Fooling Neural Network Interpretations via Adversarial Model Manipulation
Juyeon Heo, Sunghwan Joo, Taesup Moon

TL;DR
This paper demonstrates that state-of-the-art neural network interpretation methods can be easily fooled through adversarial model manipulation, raising concerns about their robustness and reliability.
Contribution
It introduces a novel adversarial fine-tuning approach that significantly alters explanations without affecting model accuracy, exposing vulnerabilities in interpretation methods.
Findings
Saliency map interpretability methods can be fooled with simple fine-tuning.
Fooling techniques transfer across different interpretation methods.
The proposed fooling methods are effective on multiple neural network architectures.
Abstract
We ask whether the neural network interpretation methods can be fooled via adversarial model manipulation, which is defined as a model fine-tuning step that aims to radically alter the explanations without hurting the accuracy of the original models, e.g., VGG19, ResNet50, and DenseNet121. By incorporating the interpretation results directly in the penalty term of the objective function for fine-tuning, we show that the state-of-the-art saliency map based interpreters, e.g., LRP, Grad-CAM, and SimpleGrad, can be easily fooled with our model manipulation. We propose two types of fooling, Passive and Active, and demonstrate such foolings generalize well to the entire validation set as well as transfer to other interpretation methods. Our results are validated by both visually showing the fooled explanations and reporting quantitative metrics that measure the deviations from the original…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Explainable Artificial Intelligence (XAI) · Anomaly Detection Techniques and Applications
