Accuracy is Not Enough: Poisoning Interpretability in Federated Learning via Color Skew

TL;DR

This paper uncovers a novel attack in federated learning where small color perturbations can mislead interpretability tools without affecting model accuracy, exposing a new security vulnerability.

Contribution

It introduces the Chromatic Perturbation Module, a systematic method for poisoning explanations in federated learning through subtle color changes.

Findings

Saliency maps can be significantly distorted without accuracy loss.

Standard defenses are ineffective against color-based explanation attacks.

The attack reduces explanation fidelity by up to 35%.

Abstract

As machine learning models are increasingly deployed in safety-critical domains, visual explanation techniques have become essential tools for supporting transparency. In this work, we reveal a new class of attacks that compromise model interpretability without affecting accuracy. Specifically, we show that small color perturbations applied by adversarial clients in a federated learning setting can shift a model's saliency maps away from semantically meaningful regions while keeping the prediction unchanged. The proposed saliency-aware attack framework, called Chromatic Perturbation Module, systematically crafts adversarial examples by altering the color contrast between foreground and background in a way that disrupts explanation fidelity. These perturbations accumulate across training rounds, poisoning the global model's internal feature attributions in a stealthy and persistent manner. Our findings challenge a common assumption in model auditing that correct predictions imply faithful explanations and demonstrate that interpretability itself can be an attack surface. We evaluate this vulnerability across multiple datasets and show that standard training pipelines are insufficient to detect or mitigate explanation degradation, especially in the federated learning setting, where subtle color perturbations are harder to discern. Our attack reduces peak activation overlap in Grad-CAM explanations by up to 35% while preserving classification accuracy above 96% on all evaluated datasets.