Causal Interpretability for Adversarial Robustness: A Hybrid Generative Classification Approach

Chunheng Zhao, Pierluigi Pisu, Gurcan Comert, Negash Begashaw, Varghese Vaidyan, Nina Christine Hubig

TL;DR

This work tackles the vulnerability of discriminative image classifiers to adversarial inputs by introducing a hybrid architecture that couples a pre-trained discriminative feature extractor with a top-level generative classifier implemented as a deep latent-variable model trained via variational Bayes. By modeling adversarial perturbations within a causal latent-variable framework and training on clean data, the approach achieves strong adversarial robustness without requiring adversarial training, demonstrated on CIFAR-10/100 and preliminarily on Tiny-ImageNet. The authors also show that interpretability, assessed via counterfactual and ROAR-based metrics, correlates with robustness, underscoring the value of a causal, generative perspective. The method scales to larger datasets and offers a practical path toward robust, interpretable image classification in real-world settings.

Abstract

Deep learning-based discriminative classifiers, despite their remarkable success, remain vulnerable to adversarial examples that can mislead model predictions. While adversarial training can enhance robustness, it fails to address the intrinsic vulnerability stemming from the opaque nature of these black-box models. We present a deep ensemble model that combines discriminative features with generative models to achieve both high accuracy and adversarial robustness. Our approach integrates a bottom-level pre-trained discriminative network for feature extraction with a top-level generative classification network that models adversarial input distributions through a deep latent variable model. Using variational Bayes, our model achieves superior robustness against white-box adversarial attacks without adversarial training. Extensive experiments on CIFAR-10 and CIFAR-100 demonstrate our model's superior adversarial robustness. Through evaluations using counterfactual metrics and feature interaction-based metrics, we establish correlations between model interpretability and adversarial robustness. Additionally, preliminary results on Tiny-ImageNet validate our approach's scalability to more complex datasets, offering a practical solution for developing robust image classification models.

Paper Structure

This paper contains 11 sections, 10 equations, 5 figures, 2 tables.

Figures (5)

  • Figure 1: Bottom-up discriminative generative architecture. The overall model consists of both a feature extractor and a generative classifier.
  • Figure 2: Causal graph. Solid lines represent the causal reasoning of input data.
  • Figure 3: VAE architecture. Each individual neural net in the encoder and decoder estimates independent probabilities for $q$ and $p$, respectively.
  • Figure 4: Classification accuracy, adversarial example proximity, and adversarial example speed for FGSM and PGD on CIFAR-10 dataset. Dashed lines represent discriminative classifiers while solid lines represent generative classifiers. $\epsilon$ controls the attack strength.
  • Figure 5: Classification accuracy, adversarial example proximity, and adversarial example speed for FGSM and PGD on CIFAR-100 dataset. Dashed lines represent discriminative classifiers while solid lines represent generative classifiers. $\epsilon$ controls the attack strength.