Interpreting Vulnerabilities of Multi-Instance Learning to Adversarial Perturbations

TL;DR

This paper investigates the vulnerability of Multi-Instance Learning (MIL) models to adversarial attacks by proposing two perturbation methods, demonstrating their effectiveness, and discussing strategies to mitigate such vulnerabilities.

Contribution

The paper introduces two novel adversarial perturbation algorithms tailored for MIL, one customizable per bag and one universal, to analyze and demonstrate MIL vulnerabilities.

Findings

Proposed algorithms effectively fool state-of-the-art MIL methods.

Universal perturbation affects all bags in a dataset.

Simple strategies can mitigate adversarial effects.

Abstract

Multi-Instance Learning (MIL) is a recent machine learning paradigm which is immensely useful in various real-life applications, like image analysis, video anomaly detection, text classification, etc. It is well known that most of the existing machine learning classifiers are highly vulnerable to adversarial perturbations. Since MIL is a weakly supervised learning, where information is available for a set of instances, called bag and not for every instances, adversarial perturbations can be fatal. In this paper, we have proposed two adversarial perturbation methods to analyze the effect of adversarial perturbations to interpret the vulnerability of MIL methods. Out of the two algorithms, one can be customized for every bag, and the other is a universal one, which can affect all bags in a given data set and thus has some generalizability. Through simulations, we have also shown the effectiveness of the proposed algorithms to fool the state-of-the-art (SOTA) MIL methods. Finally, we have discussed through experiments, about taking care of these kind of adversarial perturbations through a simple strategy. Source codes are available at https://github.com/InkiInki/MI-UAP.