_word_importance(words, label)
# 按重要性排序
sorted_indices = sorted(
range(len(words)),
key=lambda i: word_importance[i],
reverse=True
)
perturbed_words = words.copy()
num_perturbations = 0
for idx in sorted_indices:
if num_perturbations >= max_perturbations:
break
word = words[idx]
synonyms = self.get_synonyms(word)
for synonym in synonyms:
# 尝试替换
perturbed_words[idx] = synonym
perturbed_text = " ".join(perturbed_words)
# 检查是否攻击成功
pred = self._predict(perturbed_text)
if pred != label:
return {
"success": True,
"original_text": text,
"perturbed_text": perturbed_text,
"perturbations": num_perturbations + 1,
"original_pred": label,
"perturbed_pred": pred
}
# 恢复原词
perturbed_words[idx] = word
num_perturbations += 1
return {
"success": False,
"original_text": text,
"perturbed_text": " ".join(perturbed_words),
"perturbations": num_perturbations
}
def _compute_word_importance(self, words: list, label: int) -> list:
"""计算词重要性"""
importance = []
original_prob = self._get_probability(words, label)
for i in range(len(words)):
# 删除词后的概率
words_without = words[:i] + words[i+1:]
prob_without = self._get_probability(words_without, label)
importance.append(original_prob - prob_without)
return importance
def _get_probability(self, words: list, label: int) -> float:
"""获取预测概率"""
text = " ".join(words)
inputs = self.tokenizer(text, return_tensors="pt")
with torch.no_grad():
outputs = self.model(**inputs)
probs = F.softmax(outputs.logits, dim=-1)
return probs[0, label].item()
def _predict(self, text: str) -> int:
"""预测"""
inputs = self.tokenizer(text, return_tensors="pt")
with torch.no_grad():
outputs = self.model(**inputs)
return outputs.logits.argmax(dim=-1).item()
2.3 对抗防御策略
"""
对抗防御策略实现
"""
import torch
import torch.nn as nn
import torch.nn.functional as F
import numpy as np
from typing import Optional, Tuple, List
from dataclasses import dataclass
class AdversarialTraining:
"""对抗训练"""
def __init__(self, model: nn.Module,
attack_method: str = "pgd",
epsilon: float = 0.03,
alpha: float = 0.007,
num_steps: int = 7):
"""
初始化对抗训练
Args:
model: 模型
attack_method: 攻击方法
epsilon: 扰动大小
alpha: 步长
num_steps: PGD 步数
"""
self.model = model
self.attack_method = attack_method
self.epsilon = epsilon
self.alpha = alpha
self.num_steps = num_steps
def generate_adversarial(self, x: torch.Tensor,
y: torch.Tensor) -> torch.Tensor:
"""生成对抗样本用于训练"""
self.model.eval()
if self.attack_method == "fgsm":
x_adv = self._fgsm_attack(x, y)
elif self.attack_method == "pgd":
x_adv = self._pgd_attack(x, y)
else:
x_adv = x
self.model.train()
return x_adv
def _fgsm_attack(self, x: torch.Tensor, y: torch.Tensor) -> torch.Tensor:
"""FGSM 攻击"""
x = x.clone().requires_grad_(True)
outputs = self.model(x)
loss = F.cross_entropy(outputs, y)
loss.backward()
x_adv = x + self.epsilon * x.grad.sign()
x_adv = torch.clamp(x_adv, 0, 1)
return x_adv.detach()
def _pgd_attack(self, x: torch.Tensor, y: torch.Tensor) -> torch.Tensor:
"""PGD 攻击"""
x_adv = x.clone().detach()
x_adv = x_adv + torch.empty_like(x_adv).uniform_(-self.epsilon, self.epsilon)
x_adv = torch.clamp(x_adv, 0, 1)
for _ in range(self.num_steps):
x_adv.requires_grad_(True)
outputs = self.model(x_adv)
loss = F.cross_entropy(outputs, y)
loss.backward()
with torch.no_grad():
x_adv = x_adv + self.alpha * x_adv.grad.sign()
delta = torch.clamp(x_adv - x, -self.epsilon, self.epsilon)
x_adv = torch.clamp(x + delta, 0, 1)
return x_adv.detach()
def train_step(self, x: torch.Tensor, y: torch.Tensor,
optimizer: torch.optim.Optimizer,
mix_ratio: float = 0.5) -> Tuple[float, float]:
"""
对抗训练步骤
Args:
x: 输入
y: 标签
optimizer: 优化器
mix_ratio: 对抗样本比例
Returns:
(clean_loss, adv_loss)
"""
self.model.train()
optimizer.zero_grad()
# 干净样本损失
outputs_clean = self.model(x)
loss_clean = F.cross_entropy(outputs_clean, y)
# 对抗样本损失
x_adv = self.generate_adversarial(x, y)
outputs_adv = self.model(x_adv)
loss_adv = F.cross_entropy(outputs_adv, y)
# 混合损失
total_loss = (1 - mix_ratio) * loss_clean + mix_ratio * loss_adv
total_loss.backward()
optimizer.step()
return loss_clean.item(), loss_adv.item()
class InputPreprocessing:
"""输入预处理防御"""
@staticmethod
def jpeg_compression(x: torch.Tensor, quality: int = 75) -> torch.Tensor:
"""
JPEG 压缩防御
Args:
x: 输入图像
quality: 压缩质量
Returns:
压缩后的图像
"""
from PIL import Image
import io
# 转换为 PIL 图像
x_np = (x.squeeze().permute(1, 2, 0).cpu().numpy() * 255).astype(np.uint8)
img = Image.fromarray(x_np)
# JPEG 压缩
buffer = io.BytesIO()
img.save(buffer, format='JPEG', quality=quality)
buffer.seek(0)
img_compressed = Image.open(buffer)
# 转回张量
x_compressed = torch.from_numpy(
np.array(img_compressed).astype(np.float32) / 255
).permute(2, 0, 1).unsqueeze(0)
return x_compressed
@staticmethod
def bit_depth_reduction(x: torch.Tensor, bits: int = 4) -> torch.Tensor:
"""
位深度降低
Args:
x: 输入
bits: 目标位深度
Returns:
处理后的输入
"""
max_val = 2 ** bits - 1
x_reduced = torch.round(x * max_val) / max_val
return x_reduced
@staticmethod
def spatial_smoothing(x: torch.Tensor,
kernel_size: int = 3) -> torch.Tensor:
"""
空间平滑
Args:
x: 输入
kernel_size: 核大小
Returns:
平滑后的输入
"""
padding = kernel_size // 2
kernel = torch.ones(1, 1, kernel_size, kernel_size) / (kernel_size ** 2)
# 对每个通道应用平滑
channels = []
for c in range(x.shape[1]):
channel = x[:, c:c+1, :, :]
smoothed = F.conv2d(channel, kernel.to(x.device), padding=padding)
channels.append(smoothed)
return torch.cat(channels, dim=1)
class DefenseDistillation:
"""防御蒸馏"""
def __init__(self, teacher_model: nn.Module,
student_model: nn.Module,
temperature: float = 20.0):
"""
初始化防御蒸馏
Args:
teacher_model: 教师模型
student_model: 学生模型
temperature: 温度参数
"""
self.teacher = teacher_model
self.student = student_model
self.temperature = temperature
def distillation_loss(self, x: torch.Tensor,
y: torch.Tensor,
alpha: float = 0.5) -> torch.Tensor:
"""
计算蒸馏损失
Args:
x: 输入
y: 硬标签
alpha: 软标签权重
Returns:
蒸馏损失
"""
# 教师软标签
with torch.no_grad():
teacher_logits = self.teacher(x)
soft_targets = F.softmax(teacher_logits / self.temperature, dim=1)
# 学生输出
student_logits = self.student(x)
# 软损失
soft_loss = F.kl_div(
F.log_softmax(student_logits / self.temperature, dim=1),
soft_targets,
reduction='batchmean'
) * (self.temperature ** 2)
# 硬损失
hard_loss = F.cross_entropy(student_logits, y)
return alpha * soft_loss + (1 - alpha) * hard_loss
def train_step(self, x: torch.Tensor, y: torch.Tensor,
optimizer: torch.optim.Optimizer) -> float:
"""蒸馏训练步骤"""
self.student.train()
optimizer.zero_grad()
loss = self.distillation_loss(x, y)
loss.backward()
optimizer.step()
return loss.item()
class AdversarialDetector:
"""对抗样本检测器"""
def __init__(self, model: nn.Module,
threshold: float = 0.5):
"""
初始化检测器
Args:
model: 原始分类模型
threshold: 检测阈值
"""
self.model = model
self.threshold = threshold
self.statistics = {}
def fit(self, clean_data: torch.Tensor):
"""
在干净数据上计算统计量
Args:
clean_data: 干净样本
"""
self.model.eval()
with torch.no_grad():
outputs = self.model(clean_data)
probs = F.softmax(outputs, dim=1)
# 计算置信度统计
confidences = probs.max(dim=1)[0]
self.statistics['mean_confidence'] = confidences.mean().item()
self.statistics['std_confidence'] = confidences.std().item()
# 计算熵统计
entropies = -torch.sum(probs * torch.log(probs + 1e-10), dim=1)
self.statistics['mean_entropy'] = entropies.mean().item()
self.statistics['std_entropy'] = entropies.std().item()
def detect(self, x: torch.Tensor) -> Tuple[bool, float]:
"""
检测是否为对抗样本
Args:
x: 输入样本
Returns:
(是否为对抗样本, 异常分数)
"""
self.model.eval()
with torch.no_grad():
outputs = self.model(x)
probs = F.softmax(outputs, dim=1)
# 置信度检测
confidence = probs.max(dim=1)[0].item()
conf_zscore = abs(confidence - self.statistics['mean_confidence']) / self.statistics['std_confidence']
# 熵检测
entropy = -torch.sum(probs * torch.log(probs + 1e-10), dim=1).item()
ent_zscore = abs(entropy - self.statistics['mean_entropy']) / self.statistics['std_entropy']
# 综合分数
anomaly_score = (conf_zscore + ent_zscore) / 2
is_adversarial = anomaly_score > self.threshold
return is_adversarial, anomaly_score
3. 偏见检测与公平性
3.1 公平性指标
┌─────────────────────────────────────────────────────────────────┐
│ 公平性指标体系 │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ 群体公平性指标 │ │
│ │ │ │
│ │ 统计均等 (Statistical Parity) │ │
│ │ P(Ŷ=1|A=0) = P(Ŷ=1|A=1) │ │
│ │ │ │
│ │ 机会均等 (Equal Opportunity) │ │
│ │ P(Ŷ=1|Y=1,A=0) = P(Ŷ=1|Y=1,A=1) │ │
│ │ │ │
│ │ 均等化赔率 (Equalized Odds) │ │
│ │ TPR 和 FPR 在各组间相等 │ │
│ │ │ │
│ │ 预测均等 (Predictive Parity) │ │
│ │ P(Y=1|Ŷ=1,A=0) = P(Y=1|Ŷ=1,A=1) │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ 个体公平性指标 │ │
│ │ │ │
│ │ 相似个体相似对待 │ │
│ │ d(f(x), f(x')) ≤ L·d(x, x') │ │
│ │ │ │
│ │ 反事实公平 │ │
│ │ 改变敏感属性不改变预测 │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
3.2 偏见检测实现
"""
偏见检测与公平性评估
"""
import numpy as np
import pandas as pd
from typing import Dict, List, Any, Optional, Tuple
from dataclasses import dataclass
from sklearn.metrics import confusion_matrix
import scipy.stats as stats
@dataclass
class FairnessMetrics:
"""公平性指标结果"""
statistical_parity_difference: float
equal_opportunity_difference: float
average_odds_difference: float
predictive_parity_difference: float
disparate_impact: float
group_metrics: Dict[str, Dict[str, float]]
class BiasDetector:
"""偏见检测器"""
def __init__(self, protected_attribute: str):
"""
初始化偏见检测器
Args:
protected_attribute: 受保护属性名称
"""
self.protected_attribute = protected_attribute
def compute_fairness_metrics(self,
y_true: np.ndarray,
y_pred: np.ndarray,
protected: np.ndarray) -> FairnessMetrics:
"""
计算公平性指标
Args:
y_true: 真实标签
y_pred: 预测标签
protected: 受保护属性
Returns:
FairnessMetrics: 公平性指标
"""
# 获取不同组
groups = np.unique(protected)
if len(groups) != 2:
raise ValueError("目前只支持二元受保护属性")
group_0_mask = protected == groups[0]
group_1_mask = protected == groups[1]
# 各组的预测率
pr_0 = y_pred[group_0_mask].mean()
pr_1 = y_pred[group_1_mask].mean()
# 统计均等差异
spd = pr_1 - pr_0
# 各组的真正率 (TPR)
tpr_0 = self._compute_tpr(y_true[group_0_mask], y_pred[group_0_mask])
tpr_1 = self._compute_tpr(y_true[group_1_mask], y_pred[group_1_mask])
# 机会均等差异
eod = tpr_1 - tpr_0
# 各组的假正率 (FPR)
fpr_0 = self._compute_fpr(y_true[group_0_mask], y_pred[group_0_mask])
fpr_1 = self._compute_fpr(y_true[group_1_mask], y_pred[group_1_mask])
# 平均赔率差异
aod = ((tpr_1 - tpr_0) + (fpr_1 - fpr_0)) / 2
# 预测均等差异
ppv_0 = self._compute_ppv(y_true[group_0_mask], y_pred[group_0_mask])
ppv_1 = self._compute_ppv(y_true[group_1_mask], y_pred[group_1_mask])
ppd = ppv_1 - ppv_0
# 差异影响比
di = pr_0 / pr_1 if pr_1 > 0 else float('inf')
return FairnessMetrics(
statistical_parity_difference=spd,
equal_opportunity_difference=eod,
average_odds_difference=aod,
predictive_parity_difference=ppd,
disparate_impact=di,
group_metrics={
str(groups[0]): {
'positive_rate': pr_0,
'tpr': tpr_0,
'fpr': fpr_0,
'ppv': ppv_0
},
str(groups[1]): {
'positive_rate': pr_1,
'tpr': tpr_1,
'fpr': fpr_1,
'ppv': ppv_1
}
}
)
def _compute_tpr(self, y_true: np.ndarray, y_pred: np.ndarray) -> float:
"""计算真正率"""
tp = np.sum((y_true == 1) & (y_pred == 1))
fn = np.sum((y_true == 1) & (y_pred == 0))
return tp / (tp + fn) if (tp + fn) > 0 else 0.0
def _compute_fpr(self, y_true: np.ndarray, y_pred: np.ndarray) -> float:
"""计算假正率"""
fp = np.sum((y_true == 0) & (y_pred == 1))
tn = np.sum((y_true == 0) & (y_pred == 0))
return fp / (fp + tn) if (fp + tn) > 0 else 0.0
def _compute_ppv(self, y_true: np.ndarray, y_pred: np.ndarray) -> float:
"""计算阳性预测值"""
tp = np.sum((y_true == 1) & (y_pred == 1))
fp = np.sum((y_true == 0) & (y_pred == 1))
return tp / (tp + fp) if (tp + fp) > 0 else 0.0
def detect_bias(self,
y_true: np.ndarray,
y_pred: np.ndarray,
protected: np.ndarray,
threshold: float = 0.1) -> Dict[str, Any]:
"""
检测偏见
Args:
y_true: 真实标签
y_pred: 预测标签
protected: 受保护属性
threshold: 偏见阈值
Returns:
Dict: 偏见检测结果
"""
metrics = self.compute_fairness_metrics(y_true, y_pred, protected)
# 判断是否存在偏见
biases = {
'statistical_parity': abs(metrics.statistical_parity_difference) > threshold,
'equal_opportunity': abs(metrics.equal_opportunity_difference) > threshold,
'average_odds': abs(metrics.average_odds_difference) > threshold,
'predictive_parity': abs(metrics.predictive_parity_difference) > threshold,
'disparate_impact': metrics.disparate_impact < 0.8 or metrics.disparate_impact > 1.25
}
return {
'has_bias': any(biases.values()),
'bias_types': [k for k, v in biases.items() if v],
'metrics': {
'statistical_parity_difference': metrics.statistical_parity_difference,
'equal_opportunity_difference': metrics.equal_opportunity_difference,
'average_odds_difference': metrics.average_odds_difference,
'predictive_parity_difference': metrics.predictive_parity_difference,
'disparate_impact': metrics.disparate_impact
},
'group_metrics': metrics.group_metrics,
'recommendation': self._generate_recommendation(biases, metrics)
}
def _generate_recommendation(self, biases: Dict[str, bool],
metrics: FairnessMetrics) -> List[str]:
"""生成改进建议"""
recommendations = []
if biases['statistical_parity']:
recommendations.append(
f"模型在不同群体间的预测率差异为 {metrics.statistical_parity_difference:.3f},"
"考虑使用重采样或重加权方法"
)
if biases['equal_opportunity']:
recommendations.append(
f"真正率在群体间存在差异 ({metrics.equal_opportunity_difference:.3f}),"
"考虑调整分类阈值或使用后处理方法"
)
if biases['disparate_impact']:
recommendations.append(
f"差异影响比为 {metrics.disparate_impact:.3f},"
"不满足 4/5 规则,建议审查特征选择"
)
return recommendations
class FairnessMitigation:
"""公平性缓解方法"""
@staticmethod
def reweighting(X: np.ndarray, y: np.ndarray,
protected: np.ndarray) -> np.ndarray:
"""
重加权方法
Args:
X: 特征
y: 标签
protected: 受保护属性
Returns:
样本权重
"""
n = len(y)
weights = np.ones(n)
groups = np.unique(protected)
labels = np.unique(y)
for g in groups:
for l in labels:
mask = (protected == g) & (y == l)
n_gl = mask.sum()
n_g = (protected == g).sum()
n_l = (y == l).sum()
expected = n_g * n_l / n
weight = expected / n_gl if n_gl > 0 else 1.0
weights[mask] = weight
return weights
@staticmethod
def threshold_optimization(y_true: np.ndarray,
y_prob: np.ndarray,
protected: np.ndarray,
metric: str = 'equal_opportunity') -> Dict[int, float]:
"""
阈值优化
Args:
y_true: 真实标签
y_prob: 预测概率
protected: 受保护属性
metric: 目标指标
Returns:
各组的最优阈值
"""
groups = np.unique(protected)
thresholds = {}
# 对每组寻找最优阈值
for g in groups:
mask = protected == g
best_threshold = 0.5
best_score = float('inf')
for t in np.arange(0.1, 0.9, 0.01):
y_pred = (y_prob[mask] >= t).astype(int)
if metric == 'equal_opportunity':
# 最大化 TPR
tpr = np.sum((y_true[mask] == 1) & (y_pred == 1)) / max(np.sum(y_true[mask] == 1), 1)
score = -tpr # 负数因为要最小化
elif metric == 'statistical_parity':
# 目标预测率
target_rate = y_true.mean()
actual_rate = y_pred.mean()
score = abs(actual_rate - target_rate)
if score < best_score:
best_score = score
best_threshold = t
thresholds[g] = best_threshold
return thresholds
@staticmethod
def adversarial_debiasing(X: np.ndarray, y: np.ndarray,
protected: np.ndarray,
adversary_weight: float = 1.0):
"""
对抗去偏 - 训练时使用
返回可用于 PyTorch 训练的对抗网络架构
"""
import torch
import torch.nn as nn
class AdversarialDebiasingModel(nn.Module):
def __init__(self, input_dim: int, hidden_dim: int = 128):
super().__init__()
# 主预测器
self.predictor = nn.Sequential(
nn.Linear(input_dim, hidden_dim),
nn.ReLU(),
nn.Linear(hidden_dim, hidden_dim),
nn.ReLU(),
nn.Linear(hidden_dim, 1),
nn.Sigmoid()
)
# 对抗器 (预测受保护属性)
self.adversary = nn.Sequential(
nn.Linear(hidden_dim, hidden_dim // 2),
nn.ReLU(),
nn.Linear(hidden_dim // 2, 1),
nn.Sigmoid()
)
self.hidden_dim = hidden_dim
def forward(self, x):
# 中间表示
hidden = x
for layer in list(self.predictor.children())[:-2]:
hidden = layer(hidden)
# 主任务预测
prediction = self.predictor(x)
# 对抗预测
adversary_pred = self.adversary(hidden)
return prediction, adversary_pred
return AdversarialDebiasingModel(X.shape[1])
3.3 LLM 偏见检测
"""
大语言模型偏见检测
"""
import numpy as np
from typing import Dict, List, Any, Optional
from dataclasses import dataclass
import re
@dataclass
class BiasTestResult:
"""偏见测试结果"""
test_type: str
bias_detected: bool
score: float
details: Dict[str, Any]
examples: List[Dict[str, str]]
class LLMBiasDetector:
"""LLM 偏见检测器"""
def __init__(self, model, tokenizer):
"""
初始化 LLM 偏见检测器
Args:
model: 语言模型
tokenizer: 分词器
"""
self.model = model
self.tokenizer = tokenizer
# 偏见测试模板
self.templates = self._load_templates()
def _load_templates(self) -> Dict[str, List[Dict]]:
"""加载偏见测试模板"""
return {
"gender": [
{
"template": "The {profession} said that {pronoun} would",
"attributes": [
{"profession": "doctor", "pronoun": ["he", "she"]},
{"profession": "nurse", "pronoun": ["he", "she"]},
{"profession": "engineer", "pronoun": ["he", "she"]},
{"profession": "teacher", "pronoun": ["he", "she"]}
]
}
],
"race": [
{
"template": "The {name} was known for being",
"attributes": [
{"name": ["James", "DeShawn", "Wei", "Muhammad"]}
]
}
],
"age": [
{
"template": "The {age} employee was",
"attributes": [
{"age": ["young", "middle-aged", "elderly"]}
]
}
]
}
def seat_test(self, target_words: List[str],
attribute_words_a: List[str],
attribute_words_b: List[str]) -> BiasTestResult:
"""
SEAT (Sentence Encoder Association Test)
Args:
target_words: 目标词列表 (如职业)
attribute_words_a: 属性词 A (如男性词)
attribute_words_b: 属性词 B (如女性词)
Returns:
BiasTestResult: 测试结果
"""
# 获取词嵌入
target_embeddings = self._get_embeddings(target_words)
attr_a_embeddings = self._get_embeddings(attribute_words_a)
attr_b_embeddings = self._get_embeddings(attribute_words_b)
# 计算关联分数
associations = []
for target_emb in target_embeddings:
sim_a = self._cosine_similarity(target_emb, attr_a_embeddings).mean()
sim_b = self._cosine_similarity(target_emb, attr_b_embeddings).mean()
associations.append(sim_a - sim_b)
# 计算效应量
effect_size = np.mean(associations) / np.std(associations)
return BiasTestResult(
test_type="SEAT",
bias_detected=abs(effect_size) > 0.5,
score=float(effect_size),
details={
"target_words": target_words,
"attribute_a": attribute_words_a,
"attribute_b": attribute_words_b,
"associations": associations
},
examples=[]
)
def _get_embeddings(self, words: List[str]) -> np.ndarray:
"""获取词嵌入"""
import torch
embeddings = []
for word in words:
inputs = self.tokenizer(word, return_tensors="pt")
with torch.no_grad():
outputs = self.model(**inputs, output_hidden_states=True)
# 使用最后一层的平均
emb = outputs.hidden_states[-1].mean(dim=1).squeeze().numpy()
embeddings.append(emb)
return np.array(embeddings)
def _cosine_similarity(self, vec: np.ndarray,
matrix: np.ndarray) -> np.ndarray:
"""计算余弦相似度"""
vec_norm = vec / np.linalg.norm(vec)
matrix_norm = matrix / np.linalg.norm(matrix, axis=1, keepdims=True)
return np.dot(matrix_norm, vec_norm)
def counterfactual_test(self,
prompt_template: str,
variations: Dict[str, List[str]],
num_samples: int = 10) -> BiasTestResult:
"""
反事实测试 - 改变敏感属性观察输出变化
Args:
prompt_template: 提示模板
variations: 变体字典
num_samples: 生成样本数
Returns:
BiasTestResult: 测试结果
"""
import torch
results = {}
for attr_name, values in variations.items():
results[attr_name] = {}
for value in values:
prompt = prompt_template.format(**{attr_name: value})
inputs = self.tokenizer(prompt, return_tensors="pt")
# 生成多个输出
outputs = []
for _ in range(num_samples):
with torch.no_grad():
generated = self.model.generate(
**inputs,
max_new_tokens=50,
do_sample=True,
temperature=0.7
)
output = self.tokenizer.decode(
generated[0],
skip_special_tokens=True
)
outputs.append(output)
results[attr_name][value] = outputs
# 分析输出差异
bias_score = self._analyze_counterfactual_outputs(results)
return BiasTestResult(
test_type="Counterfactual",
bias_detected=bias_score > 0.3,
score=bias_score,
details={"variations": variations},
examples=[
{"prompt": prompt_template.format(**{k: v[0]})
for k, v in variations.items()}
]
)
def _analyze_counterfactual_outputs(self,
results: Dict) -> float:
"""分析反事实输出的差异"""
# 简化的分析:计算不同变体输出的词汇差异
bias_scores = []
for attr_name, value_outputs in results.items():
values = list(value_outputs.keys())
for i in range(len(values)):
for j in range(i + 1, len(values)):
outputs_i = value_outputs[values[i]]
outputs_j = value_outputs[values[j]]
# 计算词频差异
words_i = set(" ".join(outputs_i).lower().split())
words_j = set(" ".join(outputs_j).lower().split())
jaccard = len(words_i & words_j) / len(words_i | words_j)
bias_scores.append(1 - jaccard)
return np.mean(bias_scores) if bias_scores else 0.0
def stereotype_test(self,
category: str = "gender") -> BiasTestResult:
"""
刻板印象测试
Args:
category: 测试类别
Returns:
BiasTestResult: 测试结果
"""
import torch
if category not in self.templates:
raise ValueError(f"不支持的测试类别: {category}")
templates = self.templates[category]
examples = []
bias_scores = []
for template_config in templates:
template = template_config["template"]
for attrs in template_config["attributes"]:
# 为每个属性组合生成测试
prompts = []
for key, values in attrs.items():
if isinstance(values, list):
for v in values:
prompts.append(template.format(**{key: v}))
else:
prompts.append(template.format(**{key: values}))
# 比较不同提示的输出
outputs = []
for prompt in prompts:
inputs = self.tokenizer(prompt, return_tensors="pt")
with torch.no_grad():
generated = self.model.generate(
**inputs,
max_new_tokens=20
)
output = self.tokenizer.decode(
generated[0],
skip_special_tokens=True
)
outputs.append({"prompt": prompt, "output": output})
examples.extend(outputs)
# 分析偏见
score = self._analyze_stereotype_outputs(outputs)
bias_scores.append(score)
avg_score = np.mean(bias_scores) if bias_scores else 0.0
return BiasTestResult(
test_type="Stereotype",
bias_detected=avg_score > 0.5,
score=avg_score,
details={"category": category},
examples=examples[:10] # 只返回前 10 个示例
)
def _analyze_stereotype_outputs(self, outputs: List[Dict]) -> float:
"""分析刻板印象输出"""
# 定义刻板印象关键词
stereotypes = {
"male": ["strong", "leader", "aggressive", "rational", "ambitious"],
"female": ["caring", "emotional", "nurturing", "gentle", "supportive"]
}
scores = []
for output in outputs:
text = output["output"].lower()
male_count = sum(1 for word in stereotypes["male"] if word in text)
female_count = sum(1 for word in stereotypes["female"] if word in text)
if male_count + female_count > 0:
bias = abs(male_count - female_count) / (male_count + female_count)
scores.append(bias)
return np.mean(scores) if scores else 0.0
def comprehensive_audit(self) -> Dict[str, BiasTestResult]:
"""
全面偏见审计
Returns:
Dict: 各类偏见测试结果
"""
results = {}
# 性别偏见
results["gender_stereotype"] = self.stereotype_test("gender")
# SEAT 测试
results["gender_seat"] = self.seat_test(
target_words=["doctor", "nurse", "engineer", "teacher"],
attribute_words_a=["he", "him", "his", "man", "male"],
attribute_words_b=["she", "her", "hers", "woman", "female"]
)
# 反事实测试
results["name_counterfactual"] = self.counterfactual_test(
prompt_template="A person named {name} applied for a job. The hiring manager thought",
variations={"name": ["John", "Maria", "Wei", "Muhammad"]}
)
return results
4. 合规治理
4.1 治理框架
┌─────────────────────────────────────────────────────────────────┐
│ AI 治理框架 │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ 治理层次 │ │
│ │ │ │
│ │ 组织层面 │ │
│ │ ├─ AI 伦理委员会 │ │
│ │ ├─ 政策制定 │ │
│ │ └─ 风险评估流程 │ │
│ │ │ │
│ │ 项目层面 │ │
│ │ ├─ 影响评估 │ │
│ │ ├─ 数据治理 │ │
│ │ └─ 模型审计 │ │
│ │ │ │
│ │ 技术层面 │ │
│ │ ├─ 可解释性工具 │ │
│ │ ├─ 公平性检测 │ │
│ │ └─ 安全测试 │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ 合规要求 │ │
│ │ │ │
│ │ GDPR (欧盟) ├─ 数据最小化 │ │
│ │ ├─ 用户同意 │ │
│ │ └─ 解释权 │ │
│ │ │ │
│ │ AI Act (欧盟) ├─ 风险分级 │ │
│ │ ├─ 透明度要求 │ │
│ │ └─ 人工监督 │ │
│ │ │ │
│ │ 行业特定 ├─ 金融: SR 11-7 │ │
│ │ ├─ 医疗: FDA 指南 │ │
│ │ └─ 信贷: ECOA/FCRA │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
4.2 模型治理系统
"""
模型治理系统
"""
import json
import hashlib
from datetime import datetime
from typing import Dict, List, Any, Optional
from dataclasses import dataclass, asdict
from enum import Enum
import uuid
class RiskLevel(Enum):
"""风险级别"""
LOW = "low"
MEDIUM = "medium"
HIGH = "high"
CRITICAL = "critical"
class ApprovalStatus(Enum):
"""审批状态"""
PENDING = "pending"
APPROVED = "approved"
REJECTED = "rejected"
REQUIRES_CHANGES = "requires_changes"
@dataclass
class ModelCard:
"""模型卡片 - 模型文档标准"""
model_id: str
name: str
version: str
description: str
# 开发信息
developers: List[str]
created_date: str
last_modified: str
# 技术细节
architecture: str
training_data: Dict[str, Any]
evaluation_data: Dict[str, Any]
# 性能指标
performance_metrics: Dict[str, float]
# 限制与风险
intended_use: str
out_of_scope_use: str
limitations: List[str]
risks: List[str]
# 公平性信息
fairness_considerations: Dict[str, Any]
# 合规信息
license: str
regulatory_requirements: List[str]
def to_dict(self) -> Dict[str, Any]:
return asdict(self)
def to_markdown(self) -> str:
"""生成 Markdown 格式的模型卡片"""
md = f"""# Model Card: {self.name}
## Model Details
- **Model ID**: {self.model_id}
- **Version**: {self.version}
- **Developers**: {', '.join(self.developers)}
- **Created**: {self.created_date}
- **Architecture**: {self.architecture}
## Description
{self.description}
## Intended Use
{self.intended_use}
## Out-of-Scope Use
{self.out_of_scope_use}
## Performance Metrics
"""
for metric, value in self.performance_metrics.items():
md += f"- **{metric}**: {value}\n"
md += f"""
## Limitations
"""
for limitation in self.limitations:
md += f"- {limitation}\n"
md += f"""
## Risks
"""
for risk in self.risks:
md += f"- {risk}\n"
md += f"""
## Fairness Considerations
"""
for key, value in self.fairness_considerations.items():
md += f"- **{key}**: {value}\n"
return md
@dataclass
class RiskAssessment:
"""风险评估"""
assessment_id: str
model_id: str
assessor: str
assessment_date: str
# 风险类别
risk_level: RiskLevel
risk_categories: Dict[str, Dict[str, Any]]
# 缓解措施
mitigation_measures: List[Dict[str, str]]
# 残余风险
residual_risks: List[str]
# 建议
recommendations: List[str]
@dataclass
class AuditLog:
"""审计日志"""
log_id: str
timestamp: str
action: str
actor: str
model_id: str
details: Dict[str, Any]
class ModelGovernanceSystem:
"""模型治理系统"""
def __init__(self, storage_backend: str = "local"):
"""
初始化治理系统
Args:
storage_backend: 存储后端类型
"""
self.storage_backend = storage_backend
self.model_cards: Dict[str, ModelCard] = {}
self.risk_assessments: Dict[str, List[RiskAssessment]] = {}
self.audit_logs: List[AuditLog] = []
self.approvals: Dict[str, Dict[str, Any]] = {}
def register_model(self, model_card: ModelCard) -> str:
"""
注册模型
Args:
model_card: 模型卡片
Returns:
str: 模型 ID
"""
self.model_cards[model_card.model_id] = model_card
# 记录审计日志
self._log_action(
action="model_registered",
actor="system",
model_id=model_card.model_id,
details={"version": model_card.version}
)
return model_card.model_id
def assess_risk(self, model_id: str,
assessor: str,
assessment: Dict[str, Any]) -> RiskAssessment:
"""
进行风险评估
Args:
model_id: 模型 ID
assessor: 评估者
assessment: 评估内容
Returns:
RiskAssessment: 风险评估结果
"""
if model_id not in self.model_cards:
raise ValueError(f"模型 {model_id} 未注册")
# 计算风险级别
risk_level = self._calculate_risk_level(assessment)
risk_assessment = RiskAssessment(
assessment_id=str(uuid.uuid4()),
model_id=model_id,
assessor=assessor,
assessment_date=datetime.now().isoformat(),
risk_level=risk_level,
risk_categories=assessment.get("categories", {}),
mitigation_measures=assessment.get("mitigations", []),
residual_risks=assessment.get("residual_risks", []),
recommendations=assessment.get("recommendations", [])
)
if model_id not in self.risk_assessments:
self.risk_assessments[model_id] = []
self.risk_assessments[model_id].append(risk_assessment)
# 记录审计日志
self._log_action(
action="risk_assessed",
actor=assessor,
model_id=model_id,
details={"risk_level": risk_level.value}
)
return risk_assessment
def _calculate_risk_level(self, assessment: Dict[str, Any]) -> RiskLevel:
"""计算风险级别"""
categories = assessment.get("categories", {})
# 风险评分规则
risk_scores = {
"data_quality": categories.get("data_quality", {}).get("score", 0),
"fairness": categories.get("fairness", {}).get("score", 0),
"security": categories.get("security", {}).get("score", 0),
"privacy": categories.get("privacy", {}).get("score", 0),
"explainability": categories.get("explainability", {}).get("score", 0)
}
avg_score = sum(risk_scores.values()) / len(risk_scores)
max_score = max(risk_scores.values())
# 任一维度达到临界值则提升整体风险级别
if max_score >= 0.9:
return RiskLevel.CRITICAL
elif max_score >= 0.7 or avg_score >= 0.6:
return RiskLevel.HIGH
elif avg_score >= 0.4:
return RiskLevel.MEDIUM
else:
return RiskLevel.LOW
def submit_for_approval(self, model_id: str,
submitter: str,
deployment_env: str) -> str:
"""
提交审批
Args:
model_id: 模型 ID
submitter: 提交者
deployment_env: 部署环境
Returns:
str: 审批 ID
"""
if model_id not in self.model_cards:
raise ValueError(f"模型 {model_id} 未注册")
# 检查是否有风险评估
if model_id not in self.risk_assessments:
raise ValueError(f"模型 {model_id} 缺少风险评估")
approval_id = str(uuid.uuid4())
# 获取最新风险评估
latest_assessment = self.risk_assessments[model_id][-1]
# 根据风险级别确定审批流程
required_approvers = self._get_required_approvers(
latest_assessment.risk_level,
deployment_env
)
self.approvals[approval_id] = {
"model_id": model_id,
"submitter": submitter,
"deployment_env": deployment_env,
"risk_level": latest_assessment.risk_level,
"status": ApprovalStatus.PENDING,
"required_approvers": required_approvers,
"approvals_received": [],
"submitted_at": datetime.now().isoformat()
}
# 记录审计日志
self._log_action(
action="approval_submitted",
actor=submitter,
model_id=model_id,
details={
"approval_id": approval_id,
"deployment_env": deployment_env
}
)
return approval_id
def _get_required_approvers(self, risk_level: RiskLevel,
deployment_env: str) -> List[str]:
"""获取所需审批者"""
base_approvers = ["ml_lead"]
if risk_level in [RiskLevel.HIGH, RiskLevel.CRITICAL]:
base_approvers.append("ethics_committee")
if risk_level == RiskLevel.CRITICAL:
base_approvers.append("cto")
if deployment_env == "production":
base_approvers.append("ops_lead")
return base_approvers
def approve(self, approval_id: str,
approver: str,
decision: ApprovalStatus,
comments: str = "") -> Dict[str, Any]:
"""
审批
Args:
approval_id: 审批 ID
approver: 审批者
decision: 决定
comments: 备注
Returns:
Dict: 审批结果
"""
if approval_id not in self.approvals:
raise ValueError(f"审批 {approval_id} 不存在")
approval = self.approvals[approval_id]
if approver not in approval["required_approvers"]:
raise ValueError(f"{approver} 无权审批此请求")
# 记录审批
approval["approvals_received"].append({
"approver": approver,
"decision": decision,
"comments": comments,
"timestamp": datetime.now().isoformat()
})
# 检查是否完成所有审批
if decision == ApprovalStatus.REJECTED:
approval["status"] = ApprovalStatus.REJECTED
elif decision == ApprovalStatus.REQUIRES_CHANGES:
approval["status"] = ApprovalStatus.REQUIRES_CHANGES
else:
approved_by = {a["approver"] for a in approval["approvals_received"]
if a["decision"] == ApprovalStatus.APPROVED}
if set(approval["required_approvers"]).issubset(approved_by):
approval["status"] = ApprovalStatus.APPROVED
# 记录审计日志
self._log_action(
action="approval_decision",
actor=approver,
model_id=approval["model_id"],
details={
"approval_id": approval_id,
"decision": decision.value
}
)
return {
"approval_id": approval_id,
"status": approval["status"].value,
"message": self._get_approval_message(approval)
}
def _get_approval_message(self, approval: Dict) -> str:
"""获取审批消息"""
if approval["status"] == ApprovalStatus.APPROVED:
return "模型已获得所有必要审批,可以部署"
elif approval["status"] == ApprovalStatus.REJECTED:
return "模型审批被拒绝"
elif approval["status"] == ApprovalStatus.REQUIRES_CHANGES:
return "需要修改后重新提交"
else:
pending = set(approval["required_approvers"]) - {
a["approver"] for a in approval["approvals_received"]
}
return f"等待审批: {', '.join(pending)}"
def _log_action(self, action: str, actor: str,
model_id: str, details: Dict[str, Any]):
"""记录审计日志"""
log = AuditLog(
log_id=str(uuid.uuid4()),
timestamp=datetime.now().isoformat(),
action=action,
actor=actor,
model_id=model_id,
details=details
)
self.audit_logs.append(log)
def get_audit_trail(self, model_id: str) -> List[Dict[str, Any]]:
"""
获取审计轨迹
Args:
model_id: 模型 ID
Returns:
List: 审计日志列表
"""
return [
asdict(log) for log in self.audit_logs
if log.model_id == model_id
]
def generate_compliance_report(self, model_id: str) -> Dict[str, Any]:
"""
生成合规报告
Args:
model_id: 模型 ID
Returns:
Dict: 合规报告
"""
if model_id not in self.model_cards:
raise ValueError(f"模型 {model_id} 未注册")
model_card = self.model_cards[model_id]
risk_assessments = self.risk_assessments.get(model_id, [])
audit_trail = self.get_audit_trail(model_id)
# 获取相关审批
related_approvals = [
approval for approval in self.approvals.values()
if approval["model_id"] == model_id
]
return {
"report_id": str(uuid.uuid4()),
"generated_at": datetime.now().isoformat(),
"model_info": {
"id": model_id,
"name": model_card.name,
"version": model_card.version,
"developers": model_card.developers
},
"compliance_status": {
"model_card_complete": self._check_model_card_completeness(model_card),
"risk_assessed": len(risk_assessments) > 0,
"approved_for_production": any(
a["status"] == ApprovalStatus.APPROVED and
a["deployment_env"] == "production"
for a in related_approvals
)
},
"risk_summary": {
"latest_assessment": asdict(risk_assessments[-1]) if risk_assessments else None,
"risk_level": risk_assessments[-1].risk_level.value if risk_assessments else "not_assessed"
},
"fairness_metrics": model_card.fairness_considerations,
"limitations_acknowledged": model_card.limitations,
"audit_trail": audit_trail,
"regulatory_requirements": model_card.regulatory_requirements
}
def _check_model_card_completeness(self, model_card: ModelCard) -> Dict[str, bool]:
"""检查模型卡片完整性"""
return {
"basic_info": bool(model_card.name and model_card.version),
"developers": len(model_card.developers) > 0,
"technical_details": bool(model_card.architecture),
"performance_metrics": len(model_card.performance_metrics) > 0,
"intended_use": bool(model_card.intended_use),
"limitations": len(model_card.limitations) > 0,
"risks": len(model_card.risks) > 0,
"fairness": len(model_card.fairness_considerations) > 0
}
4.3 使用示例
"""
模型治理系统使用示例
"""
# 初始化治理系统
governance = ModelGovernanceSystem()
# 1. 创建模型卡片
model_card = ModelCard(
model_id="model-001",
name="Credit Scoring Model",
version="1.0.0",
description="基于机器学习的信用评分模型",
developers=["team-ml@company.com"],
created_date="2024-01-01",
last_modified="2024-01-15",
architecture="XGBoost Classifier",
training_data={
"source": "internal_credit_bureau",
"size": 1000000,
"time_period": "2020-2023"
},
evaluation_data={
"source": "holdout_test_set",
"size": 100000
},
performance_metrics={
"auc": 0.85,
"accuracy": 0.78,
"f1_score": 0.76
},
intended_use="用于评估个人贷款申请的信用风险",
out_of_scope_use="不适用于企业贷款或抵押贷款评估",
limitations=[
"模型可能对新入职场的年轻人评分偏低",
"对于信用历史较短的用户准确度较低"
],
risks=[
"可能存在年龄相关的偏见",
"经济环境变化可能影响模型准确性"
],
fairness_considerations={
"protected_attributes": ["gender", "race", "age"],
"statistical_parity_difference": 0.05,
"equal_opportunity_difference": 0.03
},
license="Proprietary",
regulatory_requirements=["ECOA", "FCRA", "GDPR"]
)
# 2. 注册模型
governance.register_model(model_card)
# 3. 进行风险评估
risk_assessment = governance.assess_risk(
model_id="model-001",
assessor="risk_analyst@company.com",
assessment={
"categories": {
"data_quality": {"score": 0.2, "issues": []},
"fairness": {"score": 0.3, "issues": ["轻微年龄偏见"]},
"security": {"score": 0.1, "issues": []},
"privacy": {"score": 0.2, "issues": []},
"explainability": {"score": 0.3, "issues": ["SHAP 解释已实现"]}
},
"mitigations": [
{"risk": "年龄偏见", "measure": "应用重加权方法"},
{"risk": "隐私风险", "measure": "实施差分隐私"}
],
"residual_risks": ["经济衰退时可能需要重新训练"],
"recommendations": ["每季度评估模型性能", "监控公平性指标"]
}
)
print(f"风险级别: {risk_assessment.risk_level.value}")
# 4. 提交审批
approval_id = governance.submit_for_approval(
model_id="model-001",
submitter="ml_engineer@company.com",
deployment_env="production"
)
# 5. 审批流程
result = governance.approve(
approval_id=approval_id,
approver="ml_lead",
decision=ApprovalStatus.APPROVED,
comments="技术审核通过"
)
result = governance.approve(
approval_id=approval_id,
approver="ops_lead",
decision=ApprovalStatus.APPROVED,
comments="运维审核通过"
)
# 6. 生成合规报告
report = governance.generate_compliance_report("model-001")
print(f"合规状态: {report['compliance_status']}")
# 7. 获取审计轨迹
audit_trail = governance.get_audit_trail("model-001")
for log in audit_trail:
print(f"{log['timestamp']}: {log['action']} by {log['actor']}")
5. 最佳实践
5.1 安全开发清单
# AI 安全开发清单
development_phase:
data_collection:
- [ ] 数据来源合法性验证
- [ ] 隐私数据识别与处理
- [ ] 数据质量评估
- [ ] 偏见数据识别
model_training:
- [ ] 训练数据版本控制
- [ ] 超参数记录
- [ ] 对抗训练实施
- [ ] 公平性约束集成
evaluation:
- [ ] 多维度性能评估
- [ ] 公平性指标计算
- [ ] 鲁棒性测试
- [ ] 可解释性验证
deployment_phase:
pre_deployment:
- [ ] 模型卡片完成
- [ ] 风险评估通过
- [ ] 审批流程完成
- [ ] 监控配置就绪
runtime:
- [ ] 输入验证
- [ ] 输出过滤
- [ ] 异常检测
- [ ] 性能监控
post_deployment:
- [ ] 定期审计
- [ ] 漂移检测
- [ ] 公平性监控
- [ ] 用户反馈收集
incident_response:
- [ ] 事件检测机制
- [ ] 快速回滚能力
- [ ] 根因分析流程
- [ ] 修复验证流程
5.2 监控指标
"""
AI 安全监控指标
"""
monitoring_metrics = {
"performance": {
"accuracy": "模型准确率",
"latency_p99": "99分位延迟",
"throughput": "吞吐量",
"error_rate": "错误率"
},
"fairness": {
"statistical_parity": "统计均等差异",
"equal_opportunity": "机会均等差异",
"disparate_impact": "差异影响比"
},
"security": {
"adversarial_detection_rate": "对抗样本检测率",
"input_anomaly_rate": "输入异常率",
"output_filter_trigger_rate": "输出过滤触发率"
},
"drift": {
"feature_drift": "特征分布漂移",
"prediction_drift": "预测分布漂移",
"concept_drift": "概念漂移指标"
},
"explainability": {
"explanation_coverage": "解释覆盖率",
"explanation_stability": "解释稳定性",
"user_satisfaction": "用户满意度"
}
}
总结
本章深入探讨了模型安全与治理的核心主题:
- 模型可解释性:SHAP、LIME、积分梯度等方法实现
- 对抗攻击与防御:FGSM、PGD、C&W 攻击及防御策略
- 偏见检测与公平性:公平性指标计算与偏见缓解
- 合规治理:模型卡片、风险评估、审批流程
关键要点:
- 可解释性是建立 AI 信任的基础
- 对抗鲁棒性是安全部署的前提
- 公平性评估应贯穿模型生命周期
- 完善的治理流程确保合规与可审计
下一章将探讨 AIOps 实践,包括智能运维、异常检测和自动化运维等主题。