On the adversarial robustness of robust estimators

TL;DR

This paper analyzes the adversarial robustness of estimators by introducing an adversarial influence function, characterizing optimal attack strategies, and designing estimators that balance robustness against adversarial attacks and outliers.

Contribution

It introduces the adversarial influence function (AIF), characterizes optimal adversarial attacks, and designs estimators that optimize robustness tradeoffs.

Findings

AIF quantifies estimator sensitivity to adversarial attacks.

Optimal estimators minimize AIF, enhancing robustness.

Tradeoff identified between AIF and classical influence function.

Abstract

Motivated by recent data analytics applications, we study the adversarial robustness of robust estimators. Instead of assuming that only a fraction of the data points are outliers as considered in the classic robust estimation setup, in this paper, we consider an adversarial setup in which an attacker can observe the whole dataset and can modify all data samples in an adversarial manner so as to maximize the estimation error caused by his attack. We characterize the attacker's optimal attack strategy, and further introduce adversarial influence function (AIF) to quantify an estimator's sensitivity to such adversarial attacks. We provide an approach to characterize AIF for any given robust estimator, and then design optimal estimator that minimizes AIF, which implies it is least sensitive to adversarial attacks and hence is most robust against adversarial attacks. From this characterization, we identify a tradeoff between AIF (i.e., robustness against adversarial attack) and influence function, a quantity used in classic robust estimators to measure robustness against outliers, and design estimators that strike a desirable tradeoff between these two quantities.