Owing to the success of machine learning (ML) models, there has been an increasing interest in leveraging these models to aid decision makers (e.g., doctors, judges) in critical domains such as healthcare and criminal justice. The successful adoption of these models in domain-specific applications relies heavily on how well decision makers are able to understand and trust their functionality [4, 9]. Only if decision makers have a clear understanding of the model behavior, can they diagnose errors and potential biases in these models, and decide when and how much to rely on them. However, the proprietary nature and increasing complexity of machine learning models makes it challenging for domain experts to understand these complex black boxes, thus, motivating the need for tools that can explain them in a faithful and interpretable manner.
As a result, there has been a recent surge in post hoc techniques for explaining black box models in a human interpretable manner. One of the primary uses of such explanations is to help domain experts detect discriminatory biases in black box models [17, 7]. Most prominent of these techniques include local, model-agnostic methods that focus on explaining individual predictions of a given black box classifier, including LIME  and SHAP 
. These methods estimate the contribution of individual features towards a specific prediction by generating perturbations of a given instance in the data and observing the effect of these perturbations on the output of the black-box classifier. Due to their generality, these methods have been used to explain a number of classifiers, such as neural networks and complex ensemble models, and in various domains ranging from law, medicine, finance, and science[5, 6, 18]. However, there has been little analysis of the reliability and robustness of these explanation techniques, especially in the adversarial setting, making their utility for critical applications unclear.
In this work, we demonstrate significant vulnerabilities in post hoc explanation techniques which can be exploited by an adversary to generate classifiers whose post hoc explanations can be arbitrarily controlled. More specifically, we develop a novel framework that can effectively mask the discriminatory biases of any black box classifier. Our approach exploits the fact that post hoc explanation techniques such as LIME and SHAP are perturbation-based, to create a scaffolding around any given biased black box classifier in such a way that its predictions on input data distribution remain biased, but its behavior on the perturbed data points is controlled to make the post hoc explanations look completely innocuous. For instance, using our framework, we generate highly discriminatory classifiers (such as the ones that only use race to make their decisions) whose post hoc explanations (generated by LIME and SHAP) make them look completely innocuous, effectively hiding their discriminatory biases.
We evaluate the effectiveness of the proposed framework on multiple real world datasets - COMPAS , Communities and Crime , and German loan lending . For each dataset, we craft classifiers that heavily discriminate based on protected attributes such as race (demographic parity ratio = 0), and show that our framework can effectively hide their biases. In particular, our results show that the explanations of these classifiers generated using off-the-shelf implementations of LIME and SHAP do not flag any of the relevant sensitive attributes (e.g., race) as important features of the classifier, thus demonstrating that the adversarial classifiers successfully fooled these explanation methods. These results suggest that it is possible for malicious actors to craft adversarial classifiers that are highly discriminatory, but can effectively fool existing post hoc explanation techniques. This further establishes that existing post hoc explanation techniques are not sufficiently robust for ascertaining discriminatory behavior of classifiers in sensitive applications.
Building Adversarial Classifiers to Fool Explanation Techniques
In this section, we discuss our framework for constructing adversarial classifiers (scaffoldings) that can fool post hoc explanation techniques which rely on input perturbations. We first provide a detailed overview of popular post hoc explanation techniques, namely, LIME  and SHAP , and then present our framework for constructing adversarial classifiers.
Background: LIME and SHAP
While simpler classes of models (e.g., linear models, decision trees) are often readily understood by humans, the same is not true for complex models (e.g., ensemble methods, deep neural networks). Such complex models are essentially black boxes for all practical purposes. One way to understand them is to build simplerexplanation models that are interpretable approximations of these black boxes.
To this end, several techniques have been proposed in existing literature. LIME  and SHAP  are two popular model-agnostic, local explanation approaches designed to explain any given black box classifier. These methods explain individual predictions of any classifier in an interpretable and faithful manner, by learning an interpretable model (e.g., linear model) locally around each prediction. More specifically, LIME and SHAP estimate feature attributions for individual instances, which capture the effect/contribution of each feature on the black box prediction. Below, we provide some details of these approaches, while also highlighting how they relate to each other.
Let denote the input dataset of N data points i.e., where
is a vector that captures the feature values of data point, and is the corresponding class label. Let there be features in the dataset and let denote the set of class labels in i.e., . Let denote the black box classifier that takes a data point as input and returns a class label i.e., . The goal here is to explain in an interpretable and faithful manner. Note that neither LIME nor SHAP assume any knowledge about the internal workings of . Let denote an explanation model that we intend to learn to explain . where is the class of linear models.
Let the complexity of the explanation be denoted as (complexity of a linear model can be measured as the number of non-zero weights), and let denote the proximity measure between inputs and , to define the vicinity (neighborhood) around . With all this notation in place, the objective function for both LIME and SHAP is crafted to generate an explanation that: (1) approximates the behavior of the black box accurately within the vicinity of , and (2) achieves lower complexity and is thereby interpretable.
where the loss functionis defined as:
The set corresponds to a set of inputs constituting the neighborhood of .
The primary difference between LIME and SHAP lies in how and
are chosen. In LIME, these functions are defined heuristically:is the number of non-zero weights in the linear model and is defined using cosine or distance. On the other hand, (Kernel) SHAP grounds these definitions in game theoretic principles to guarantee that the explanations satisfy certain desired properties. More details about the intuition behind the definitions of these functions and their computation can be found in ribeiro16:kdd ribeiro16:kdd and lundberg17:a-unified lundberg17:a-unified.
Our Proposed Framework
In this section, we discuss our framework in detail. First, we discuss some preliminary details about our set up. Then, we discuss the intuition behind our approach. Lastly, we present the technical details of our approach along with a discussion of some of our design choices and implementation details.
Preliminaries Setting: Assume that there is an adversary with an incentive to deploy a biased classifier for making a critical decision (e.g., parole, bail, credit) in the real world. The adversary must provide black box access to customers and regulators , who may use post hoc explanation techniques to better understand and determine if is ready to be used in the real world. If customers and regulators detect that is biased, they are not likely to approve it for deployment. The goal of the adversary is to fool post hoc explanation techniques and hide the underlying biases of .
Input: The adversary provides the following inputs to our framework: 1) the biased classifier which he/she intends to deploy in the real world and, 2) an input dataset which is sampled from the real world input data distribution on which will be applied. Note that neither our framework nor the adversary has access to .
Output: The output of our framework will be a scaffolded classifier (referred to as adversarial classifier henceforth) which behaves exactly like when making predictions on instances sampled from , but will not reveal the underlying biases of when probed with leading post hoc explanation techniques such as LIME and SHAP.
Intuition As discussed in the previous section, LIME and SHAP (and several other post hoc explanation techniques) explain individual predictions of a given black box model by constructing local interpretable approximations (e.g., linear models). Each such local approximation is designed to capture the behavior of the black box within the neighborhood of a given data point. These neighborhoods constitute synthetic data points generated by perturbing features of individual instances in the input data. However, instances generated using such perturbations could potentially be off-manifold or out-of-distribution (OOD) .
To better understand the nature of the synthetic data points generated via perturbations, we carried out the following experiment. First, we perturb input instances using the approach employed by LIME (See previous section). We then run principal component analysis (PCA) on the combined dataset containing original instances as well as the perturbed instances, and reduce the dimensionality to 2. As we can see from Figure1, the synthetic data points generated from input perturbations are distributed significantly differently from the instances in the input data. This result indicates that detecting whether a data point is a result of a perturbation or not is not a challenging task, and thus approaches that rely heavily on these perturbations, such as LIME, can be gamed.
This intuition underlies our proposed approach. By being able to differentiate between data points coming from the input distribution and instances generated via perturbation, an adversary can create an adversarial classifier (scaffolding) that behaves like the original classifier (perhaps be extremely discriminatory) on the input data points, but behaves arbitrarily differently (looks unbiased and fair) on the perturbed instances, thus effectively fooling LIME or SHAP into generating innocuous explanations. Next, we formalize this intuition and explain our framework for building adversarial classifiers that can fool explanation techniques.
Building Adversarial Classifiers Let be the biased classifier described earlier. The adversary would like to design a framework such that if and when end users generate explanations of this black box, post hoc techniques can be fooled into thinking that the model is innocuous.
Recall that the real world data on which this classifier is likely to be applied follows a distribution , and is a set of data points sampled from this distribution that the adversary has access to. To fool the post hoc techniques, the adversary could design an adversarial classifier that exhibits biased behavior on instances sampled from , and remain unbiased on instances that do not come from . Since the feature importances output by LIME and SHAP rely heavily on perturbed instances (which may typically be OOD samples, e.g. Figure 1), the resulting explanations will make the classifier designed by the adversary look innocuous.
Assuming is the classifier that is unbiased (e.g., makes predictions based on innocuous features that are uncorrelated with protected attributes), the adversarial classifier takes the following form (See Algorithm 2 in Appendix):
In order to create such a classifier, we need to be able to decide whether a given data point comes from or not; we discuss how to build such a classifier next.
Detecting OOD Samples To build a classifier is_OOD that detects if a given data point is an out-of-distribution (OOD) sample () or not, we construct a new dataset from the instances in . Specifically, we perturb (more details in Experimental Evaluation) each instance in to generate a new instance . Let us denote the set of all the instances generated via perturbation as . The instances in are then assigned the class label False indicating that they are not OOD samples, while the instances in are assigned the class label True (indicating that they are OOD samples) unless they are very similar to the instances in . We then train an off-the-shelf classifier on the combined dataset and their corresponding class labels (assigned as discussed above). Please refer to Algorithm 1 in Appendix for full pseudocode of is_OOD.
In this section, we discuss the detailed experimental evaluation of our framework. First, we analyze the effectiveness of the adversarial classifiers generated by our framework. More specifically, we test how well these classifiers can mask their biases by fooling multiple post hoc explanation techniques. Next, we evaluate the robustness of our adversarial classifiers by measuring how their effectiveness varies with changes to different parameters (e.g., weighting kernel, background distribution). Lastly, we present examples of post hoc explanations (both LIME and SHAP) of individual instances in the data to demonstrate how the biases of the classifier are successfully hidden.
Datasets We experimented with multiple datasets pertaining to diverse yet critical real world applications such as recidivism risk prediction, violent crime prediction, and credit scoring. Below, we describe these datasets in detail (See Table 2 in Appendix for detailed statistics).
Our first dataset is the COMPAS dataset which was collected by ProPublica . This dataset captures detailed information about the criminal history, jail and prison time, demographic attributes, and COMPAS risk scores for 6172 defendants from Broward Couty, Florida. The sensitive attribute in this dataset is race – 51.4% of the defendants are African-American. Each defendant in the data is labeled either as high-risk or low-risk for recidivism.
Our second dataset is Communities and Crime (CC) that captures various socio-economic and law enforcement aspects, as well as crime across various communities in the US . This dataset contains information about 1994 communities (each community is a data point) in total. The sensitive attribute in this dataset is the percentage of Caucasian population. This percentage varies widely across communities and ranges from 2.68% to 99.63%. Each community (data point) is assigned a label depending on if the violent crime proportion in that community is above the median (violent crime rampant) or not.
The third dataset we use is the German credit dataset from the UCI repository . This dataset captures financial and demographic information (including account information, credit history, employment, gender) of about 1000 loan applicants. The sensitive attribute in this dataset is gender – 69% of the individuals are male. Each individual in the dataset is labeled either as a good customer or a bad one depending on their credit risk.
Experimental Setup Here, we discuss the implementation details of our framework. We randomly split all the datasets into training (90%) and test (10%) sets. We build our framework using the training set and evaluate it on the test set.
Biased Classifier : We construct to be a perfectly discriminatory classifier that uses a sensitive feature i.e., makes predictions purely based on race in the case of COMPAS and Communities and Crime datasets (if race = African American, then predict 1, otherwise set predict 0), and based on gender for the German Credit dataset.
Perturbations & OOD classifier: For LIME, we generate a perturbed instance for every data point in the data set by adding random noise sampled from to each feature value. For SHAP, we randomly choose a subset of features for each data point and mark their values as missing by replacing them with their corresponding values from background distribution111See lundberg17:a-unified lundberg17:a-unified for more details.
.We choose the background distribution for SHAP to be cluster centers from kmeans with 10 clusters. We use these newly generated perturbations as well as the input data points to train the OOD classifier to detect OOD samples (See Section on Our Proposed Framework). We use the standard sklearn implementation of a random forest with 100 tree estimators as our OOD classifier.
Unbiased Classifier : We build the unbiased classifier by constructing synthetic uncorrelated features which have zero correlation with sensitive attributes (e.g., race or gender). We experiment with one or two uncorrelated features. When we only have one uncorrelated feature in a particular experiment, solely uses that to make predictions (if uncorrelated feature = 1, then predict 1, else predict 0). On the other hand, when we have two uncorrelated features in an experiment, we base the predictions on the xor of those two features. Note that does not have to be restricted to always use synthetic uncorrelated features. It can also use any other existing feature in the data to make predictions. We experiment with synthetic uncorrelated features on COMPAS and CC dataset, and with Loan Rate % Income feature on the German credit dataset.
Generating Post hoc Explanations: We use the default LIME tabular implementation without discretization, and use the default Kernel SHAP implementation with background distribution set to kmeans with clusters.
Evaluating Effectiveness of Adversarial Classifiers
To evaluate how successful our attacks are on LIME and SHAP, we compute the percentage of data points for which race, uncorrelated features (in case of COMPAS and CC) or Loan Rate % Income (in case of German credit data) show up in top 3 when features are ranked based on feature attributions output by LIME and SHAP. Results are shown in Figures 2, 3, and 4
In case of LIME, when a single feature is used for the attack i.e., uses a single feature for making predictions, the adversarial classifier successfully shifts the feature importance in LIME from the true informative feature (the sensitive feature used by ) to the uncorrelated feature in 100% of held-out points for COMPAS (Figure 2 - top and middle) and CC (Figure 3 - top and middle), and to the Loan % Income feature in 91% for German (Figure 4 - middle). Furthermore, the sensitive feature appears at 2nd or 3rd rank position roughly only as often as other features. When both uncorrelated features are used to define (for COMPAS and CC), the 1st and 2nd rank positions for nearly all the data points are occupied by these features, with the sensitive feature entering into 3rd place at about the same rate as other features (Figures 2 & 3 - top right). These results demonstrate that the LIME explanation technique has been effectively fooled by the adversarial classifier for all three datasets.
For SHAP, when a single uncorrelated feature is used for the attack, the adversarial classifier successfully shifts the feature importance from the sensitive feature in 100% of data points in CC (Figure 3 - bottom and middle), 84% of data points in COMPAS (Figure 2 - bottom and middle), and 85% of data points in German. When two uncorrelated features are used in the attack (for COMPAS and CC), the adversarial classifier is less successful in removing the bias feature from 1st place in the ranking, succeeding in only 67% and 71% instances for COMPAS and CC respectively (Figures 2 & 3 - bottom right). This is due to SHAP’s local accuracy property that ensures that feature attributions must add up to the difference between a given prediction and the average prediction for the background distribution. This property will tend to distribute feature attributions across several features when it is not possible to identify a single most informative feature.
To ensure that the adversarial classifiers are faithfully approximating the original classifiers on instances from the original dataset, we evaluate the fidelity of w.r.t. by computing the percentage of held-out instances on which their predictions agree. In case of LIME, our adversarial classifiers perfectly reproduce the classifier on all datasets 100% of the time. On the other hand, in case of SHAP, our adversarial classifiers are slightly less effective: 75% for CC, 80% for German, and 91% for COMPAS. These results indicate that our approach has constructed adversarial classifiers that successfully fool LIME and SHAP, making them look like the unbiased classifiers, while behaving like the original biased classifiers on input data.
Assessing the Robustness of Adversarial Classifiers
Here, we investigate the impact of various parameters of our framework on the effectiveness of our attacks.
Perturbation Detection Our approach relies on the OOD classifier to detect whether a given instance is a result of perturbation or not. Here, we investigate how accurate does this classifier need to be for our attacks to be effective. We train a number of different OOD classifiers with varying accuracies on the COMPAS dataset. For each OOD classifier, we evaluate the effectiveness of the resulting attacks (measured as percentage of data points for which race is the most important feature in the post hoc explanations). The results are presented in figure 5. When the OOD classifiers are unable to adequately differentiate between perturbed instances and points from the input dataset, i.e. accuracy is 50%, both LIME and SHAP explanations detect race as the most important feature. However, once the OOD classifier is a bit more accurate, the adversarial attacks are successful, and both LIME and SHAP do not identify race as the most important feature. Between the two, LIME requires the OOD classifier to be slightly more accurate for the attack to be effective, but the difference is not substantial. These results indicate that our attacks can be applied as long as it is possible to differentiate between the perturbed instances and the input data points.
|Uncorrelated feature 1||0.0||0.42|
|Average of other features||0.0||0.0|
Robustness to LIME/SHAP Hyperparameters
Robustness to LIME/SHAP HyperparametersWe analyze the behavior of our framework when different parameters are varied at test time when generating LIME and SHAP explanations for COMPAS; we summarize the key results here, with detailed results in the Appendix. First, we observe that classifiers that are adversarial to LIME are ineffective against SHAP explanations, while adversarial classifiers designed for SHAP have varying effectiveness against LIME. On varying the LIME kernel width between to (default kernel width is , where is the number of features), the attacks remain equally effective. Additionally, changing the LIME kernel to use norm for distance instead of the default
norm also does not impact the effectiveness. For SHAP, we train our adversarial classifier assuming the default background distribution of K-means with 10 clusters; 5 and 15 clusters at test-time are also equally effective. Using a background distribution of all zeroes for SHAP makes our attacks even more pronounced.
Here, we present few example explanations from the COMPAS dataset. In case of LIME explanations in Table 6, we see that Race as a feature is completely hidden from the explanation after the attack, even though it was the sole important feature for the original classifier . Similarly, for SHAP explanations in Fig 7, the sole important feature (race) is considerably hidden in the explanation after the attack, although not completely nullified as in the LIME explanation.
Below, we provide a brief overview of related work.
Perturbation-based Explanation Methods: Perturbation-based methods are a popular tool for post hoc feature attribution. In addition to LIME  and SHAP , a number of other perturbation-based techniques have been proposed in literature. For instance, anchors  use (non-linear) rules to express more actionable local explanations. GAM  interprets local attributions as conjoined weighted rankings and uses k-medoids clustering to identify prototypical explanations.
Criticism of Post hoc Explanations: rudin2019stop rudin2019stop argues that post hoc explanations are not reliable, as these explanations are not necessarily faithful to the underlying models and present correlations rather than information about the original computation. ghorbani2019interpretation ghorbani2019interpretation show that some explanation techniques can be highly sensitive to small perturbations in the input even though the underlying classifier’s predictions remain unchanged. mittelstadt2019explaining mittelstadt2019explaining note that perturbation points created in LIME and SHAP are not at all intuitive, especially in case of structured data.
Adversarial Explanations: There has been some recent research on manipulating explanations in the context of image classification. dombrowski2019explanations dombrowski2019explanations show that by modifying inputs in a way that is imperceptible to humans, they can arbitrarily change saliency maps. heo2019fooling heo2019fooling also propose similar attacks on saliency maps.
Interpretability and Bias Detection: doshi2017towards doshi2017towards argue that interpretability can help us evaluate if a model is biased or discriminatory. On the other hand, lipton2016mythos lipton2016mythos posits that post hoc explanations can never definitively prove or disprove unfairness of any given classifier. selbst2018intuitive selbst2018intuitive and kroll2016accountable kroll2016accountable provide examples showing that even if a model is completely transparent, it is hard to detect and prevent bias due to the existence of correlated variables.
Conclusions and Future Work
We proposed a novel framework that can effectively hide discriminatory biases of any black box classifier. Our approach exploits the fact that post hoc explanation techniques such as LIME and SHAP are perturbation-based to create a scaffolding around the biased classifier such that its predictions on input data distribution remain biased, but its behavior on the perturbed data points is controlled to make the post hoc explanations look completely innocuous. Extensive experimentation with real world data from criminal justice and credit scoring domains demonstrates that our approach is effective at generating adversarial classifiers that can fool post hoc explanation techniques. We also found that LIME is more vulnerable to our adversarial attacks than SHAP. Our findings suggest that existing post hoc explanation techniques are not sufficiently robust for ascertaining discriminatory behavior of classifiers in sensitive applications.
This work paves way for several interesting future research directions in ML explainability. First, it would be interesting to systematically study if other classes of post hoc explanation techniques (e.g., gradient based approaches) are also vulnerable to adversarial attacks. Second, it would be interesting to develop new techniques for building adversarially robust explanations that can withstand attacks such as the ones outlined in this work.
This work is supported in part by the Allen Institute for Artificial Intelligence (AI2) and in part by NSF award #IIS-1756023. The views expressed are those of the authors and do not reflect the official policy or position of the funding agencies
-  (2016) Machine bias. ProPublica. Cited by: Experimental Results.
-  (2007) UCI machine learning repository, 2007. Cited by: Introduction.
-  (1999) Repository of machine learning. University of California at Irvine. Cited by: Experimental Results.
-  (2017) Towards a rigorous science of interpretable machine learning. arXiv preprint arXiv:1702.08608. Cited by: Introduction.
-  (2019) On the interpretability of machine learning-based model for predicting hypertension. BMC medical informatics and decision making 19 (1), pp. 146. Cited by: Introduction.
-  (2019) Global explanations of neural networks: mapping the landscape of predictions. arXiv preprint arXiv:1902.02384. Cited by: Introduction, Related Work.
-  (2017) Interpretability beyond feature attribution: quantitative testing with concept activation vectors (tcav). arXiv preprint arXiv:1711.11279. Cited by: Introduction.
-  (2016) How we analyzed the compas recidivism algorithm. ProPublica (5 2016) 9. Cited by: Introduction.
-  (2016) The mythos of model interpretability. arXiv preprint arXiv:1606.03490. Cited by: Introduction.
-  (2017) A unified approach to interpreting model predictions. In Neural Information Processing Systems (NIPS), I. Guyon, U. V. Luxburg, S. Bengio, H. Wallach, R. Fergus, S. Vishwanathan, and R. Garnett (Eds.), pp. 4765–4774. Cited by: Introduction, Background: LIME and SHAP, Building Adversarial Classifiers to Fool Explanation Techniques, Related Work.
-  (2019) Explaining explanations in ai. In Proceedings of the conference on fairness, accountability, and transparency, pp. 279–288. Cited by: Our Proposed Framework.
-  (2011) Communities and crime unnormalized data set. UCI Machine Learning Repository. In website: http://www. ics. uci. edu/mlearn/MLRepository. html. Cited by: Introduction.
-  (2002) A data-driven software tool for enabling cooperative information sharing among police departments. European Journal of Operational Research 141 (3), pp. 660–678. Cited by: Experimental Results.
-  (2016) Regulation (eu) 2016/679 of the european parliament and of the council of 27 april 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46. Official Journal of the European Union (OJ) 59 (1-88), pp. 294. Cited by: Our Proposed Framework.
-  (2016) ”Why should i trust you?”: explaining the predictions of any classifier. In Knowledge Discovery and Data Mining (KDD), Cited by: Introduction, Background: LIME and SHAP, Building Adversarial Classifiers to Fool Explanation Techniques, Related Work.
-  (2018) Anchors: high-precision model-agnostic explanations. In Thirty-Second AAAI Conference on Artificial Intelligence, Cited by: Related Work.
-  (2018) Distill-and-compare: auditing black-box models using transparent model distillation. In Proceedings of the 2018 AAAI/ACM Conference on AI, Ethics, and Society, pp. 303–310. Cited by: Introduction.
-  (2016) Mapping chemical performance on molecular structures using locally interpretable explanations. arXiv preprint arXiv:1611.07443. Cited by: Introduction.
Appendix A Details of the Algorithms
|Observed attributes of a data point|
|ground truth class label of a data point|
|Set of all the observed attributes of input data points i.e.,|
|Set of all the ground truth class labels of input data points i.e.,|
|Set of input data points|
|Set of class labels in i.e., ,|
|Distribution from which is sampled|
|Distribution from which is sampled|
|Black box model which maps a data point to a class label i.e.,|
|Interpretable model that serves as an explanation of the black box model generated by posthoc explanation techniques|
|Unbiased classification function|
|Set of perturbed data points generated from|
Appendix B Summary of Datasets
|Dataset||Size||Features||Positive Class||Sensitive Feature|
|COMPAS||6172||criminal history, jail and prison time, demographics, COMPAS risk score||High Risk (81.4%)||African-American (51.4%)|
|Communities and Crime||1994||race, age, education, marriage status, citizenship, police demographics||Violent Crime Rate (50%)||White Population (continuous)|
|German Credit||1000||account information, credit history, loan purpose, employment, demographics||Good Customer (70%)||Male (69%)|
Appendix C Detailed Results of Effectiveness Evaluation
|COMPAS LIME Adversarial Classifier|
|Baseline classifier||Attack 1 feature||Attack 2 features|
|Unrelated Feature 1||0||100||0||0||49||51||0|
|Unrelated Feature 2||0||0||9||10||50||49||0|
|COMPAS SHAP Adversarial Classifier|
|Baseline classifier||Attack 1 feature||Attack 2 features|
|Unrelated Feature 1||0||84||12||1||35||31||19|
|Unrelated Feature 2||0||0||0||13||32||31||18|
|Communities and Crime LIME Adversarial Classifier|
|Baseline classifier||Attack 1 feature||Attack 2 features|
|Race % White||100||0||1||1||0||0||2|
|Unrelated Feature 1||0||100||0||0||48||52||0|
|Unrelated Feature 2||0||0||3||3||52||48||0|
|Communities and Crime SHAP Adversarial Classifier|
|Baseline classifier||Attack 1 feature||Attack 2 features|
|Race % White||100||0||78||3||26||26||40|
|Unrelated Feature 1||0||100||0||0||36||25||7|
|Unrelated Feature 2||0||0||0||3||35||30||6|
|German Credit LIME Adversarial Classifier|
|Baseline classifier||With Attack|
|Loan Rate % Income||0||91||0||0|
|German Credit SHAP Adversarial Classifier|
|Baseline classifier||With Attack|
|Loan Rate % Income||0||85||0||0|