Certified $\ell_2$ Attribution Robustness via Uniformly Smoothed Attributions

TL;DR

This paper introduces a certified defense method for model attribution robustness using uniform smoothing, guaranteeing attribution stability against small input perturbations across various models and datasets.

Contribution

It proposes a novel uniform smoothing technique for attribution robustness and provides theoretical certification bounds for perturbation sizes.

Findings

Effective protection of attributions from attacks across different architectures.

The certification guarantees hold within a defined perturbation region.

Method demonstrates robustness on three diverse datasets.

Abstract

Model attribution is a popular tool to explain the rationales behind model predictions. However, recent work suggests that the attributions are vulnerable to minute perturbations, which can be added to input samples to fool the attributions while maintaining the prediction outputs. Although empirical studies have shown positive performance via adversarial training, an effective certified defense method is eminently needed to understand the robustness of attributions. In this work, we propose to use uniform smoothing technique that augments the vanilla attributions by noises uniformly sampled from a certain space. It is proved that, for all perturbations within the attack region, the cosine similarity between uniformly smoothed attribution of perturbed sample and the unperturbed sample is guaranteed to be lower bounded. We also derive alternative formulations of the certification that is equivalent to the original one and provides the maximum size of perturbation or the minimum smoothing radius such that the attribution can not be perturbed. We evaluate the proposed method on three datasets and show that the proposed method can effectively protect the attributions from attacks, regardless of the architecture of networks, training schemes and the size of the datasets.