Where and How to Attack? A Causality-Inspired Recipe for Generating Counterfactual Adversarial Examples
Ruichu Cai, Yuxuan Zhu, Jie Qiao, Zefeng Liang, Furui Liu, Zhifeng Hao

TL;DR
This paper introduces a causality-inspired framework called CADE for generating realistic counterfactual adversarial examples by considering the causal data generation process, improving attack relevance and effectiveness.
Contribution
It presents a novel causality-based approach to identify where and how to attack neural networks with more realistic adversarial examples, addressing limitations of traditional methods.
Findings
CADE achieves competitive attack success across various scenarios.
The causality-based approach improves the realism of adversarial examples.
Theoretical analysis clarifies the vulnerability sources of DNNs.
Abstract
Deep neural networks (DNNs) have been demonstrated to be vulnerable to well-crafted adversarial examples, which are generated through either well-conceived -norm restricted or unrestricted attacks. Nevertheless, the majority of those approaches assume that adversaries can modify any features as they wish, and neglect the causal generating process of the data, which is unreasonable and unpractical. For instance, a modification in income would inevitably impact features like the debt-to-income ratio within a banking system. By considering the underappreciated causal generating process, first, we pinpoint the source of the vulnerability of DNNs via the lens of causality, then give theoretical results to answer where to attack. Second, considering the consequences of the attack interventions on the current state of the examples to generate more realistic…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Explainable Artificial Intelligence (XAI)
