A simple defense against adversarial attacks on heatmap explanations

Laura Rieger; Lars Kai Hansen

A simple defense against adversarial attacks on heatmap explanations

Laura Rieger^*, Lars Kai Hansen

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

5 Downloads (Pure)

Abstract

With machine learning models being used for more sensitive applications, we rely on interpretability methods to prove that no discriminating attributes were used for classification. A potential concern is the so-called "fair-washing" - manipulating a model such that the features used in reality are hidden and more innocuous features are shown to be important instead. In our work we present an effective defence against such adversarial attacks on neural networks. By a simple aggregation of multiple explanation methods, the network becomes robust against manipulation. This holds even when the attacker has exact knowledge of the model weights
and the explanation methods used.

Original language	English
Title of host publication	Proceedings of 2020 Workshop on Human Interpretability in Machine Learning
Number of pages	22
Publication date	2020
Publication status	Published - 2020
Event	5^th Annual Workshop on Human Interpretability in Machine Learning - Virtual event Duration: 17 Jul 2020 → 17 Jul 2020

Workshop

Workshop	5^th Annual Workshop on Human Interpretability in Machine Learning
Location	Virtual event
Period	17/07/2020 → 17/07/2020

Access to Document

FulltextAccepted author manuscript, 4.6 MB

Fingerprint Dive into the research topics of 'A simple defense against adversarial attacks on heatmap explanations'. Together they form a unique fingerprint.

Cite this

@inproceedings{d5d041ccac8749a5938e31e5fbb56728,

title = "A simple defense against adversarial attacks on heatmap explanations",

abstract = "With machine learning models being used for more sensitive applications, we rely on interpretability methods to prove that no discriminating attributes were used for classification. A potential concern is the so-called {"}fair-washing{"} - manipulating a model such that the features used in reality are hidden and more innocuous features are shown to be important instead. In our work we present an effective defence against such adversarial attacks on neural networks. By a simple aggregation of multiple explanation methods, the network becomes robust against manipulation. This holds even when the attacker has exact knowledge of the model weightsand the explanation methods used.",

author = "Laura Rieger and Hansen, {Lars Kai}",

year = "2020",

language = "English",

booktitle = "Proceedings of 2020 Workshop on Human Interpretability in Machine Learning",

note = "5<sup>th</sup> Annual Workshop on Human Interpretability in Machine Learning, WHI 2020 ; Conference date: 17-07-2020 Through 17-07-2020",

}

TY - GEN

T1 - A simple defense against adversarial attacks on heatmap explanations

AU - Rieger, Laura

AU - Hansen, Lars Kai

PY - 2020

Y1 - 2020

N2 - With machine learning models being used for more sensitive applications, we rely on interpretability methods to prove that no discriminating attributes were used for classification. A potential concern is the so-called "fair-washing" - manipulating a model such that the features used in reality are hidden and more innocuous features are shown to be important instead. In our work we present an effective defence against such adversarial attacks on neural networks. By a simple aggregation of multiple explanation methods, the network becomes robust against manipulation. This holds even when the attacker has exact knowledge of the model weightsand the explanation methods used.

AB - With machine learning models being used for more sensitive applications, we rely on interpretability methods to prove that no discriminating attributes were used for classification. A potential concern is the so-called "fair-washing" - manipulating a model such that the features used in reality are hidden and more innocuous features are shown to be important instead. In our work we present an effective defence against such adversarial attacks on neural networks. By a simple aggregation of multiple explanation methods, the network becomes robust against manipulation. This holds even when the attacker has exact knowledge of the model weightsand the explanation methods used.

M3 - Article in proceedings

BT - Proceedings of 2020 Workshop on Human Interpretability in Machine Learning

T2 - 5<sup>th</sup> Annual Workshop on Human Interpretability in Machine Learning

Y2 - 17 July 2020 through 17 July 2020

ER -