DiffGradCAM: A Class Activation Map Using the Full Model Decision to Solve Unaddressed Adversarial Attacks
Jacob Piland, Chris Sweet, Adam Czajka

TL;DR
This paper introduces DiffGradCAM and DiffGradCAM++, contrastive class activation mapping methods that are resistant to passive fooling attacks, enhancing the robustness of CNN explanations.
Contribution
The paper proposes novel contrastive CAM methods that are immune to passive fooling and introduces SHAM as a benchmark for CAM robustness under adversarial conditions.
Findings
DiffGradCAM matches GradCAM in non-adversarial settings.
DiffGradCAM is resistant to passive fooling attacks.
SHAM provides a new benchmark for CAM robustness.
Abstract
Class Activation Mapping (CAM) and its gradient-based variants (e.g., GradCAM) have become standard tools for explaining Convolutional Neural Network (CNN) predictions. However, these approaches typically focus on individual logits, while for neural networks using softmax, the class membership probability estimates depend only on the differences between logits, not on their absolute values. This disconnect leaves standard CAMs vulnerable to adversarial manipulation, such as passive fooling, where a model is trained to produce misleading CAMs without affecting decision performance. To address this vulnerability, we propose DiffGradCAM and its higher-order derivative version DiffGradCAM++, as novel, lightweight, contrastive approaches to class activation mapping that are not susceptible to passive fooling and match the output of standard methods such as GradCAM and GradCAM++ in the…
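The abstract's observation that softmax probabilities depend only on logit differences can be checked on a toy linear classification head. The following is an added example, not code from the paper: the weights, features, shared offset and the contrast score (target logit minus the mean of the other logits) are constructed assumptions and are not the paper's DiffGradCAM definition.

```python
import math

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    total = sum(e)
    return [v / total for v in e]

def logits(W, a):
    # Linear head: z_k = W[k] . a, where a holds pooled channel activations.
    return [sum(w * x for w, x in zip(row, a)) for row in W]

def single_logit_weights(W, c):
    # d z_c / d a: the per-channel weights a single-logit, GradCAM-style map relies on.
    return list(W[c])

def contrast_weights(W, c):
    # d/da of (z_c - mean of the other logits): an assumed logit-difference score.
    others = [row for k, row in enumerate(W) if k != c]
    return [W[c][j] - sum(r[j] for r in others) / len(others)
            for j in range(len(W[c]))]

def add_shared_offset(W, s):
    # Adds the same term s . a to every logit; differences between logits are untouched.
    return [[w + sj for w, sj in zip(row, s)] for row in W]

def max_abs_diff(u, v):
    return max(abs(x - y) for x, y in zip(u, v))

# Constructed sample values (3 classes, 3 channels).
W = [[1.0, -0.5, 0.2], [0.3, 0.8, -0.1], [-0.4, 0.1, 0.9]]
a = [0.7, 0.2, 1.5]
s = [0.0, 5.0, 0.0]          # shared offset concentrated on channel 1
W_shifted = add_shared_offset(W, s)

if __name__ == "__main__":
    target = 0
    print("probability change:",
          max_abs_diff(softmax(logits(W, a)), softmax(logits(W_shifted, a))))
    print("single-logit weight change:",
          max_abs_diff(single_logit_weights(W, target),
                       single_logit_weights(W_shifted, target)))
    print("contrast weight change:",
          max_abs_diff(contrast_weights(W, target),
                       contrast_weights(W_shifted, target)))
```

The class probabilities and the logit-difference weights stay the same under the shared offset, while the single-logit weights move by the full offset, which is the disconnect the abstract describes.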
