Adversarial Attacks on Machine Learning-Aided Visualizations

Takanori Fujiwara, Kostiantyn Kucher, Junpeng Wang, Rafael M. Martins, Andreas Kerren, Anders Ynnerman

TL;DR

This work investigates the potential vulnerabilities of ML-aided visualizations to adversarial attacks using a holistic lens of both visualization and ML perspectives, and underlines the importance of comprehensive studies of security issues and defense mechanisms as a call of urgency for the ML4VIS community.

Abstract

Research in ML4VIS investigates how to use machine learning (ML) techniques to generate visualizations, and the field is rapidly growing with high societal impact. However, as with any computational pipeline that employs ML processes, ML4VIS approaches are susceptible to a range of ML-specific adversarial attacks. These attacks can manipulate visualization generations, causing analysts to be tricked and their judgments to be impaired. Due to a lack of synthesis from both visualization and ML perspectives, this security aspect is largely overlooked by the current ML4VIS literature. To bridge this gap, we investigate the potential vulnerabilities of ML-aided visualizations from adversarial attacks using a holistic lens of both visualization and ML perspectives. We first identify the attack surface (i.e., attack entry points) that is unique in ML-aided visualizations. We then exemplify five different adversarial attacks. These examples highlight the range of possible attacks when considering the attack surface and multiple different adversary capabilities. Our results show that adversaries can induce various attacks, such as creating arbitrary and deceptive visualizations, by systematically identifying input attributes that are influential in ML inferences. Based on our observations of the attack surface characteristics and the attack examples, we underline the importance of comprehensive studies of security issues and defense mechanisms as a call of urgency for the ML4VIS community.

Paper Structure (20 sections, 10 figures, 2 tables)

This paper contains 20 sections, 10 figures, 2 tables.

Figures (10)

  • Figure 1: An ML4VIS pipeline introduced by Wang et al. [wang2022ml4vis]. This pipeline links seven visualization processes (gray blocks) that can benefit from ML. The processes are further categorized based on their main aim: processing data, producing visualization, or helping and understanding users.
  • Figure 2: Pipelines for (a) conventional UMAP and (b) parametric UMAP (PUMAP). Unlike UMAP, PUMAP uses a multilayer perceptron (MLP) to learn a parametric mapping from high-dimensional (HD) data to its low-dimensional (LD) representation. PUMAP requires the graph representation only for the training phase, as indicated by the dotted lines in (b).
  • Figure 3: Investigation of a one-attribute attack on the visualizations using PUMAP: (a) a scatterplot obtained by applying the default PUMAP to the Wine dataset [uci_mlr] and the adversarial input; (b) the value distribution of flavanoids for each cultivar and the adversarial input; and (c) the input coordinate migration in response to the perturbations to flavanoids.
  • Figure 4: The architecture of the substitute model. By referring to the attack target's low-dimensional (LD) representation, the substitute model learns a parametric mapping that can reconstruct a similar LD representation from the input high-dimensional (HD) data.
  • Figure 5: Comparison of adversarial inputs crafted with the substitute model. In (a1–c1), all attributes of the benign input, flavanoids & hue, and alcohol & proline are respectively manipulated to place the adversarial inputs near the coordinate (-2.5, -2.5). (a2–c2) show the PUMAP results corresponding to (a1–c1).
  • ...and 5 more figures