Papers
Topics
Authors
Recent
Search
2000 character limit reached

Class-Bias Enhanced Attack (CBEA) Overview

Updated 28 December 2025
  • The paper shows that CBEA maximizes class bias while imposing utility constraints to maintain stealth, revealing vulnerabilities in fairness mechanisms.
  • In federated learning, CBEA induces disparities via poisoned updates and relevance-based regularization, significantly altering fairness metrics.
  • For GZSL, CBEA disrupts semantic calibration by perturbing test inputs, causing dramatic performance collapse on unseen classes.

Class-Bias Enhanced Attack (CBEA) is a family of adversarial attack methodologies explicitly designed to exacerbate systematic class or group bias in machine learning models. Unlike classical adversarial attacks, which predominantly target overall model accuracy, CBEA aims to induce or amplify disparities across sensitive groups or distributions of interest, with careful regularization to avoid obvious accuracy degradation. CBEA has been formalized, independently, in both federated learning (FL) and generalized zero-shot learning (GZSL) contexts, with both algorithmic blueprints and comprehensive empirical results demonstrating their distinct mechanisms and impact (Meerza et al., 2024, Peng et al., 21 Dec 2025).

1. Formal Definitions and Attack Objectives

The core principle of CBEA is to maximize an explicit notion of class or group bias, subject to constraints that preserve stealth (via norm bounds, subspace constraints, or utility penalties). In FL, this is instantiated as a poisoning attack on model parameter updates; in GZSL, as an adversarial perturbation of the input. For a model parameterized by ww (centralized or federated) or an input xx (GZSL), the attack optimizes

max  Lbias(w or x)λLutil(w or x)s.t. budget\max \; \mathcal{L}_{bias}(w' \text{ or } x') - \lambda\,\mathcal{L}_{util}(w' \text{ or } x') \quad \text{s.t. } \|\cdot\|\leq \text{budget}

where Lbias\mathcal{L}_{bias} is a differentiable loss capturing the class or group disparity (e.g., difference in true positive rates, calibrated mean score gaps), Lutil\mathcal{L}_{util} is the standard utility loss (e.g., cross-entropy or accuracy), λ\lambda is a trade-off coefficient, and the constraint enforces small norm or restriction to "redundant" parameter subspaces (Meerza et al., 2024, Peng et al., 21 Dec 2025).

2. CBEA in Federated and Centralized Learning

In the PFair-FL/EAB-FL framework for federated learning, CBEA is implemented as a model poisoning attack optimized locally by a small subset of malicious clients. Each attacker computes an update Δk\Delta_k that maximizes a fairness-violation objective, such as the equal-opportunity difference:

Lbias(w)=P(y^=1Y=1,G=1)P(y^=1Y=1,G=0)\mathcal{L}_{bias}(w) = |\mathbb{P}(\hat y = 1|Y=1, G=1) - \mathbb{P}(\hat y = 1|Y=1, G=0)|

while controlling degradation in overall utility via explicit penalty terms and a global 2\ell_2-norm constraint. An additional innovative element is the regularization of updates to the network's low-relevance ("redundant space") parameters, as computed by Layer-Wise Relevance Propagation (LRP), further enhancing attack stealth and effectiveness. The overall optimization solved per malicious client is:

maxΔk  Lbias(wt+Δk)λLutil(wt+Δk)γjhj(wt)Δk,j2ρΔk22s.t.  Δk2B\max_{\Delta_k}\; \mathcal{L}_{bias}(w^t+\Delta_k) -\lambda\,\mathcal{L}_{util}(w^t+\Delta_k) -\gamma\,\sum_j h_j(w^t)\Delta_{k,j}^2 -\rho\,\|\Delta_k\|_2^2 \quad \text{s.t.}\; \|\Delta_k\|_2\leq B

where hj(wt)h_j(w^t) are parameter-wise relevance scores, γ\gamma, ρ\rho are regularization weights, and BB is the update norm bound. Practical implementations compute gradients via proxy sets or Taylor expansions, and use norm-clipping after each update step (Meerza et al., 2024).

For multiclass or centralized extension, Lbias\mathcal{L}_{bias} is adjusted to reflect gaps over KK groups, e.g.,

Lbias(w)=maxi,jP(y^=1G=i)P(y^=1G=j)\mathcal{L}_{bias}(w) = \max_{i,j} |\mathbb{P}(\hat y = 1|G=i) - \mathbb{P}(\hat y = 1|G=j)|

with analogous procedures for centralized models or direct data poisoning via perturbed examples (Meerza et al., 2024).

3. CBEA in Generalized Zero-Shot Learning (GZSL)

In GZSL, CBEA exploits the structure of semantic alignment models. The attack operates on clean test images xx, optimizing an adversarial perturbation δ\delta under an \ell_\infty norm constraint δϵ\|\delta\|_\infty\leq\epsilon, to maximize the difference between mean cosine similarities to seen and unseen class prototypes:

LCB(x)=1YsyYscos(s~,sy)1YuyYucos(s~,sy)\mathcal{L}_{CB}(x) = \frac{1}{|Y^s|}\sum_{y\in Y^s}\cos(\tilde s, s_y) - \frac{1}{|Y^u|}\sum_{y\in Y^u}\cos(\tilde s, s_y)

where s~=fcon(fbb(x))\tilde s = f_{con}(f_{bb}(x)) is the semantic embedding for xx, sys_y are normalized prototypes, YsY^s, YuY^u are seen/unseen class sets. The attack iteratively updates

xt+1=Clipxxϵ(xt+αsign(xLCB(xt)))x_{t+1}^\star = \mathrm{Clip}_{\|x'-x\|_\infty \leq \epsilon}(x_t^\star + \alpha\,\mathrm{sign}(\nabla_x \mathcal{L}_{CB}(x_t^\star)))

disrupting the calibration curve such that no setting of bias-calibration γ\gamma can recover performance—simultaneously collapsing seen and unseen accuracy (Peng et al., 21 Dec 2025).

4. Empirical Results and Benchmark Performance

Extensive experiments quantify the disruptive capacity of CBEA under various conditions. In FL using the CelebA, Adult Income, and UTK Faces datasets, CBEA (PFair-FL) nearly doubles fairness gaps (e.g., Equal-Opportunity Difference rises from 0.23 to 0.41 on CelebA), with overall accuracy declining by at most 3%. The attack remains effective under advanced defenses (SparseFed, Krum, LoMar, FLDetector, q-FFL, GIFAIR-FL) and persists for 50+ rounds following a single attack injection (Meerza et al., 2024).

Summary of GZSL results for ReZSL/ResNet101 on AWA2 is shown below (after re-calibration):

Attack Unseen (%) Seen (%) Harmonic Mean (%) AUSUC (%)
Clean 61.1 84.8 71.0 62.1
CBEA-1 60.6 84.4 70.5 61.7
CBEA-5 5.9 3.2 4.1 0.4
CBEA-10 4.8 2.0 2.9 0.2

By contrast, standard non-targeted attacks (clsA-5) only break performance at a fixed calibration while allowing restoration via re-tuning; CBEA eliminates this vulnerability (Peng et al., 21 Dec 2025).

5. Algorithmic and Implementation Details

Practical CBEA realization involves several modular hyperparameters and regularization components:

  • Poisoned-update budget (centralized/FL): B=0.5B = 0.5 (L2-norm)
  • Fairness-utility tradeoff λ[0.1,1.0]\lambda \in [0.1, 1.0], tuned to constrain accuracy drop
  • Redundant-space regularization weights: γ=0.1\gamma=0.1, ρ=0.01\rho=0.01
  • Fraction for privileged group bias subset: κ=10%\kappa=10\%
  • Attack step sizes: inner-loop α=0.005\alpha = 0.005 (FL), α=ϵ/T\alpha=\epsilon/T (GZSL)
  • Typical attack budgets in GZSL: ϵ=8/255\epsilon = 8/255 (normalized inputs), T=1,5,10T=1, 5, 10 steps

Defenses integrating norm-clipping, sparse aggregation, or parameter filtering prove ineffective since CBEA exploits slow-moving/rank-deficient update directions or operates entirely in semantic input domains (Meerza et al., 2024, Peng et al., 21 Dec 2025).

6. Extensions, Limitations, and Defenses

CBEA generalizes naturally to multiclass partitions, arbitrary sensitive features, and both parameter and data poisoning. Essential ingredients include a differentiable bias objective, constrained perturbation magnitude, and an optimization loop respecting utility and stealth tradeoffs.

Main limitations include the requirement for white-box gradient access (GZSL), computational overhead of full mean score computation (large label spaces), and the risk of less perceptual stealth for larger input norms. Proposed mitigations focus on adversarial training targeting the class-bias loss, consistency regularization under small perturbations, and targeted feature denoising layers (Peng et al., 21 Dec 2025).

7. Relationship to Broader Adversarial Fairness and Robustness Research

CBEA highlights a critical blind spot in adversarial robustness and fairness literature: standard attacks and defenses may fail to reveal or protect against class/group-specific vulnerabilities, especially in models supporting calibration tradeoffs (e.g., GZSL) or decentralized learning protocols (FL). A plausible implication is that robust machine learning should incorporate explicit fairness-adversarial countermeasures, not just accuracy-oriented ones, and reevaluate the efficacy of classical defenses in the presence of CBEA (Meerza et al., 2024, Peng et al., 21 Dec 2025).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Class-Bias Enhanced Attack (CBEA).