When Causal Intervention Meets Adversarial Examples and Image Masking for Deep Neural Networks

02/09/2019
by   Chao-Han Huck Yang, et al.
0

Discovering and exploiting the causality in deep neural networks (DNNs) are crucial challenges for understanding and reasoning causal effects (CE) on an explainable visual model. "Intervention" has been widely used for recognizing a causal relation ontologically. In this paper, we propose a causal inference framework for visual reasoning via do-calculus. To study the intervention effects on pixel-level features for causal reasoning, we introduce pixel-wise masking and adversarial perturbation. In our framework, CE is calculated using features in a latent space and perturbed prediction from a DNN-based model. We further provide the first look into the characteristics of discovered CE of adversarially perturbed images generated by gradient-based methods [  https://github.com/jjaacckkyy63/Causal-Intervention-AE-wAdvImg]. Experimental results show that CE is a competitive and robust index for understanding DNNs when compared with conventional methods such as class-activation mappings (CAMs) on the Chest X-Ray-14 dataset for human-interpretable feature(s) (e.g., symptom) reasoning. Moreover, CE holds promises for detecting adversarial examples as it possesses distinct characteristics in the presence of adversarial perturbations.

READ FULL TEXT VIEW PDF

Authors

page 4

02/09/2019

When Causal Intervention Meets Image Masking and Adversarial Perturbation for Deep Neural Networks

Discovering and exploiting the causality in deep neural networks (DNNs) ...
10/14/2020

GreedyFool: An Imperceptible Black-box Adversarial Example Attack against Neural Networks

Deep neural networks (DNNs) are inherently vulnerable to well-designed i...
03/16/2018

Semantic Adversarial Examples

Deep neural networks are known to be vulnerable to adversarial examples,...
07/14/2020

Patch-wise Attack for Fooling Deep Neural Network

By adding human-imperceptible noise to clean images, the resultant adver...
06/17/2021

Adversarial Visual Robustness by Causal Intervention

Adversarial training is the de facto most promising defense against adve...
05/24/2022

Certified Robustness Against Natural Language Attacks by Causal Intervention

Deep learning models have achieved great success in many fields, yet the...
10/08/2021

Causal ImageNet: How to discover spurious features in Deep Learning?

A key reason for the lack of reliability of deep neural networks in the ...

Code Repositories

Causal-Intervention-AE-wAdvImg

None


view repo
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

In recent years, deep neural networks (DNNs) based models have demonstrated a significant improvement in state-of-the-art results for several vision tasks [1, 2]

. Despite their effectiveness, DNNs are notoriously cryptic for their complexity, opacity, and lacking apparent relationship between neural architecture and the function being evaluated by the network. These challenges are amplified especially when DNN models show superior performance over conventional methods (e.g., decision-trees) on human-interpretable feature learning tasks, such as clinical (i.e., cancer recognition

[3]), emotional (i.e., violence detection [4]), and social (i.e., behavior reasoning [5]

) patterns recognition, where even experts did not fully reach a proper consensus. Therefore, interpretability

[6] and explainable reasoning features of DNNs remain challenging. From regulatory aspects (e.g., GDPR [7]

), human-interpretable feature selection is crucial for administrative decision-making, as current DNNs highly depend on supervised labels generated by human knowledge but barely explain the learned relationship between its labeled input-feature(s) and predicted output(s). The importance of reasoning is also motivated by demystifying the vulnerable properties of DNNs against adversarial examples

[8, 9, 10].

This paper studies the problems of causal interpretability on DNNs for vision tasks. We propose a new visual reasoning method inspired by causal inference embedded DNNs and verify its sensitivity on input masking and adversarial perturbations. We summarize some input intervention-based explanation methods for DNNs as follows.

Figure 1: Visual intervention in three classical causal conditions [11]: (I) for single class counterfactual reasoning; (II) for multi-classes counterfactual reasoning, and (III) for conditional multitasking counterfactual reasoning of a visual perceptual-model.

Saliency map based method. Many works employ saliency map for visual explanations. Class activation mappings [12] (CAMs) have provided visual explanations via tracing gradient-based localization. Gradient information from a penultimate convolutional layer was used in GradCAM [13] to identify discriminating patterns in input images. However, CAM-based methods have some limitations on causal reaonsing. They could only conclude that a DNN model would feature with certain localized patterns. Denoting a trained DNNs model as and input data as , CAM-based mothods can be viewed as a reverse causation (e.g., ). Saliency maps [12, 13]

only establish a correlation for interpretability while it is possible to trace a particular image region that is responsible for it to be correctly classified; it cannot elucidate what would happen if a certain portion of the image was masked out. See

[11] for a What If question, when a classifier is used in the wild. In addition to this causal reasoning weakness, recent study also shows CAMs barely preserve robustness from a gradient adversarial attacks as a secure reasoning index [14].
Adversarial robustness. Although there has recently been a great deal of research in adversarial defenses, many of these methods are later shown to be broken [15]. The most common, “brute force” solution is adversarial training, where we simply include a mixture of normal and adversarially-generated examples in the training set [16]. One obvious limitation of previous work is the robustness generalizability for adversarial examples beyond the pre-defined norm or distributional constraints.
Causal reasoning. Building causal interpretations toward evaluating a robust and interpretable DNNs are still largely unexplored. Causality as a means of explanation has deep roots for factor selection and has received many attentions. The rest of this paper is presented as follows. First, we describe a general framework to build a causal inference to reason over a targeted DNN model via intervention. Second, we discover adversarial robustness between causal factor. Lastly, we propose an adversary-sensitive feature-map to visualize the causal effects of interpreterable features (e.g., symptoms) toward large-scale medical datasets by using DenseNet [2]. Our contributions include:

  • The design of a causal inference framework for calculating CE on single task, multi-labels, and multitasking vision tasks. An autoencoder network has been introduced for intervening interpretable feature(s).

  • The investigation of CE toward highlighting counterfactual intervention by pixel-wise masking and adversarial settings.

  • A case study for learning the causal effects from a large-scale medical dataset (Chest X-Ray-14) for reasoning related chest symptoms by Causal Effect Map (CEM).

2 Related Works

Causal models have been advocated as a proper method [17] for parameter reasoning in a complex system. Modeling bias and fairness as a counterfactual [17] is a new way to quantify the bias of models. Ideas from causal inference have also been used in providing comprehensive explanations of deep learning models. In [18], a method is developed to build a causal model over human-centric image-based abstractions of the model, which helps provide the ability to allow users to propose comprehensive queries. With an interpretable concept, the method could learn a causal model relating to network activations and features for classifications. Moreover, as DNNs can be viewed as a graphical model for inference, recent work in [19]

proposed using Structural Causal Models (SCM) to reason over a deep-learning model. The technique includes building the direct acyclic graph (DAG) structure from the DNN, applying a suitable transformation and estimating the causal effect using causal inference.

3 Visual Causal Intervention

3.1 Causal Theory

We adopt the widely-accepted Causal Effect (CE) from Pearl’s do-calculus222We use do-operator as conditional intervention following by the original definition in Pearl 2009 [11]. for , where are the parents of variable in a graph,

. Selecting two disjoint sets of random variables,

and , the causal effect of on is denoted as , which is a function from

to the space of probability distributions on

. As an illustration, here we introduce a graph including random variables in Figure 1 for constructing elemental causal networks for this study.
Computing the Effect of Intervention An atomic intervention do() has been used in the previous study [18] as a

for feature selection in a latent space of a targeted DNN system for causal reasoning. Given a joint distribution P(

), over a set of DNN with outputs , inputs , and intermediate variables , from the definition in [20], measuring CE of an intervention on on with all of the evidence could be computed as:

(1)

The excepted casual effect from Eqn. 6 in [18] has been defined as:

(2)

Then, we adapt the method in (2) on DNN model with (I) single task, (II) multiple tasks, and (III) multiple labels from Figure.1 for computing expected-CE analysis, where is a counterfactual setting.
Interventions as Variables Different from previous approaches to directly measuring the intervened result for calculating CE, alternatively, an intervention could be encoded by adding to a link , where is a new variable taking values in . Here, the notion of means “no intervention” following Pearl’s Eqn. 3.8 [11]. In this paper, we adapt this concept by introducing masking and adversarial intervention as variables for discovering CE within the DNN in a zero-out evident state, . This conditional probability could be calculated by:

(3)

The advantages of this augmented causal graph in (3) are its capability for showing the ramification of spontaneous change in from instead of merely replacing by a constant.

Figure 2: Framework and deep network topology. We use pixel-wise masking as and adversarial examples as intervention variables in the (zero-out) counterfactual setting.

3.2 Concept extraction by Autoencoder

Autoencoder networks Our autoencoder consists of five convolutional layers. The encoder and decoder each have two symmetrical layers, and they aim to capture the textural features corresponding to human visual perception. However, our decoder reconstructs slightly altered network activations while ensuring significant downstream network activations are unaffected. We mainly designed a low-dimensional layer in the middle to integrate scattered features into concepts. This is inspired by how our brain pays attention, processes information and interpretsthe perceived inputs.
Build up a Causal Baseline

To attain better causality measurement, we trained our model with a designed loss function composed of three parts from the existing studies

[18] as casual baseline: interpretability loss, shallow reconstruction loss, and deep reconstruction loss. Shallow reconstruction loss is simply the norm of the difference between the input and output of autoencoder to represent the activations of the network. Also, we applied the deep reconstruction loss in the form of the KL-divergence between the output probability distribution of original and autoencoder-inserted network. Our total loss function for the causality model is (from Harradon et al. 2018 Eqn. 7 in [18]):
(3)
Our method is based on the proposed loss in the previous work [18] to reproduce the measurement of causality.

3.3 Intervention Methods

In the zero-out () setting, we discuss two types of perturbation as independent intervention variables for computing expected-CE: (1) pixel-wise masking (PWM) and (2) adversarial noise. The purpose of pixel-wise perturbation, , is to recognize the causal relationship between a local pixel and the final output result of a DNN. We apply the following adversarial noises on images as another intervention .
Fast Gradient Sign Method (FGSM) Fast Gradient Sign Method (FGSM) [21] is a gradient-based adversarial noise to generate adversarial examples by one step gradient update along the direction of the sign of gradient at each pixel.
Jacobian-Based Saliency Map (JBSM) Attack Papernot et al. [22] designed an efficient saliency adversarial map, called Jacobian-based Saliency Map Attack by saturating a few pixels in a given image to their maximum or minimum values.
BIM and PGD Attacks Kurakin et al. [16] applied extended Fast Gradient Sign method by running a finer optimization (smaller change) for multiple iterations Basic Iterative Method (BIM) attack. Projected gradient descent (PGD) attack has been introduced by subjecting to a constraint [16].

4 Experiments

We use three benchmark image datasets which have been proved robust to reassure that the causal effect would not be compromised by the defect of data. The datasets are fashion-MNIST, ImageNet and NIH-ChestX-Ray-14. We investigate

for single feature causal intervention. For adversarial setting in our experiments, we use maximum perturabtion strength = and iterative steps = 10.
Numerical Validation on Bird Dataset In previous work, the VGG19 [23] model applied to bird200 [24] had significant causal effect with intervention at layer 18 feature 2. In our work, we also use VGG19 to reproduce the procedure and test the causality by intervening the same position. The expect causal effect is , which suffices to validate our method and proved the potential of better interpretability.

4.1 Quantitative Study on NIH-ChestX-Ray-14

NIH-ChestX-Ray-14 [25] is the largest available chest Xray dataset. Despite of anatomical obstacles, CheXNet model could attain competitive classification performance with radiologists [26]. Different from various classes in ImageNet, the interpretable patterns in ChestX-ray14 are clinical symptoms, which could only be recognized by radiologists and hardly identified by CAM against adversarial setting in Figure 3.
CheXNet We implemented CheXNet [26]

as a 121-layer convolutional neural network trained on ChestX-ray14 dataset contains frontal-view chest X-ray images and labeled with up to 14 different thoracic diseases. We modified the DenseNet121 model by replacing the final fully connected layer and apply a sigmoid layer. We use Adam with 0.001 learning rate,

as 0.9, as 0.999. We choose binary cross entropy, and the classifier ended up achieved 85.08% accuracy. Besides, we investigate by masking the known symptoms and generate negative Expected-CE as , which provides inference. For , we zero-out the nodes which activate additional feature identified as a pulmonary disease as an additional label suggested by a pulmonologist. However, CE of this multitasking reasoning is not obvious. Intervention by pixel-wise Masking For PWM, we intervene with the visual traits of inputs. We mask 10 % area of the images randomly to explore the impact of masking on the causal effect. We could assure the intervention without bias with a chance to observe the region of interest of the causal model. The results in Table 1, 3, and 4 show the value of Expected-CE deceases by PWM, which indicate a declined causal importance inferences by pixel-wise perturbation.
Intervention by Adversarial Attacks From Table 2., we observe a numerical difference of Expected-CE by four gradient-based adversarial attacks, where FGSM has a larger negative causal effect with -5.6129 . We then adapt FGSM to evaluate generic datasets in Section 4.2.

The presence of malicious adversarial-noise via CAMs such as (I) in Fig. 3 is often hardly to detect if the dataset has similar visual patterns (e.g., clinical patterns). We propose an adversary-sensitive causal effect map (CEM) by activated weights of CE in Eqn. 1 on each pixel toward classifying a specific class.

Level(L), Node(N) = PWM
3,4 4.5076 7.2356
6,5 2.843 1.2154
6,10 3.1939 9.0066
8,5 3.1939 1.1536
10,7 1.3775 -1.1506
Table 1: Expected-CE on CheXNet
= Types of Adversarial Attack Expected-CE
FSGM -5.6129
BIM 4.3435
JBSM 7.7548
PGD -3.9605
Table 2: CheXNet ( on L = 10, N = 7)
Figure 3: Sensitivity for adversarial setting between (I) Class Activation Map (CAM) [12] and (II) Causal Effect Map (CEM) on ChestX-ray 14 for clinical symptoms labels [26].

4.2 Other Image Classification Datasets

Fashion-MNIST The fashion-MNIST dataset comprises of 2828 grayscale images of 70,000 fashion products from 10 categories, with 7,000 images per category. [27]. We use shallow model consists of 2 convolutional layers. The weights are trained using Adam with initial learning rate 0.001. We train the model using minibatches of size 100. The classifier with lowest validation loss has 89.6% accuracy.

L, N = PWM = FGSM
2,3 4.9543 -1.8947 -8.0042
2,7 2.4600 -4.1068 -2.5742
Table 3: Expected-CE on Fashion-MNIST

ImageNet The ImageNet [28] 2012 classification dataset consists 1.2 million images for training, and 50,000 for validation, from 1, 000 classes. As a benchmark dataset, we use it to demonstrate visual causality. We use VGG16 model which has 16 convolutional layers and is pretrained by ImageNet with 86% top-1 accuracy.

L, N = PWM = FGSM
3,2 4.2027 6.0993 -5.1834
9,10 8.9322 7.2438 - 2.8862
13,6 6.7643 2.3943 -6.8749
Table 4: Expected-CE on ImageNet

4.3 Evaluation of Causal Effect

To validate the reliability of our approach, we also implemented our causal inference framework on Fashion-MNIST and ImageNet. We applied random pixel-wise feature masking and adversarial noise separately to the input images with coded feature map. Table 3 and 4 show that comparing to , Expected-CE of these two datasets decreased drastically once we applied random masking and adversarial noise, which are similar to the results of CheXNet. The results suggest that our causality framework is generic and can be applied to different datasets (please refer our reproducible code.)

5 Conclusion

With our proposed framework, experimental results on Fashion-MNIST, ImageNet, and ChestX-ray14 datasets show that CE is a competitive and robust index for understanding DNNs for generic and human-interpretable feature(s) reasoning. CE also shows high sensitivity in the presence of adversarial perturbations and could be used to identify adversarial examples.

References