Generalized No Free Lunch Theorem for Adversarial Robustness

TL;DR

This paper establishes a generalized impossibility result for adversarial robustness in machine learning, showing that under certain distributional conditions, classifiers can be easily fooled with small perturbations, extending previous no-free-lunch results.

Contribution

It introduces a broad no-free-lunch theorem for adversarial robustness based on transportation inequalities, unifying and extending prior impossibility results.

Findings

Adversarial fooling probability approaches one under certain distributional conditions.

Theoretical bounds are validated on MNIST and simulated data.

The results apply to distributions satisfying the $W_2$ Talagrand inequality.

Abstract

This manuscript presents some new impossibility results on adversarial robustness in machine learning, a very important yet largely open problem. We show that if conditioned on a class label the data distribution satisfies the $W_2$ Talagrand transportation-cost inequality (for example, this condition is satisfied if the conditional distribution has density which is log-concave; is the uniform measure on a compact Riemannian manifold with positive Ricci curvature, any classifier can be adversarially fooled with high probability once the perturbations are slightly greater than the natural noise level in the problem. We call this result The Strong "No Free Lunch" Theorem as some recent results (Tsipras et al. 2018, Fawzi et al. 2018, etc.) on the subject can be immediately recovered as very particular cases. Our theoretical bounds are demonstrated on both simulated and real data (MNIST). We conclude the manuscript with some speculation on possible future research directions.