Rademacher Complexity for Adversarially Robust Generalization Supplementary Material

A recent line of work analyzes the convergence and generalization problems in distributional robust optimization (DRO) [5, 14, 19]. The notion of DRO differs from ours, since DRO considers the setting where the distribution of the input data is being perturbed, while we consider perturbations in the feature space. Farnia et al. [6] study the generalization problem when the attack algorithm of the adversary is provided to the learner, which is also a weaker notion than our problem. A few other lines of work have attempted a theoretical analysis of adversarial examples. Wang et al. [21] analyze the adversarial robustness of the nearest-neighbors estimator. Papernot et al. [17] try to demonstrate the unavoidable trade-off between accuracy in the natural setting and resilience to adversarial attacks, and this trade-off is further studied by Tsipras et al. [20] through some constructive examples of distributions. Fawzi et al. [7] analyze the adversarial robustness of fixed classifiers, in contrast to our generalization analysis. Fawzi et al. [8] construct examples of distributions with a large latent variable space such that adversarially robust classifiers do not exist; here we argue that these examples may not explain the fact that adversarially perturbed images can usually be recognized by humans. Bubeck et al. [3] try to explain the hardness of learning an adversarially robust model from computational constraints under the statistical query model. Another recent line of work explains the existence of adversarial examples via high-dimensional geometry and concentration of measure [9, 4, 15]. These works provide examples where adversarial examples provably exist as long as the test error of a classifier is non-zero. Our results show that adding ℓ₁ constraints on the weights of neural networks can improve the generalization gap in the adversarial setting. This is consistent with some recent works which show that sparsified neural networks may improve adversarial robustness [11, 10]. In earlier work, Bagnell proposed a concept of robust supervised learning [1]; robust optimization has been studied in Lasso [23] and SVM [24] problems. Xu and Mannor [22] make the connection between algorithmic robustness and the generalization property in the natural setting, whereas our work focuses on generalization in the adversarial setting.

[1] David Tse et al. Generalizable Adversarial Training via Spectral Normalization, 2018, ICLR.

[2] Saeed Mahloujifar et al. The Curse of Concentration in Robust Learning: Evasion and Poisoning Attacks from Concentration of Measure, 2018, AAAI.

[3] Aleksander Madry et al. Robustness May Be at Odds with Accuracy, 2018, ICLR.

[4] Ilya P. Razenshteyn et al. Adversarial examples from computational constraints, 2018, ICML.

[5] Upamanyu Madhow et al. Toward Robust Neural Networks via Sparsification, 2018, arXiv.

[6] Changshui Zhang et al. Sparse DNNs with Improved Adversarial Robustness, 2018, NeurIPS.

[7] Elvis Dohmatob et al. Limitations of adversarial robustness: strong No Free Lunch Theorem, 2018, arXiv.

[8] Hamza Fawzi et al. Adversarial vulnerability for any classifier, 2018, NeurIPS.

[9] Aditi Raghunathan et al. Certified Defenses against Adversarial Examples, 2018, ICLR.

[10] John C. Duchi et al. Certifying Some Distributional Robustness with Principled Adversarial Training, 2017, ICLR.

[11] Somesh Jha et al. Analyzing the Robustness of Nearest Neighbors to Adversarial Examples, 2017, ICML.

[12] Jaeho Lee et al. Minimax Statistical Learning with Wasserstein distances, 2017, NeurIPS.

[13] Matus Telgarsky et al. Spectrally-normalized margin bounds for neural networks, 2017, NIPS.

[14] Michael P. Wellman et al. Towards the Science of Security and Privacy in Machine Learning, 2016, arXiv.

[15] Seyed-Mohsen Moosavi-Dezfooli et al. Robustness of classifiers: from adversarial to random noise, 2016, NIPS.

[16] David Tse et al. A Minimax Approach to Supervised Learning, 2016, NIPS.

[17] M. Mohri et al. Rademacher Complexity Margin Bounds for Learning with a Large Number of Classes, 2015.

[18] Ameet Talwalkar et al. Foundations of Machine Learning, 2012, Adaptive Computation and Machine Learning.

[19] Shie Mannor et al. Robustness and generalization, 2010, Machine Learning.

[20] Shie Mannor et al. Robust Regression and Lasso, 2008, IEEE Transactions on Information Theory.

[21] Shie Mannor et al. Robustness and Regularization of Support Vector Machines, 2008, J. Mach. Learn. Res.

[22] J. Andrew Bagnell et al. Robust Supervised Learning, 2005, AAAI.

[23] M. Talagrand et al. Probability in Banach Spaces: Isoperimetry and Processes, 1991.