In recent years, advancements in Artificial Intelligence (AI) have expanded beyond the primary objective of predictive capabilities. Although accurate predictions are crucial, an equally important goal has emerged: ensuring explainability. Explainability in Machine Learning (ML) models has become a critical objective for making clear and justifiable predictions, especially in high-stakes social decisions. It is essential for these models to offer clear and comprehensible reasons for their predictions and decisions [1]. In this context, Explainable AI (XAI) has emerged as a crucial field of investigation. XAI methodologies are specifically designed to unveil the decision-making processes of complex, opaque models, often referred to as black boxes. With the use of XAI techniques, researchers can gain valuable insights into the reasoning behind model decisions, after they have already been made [2]. XAI techniques employ various methods to interpret the inner workings of complex ML models. These methods generate different types of explanations, e.g., feature importance, counterfactual explanations, etc. To generate tailored explanations, XAI requires a combination of data, interpretable models, and explanatory techniques and often incorporates user interaction. Therefore, XAI starts with the foundational element of data, which needs to be diverse and of high quality. This data is not only used to train AI models but also to create explainers. This combination of data, interpretable models, explanatory techniques, and user interaction builds the XAI.
In many applications, the data used to train AI and XAI models contain sensitive information about individuals, such as medical records, or financial transactions, which the GDPR [3] seeks to safeguard. Different approaches are proposed to safeguard sensitive information in data, such as differential privacy (DP) and federated learning (FL). These approaches affect predictive performance to some extent, resulting in a drop in performance, yet they manage to uphold an acceptable level of it. Subsequently, a conflict between ensuring transparency through XAI and ensuring privacy emerges due to their opposing goals. XAI aims to provide insights into model behavior for transparency, while privacy-preserving solutions obscure data to prevent data leakage. Moreover, the output of XAI can unintentionally expose model decision boundaries, leading to potential attacks on privacy [4,5]. For instance, attackers can exploit XAI explanations such as CFs, which describe the minimal feature value change to alter the model decision and return instances that are close to the decision boundary. FI, which scores the contribution and impact of each feature to the model output exposes information about the gradients in Deep Neural Networks (DNNs) or about the values of the features in ML. In this context, attackers can initiate attacks from these explanations to perform model extraction, inference, and membership attacks [6], especially when the model is shared or deployed publicly on the cloud as ML as a Service (MLaaS). This dilemma underscores the challenge of finding the right equilibrium between explainability and safeguarding private information [4].
In order to enhance transparency, XAI techniques provide the necessary tools to open up complex black boxes and shed light on how AI decisions are made [7], promoting fairness, transparency, and accountability within real-world organizations. Moreover, XAI has proven to play a pivotal role in ensuring that AI is trusted and used responsibly. By answering essential "How?" and "Why?" inquiries regarding AI systems, XAI serves as a valuable tool for tackling the increasing ethical and legal issues associated with them. XAI targets diverse entities and includes various stakeholders, such as researchers, model developers like engineers and data scientists, as well as practitioners.
Post-hoc explainability is a technique used to gain insight into the decision-making process of a trained ML model. In this context, post-hoc means that the model's interpretability is addressed after its training, regardless of its complexity or the algorithms used. The approach primarily revolves around the act of querying the model with diverse sets of input data to observe how it reacts to different scenarios. Through these interactions, we can effectively map out the decision boundaries the model uses, shedding light on what factors influence its predictions.
Visualizations and explanations can then be applied to make these insights more accessible and human-friendly, ultimately enabling a better understanding of the model's predictions. These visual aids are essential in making the insights gained more accessible to data scientists, end users, and domain experts who are willing to understand why the model is making specific predictions. By going through this process, post-hoc explainability serves a vital role in improving model transparency and building trust in its performance.
Understanding an AI system with XAI relies on its training data, process, and model. Therefore, XAI can be applied throughout the entire AI development pipeline. Specifically, it can be applied in different stages of modeling, such as before, during, and after (post-modeling explainability). In this work, the primary emphasis will be on post-modeling XAI (Post-hoc), since ML models are often developed with only predictive performance in mind.
Feature Importance Feature Importance (FI) explanations involve assigning a quantitative measure in the form of a numerical score to each input feature within a given model. The primary goal of calculating FI is to discern which features have influential effects on the model's predictions and which ones have a relatively lesser impact. These importance scores help practitioners and data scientists gain insights into which factors are most critical in influencing those decisions. Features that, when modified, cause more substantial shifts in the model's output are considered more important because they have a greater influence on the final prediction. For deep learning models, many feature-based explanation functions are gradientbased techniques that analyze the gradient flow through a model. Approaches such as Layer-wise Relevance Propagation (LRP) [8], and Deep Learning Important FeaTures (DeepLIFT) [9] exist. Counterfactual Explanations CFs leverage the concept of potential outcomes to assess causal relationships within a data-model framework. CFs empower informed decision-making and the implementation of explainable, accountable, and ultimately more ethically responsible AI [10]. It achieves this by constructing a hypothetical scenario, distinct from the observed data, and evaluating the corresponding model output under this scenario. The generation of informative and interpretable CFs necessitates the optimization of well-defined metrics [11] such as diversity, validity, proximity, and user constraints. Conversely, model-specific methods tailor the cost function optimization process to leverage the inherent characteristics of the employed model. For instance, in the case of differentiable models, gradients play a critical role in guiding the optimization towards finding CFs [12]. Conversely, model-agnostic methods achieve generalization across diverse model architectures [13,14].
Data protection and privacy is one of the primary dimensions in ML and AI. It involves ensuring that the data used to train and test ML models does not expose sensitive information about individuals or entities. This is particularly critical when dealing with datasets that contain personally identifiable information or confidential details. Techniques like anonymization and DP have emerged as valuable tools in the data privacy field. They allow us to protect the privacy of individuals represented in the data, even as we leverage it to train models. Beyond data privacy, model privacy is also a pressing concern. The architecture of ML models can be 1). However, privacy is not included in the default behavior of most ML algorithms. They tend to learn not just the general trends but also the specifics of the data, potentially revealing sensitive information when the model is made public. In an ideal scenario, we want these algorithms to focus on extracting general trends and patterns from the data while deliberately avoiding the inclusion of specific details about the data. This emphasis on distilling general patterns means that the algorithms should primarily capture the fundamental, common insights that are valuable for decision-making, aligning with privacy concerns, as they identify important details without risking individual privacy. XAI can inadvertently compromise privacy by revealing sensitive information about the model's decision boundaries. Moreover, the process of returning real data points with CFs can inadvertently expose specific instances from the training set or behaviors. Also, the process of assigning FI scores exposes the values of gradients and the feature values themselves. This conflict makes striking the right balance between model explainability and data privacy crucial to ensuring that XAI enhances our understanding of AI systems without leaking individual privacy.
A membership inference attack (MIA) is a privacy-related threat in ML where an adversary attempts to determine whether a specific data point was part of the training dataset of a deployed model [15,16]. MIA are particularly concerning because they can compromise the privacy of individuals whose data was part of the training dataset. If an attacker can determine that a specific data point was included in the training data, it may reveal sensitive information about that individual, even if the model's output does not directly disclose such information. To perform membership attacks, [15] proposes a shadow training process that mimics the target model with shadow models, and trains the attack model using data that is extracted using data synthesis. Also, [17] discusses and proves that points with a very high loss tend to be far from the decision boundary and are more likely to be non-members. Regarding how explanation can facilitate performing MIA, [4] quantifies information leakage in model predictions when explanations are provided. The authors evaluate feature-based explanations, highlighting how back-propagation-based explanations reveal decision boundaries.
Model extraction (MEA) is a class of attacks where an adversary tries to reverse-engineer a target model by observing its behavior and querying it. MEA can potentially lead to the theft of intellectual property compromising proprietary models [18,19]. Authors in [19] discuss the weakness in ML services that take incomplete data with confidence levels and show successful attacks on different ML models like decision trees, SVMs, and DNNs by using equation-solving, path-finding algorithms. Regarding how explanations can facilitate MEA, FIs, and CFs have proved their ability to reveal the decision boundary of a target model [20].
[21] perform the attack by minimizing task-classification loss and task-explanation loss. Authors in [22] show how gradient-based explanations quickly reveal the model itself and highlight the power of gradients. Regarding CFs, [23] proposes a strategy to target the decision boundary shift by taking not only the CF but also the CF of the CF as pairs of training samples.
A model inversion attack (MINA) is a privacy-related threat in ML where an adversary attempts to reconstruct sensitive or private information about individual data points from trained model predictions. In other words, the MINA task is to predict the input data, that is, the original dataset for the target model. In [24] discusses how providing explanations harms privacy and studies this risk for image-based MINA on private image data from model explanations. The authors developed several CNN architectures that achieve significantly higher inversion performance than using only the target model prediction. To minimize the risk of MINA, [25] presents a generative noise injector for model FI explanations by perturbing model explanations.
We pose the following research questions (RQs):
1. To what extent does the utilization of known privacy-preserving techniques, such as DP, effectively safeguard privacy and prevent information leakage when combined with explanations provided by XAI?
2. Can we produce high-quality XAI explanations while safeguarding privacy to mitigate potential vulnerabilities to attacks? 3. Which approach, privacy-preserving XAI or privacy-preserving ML, offers a more effective solution for safeguarding sensitive information in XAI systems?
To address RQ1, we aim to evaluate the trade-off and assess the effectiveness of existing privacy-preserving techniques (e.g., DP) in mitigating information leakage when combined with XAI explanations for CFs and FI. This will involve investigating the extent to which explanations can be exploited for privacy attacks like MIA, MEA, or MENA.
To address RQ2, we aim to explore the possibility of generating high-fidelity XAI explanations while simultaneously safeguarding privacy.
Such approaches aim to develop an XAI framework that concurrently optimizes two objectives: i) generating high-quality CFS, and ii) adhering to pre-defined privacy constraints. Furthermore, the integration of DP during the backpropagation of gradients for FI computation is another promising avenue for investigation.
To address RQ3, we will conduct a comparative analysis of privacy-preserving XAI and privacy-preserving ML techniques. This analysis will evaluate their strengths and weaknesses in safeguarding sensitive information within XAI systems. By comprehensively assessing these aspects, we aim to identify the approach that offers a more robust and enduring mechanism for privacy protection within XAI applications, covering different types of data.
In the initial research, I explored CF generation through RL, with the specific goal of constructing an explainer that operates independently of input data. The investigation then progressed to a more in-depth examination of CFs, focusing on their potential for information leakage and their ability to reveal the decision boundaries of ML models. To reach this aim, a new methodology is proposed to carry out MEA through a concept known as knowledge distillation (KD). I also delved into the domain of explainable deep learning methods within distributed systems, such as Vertical Split Learning (VSL), aiming to evaluate the potential information disclosure resulting from FI across various entities. In addition, I analyzed the impact of DP on the explainability of anomaly detection (AD) models. More specifically:
1. Explored how RL can be leveraged to generate CF explanations without relying on the dataset as input to the explainer. The main aim is to let the CF generator learn generalizable patterns from the training data without exposing it. The explainer determines which features to modify and by how much, by maximizing a custom reward function designed to jointly optimize various metrics.
where CFs are given to an attacker. I benefit from the property of KD and the process of transferring knowledge from a large model to a smaller one. The findings reveal that employing KD with the presence of CFs can indeed yield successful MEA. 3. Proposed an approach to generate private CFs I introduce the concept of DP within the GANs CF generation pipeline to generate CFs that deviate from the statistical properties of the confidential dataset, offering a layer of protection against potential privacy breaches.
4. Explored VSL strategies and performed experiments to explore the risk of information leakage regarding the original features using gradient-based explanations (IG and DeepLIFT). My application of VSL focused on a use case related to Network Function Virtualization. My findings highlight how an attacker on the server side can exploit XAI techniques to achieve additional tasks, without access to the original features. 5. Explored DP with AD Analyzed the trade-off between privacy achieved by DP and explainability achieved using SHAP.
This PhD research aims to achieve significant advancements in bridging the critical gap between XAI and data privacy. We will address the inherent conflict between providing users with clear explanations of AI models and protecting their sensitive data (privacy). We aim to develop a defense mechanism in the form of high-quality explanations while simultaneously ensuring privacy.