On the Adversarial Robustness of Multi-Kernel Clustering

We sincerely appreciate Reviewer HijP’s thorough and constructive review. We provide point-by-point responses to the raised weaknesses as follows:

---

W1: In Table I, some cases show improved MKC method performance under adversarial conditions. The authors should clarify why this phenomenon occurs.

R1: We appreciate the reviewer’s insightful comments. As noted in Subsection 6.1, to ensure the stealthiness of adversarial attacks, we introduce the hyperparameter $\epsilon$ to constrain the magnitude of injected noise. To ensure its effectiveness, $\epsilon$ is set to a very low value. However, these slight perturbations may lead the victim MKC method to learn more robust representations, resulting in a slight improvement in clustering performance. We will clarify this point in the revision.

W2: In Eq. (16), the authors introduce two hyperparameters to balance three loss terms. However, they do not conduct sensitivity analysis in the evaluation section to demonstrate how these parameters impact the attack performance.

R2: Thank you for the reviewer’s comments. Based on your suggestion, we conduct a sensitivity analysis on the hyperparameters $\alpha$, $\beta$, and $\gamma$ in Eq. (16), which regulate the balance among loss terms. To ensure comparable magnitudes across these terms, we select $\alpha$ from $\lbrace 0.1, 0.2, 0.3, 0.4, 0.5, 0.6\rbrace$, $\beta$ from $\lbrace e^{-5}, e^{-4}, e^{-3} \rbrace$, and $\gamma$ from $\lbrace e^{-5}, 2 e^{-5}, 3 e^{-5}, 4 e^{-5}, 5 e^{-5}, 6 e^{-5}\rbrace$. The analysis is conducted on the MSRCv1 and BBCSport datasets, with results shown in the following eight figures. We conducted a total of 216 evaluations. Due to the limitations of OpenReview.net, we present the evaluations on the following anonymous GitHub repository. For example, as shown in Figure 13, changes in $\alpha$, $\beta$, and $\gamma$ have no significant effect on the MNI metric for the BBCSport dataset. These results suggest that as long as the loss terms remain balanced in magnitude, variations in these parameters have minimal impact on attack performance.

Experimental results are presented at https://anonymous.4open.science/r/AdvMKC-rebuttal-CC14/sensitivity_analysis.png.

W3: Considering this is the first work to assess the adversarial robustness of MKC methods, the authors should release their source code to promote further research.

R3: We appreciate the reviewer’s comments and acknowledge the concern. The code will be released upon the paper’s acceptance.

We sincerely appreciate Reviewer rAQk's thorough and constructive review. We provide point-by-point responses to the raised weaknesses as follows:

---

W1: Although the generator-clusterer framework is claimed to reduce computational costs, prior research has already enhanced multi-view clustering efficiency, and clustering processes typically do not entail significant runtime overhead. It would be beneficial for the authors to report the actual running times of each algorithm to substantiate this claim.

R1: We appreciate the reviewer’s insightful comments. We evaluate the time consumption of AdvMKC compared to two baseline methods under the same experimental settings as in Table 1. The results, presented in the following table, show that AdvMKC requires less time while achieving the highest attack performance among all methods. We conducted a total of 126 evaluations. Due to the rebuttal's space limitations, we provide the evaluations via the following anonymous GitHub link. For example, when attacking the SMKKM MKC method on the MSRCv1 dataset, AdvMKC completes in 640.28 seconds, which is significantly lower than the 1259.92 seconds and 1162.00 seconds required by RAMKC and EAMKC, respectively. We will include these experimental results in the revision.

Experimental results are presented at https://anonymous.4open.science/r/AdvMKC-rebuttal-CC14/running_time.png.

W2: While the effects of parameters such as the selected sample count ($N_d^p$), perturbed view count ($N_k^p$), and perturbation magnitude ($\epsilon$) on attack performance are examined, the loss function in Equation (16), which comprises four terms and three hyper-parameters, lacks a comprehensive sensitivity analysis.

R2: Thank you for the reviewer’s comments. Based on your suggestion, we conduct a sensitivity analysis on the hyperparameters $\alpha$, $\beta$, and $\gamma$ in Eq. (16), which regulate the balance among loss terms. To ensure comparable magnitudes across these terms, we select $\alpha$ from $\lbrace 0.1, 0.2, 0.3, 0.4, 0.5, 0.6 \rbrace$, $\beta$ from $\lbrace e^{-5}, e^{-4}, e^{-3} \rbrace$, and $\gamma$ from $\lbrace e^{-5}, 2 e^{-5}, 3 e^{-5}, 4 e^{-5}, 5 e^{-5}, 6 e^{-5} \rbrace$. The analysis is conducted on the MSRCv1 and BBCSport datasets, with results shown in the following eight figures. We conducted a total of 216 evaluations. Due to the limitations of OpenReview.net, we present the evaluations on the following anonymous GitHub repository. For example, as shown in Figure 13, changes in $\alpha$, $\beta$, and $\gamma$ have no significant effect on the MNI metric for the BBCSport dataset. These results suggest that as long as the loss terms remain balanced in magnitude, variations in these parameters have minimal impact on attack performance.

Experimental results are presented at https://anonymous.4open.science/r/AdvMKC-rebuttal-CC14/sensitivity_analysis.png.

W3: The occurrence of negative values in the ARI metric, as illustrated in Table 2, requires clarification on whether these outcomes are expected.

R3: We appreciate the reviewer’s comments. The ARI can take negative values because it accounts for randomness in clustering assignments. It adjusts the Rand Index by considering the expected similarity between two random clusterings. If the observed clustering is worse than a random assignment, the ARI can be negative. We will include this clarification in the revision.

We sincerely appreciate Reviewer W7KP’s thorough and constructive review. We provide point-by-point weaknesses to the raised questions as follows:

---

W1: The authors do not provide the code. If released, it would enhance reproducibility and be beneficial for the research community.

R1: We appreciate the reviewer’s comments and acknowledge the concern. The code will be released upon the paper’s acceptance.

W2: When evaluating the transferability of adversarial perturbations generated by the proposed method, the authors should clarify the meaning of the surrogate MKC method referenced in Table 3.

R2: Thank you for the reviewer’s insightful comments. In Subsection 6.4, we consider a scenario where frequent queries to the victim MKC method are impractical. To address this, the attacker can utilize an alternative MKC method, referred to as the surrogate MKC method, to approximate the victim MKC method’s functionality. This allows the attacker to optimize the perturbation generator to produce adversarial noise. We will clarify the surrogate MKC method in the revision.

W3: The authors should provide further details on the experimental setup, such as the specific view IDs used in adversarial attacks, given that each dataset comprises multiple data views.

R3: We appreciate the reviewer’s comments. The evaluation details, including datasets, MKC methods, and compared methods, are provided in Appendix C. We conduct evaluations across seven datasets: MSRCv1, BBCSport, Caltech101-7, HW-6Views, Citeseer, NUS-WIDE-SCENE, and ProteinFold. To ensure a balanced evaluation, we select data views with low dimensionality and limit the total number of perturbed views to less than 50%. Specifically, for the MSRCv1 dataset, we perturb the first and fourth views, while for BBCSport and Citeseer, only the first view is perturbed. In the ProteinFold dataset, we perturb the first, second, third, and fourth views, whereas, in Caltech101-7, only the first and second views are affected. For HW-6Views, the perturbation is applied to the third and fourth views, and for NUS-WIDE-SCENE, the second and fifth views are perturbed. Additional details can be found in Table 4. We will further clarify this information and provide additional evaluation details in the revision.

W4: In figures such as Figure 2 and Figure 3, the ACC metric curve is not clearly presented. However, in certain figures, such as Figure 10, it is clear that the four lines represent four distinct metrics. The authors should address this issue and provide clarification.

R4: Thank you for the reviewer’s insightful comments. As shown in Tables 3 and 4, the accuracy and purity metrics coincide in some cases. Since clustering is an unsupervised task, both metrics rely on the best possible label assignment. The accuracy metric determines the optimal one-to-one mapping between cluster IDs and ground truth labels using the Hungarian algorithm [1], whereas the purity metric assigns each cluster to the most frequent ground truth label. When clusters closely align with single ground truth classes (i.e., each cluster predominantly contains data points from one class), both metrics yield identical values. In such cases, the best mapping in Hungarian accuracy and the dominant-class assignment in purity produce the same results. We will include further explanations in the revision.

[1] Kuhn et al. The Hungarian Method for the Assignment Problem. 1955.

We sincerely appreciate Reviewer yajj’s thorough and constructive review. We provide point-by-point responses to the raised weaknesses as follows:

---

W1: This paper assumes the victim MKC method operates as a black box with no direct access. Given this realistic constraint, where frequent queries are not feasible, how does the proposed attack function effectively in such a scenario?

R1: We appreciate the reviewer’s insightful comments. Conducting attacks on multi-view clustering requires extensive queries to the victim MKC method, resulting in high resource consumption. To mitigate this, we propose two countermeasures:

1. We design a clusterer that emulates MKC behavior. During attacks, this clusterer provides rewards, eliminating the need to query the victim black-box MKC method. As demonstrated in Appendix D, AdvMKC achieves the highest attack performance with the same number of victim MKC queries.
2. When querying the victim MKC method is excessively costly, we propose an alternative approach: querying a surrogate MKC method under the attacker's control. As shown in Table 3, optimizing the generator using the surrogate MKC method enables the crafted perturbations to effectively mislead the victim MKC method.

We will clarify this issue in the revision.

W2: Figures 11–14 show that as the number of clustering operations increases, AdvMKC outperforms the two baseline methods in attack effectiveness. However, in some cases, AdvMKC does not achieve the best performance during the initial attack phase. The authors should provide clarification on these observations.

R2: We appreciate the reviewer’s comments. The performance difference stems from the distinct generation methods used in AdvMKC compared to the other two approaches. As shown in Appendix C, RAMKC injects Gaussian noise into the original data, while EAMKC optimizes the mean and variance of noise distributions using the LM-CMA strategy and a reward function. In contrast, AdvMKC employs a neural network to generate perturbations. Due to the initial parameter settings, the perturbation magnitude may be small at the beginning, limiting AdvMKC’s performance in the early attack phase. However, once the memory buffer $\mathcal{B}$ is filled, the attacker can optimize the generator’s parameters, resulting in improved attack performance. We will address this concern in the revision.