Fooling Explanations in Text Classifiers

TL;DR

This paper demonstrates that explanation methods for text classifiers are vulnerable to imperceptible perturbations, which can significantly alter explanations without changing the classifier's predictions, highlighting the fragility of current explanation techniques.

Contribution

Introduces TextExplanationFooler (TEF), a novel attack algorithm that exposes the fragility of explanation methods in text classifiers across multiple models and datasets.

Findings

TEF significantly reduces attribution correlation across models and explanation methods.

Perturbations transfer effectively to unseen models and explanation methods.

A semi-universal attack computes fast, light perturbations without model or explanation knowledge.

Abstract

State-of-the-art text classification models are becoming increasingly reliant on deep neural networks (DNNs). Due to their black-box nature, faithful and robust explanation methods need to accompany classifiers for deployment in real-life scenarios. However, it has been shown in vision applications that explanation methods are susceptible to local, imperceptible perturbations that can significantly alter the explanations without changing the predicted classes. We show here that the existence of such perturbations extends to text classifiers as well. Specifically, we introduceTextExplanationFooler (TEF), a novel explanation attack algorithm that alters text input samples imperceptibly so that the outcome of widely-used explanation methods changes considerably while leaving classifier predictions unchanged. We evaluate the performance of the attribution robustness estimation performance in TEF on five sequence classification datasets, utilizing three DNN architectures and three transformer architectures for each dataset. TEF can significantly decrease the correlation between unchanged and perturbed input attributions, which shows that all models and explanation methods are susceptible to TEF perturbations. Moreover, we evaluate how the perturbations transfer to other model architectures and attribution methods, and show that TEF perturbations are also effective in scenarios where the target model and explanation method are unknown. Finally, we introduce a semi-universal attack that is able to compute fast, computationally light perturbations with no knowledge of the attacked classifier nor explanation method. Overall, our work shows that explanations in text classifiers are very fragile and users need to carefully address their robustness before relying on them in critical applications.