Counterfactual explanations and adversarial attacks have a related goal: flipping output labels with minimal perturbations regardless of their characteristics. Yet, adversarial attacks cannot be used directly from a counterfactual explanation perspective, as such perturbations are perceived as noise and not as actionable and understandable image modifications. Building on the robust learning literature, this paper proposes an elegant method to turn adversarial attacks into semantically meaningful perturbations, without modifying the classifiers to explain. The proposed approach hypothesizes that Denoising Diffusion Probabilistic Models are excellent regularizers for avoiding high-frequency and out-of-distribution perturbations when generating adversarial attacks. The paper's key idea is to build attacks through a diffusion model to polish them. This allows studying the target model regardless of its robustification level. Extensive experimentation shows the advantages of our counterfactual explanation approach over the current state of the art in multiple testbeds.