Adversarial Attacks on Classifiers for Eye-based User Modelling

TL;DR

This paper reveals that current eye-based user classifiers are highly susceptible to small, artificial perturbations in gaze data, which can significantly alter their predictions, highlighting a critical vulnerability in such systems.

Contribution

The study demonstrates the vulnerability of state-of-the-art eye-based classifiers to adversarial attacks and explores defense strategies like adversarial training.

Findings

Adversarial examples can drastically change classifier predictions.

White-box attacks are more effective than black-box attacks.

Adversarial training improves classifier robustness.

Abstract

An ever-growing body of work has demonstrated the rich information content available in eye movements for user modelling, e.g. for predicting users' activities, cognitive processes, or even personality traits. We show that state-of-the-art classifiers for eye-based user modelling are highly vulnerable to adversarial examples: small artificial perturbations in gaze input that can dramatically change a classifier's predictions. We generate these adversarial examples using the Fast Gradient Sign Method (FGSM) that linearises the gradient to find suitable perturbations. On the sample task of eye-based document type recognition we study the success of different adversarial attack scenarios: with and without knowledge about classifier gradients (white-box vs. black-box) as well as with and without targeting the attack to a specific class, In addition, we demonstrate the feasibility of defending against adversarial attacks by adding adversarial examples to a classifier's training data.