Robust Optimization for Adversarial Learning with Finite Sample Complexity Guarantees

Proposing a novel adversarial training method inspired by SVM margins to enhance robustness in classifiers.

The content discusses decision making and learning under uncertainty, focusing on adversarial attacks. It introduces a novel adversarial training method for robust classifiers inspired by SVM margins. The paper derives finite sample complexity bounds for linear and non-linear classifiers in binary and multi-class scenarios. The proposed algorithm minimizes worst-case surrogate loss using LP and SOCP for linear and non-linear models. Numerical experiments on MNIST and CIFAR10 datasets show comparable performance to state-of-the-art methods without needing adversarial examples during training. The introduction highlights the importance of robust solutions due to adversaries manipulating data, leading to the need for further research in unifying attacks and defense mechanisms through robust optimization frameworks. The relationship between robust optimization and adversarial machine learning is explored, emphasizing the probabilistic framework balancing average and worst-case scenarios. Methodology and contributions include establishing sample complexity bounds within a PAC-learning framework, introducing data-driven optimization-based adversarial training procedures, and validating the approach on benchmark datasets. Related work is discussed, showcasing how sample complexity bounds match existing literature without assuming adversary tampering per input. Learning in the presence of an adversary is detailed, along with considerations of adversarial attacks after learning involving common modeling assumptions. Proposed approaches focus on margin-inspired adversarial training for binary classifiers, considering confidence margins for accurate classification. Sample complexity bounds are provided for binary classifiers, linear binary classifiers with bounded inputs, kernel-based non-linear binary classifiers, and multi-class classifiers. Classifier computation methods are discussed using linear programming formulation for linear binary classifiers and second-order cone programming formulation for kernel-based binary classifiers. Numerical experiments evaluate the proposed methodology's performance on MNIST and CIFAR10 datasets, showcasing competitive accuracy even under challenging scenarios like distinguishing between airplane/dog or cat/dog pairs. Robustness measurement using RoMA procedure demonstrates comparable robustness between margin-based training methods and conventional ones against various adversaries.

Notably, linear classifiers’ sample complexity scales as m ∼O( 1 ϵ2 log 2 δ ). Our algorithm minimizes a worst-case surrogate loss using Linear Programming (LP) and Second Order Cone Programming (SOCP) for linear and non-linear models. Numerical experiments on the benchmark MNIST and CIFAR10 datasets show our approach’s comparable performance to state-of-the-art methods. For any γ > 1and r > 0, with probability at least 1 −δ , Rζ rob h ≤1 m X i=1 ϕ2 ζ(yi · h(xi)) + 2γ ζ Rm(H) + s log logγ γr ζ m + s log 2 δ 2m .

"Our work offers a comprehensive framework for enhancing binary linear and non-linear classifier robustness." "Recent studies have introduced a probabilistic framework that effectively balances average and worst-case scenarios."