Class-Bias Enhanced Attack (CBEA) Overview
- The paper shows that CBEA maximizes class bias while imposing utility constraints to maintain stealth, revealing vulnerabilities in fairness mechanisms.
- In federated learning, CBEA induces disparities via poisoned updates and relevance-based regularization, significantly altering fairness metrics.
- For GZSL, CBEA disrupts semantic calibration by perturbing test inputs, causing dramatic performance collapse on unseen classes.
Class-Bias Enhanced Attack (CBEA) is a family of adversarial attack methodologies explicitly designed to exacerbate systematic class or group bias in machine learning models. Unlike classical adversarial attacks, which predominantly target overall model accuracy, CBEA aims to induce or amplify disparities across sensitive groups or distributions of interest, with careful regularization to avoid obvious accuracy degradation. CBEA has been formalized, independently, in both federated learning (FL) and generalized zero-shot learning (GZSL) contexts, with both algorithmic blueprints and comprehensive empirical results demonstrating their distinct mechanisms and impact (Meerza et al., 2024, Peng et al., 21 Dec 2025).
1. Formal Definitions and Attack Objectives
The core principle of CBEA is to maximize an explicit notion of class or group bias, subject to constraints that preserve stealth (via norm bounds, subspace constraints, or utility penalties). In FL, this is instantiated as a poisoning attack on model parameter updates; in GZSL, as an adversarial perturbation of the input. For a model parameterized by (centralized or federated) or an input (GZSL), the attack optimizes
where is a differentiable loss capturing the class or group disparity (e.g., difference in true positive rates, calibrated mean score gaps), is the standard utility loss (e.g., cross-entropy or accuracy), is a trade-off coefficient, and the constraint enforces small norm or restriction to "redundant" parameter subspaces (Meerza et al., 2024, Peng et al., 21 Dec 2025).
2. CBEA in Federated and Centralized Learning
In the PFair-FL/EAB-FL framework for federated learning, CBEA is implemented as a model poisoning attack optimized locally by a small subset of malicious clients. Each attacker computes an update that maximizes a fairness-violation objective, such as the equal-opportunity difference:
while controlling degradation in overall utility via explicit penalty terms and a global -norm constraint. An additional innovative element is the regularization of updates to the network's low-relevance ("redundant space") parameters, as computed by Layer-Wise Relevance Propagation (LRP), further enhancing attack stealth and effectiveness. The overall optimization solved per malicious client is:
where are parameter-wise relevance scores, , are regularization weights, and is the update norm bound. Practical implementations compute gradients via proxy sets or Taylor expansions, and use norm-clipping after each update step (Meerza et al., 2024).
For multiclass or centralized extension, is adjusted to reflect gaps over groups, e.g.,
with analogous procedures for centralized models or direct data poisoning via perturbed examples (Meerza et al., 2024).
3. CBEA in Generalized Zero-Shot Learning (GZSL)
In GZSL, CBEA exploits the structure of semantic alignment models. The attack operates on clean test images , optimizing an adversarial perturbation under an norm constraint , to maximize the difference between mean cosine similarities to seen and unseen class prototypes:
where is the semantic embedding for , are normalized prototypes, , are seen/unseen class sets. The attack iteratively updates
disrupting the calibration curve such that no setting of bias-calibration can recover performance—simultaneously collapsing seen and unseen accuracy (Peng et al., 21 Dec 2025).
4. Empirical Results and Benchmark Performance
Extensive experiments quantify the disruptive capacity of CBEA under various conditions. In FL using the CelebA, Adult Income, and UTK Faces datasets, CBEA (PFair-FL) nearly doubles fairness gaps (e.g., Equal-Opportunity Difference rises from 0.23 to 0.41 on CelebA), with overall accuracy declining by at most 3%. The attack remains effective under advanced defenses (SparseFed, Krum, LoMar, FLDetector, q-FFL, GIFAIR-FL) and persists for 50+ rounds following a single attack injection (Meerza et al., 2024).
Summary of GZSL results for ReZSL/ResNet101 on AWA2 is shown below (after re-calibration):
| Attack | Unseen (%) | Seen (%) | Harmonic Mean (%) | AUSUC (%) |
|---|---|---|---|---|
| Clean | 61.1 | 84.8 | 71.0 | 62.1 |
| CBEA-1 | 60.6 | 84.4 | 70.5 | 61.7 |
| CBEA-5 | 5.9 | 3.2 | 4.1 | 0.4 |
| CBEA-10 | 4.8 | 2.0 | 2.9 | 0.2 |
By contrast, standard non-targeted attacks (clsA-5) only break performance at a fixed calibration while allowing restoration via re-tuning; CBEA eliminates this vulnerability (Peng et al., 21 Dec 2025).
5. Algorithmic and Implementation Details
Practical CBEA realization involves several modular hyperparameters and regularization components:
- Poisoned-update budget (centralized/FL): (L2-norm)
- Fairness-utility tradeoff , tuned to constrain accuracy drop
- Redundant-space regularization weights: ,
- Fraction for privileged group bias subset:
- Attack step sizes: inner-loop (FL), (GZSL)
- Typical attack budgets in GZSL: (normalized inputs), steps
Defenses integrating norm-clipping, sparse aggregation, or parameter filtering prove ineffective since CBEA exploits slow-moving/rank-deficient update directions or operates entirely in semantic input domains (Meerza et al., 2024, Peng et al., 21 Dec 2025).
6. Extensions, Limitations, and Defenses
CBEA generalizes naturally to multiclass partitions, arbitrary sensitive features, and both parameter and data poisoning. Essential ingredients include a differentiable bias objective, constrained perturbation magnitude, and an optimization loop respecting utility and stealth tradeoffs.
Main limitations include the requirement for white-box gradient access (GZSL), computational overhead of full mean score computation (large label spaces), and the risk of less perceptual stealth for larger input norms. Proposed mitigations focus on adversarial training targeting the class-bias loss, consistency regularization under small perturbations, and targeted feature denoising layers (Peng et al., 21 Dec 2025).
7. Relationship to Broader Adversarial Fairness and Robustness Research
CBEA highlights a critical blind spot in adversarial robustness and fairness literature: standard attacks and defenses may fail to reveal or protect against class/group-specific vulnerabilities, especially in models supporting calibration tradeoffs (e.g., GZSL) or decentralized learning protocols (FL). A plausible implication is that robust machine learning should incorporate explicit fairness-adversarial countermeasures, not just accuracy-oriented ones, and reevaluate the efficacy of classical defenses in the presence of CBEA (Meerza et al., 2024, Peng et al., 21 Dec 2025).