Adversarial Attacks on Classifiers for Eye-based User Modelling
This addresses security risks in eye-based user modelling systems, which are increasingly used for predicting user activities and traits, but it is incremental as it applies existing adversarial attack methods to a new domain.
The paper tackled the vulnerability of state-of-the-art classifiers for eye-based user modelling to adversarial attacks, showing that small perturbations in gaze input can dramatically change predictions, with specific scenarios like white-box vs. black-box attacks studied on document type recognition tasks.
An ever-growing body of work has demonstrated the rich information content available in eye movements for user modelling, e.g. for predicting users' activities, cognitive processes, or even personality traits. We show that state-of-the-art classifiers for eye-based user modelling are highly vulnerable to adversarial examples: small artificial perturbations in gaze input that can dramatically change a classifier's predictions. We generate these adversarial examples using the Fast Gradient Sign Method (FGSM) that linearises the gradient to find suitable perturbations. On the sample task of eye-based document type recognition we study the success of different adversarial attack scenarios: with and without knowledge about classifier gradients (white-box vs. black-box) as well as with and without targeting the attack to a specific class, In addition, we demonstrate the feasibility of defending against adversarial attacks by adding adversarial examples to a classifier's training data.