Exploring Causal Information Bottleneck for Adversarial Defense

Thumbnail Image

Files

Exploring_Causal_Information_Bottleneck_for_Adversarial_Defense.pdf (2.75 MB)

Access rights

openAccess
acceptedVersion

URL

Journal Title

Journal ISSN

Volume Title

A1 Alkuperäisartikkeli tieteellisessä aikakauslehdessä
This publication is imported from Aalto University research portal.
View publication in the Research portal (opens in new window)
View/Open full text file from the Research portal (opens in new window)
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.

Authors

Date

2025-09

Department

ELLIS Institute
Department of Electrical Engineering and Automation

Major/Subject

Mcode

Degree programme

Language

en

Pages

14

Series

IEEE Transactions on Information Forensics and Security, Volume 20, pp. 9979-9992

Abstract

Information bottleneck (IB) is a promising defense solution against adversarial attacks on deep neural networks. However, these methods often suffer from spurious correlations. A correlation exists between the prediction and the non-robust features, yet it does not reflect the causal relationship well. Such spurious correlations induce the neural networks to learn fragile and incomprehensible (non-robust) features. This issue limits its potential for further improving adversarial robustness. This paper addresses this issue by incorporating causal inference into the IB-based defense framework. Specifically, we propose a novel defense method that use the instrumental variables to enhance the adversarial robustness. Our proposed method divides the features into two parts for causal effect estimation: robust and non-robust features. The robust features relate to understanding semantic information, and the non-robust features link to the vulnerable style information. By employing this framework, the IB method can mitigate the influence of non-robust features and extract the robust features linking to the semantic information of objects. We conduct a thorough analysis of the effectiveness of our proposed method. Notably, the experiments on MNIST, FashionMNIST, CIFAR-10, CIFAR-100, and Tiny-ImageNet demonstrate that our method significantly boosts the adversarial robustness against multiple adversarial attacks compared to previous methods. Our regularization method can improve adversarial robustness in both natural and adversarial training frameworks. Besides, CausalIB can be applied to both Convolutional Neural Networks and Vision Transformers as a plug-and-play module.

Description

Publisher Copyright: © 2005-2012 IEEE.

Keywords

adversarial robustness, causal theory, Deep learning, information bottleneck

Other note

DOI

10.1109/TIFS.2025.3611108

Citation

Yan, J, Hua, H, Huang, W, Fang, X, Ge, W, Yang, J & Wang, Y 2025, 'Exploring Causal Information Bottleneck for Adversarial Defense', IEEE Transactions on Information Forensics and Security, vol. 20, pp. 9979-9992. https://doi.org/10.1109/TIFS.2025.3611108

Permanent link to this item

https://urn.fi/URN:NBN:fi:aalto-202601141230

Collections

[article-cris] Sähkötekniikan korkeakoulu / ELEC