Yan Scholten

Hey 👋 I am a PhD student in the Data Analytics and Machine Learning group at the Technical University of Munich (TUM) located in Munich 🇩🇪, supervised by Prof. Stephan Günnemann.
My research focuses on enhancing the reliability and safety of machine learning. My broader research interests include adversarial robustness, robustness certification, conformal prediction, uncertainty quantification, machine unlearning, alignment, large language models (LLMs), and machine learning for graphs.
I further enjoy traveling, language learning, swimming and dancing. Feel free to reach out! 😊

Selected Publications (full list)

1. A Probabilistic Perspective on Unlearning and Alignment for Large Language Models
   

   Yan Scholten, Stephan Günnemann, and Leo Schwinn
   arXiv preprint, 2024.

   Abs Web PDF Code BibTeX

   Comprehensive evaluation of Large Language Models (LLMs) is an open research problem. Existing evaluations rely on deterministic point estimates generated via greedy decoding. However, we find that deterministic evaluations fail to capture the whole output distribution of a model, yielding inaccurate estimations of model capabilities. This is particularly problematic in critical contexts such as unlearning and alignment, where precise model evaluations are crucial. To remedy this, we introduce the first formal probabilistic evaluation framework in LLMs. Namely, we derive novel metrics with high-probability guarantees concerning the output distribution of a model. Our metrics are application-independent and allow practitioners to make more reliable estimates about model capabilities before deployment. Through a case study focused on unlearning, we reveal that deterministic evaluations falsely indicate successful unlearning, whereas our probabilistic evaluations demonstrate that most if not all of the supposedly unlearned information remains accessible in these models. Additionally, we propose a novel unlearning loss based on entropy optimization and adaptive temperature scaling, which significantly improves unlearning in probabilistic settings on recent benchmarks. Our proposed shift from point estimates to probabilistic evaluations of output distributions represents an important step toward comprehensive evaluations of LLMs.
2. Provably Reliable Conformal Prediction Sets in the Presence of Data Poisoning
   

   Yan Scholten, and Stephan Günnemann
   arXiv preprint, 2024.

   Abs Web PDF BibTeX

   Conformal prediction provides model-agnostic and distribution-free uncertainty quantification through prediction sets that are guaranteed to include the ground truth with any user-specified probability. Yet, conformal prediction is not reliable under poisoning attacks where adversaries manipulate both training and calibration data, which can significantly alter prediction sets in practice. As a solution, we propose reliable prediction sets (RPS): the first efficient method for constructing conformal prediction sets with provable reliability guarantees under poisoning. To ensure reliability under training poisoning, we introduce smoothed score functions that reliably aggregate predictions of classifiers trained on distinct partitions of the training data. To ensure reliability under calibration poisoning, we construct multiple prediction sets, each calibrated on distinct subsets of the calibration data. We then aggregate them into a majority prediction set, which includes a class only if it appears in a majority of the individual sets. Both proposed aggregations mitigate the influence of datapoints in the training and calibration data on the final prediction set. We experimentally validate our approach on image classification tasks, achieving strong reliability while maintaining utility and preserving coverage on clean data. Overall, our approach represents an important step towards more trustworthy uncertainty quantification in the presence of data poisoning.
3. Hierarchical Randomized Smoothing
   

   Yan Scholten, Jan Schuchardt, Aleksandar Bojchevski, and Stephan Günnemann
   Conference on Neural Information Processing Systems, NeurIPS 2023.

   Abs Web PDF Talk Slides Poster Code BibTeX

   Real-world data is complex and often consists of objects that can be decomposed into multiple entities (e.g. images into pixels, graphs into interconnected nodes). Randomized smoothing is a powerful framework for making models provably robust against small changes to their inputs – by guaranteeing robustness of the majority vote when randomly adding noise before classification. Yet, certifying robustness on such complex data via randomized smoothing is challenging when adversaries do not arbitrarily perturb entire objects (e.g. images) but only a subset of their entities (e.g. pixels). As a solution, we introduce hierarchical randomized smoothing: We partially smooth objects by adding random noise only on a randomly selected subset of their entities. By adding noise in a more targeted manner than existing methods we obtain stronger robustness guarantees while maintaining high accuracy. We initialize hierarchical smoothing using different noising distributions, yielding novel robustness certificates for discrete and continuous domains. We experimentally demonstrate the importance of hierarchical smoothing in image and node classification, where it yields superior robustness-accuracy trade-offs. Overall, hierarchical smoothing is an important contribution towards models that are both – certifiably robust to perturbations and accurate.
4. Randomized Message-Interception Smoothing: Gray-box Certificates for Graph Neural Networks
   

   Yan Scholten, Jan Schuchardt, Simon Geisler, Aleksandar Bojchevski, and Stephan Günnemann
   Conference on Neural Information Processing Systems, NeurIPS 2022.

   Abs Web PDF Talk Slides Poster Code BibTeX

   Randomized smoothing is one of the most promising frameworks for certifying the adversarial robustness of machine learning models, including Graph Neural Networks (GNNs). Yet, existing randomized smoothing certificates for GNNs are overly pessimistic since they treat the model as a black box, ignoring the underlying architecture. To remedy this, we propose novel gray-box certificates that exploit the message-passing principle of GNNs: We randomly intercept messages and carefully analyze the probability that messages from adversarially controlled nodes reach their target nodes. Compared to existing certificates, we certify robustness to much stronger adversaries that control entire nodes in the graph and can arbitrarily manipulate node features. Our certificates provide stronger guarantees for attacks at larger distances, as messages from farther-away nodes are more likely to get intercepted. We demonstrate the effectiveness of our method on various models and datasets. Since our gray-box certificates consider the underlying graph structure, we can significantly improve certifiable robustness by applying graph sparsification.

Education

• 2022-now: PhD student in Computer Science, Technical University of Munich
• 2019-2022: M.Sc. Informatics, Technical University of Munich (with high distinction)
• 2015-2019: B.Sc. Computer Science (Math Minor), Paderborn University (with distinction)

Academic Honors and Awards

• 2023: Admission to the Konrad Zuse School of Excellence in Reliable AI
• 2019: Deutschlandstipendium awarded by the Technical University of Munich
• 2018: RISE worldwide scholarship awarded by DAAD
• 2018: Deutschlandstipendium awarded by Studienfonds OWL
• 2017: Admission to elite program of the EIM-faculty at Paderborn University