How does zero-shot learning deal with adversarial examples?

Zero-shot learning (ZSL) addresses adversarial examples by leveraging its unique ability to generalize to unseen classes, but this approach also introduces specific vulnerabilities. In ZSL, models classify data from classes they were never explicitly trained on by using auxiliary information like semantic attributes or textual descriptions. For example, a ZSL model trained on animals might infer a new species by aligning visual features with textual attributes like “stripes” or “aquatic.” This reliance on semantic relationships can create a natural defense against some adversarial attacks, as perturbations designed for seen classes may not transfer effectively to unseen ones. However, ZSL models still depend on feature representations that adversarial examples can exploit, such as small pixel-level changes in images or manipulated text embeddings.

A key challenge arises because adversarial attacks in ZSL often target the model’s semantic alignment mechanism. For instance, an attacker might subtly alter an image’s features to misalign it with its correct semantic description. Suppose a ZSL model uses word embeddings to link images of “zebras” (seen class) to “okapis” (unseen class) based on shared attributes like “striped” and “four-legged.” An adversarial example could modify the image to reduce the prominence of stripes, causing the model to incorrectly associate it with a different unseen class, like a “giraffe.” Similarly, in text-based ZSL, adversarial perturbations to class descriptions (e.g., swapping “striped” with “spotted” in metadata) could mislead the model. These attacks highlight the need to secure both the input data and the semantic space used for generalization.

To mitigate adversarial risks, ZSL systems often employ techniques like robust feature extraction and adversarial training tailored to unseen classes. For example, a model might use disentangled representations to separate invariant features (e.g., shape) from noise, reducing sensitivity to adversarial perturbations. Another approach involves augmenting training data with synthetic adversarial examples for seen classes, which can indirectly improve robustness for unseen ones by strengthening the semantic alignment process. However, these methods are not foolproof. Developers must rigorously test ZSL models against attacks like FGSM (Fast Gradient Sign Method) or PGD (Projected Gradient Descent) adapted for cross-class scenarios. By focusing on both the visual and semantic components of ZSL, developers can build models that balance generalization with resistance to adversarial manipulation.