Abstract.

We propose a general approach to evaluating the performance of robust estimators based on adversarial losses under misspecified models. We first show that adversarial risk is equivalent to the risk induced by a distributional adversarial attack under certain smoothness conditions. This ensures that the adversarial training procedure is well-defined. To evaluate the generalization performance of the adversarial estimator, we study the adversarial excess risk. Our proposed analysis method includes investigations of both generalization error and approximation error. We then establish nonasymptotic upper bounds for the adversarial excess risk associated with Lipschitz loss functions. In addition, we apply our general results to adversarial training for classification and regression problems. For the quadratic loss in nonparametric regression, we show that the adversarial excess risk bound can be improved over that for a general loss.
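As an added illustration, not code from the paper (whose definitions and theorems are in the full text), the Python block below makes the objects named in the abstract concrete for the simplest case: a linear model f(x) = a·x + b, the quadratic loss, and an adversary that may move each input by at most ε (an interval in one dimension, standing in for the ℓ∞ ball). The data-generating process y = 2x + x³ + noise, the budget ε = 0.2, the sample sizes and all function names are assumptions of this example. The adversarial risk is the expected worst-case loss over the perturbation set; for this model the worst case has a closed form (verified against a brute-force scan), the per-point worst perturbation x ↦ x + ε·sign(a·r) defines the pushforward distribution that the abstract's "distributional adversarial attack" refers to, and adversarial training is gradient descent on the empirical adversarial risk. Because the linear class cannot represent the cubic term, the model is misspecified by design.

```python
"""Adversarial risk of a linear estimator under a misspecified model (added illustration)."""
import random

EPS = 0.2  # perturbation budget; an assumed value chosen for illustration


def make_data(n, seed):
    """Constructed sample: x ~ Uniform[-1, 1], y = 2x + x^3 + N(0, 0.1^2) noise.
    The hypothesis class below is f(x) = a*x + b, which cannot represent the x^3
    term, so the model is misspecified by design."""
    rng = random.Random(seed)
    xs, ys = [], []
    for _ in range(n):
        x = rng.uniform(-1.0, 1.0)
        xs.append(x)
        ys.append(2.0 * x + x ** 3 + rng.gauss(0.0, 0.1))
    return xs, ys


def adversarial_quadratic_loss(a, b, x, y, eps):
    """Worst-case quadratic loss over the perturbation interval |delta| <= eps:
        sup_delta (a*(x + delta) + b - y)^2 = (|r| + eps*|a|)^2,  r = a*x + b - y.
    The supremum is attained at delta = eps*sign(a*r), the perturbation that pushes
    the prediction further from y. With eps = 0 this is the ordinary loss."""
    r = a * x + b - y
    return (abs(r) + eps * abs(a)) ** 2


def worst_case_by_grid(a, b, x, y, eps, points=401):
    """Brute-force check of the closed form: scan delta over [-eps, eps]."""
    best = 0.0
    for i in range(points):
        delta = -eps + 2.0 * eps * i / (points - 1)
        best = max(best, (a * (x + delta) + b - y) ** 2)
    return best


def empirical_risk(a, b, xs, ys, eps):
    """Empirical adversarial risk (eps > 0) or empirical clean risk (eps = 0)."""
    return sum(adversarial_quadratic_loss(a, b, x, y, eps)
               for x, y in zip(xs, ys)) / len(xs)


def _sign(v):
    return (v > 0) - (v < 0)


def fit_linear(xs, ys, eps, steps=2000, lr=0.05):
    """Adversarial training: subgradient descent on the empirical adversarial risk.
    The objective (|r| + eps*|a|)^2 is convex in (a, b), so plain gradient descent
    converges; eps = 0 recovers ordinary least squares."""
    a, b = 0.0, 0.0
    n = len(xs)
    for _ in range(steps):
        ga = gb = 0.0
        for x, y in zip(xs, ys):
            r = a * x + b - y
            m = abs(r) + eps * abs(a)
            ga += 2.0 * m * (_sign(r) * x + eps * _sign(a))
            gb += 2.0 * m * _sign(r)
        a -= lr * ga / n
        b -= lr * gb / n
    return a, b


def compare(seed=1, eps=EPS, n_train=200, n_test=2000):
    """Fit the standard (eps = 0) and adversarial estimators on one training sample
    and report clean and adversarial risk on the training and a held-out sample."""
    xs, ys = make_data(n_train, seed)
    xt, yt = make_data(n_test, seed + 1)
    out = {}
    for name, train_eps in (("std", 0.0), ("adv", eps)):
        a, b = fit_linear(xs, ys, train_eps)
        out[name] = {
            "a": a, "b": b,
            "train_clean": empirical_risk(a, b, xs, ys, 0.0),
            "train_adv": empirical_risk(a, b, xs, ys, eps),
            "test_clean": empirical_risk(a, b, xt, yt, 0.0),
            "test_adv": empirical_risk(a, b, xt, yt, eps),
        }
    return out


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name}: a={r['a']:.3f} b={r['b']:.3f} "
              f"train clean={r['train_clean']:.4f} adv={r['train_adv']:.4f} | "
              f"test clean={r['test_clean']:.4f} adv={r['test_adv']:.4f}")
```

Running the block prints both estimators' risks: the least-squares estimator has the lower clean risk and the adversarially trained one the lower adversarial risk, which is the robustness/accuracy trade-off the abstract's setting formalizes. Loosely, the gap between training and held-out adversarial risk is the generalization part of the excess risk, while the adversarial risk that even the best linear fit retains under the cubic truth is the misspecification price that the paper's approximation-error term accounts for.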

Keywords

  1. adversarial attack
  2. approximation error
  3. generalization
  4. misspecified model
  5. robustness

MSC codes

  1. 62G05
  2. 62G35
  3. 68T07

Acknowledgments.

We are grateful to the AE and two anonymous reviewers for their constructive comments that helped improve the quality of the paper.

Supplementary Materials

PLEASE NOTE: These supplementary files have not been peer-reviewed.
Index of Supplementary Materials
Title of paper: Nonasymptotic Bounds for Adversarial Excess Risk under Misspecified Models
Authors: Changyu Liu, Yuling Jiao, Junhui Wang and Jian Huang
File: supplement.pdf
Type: PDF
Contents: Proofs

Published In

SIAM Journal on Mathematics of Data Science
Pages: 847 - 868
ISSN (online): 2577-0187

History

Submitted: 1 September 2023
Accepted: 22 April 2024
Published online: 1 October 2024

Authors

Affiliations

Changyu Liu
Department of Statistics, The Chinese University of Hong Kong, Hong Kong SAR, China.
Yuling Jiao
School of Mathematics and Statistics, and Hubei Key Laboratory of Computational Science, Wuhan University, Wuhan 430072, China.
Junhui Wang
Department of Statistics, The Chinese University of Hong Kong, Hong Kong SAR, China.
Department of Applied Mathematics, The Hong Kong Polytechnic University, Hong Kong SAR, China.

Funding Information

HK RGC: GRF-14306523
CUHK: 4937091
Funding: The work of the second author was supported by the National Natural Science Foundation of China (grant 12371441), by the Fundamental Research Funds for the Central Universities, and by the research fund of KLATASDSMOE of China. The work of the third author was supported in part by HK RGC GRF-14306523 and CUHK Startup Grant 4937091. The work of the fourth author was supported by the National Natural Science Foundation of China (grant 72331005) and research grants from The Hong Kong Polytechnic University.