Yet Meta Learning Can Adapt Fast, It Can Also Break Easily

TL;DR

Meta learning, while enabling rapid adaptation in few-shot tasks, is vulnerable to adversarial attacks that can compromise its reliability and robustness, raising concerns for safety-critical applications.

Contribution

This paper formally defines adversarial attacks specific to meta learning and introduces the first attacking algorithm demonstrating meta learning's vulnerability.

Findings

Proposed attack strategy effectively breaks meta learners.

Meta learning algorithms are susceptible to adversarial manipulation.

Experimental results confirm vulnerability across various settings.

Abstract

Meta learning algorithms have been widely applied in many tasks for efficient learning, such as few-shot image classification and fast reinforcement learning. During meta training, the meta learner develops a common learning strategy, or experience, from a variety of learning tasks. Therefore, during meta test, the meta learner can use the learned strategy to quickly adapt to new tasks even with a few training samples. However, there is still a dark side about meta learning in terms of reliability and robustness. In particular, is meta learning vulnerable to adversarial attacks? In other words, would a well-trained meta learner utilize its learned experience to build wrong or likely useless knowledge, if an adversary unnoticeably manipulates the given training set? Without the understanding of this problem, it is extremely risky to apply meta learning in safety-critical applications. Thus, in this paper, we perform the initial study about adversarial attacks on meta learning under the few-shot classification problem. In particular, we formally define key elements of adversarial attacks unique to meta learning and propose the first attacking algorithm against meta learning under various settings. We evaluate the effectiveness of the proposed attacking strategy as well as the robustness of several representative meta learning algorithms. Experimental results demonstrate that the proposed attacking strategy can easily break the meta learner and meta learning is vulnerable to adversarial attacks. The implementation of the proposed framework will be released upon the acceptance of this paper.