Fooling LIME and SHAP: Adversarial Attacks on Post hoc Explanation Methods

TL;DR

This paper reveals that popular explanation methods like LIME and SHAP can be easily fooled by adversarial techniques that hide biases, raising concerns about their reliability in critical domains.

Contribution

The authors introduce a novel scaffolding approach that can manipulate explanations of any classifier without altering its biased predictions, exposing vulnerabilities in explanation methods.

Findings

Adversarial scaffolding can hide biases from explanations

LIME and SHAP can be fooled into providing innocuous explanations

Biased classifiers can be made to appear unbiased in explanations

Abstract

As machine learning black boxes are increasingly being deployed in domains such as healthcare and criminal justice, there is growing emphasis on building tools and techniques for explaining these black boxes in an interpretable manner. Such explanations are being leveraged by domain experts to diagnose systematic errors and underlying biases of black boxes. In this paper, we demonstrate that post hoc explanations techniques that rely on input perturbations, such as LIME and SHAP, are not reliable. Specifically, we propose a novel scaffolding technique that effectively hides the biases of any given classifier by allowing an adversarial entity to craft an arbitrary desired explanation. Our approach can be used to scaffold any biased classifier in such a way that its predictions on the input data distribution still remain biased, but the post hoc explanations of the scaffolded classifier look innocuous. Using extensive evaluation with multiple real-world datasets (including COMPAS), we demonstrate how extremely biased (racist) classifiers crafted by our framework can easily fool popular explanation techniques such as LIME and SHAP into generating innocuous explanations which do not reflect the underlying biases.