AI Security

How Saliency Attacks Quietly Trick Your AI Models

Artificial Intelligence (AI) models have permeated virtually every sector of modern life, revolutionizing healthcare with predictive analytics and personalized treatments, empowering autonomous vehicles to navigate complex environments, and even reshaping the financial landscape through algorithmic trading and risk assessment. Despite these groundbreaking contributions, there’s a disconcerting Achilles’ heel to these achievements: their susceptibility to various forms of attacks. Among these vulnerabilities, “Saliency Attacks” represent a particularly challenging category that undermines the very core of how AI models understand and interact with data. These attacks subtly manipulate the important features, or “saliencies,” within the data to deceive the model, often without detection. Therefore, as we increasingly rely on AI to make critical decisions, understanding and defending against saliency attacks becomes critical for the responsible and secure deployment of AI systems across industries.

The Basics of AI and Model Vulnerability

AI models serve as the computational brains behind a wide range of applications, employing various architectures like neural networks, decision trees, support vector machines, and more. Take neural networks as an example: they are inspired by human brain function and consist of interconnected layers of nodes or “neurons.” Data flows from the input layer through hidden layers, where it undergoes transformations and computations before arriving at the output layer that provides the final prediction or classification. Decision trees, on the other hand, make decisions by following a tree-like model of possible outcomes based on features in the input data. Despite their differences, all AI models aim to generalize well from the data they’re trained on to make accurate predictions on new, unseen data.

This brings us to the concept of model robustness. A robust AI model not only performs well on average but also maintains high performance when faced with unexpected or altered inputs. The importance of robustness becomes clear when AI is deployed in critical, high-stakes environments like healthcare or autonomous driving, where even a single error can have catastrophic consequences.

But AI models are not invulnerable. They face a spectrum of threats that exploit their vulnerabilities. One well-known category of such threats is “adversarial attacks,” where minute alterations to the input data, often indistinguishable from humans, can lead the model to make incorrect predictions. Other common attacks include data poisoning, where the training data is manipulated to compromise the model, and model inversion attacks, which attempt to reverse-engineer sensitive information from the model’s outputs.

The landscape of potential attacks is massive and continually evolving, making the robustness of AI models a necessity. Given the increasing sophistication of these attacks, it becomes critical to understand specific vulnerabilities like saliency attacks, which pose nuanced but equally damaging threats to AI systems.

What are Saliency Attacks?

“Saliency” refers to the extent to which specific features or dimensions in the input data contribute to the final decision made by the model. Mathematically, this is often quantified by analyzing the gradients of the model’s loss function with respect to the input features; these gradients represent how much a small change in each feature would affect the model’s output. Some sophisticated techniques like Layer-wise Relevance Propagation (LRP) and Class Activation Mapping (CAM) can also be used to understand feature importance in complex models like convolutional neural networks.

A saliency attack operates by perturbing these critical features to mislead the model into making an incorrect prediction or classification. The attacker usually has access to the model’s architecture and possibly its parameters (white-box attack) but can also operate without such detailed knowledge (black-box attack). In the white-box scenario, the attacker may directly manipulate the gradients during the backward pass of the training or inference, targeting the salient features. In a black-box attack, the attacker could use surrogate models or optimization algorithms to approximate the salient features and introduce perturbations. The changes are often subtle and designed to be imperceptible or irrelevant to human observers, thereby making the attack stealthy and hard to detect.

The impact of a successful saliency attack can be significant and multi-faceted. At the most basic level, the model’s predictive accuracy drops for the manipulated inputs, leading to incorrect decisions. This is a straightforward but critical point: models that have undergone saliency attacks can’t be trusted to perform as expected, which in sensitive applications like medical diagnosis or financial fraud detection can lead to severe consequences. Moreover, repeated successful attacks can erode trust in AI systems, potentially stalling their adoption in mission-critical roles. Additionally, these attacks can reveal insights into what the model considers “important,” information that can be exploited in further attacks or even for competitive intelligence. Therefore, defending against saliency attacks becomes imperative in maintaining not just the performance but also the integrity and trustworthiness of AI models.

Guarding Against Saliency Attacks

Defending against saliency attacks requires a multi-pronged approach that employs both general and specialized countermeasures to fortify AI models.

Adversarial Training: This involves retraining the model on a mix of original and adversarially perturbed examples to increase its resilience against attacks. While primarily designed for traditional adversarial attacks, this technique can also improve resistance against saliency-based manipulations.

Regularization Methods: Techniques such as dropout, weight decay, or Bayesian neural networks can make the model less sensitive to the specific training data, thereby reducing its susceptibility to overfitting to perturbed data.

Input Validation: Preprocessing steps like feature normalization and outlier detection can be implemented to recognize and filter anomalous inputs, though this can be less effective against sophisticated saliency attacks that are carefully crafted to avoid detection.

Suggestions for Techniques Specifically Designed to Detect Saliency Attacks

Saliency Map Monitoring: Since saliency attacks target critical features, continuously monitoring the saliency maps for sudden or unexpected changes can serve as an alert system.

Defensive Distillation: This technique involves training a secondary model to imitate the output probabilities of the original model but with a “smoothed” version of the decision boundaries. The secondary model, in some cases, becomes less sensitive to alterations in salient features.

Reverse Engineering Attacks: Employ techniques to predict potential saliency perturbations by attackers, thereby creating a model to recognize such attacks when they occur. This is akin to “fighting fire with fire” by understanding the attacker’s methodology.

Recommendations for Future Research Directions

Automated Saliency Attack Detection: The development of AI systems that can automatically detect and adapt to saliency attacks in real time could provide a robust line of defense.

Interdisciplinary Approaches: Integrating insights from cybersecurity, data science, and cognitive psychology to develop more human-like discernment capabilities in AI models.

Ethical and Regulatory Frameworks: Research on creating universal standards for AI robustness, particularly focusing on areas like healthcare, finance, and public safety, where the implications of saliency attacks can be severe.

By integrating these countermeasures and pursuing the recommended research directions, we can aim to build AI systems that are not only highly accurate but also robust and secure against the increasingly sophisticated landscape of saliency attacks.

Recent Research on Saliency Attacks

Recent research on saliency attacks has made significant strides in both understanding the vulnerabilities and developing countermeasures. For example, the study [1] dives deep into the stability properties of neural networks against saliency attacks by modeling the network as a closed-loop control system. Similarly, the study [2] explores how saliency attacks can compromise models in the domain of visual language grounding. Another groundbreaking study [3] challenges the conventional wisdom by arguing that adversarial vulnerabilities, including those from saliency attacks, are not bugs but rather intrinsic features of the model. This paper suggests that understanding these “features” could be key to defending against such attacks. Additionally, the study [4] investigates the susceptibility of generative models to saliency attacks, shedding light on the vulnerabilities in unsupervised learning paradigms. These studies collectively point to a dynamic and rapidly evolving field, urging both caution and proactive defense strategies in the deployment of AI systems.


As the use of AI expands across various sectors, the need to address its vulnerabilities, such as saliency attacks, becomes increasingly urgent. These subtle attacks manipulate key features in data to mislead AI models, posing a threat to their accuracy and our trust in them. Guarding against these threats isn’t straightforward; it requires a combination of robust training, vigilant monitoring, and ongoing research. The growing body of work in this area gives us hope for building more secure AI systems. For anyone involved in AI, from researchers to policymakers, the message is clear: prioritizing security and robustness is as important as enhancing performance and utility. Only by achieving this balance can we fully harness the potential of AI.


  1. Chen, Z., Li, Q., & Zhang, Z. (2021). Towards robust neural networks via close-loop control. arXiv preprint arXiv:2102.01862.
  2. Chen, H., Zhang, H., Chen, P. Y., Yi, J., & Hsieh, C. J. (2017). Attacking visual language grounding with adversarial examples: A case study on neural image captioning. arXiv preprint arXiv:1712.02051.
  3. Ilyas, A., Santurkar, S., Tsipras, D., Engstrom, L., Tran, B., & Madry, A. (2019). Adversarial examples are not bugs, they are features. Advances in neural information processing systems32.
  4. Sun, H., Zhu, T., Zhang, Z., Jin, D., Xiong, P., & Zhou, W. (2021). Adversarial attacks against deep generative models on data: a survey. IEEE Transactions on Knowledge and Data Engineering.

For 30+ years, I've been committed to protecting people, businesses, and the environment from the physical harm caused by cyber-kinetic threats, blending cybersecurity strategies and resilience and safety measures. Lately, my worries have grown due to the rapid, complex advancements in Artificial Intelligence (AI). Having observed AI's progression for two decades and penned a book on its future, I see it as a unique and escalating threat, especially when applied to military systems, disinformation, or integrated into critical infrastructure like 5G networks or smart grids. More about me.

Luka Ivezic
Luka Ivezic

Luka Ivezic is the Lead Cybersecurity Consultant for Europe at the Information Security Forum (ISF), a leading global, independent, and not-for-profit organisation dedicated to cybersecurity and risk management. Before joining ISF, Luka served as a cybersecurity consultant and manager at PwC and Deloitte. His journey in the field began as an independent researcher focused on cyber and geopolitical implications of emerging technologies such as AI, IoT, 5G. He co-authored with Marin the book "The Future of Leadership in the Age of AI". Luka holds a Master's degree from King's College London's Department of War Studies, where he specialized in the disinformation risks posed by AI.

Related Articles

Share via
Copy link
Powered by Social Snap