Adversarial Robustness in Zero-Shot Learning: An Empirical Study on Class and Concept-Level Vulnerabilities
Zhiyuan Peng 1, Zihan Ye 2, Shreyank N Gowda 3, Yuping Yan 4, Haotian Xu 5, Ling Shao 2
Published on arXiv
2512.18651
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
CBEA completely eliminates GZSL accuracy across all calibration points, exposing the spurious nature of prior class-level attacks, while concept-level attacks further reveal that ZSL models are vulnerable to semantic concept manipulation.
CBEA (Class-Bias Enhanced Attack) / CPconA / NCPconA
Novel technique introduced
Zero-shot Learning (ZSL) aims to enable image classifiers to recognize images from unseen classes that were not included during training. Unlike traditional supervised classification, ZSL typically relies on learning a mapping from visual features to predefined, human-understandable class concepts. While ZSL models promise to improve generalization and interpretability, their robustness under systematic input perturbations remains unclear. In this study, we present an empirical analysis of the robustness of existing ZSL methods at both class-level and concept-level. Specifically, we successfully disrupted their class prediction by the well-known non-target class attack (clsA). However, in the Generalized Zero-shot Learning (GZSL) setting, we observe that the success of clsA is only at the original best-calibrated point. After the attack, the optimal best-calibration point shifts, and ZSL models maintain relatively strong performance at other calibration points, indicating that clsA results in a spurious attack success in GZSL. To address this, we propose the Class-Bias Enhanced Attack (CBEA), which completely eliminates GZSL accuracy across all calibrated points by enhancing the gap between seen and unseen class probabilities. Next, for the concept-level attack, we introduce two novel attack modes: Class-Preserving Concept Attack (CPconA) and Non-Class-Preserving Concept Attack (NCPconA). Our extensive experiments evaluate three typical ZSL models across various architectures from the past three years and reveal that ZSL models are vulnerable not only to the traditional class attack but also to concept-based attacks. These attacks allow malicious actors to easily manipulate class predictions by erasing or introducing concepts. Our findings highlight a significant performance gap between existing approaches, emphasizing the need for improved adversarial robustness in current ZSL models.
Key Contributions
- Identifies spurious attack success in GZSL settings: standard non-targeted class attacks shift the optimal calibration point rather than truly defeating the model across all calibration points.
- Proposes Class-Bias Enhanced Attack (CBEA) that completely eliminates GZSL accuracy across all calibration points by amplifying the seen/unseen class probability gap.
- Introduces two novel concept-level attack modes — Class-Preserving Concept Attack (CPconA) and Non-Class-Preserving Concept Attack (NCPconA) — that manipulate ZSL predictions by erasing or injecting semantic concepts.
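An evaluation-side illustration of the first contribution, added here and not taken from the paper: robustness is measured over a sweep of calibration points instead of only at the clean-optimal one. It assumes that calibration means subtracting a constant gamma from seen-class scores and that the GZSL metric is the harmonic mean H of seen and unseen accuracy; the function names and all scores are constructed for the example.

```python
# Added example: evaluation harness only, not code from the paper.
# Assumption: calibration = subtracting a constant gamma from seen-class scores.

def predict(scores, seen, gamma):
    """Argmax after lowering every seen-class score by gamma."""
    adj = [s - gamma if c in seen else s for c, s in enumerate(scores)]
    return max(range(len(adj)), key=adj.__getitem__)

def harmonic_mean(rows, labels, seen, gamma):
    """H = 2*S*U/(S+U) from seen-class (S) and unseen-class (U) accuracy."""
    hits = {True: [], False: []}
    for scores, y in zip(rows, labels):
        hits[y in seen].append(predict(scores, seen, gamma) == y)
    s = sum(hits[True]) / len(hits[True])
    u = sum(hits[False]) / len(hits[False])
    return 0.0 if s + u == 0 else 2 * s * u / (s + u)

def calibration_report(clean, attacked, labels, seen, gammas):
    """Compare H at the clean-optimal gamma with the best H after perturbation."""
    clean_curve = [harmonic_mean(clean, labels, seen, g) for g in gammas]
    adv_curve = [harmonic_mean(attacked, labels, seen, g) for g in gammas]
    i_clean = clean_curve.index(max(clean_curve))
    i_adv = adv_curve.index(max(adv_curve))
    return {
        "clean_best_gamma": gammas[i_clean],
        "h_after_at_clean_gamma": adv_curve[i_clean],
        "best_gamma_after": gammas[i_adv],
        "best_h_after": adv_curve[i_adv],
        # True when the drop at the old gamma overstates the damage.
        "spurious": adv_curve[i_adv] > adv_curve[i_clean],
    }

# Constructed scores: classes 0 and 1 are seen, 2 and 3 unseen. Not paper data.
SEEN = {0, 1}
LABELS = [0, 1, 2, 3]
GAMMAS = [0.0, 1.0, 2.0, 3.0]
CLEAN = [[3.0, 1.0, 0.5, 0.2], [1.0, 3.0, 0.4, 0.3],
         [2.0, 0.5, 1.5, 0.3], [0.4, 2.0, 0.2, 1.6]]
# Scores as they might look after a class-level perturbation (constructed).
ATTACKED = [[2.2, 1.0, 0.5, 0.2], [1.0, 3.0, 0.4, 0.3],
            [2.8, 0.5, 1.5, 0.3], [0.4, 2.9, 0.2, 1.6]]

if __name__ == "__main__":
    print(calibration_report(CLEAN, ATTACKED, LABELS, SEEN, GAMMAS))
```

On this constructed data H falls to zero at the clean-optimal gamma, yet re-calibrating recovers a non-zero H, which is the pattern the first contribution calls spurious attack success.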
🛡️ Threat Analysis
Paper proposes adversarial input perturbation attacks (CBEA, CPconA, NCPconA) that cause misclassification in ZSL/GZSL image classifiers at inference time, both at class-level and concept-level — core adversarial example attack research.