Adversarial Evasion Attacks on Computer Vision using SHAP Values

Researchers demonstrate a white-box adversarial attack on computer vision models using SHAP values to identify and exploit critical input features, showing superior robustness compared to the Fast Gradient Sign Method, particularly when gradient information is obscured or hidden.

This research reveals a fundamental vulnerability in deep learning-based computer vision systems through a novel attack vector leveraging SHAP (SHapley Additive exPlanations) values. The attack works by identifying which input features most significantly influence model outputs, then manipulating those features imperceptibly to trigger misclassifications. The significance lies in the attack's effectiveness even when defenders attempt gradient hiding—a common defense mechanism—making traditional countermeasures less reliable.

The broader context involves an ongoing arms race between adversarial machine learning researchers and model defenders. As computer vision models increasingly power critical infrastructure—from autonomous vehicles to biometric systems to medical diagnostics—understanding their failure modes becomes essential. Previous work focused on gradient-based attacks like FGSM, which become less effective when gradients are obscured. This SHAP-based approach introduces a new attack surface by exploiting interpretability methods themselves, turning tools designed for transparency into weapons for manipulation.

For AI developers and deployers, this presents a significant security challenge. Systems relying on computer vision for high-stakes decisions require robust defenses against attacks that don't depend on gradient access. The research suggests that model interpretability, while valuable for transparency, may inadvertently enable adversaries. Organizations deploying vision models in security-sensitive applications should conduct adversarial robustness testing against SHAP-based attacks and reconsider how they integrate interpretability tools into production systems.

Future work should focus on developing defenses specifically targeting explanation-based attacks while maintaining model transparency. This research will likely accelerate investigation into the security implications of popular XAI methods, potentially reshaping how organizations balance interpretability with robustness in critical applications.

• →SHAP-based adversarial attacks can compromise computer vision models more effectively than gradient-based methods, especially under gradient hiding.
• →Adversarial perturbations remain imperceptible to humans while successfully fooling deep learning models, creating a deceptive failure mode.
• →Model interpretability tools like SHAP may introduce new security vulnerabilities that defenders must actively address.
• →Gradient hiding defenses prove insufficient against attacks that exploit input feature importance rankings.
• →Computer vision systems in high-stakes applications require testing against explanation-based attacks, not just traditional adversarial methods.