LG, May 10, 2024

Certified $\ell_2$ Attribution Robustness via Uniformly Smoothed Attributions

arXiv:2405.06361v1, 2 citations, h-index: 3
Originality: Incremental advance
AI Analysis

This provides a certified defense method for attribution robustness, addressing a specific security issue in explainable AI, but it is incremental as it builds on existing smoothing techniques.

The paper tackles the vulnerability of model attributions to adversarial perturbations by proposing a uniform smoothing technique that guarantees a lower bound on the cosine similarity between smoothed attributions of perturbed and unperturbed samples, with evaluations showing effective protection across datasets, network architectures, and training schemes.

Model attribution is a popular tool to explain the rationales behind model predictions. However, recent work suggests that the attributions are vulnerable to minute perturbations, which can be added to input samples to fool the attributions while maintaining the prediction outputs. Although empirical studies have shown positive performance via adversarial training, an effective certified defense method is eminently needed to understand the robustness of attributions. In this work, we propose to use a uniform smoothing technique that augments the vanilla attributions with noise uniformly sampled from a certain space. It is proved that, for all perturbations within the attack region, the cosine similarity between the uniformly smoothed attributions of the perturbed sample and the unperturbed sample is guaranteed to be lower bounded. We also derive alternative formulations of the certification that are equivalent to the original one and provide the maximum size of perturbation or the minimum smoothing radius such that the attribution cannot be perturbed. We evaluate the proposed method on three datasets and show that the proposed method can effectively protect the attributions from attacks, regardless of the architecture of networks, training schemes and the size of the datasets.
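The smoothing step the abstract describes, as an added example that is not the paper's code: it averages a gradient attribution over noise drawn uniformly from a ball and compares cosine similarity with and without smoothing. It measures the similarity empirically and does not compute the paper's certified bound. Assumptions: the noise space is an $\ell_2$ ball, the attribution is a plain input gradient, and the model, inputs and radius are constructed toy values.

```python
import math
import random

def grad(x):
    """Vanilla attribution: gradient of the toy model f(x) = relu(x[0]) + 0.1 * x[1]."""
    return [1.0 if x[0] > 0 else 0.0, 0.1]

def sample_l2_ball(dim, radius, rng):
    """Draw one point uniformly from the l2 ball of the given radius."""
    g = [rng.gauss(0.0, 1.0) for _ in range(dim)]      # random direction
    norm = math.sqrt(sum(v * v for v in g))
    scale = radius * rng.random() ** (1.0 / dim) / norm  # radius ~ r * U^(1/d)
    return [v * scale for v in g]

def smoothed_attribution(x, radius, n_samples=4000, seed=0):
    """Monte Carlo estimate of the mean of grad(x + delta), delta uniform in the ball."""
    rng = random.Random(seed)
    total = [0.0] * len(x)
    for _ in range(n_samples):
        delta = sample_l2_ball(len(x), radius, rng)
        g = grad([xi + di for xi, di in zip(x, delta)])
        total = [t + gi for t, gi in zip(total, g)]
    return [t / n_samples for t in total]

def cosine(a, b):
    dot = sum(p * q for p, q in zip(a, b))
    na = math.sqrt(sum(p * p for p in a))
    nb = math.sqrt(sum(q * q for q in b))
    return dot / (na * nb)

def compare(x, x_adv, radius):
    """Return (vanilla cosine, smoothed cosine) between attributions of x and x_adv."""
    vanilla = cosine(grad(x), grad(x_adv))
    smooth = cosine(smoothed_attribution(x, radius),
                    smoothed_attribution(x_adv, radius))
    return vanilla, smooth

if __name__ == "__main__":
    # Constructed inputs: a perturbation of l2 size 0.02 that crosses the ReLU kink.
    v, s = compare([0.01, 0.0], [-0.01, 0.0], radius=1.0)
    print(f"vanilla cosine:  {v:.4f}")
    print(f"smoothed cosine: {s:.4f}")
```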
