A Fundamental Performance Limitation for Adversarial Classification
Abed AlRahman Al Makdah, Vaibhav Katewa, and Fabio Pasqualetti

TL;DR
This paper proves a fundamental tradeoff in adversarial classification, showing that optimizing accuracy inherently increases sensitivity to data manipulation, and this tradeoff is dictated solely by data statistics, not algorithm tuning.
Contribution
It establishes a formal, fundamental limit on the accuracy-sensitivity tradeoff in adversarial classification, independent of specific algorithm choices.
Findings
Accuracy-sensitivity tradeoff is unavoidable in adversarial settings.
The tradeoff depends only on data statistics, not on algorithm complexity.
Tuning algorithms cannot surpass this fundamental limit.
Table I
| Classifier | Boundary 1 | Boundary 2 | Nominal sensitivity | Nominal accuracy | Average accuracy, adversarial scenario 1 | Average accuracy, adversarial scenario 2 |
| First classifier (red point in Fig. 2(a)) | 3.65 | 18.78 | 0.0334 | 0.7891 | 0.6857 | 0.6808 |
| Second classifier (green point in Fig. 2(a)) | 1.83 | 20.60 | 0.0201 | 0.7766 | 0.6947 | 0.6939 |
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Machine Learning and Data Classification
A Fundamental Performance Limitation for Adversarial Classification
Abed AlRahman Al Makdah, Vaibhav Katewa, and Fabio Pasqualetti
This work was supported in part by ARO award 71603NSYIP. The authors are with the Departments of Electrical and Computer Engineering and Mechanical Engineering at the University of California, Riverside, {abedam, vkatewa, fabiopas}@engr.ucr.edu.
Abstract
Despite the widespread use of machine learning algorithms to solve problems of technological, economic, and social relevance, provable guarantees on the performance of these data-driven algorithms are critically lacking, especially when the data originates from unreliable sources and is transmitted over unprotected and easily accessible channels. In this paper we take an important step to bridge this gap and formally show that, in a quest to optimize their accuracy, binary classification algorithms – including those based on machine-learning techniques – inevitably become more sensitive to adversarial manipulation of the data. Further, for a given class of algorithms with the same complexity (i.e., number of classification boundaries), the fundamental tradeoff curve between accuracy and sensitivity depends solely on the statistics of the data, and cannot be improved by tuning the algorithm.
I Introduction
Artificial intelligence and machine learning algorithms, including neural networks, are used widely in technological, social and economic applications, such as computer vision [1, 2], speech recognition [3, 4], and malware detection [5]. While these algorithms typically achieve high performance under nominal and well-modeled conditions, they are also very sensitive to small, targeted, and possibly malicious manipulations of the training and execution data [6]. The reasons for this unreliable behavior are still largely unknown, thus motivating the critical need for novel theories and tools to deploy robust, reliable, and safe data-driven algorithms.
In this paper we formally reveal a fundamental and previously unknown tradeoff between the accuracy of a binary classification algorithm and its sensitivity to arbitrary manipulation of the data. In particular, we cast a binary classification problem into a hypothesis testing framework, parametrize classification algorithms – including those based on machine learning techniques – using their decision boundaries, and show that the accuracy of the algorithm can be maximized only at the expense of its sensitivity. This tradeoff, which applies to general classification algorithms, depends on the statistics of the data, and cannot be improved by simply tuning the algorithm. Our theory explains quantitatively how simple algorithms can outperform more complex implementations when operating in adversarial environments.
Related work: Recent work has shown that classification based on neural networks is vulnerable to adversarial perturbations [6, 7], and that these perturbations are universal and affect a large number of classification algorithms. While heuristic explanations of this phenomenon and heuristic techniques have been proposed, including adversarial learning [7, 8, 9, 10, 11, 12], black-box [8], and gradient-based [7, 9] approaches, a fundamental analytical understanding of the limitations of classification algorithms under adversarial perturbations is critically lacking. We identify these limitations for a binary classification problem in a Bayesian setting. Although the setting is simple, our analysis formally shows that a fundamental tradeoff exists between the accuracy and the sensitivity of any classification algorithm, independently of the complexity of the algorithm. Also related to this study are [10, 13, 14], which derive methods to measure the robustness of different classifiers against adversarial perturbations and obtain guarantees against bounded perturbations, as well as [11], which shows how adversarial training improves the classifier’s performance against adversarial perturbations while deteriorating its performance under nominal conditions. Our approach provides rigorous mathematical support to the empirical evidence obtained in these works.
Contribution: This paper features three main contributions. First, we propose metrics to quantify the accuracy of a classification algorithm and its sensitivity to arbitrary manipulation of the data. We prove that, under a set of mild technical assumptions, the accuracy of a classification algorithm can only be maximized at the expense of its sensitivity. Thus, a fundamental tradeoff exists between the performance of a classification algorithm in nominal and adversarial settings. While our results formally apply to binary classification problems, we conjecture that this fundamental tradeoff in fact applies to more general classification problems. Second, we show that a tradeoff between accuracy and sensitivity exists for different classes of classification algorithms, and that simpler algorithms can sometimes outperform more complex ones in adversarial settings. Third, for a fixed complexity of the classification algorithm, we numerically show that the accuracy versus robustness tradeoff depends solely on the statistics of the data, and cannot be arbitrarily improved by tuning the classification algorithm, including using sophisticated adversarial learning techniques. Taken together, our results suggest that the performance and robustness of data-driven algorithms are dictated by the properties of the data, and not by the sophistication or intelligence of the algorithm.
II Problem setup and preliminary notions
To reveal a fundamental tradeoff between the accuracy of a classification algorithm and its robustness against malicious data manipulation, we consider a binary classification problem where the objective is to decide whether a scalar observation belongs to one of the classes and . We assume that the distribution of the observations satisfies
[TABLE]
where and are arbitrary, yet known, probability density functions with parameters and , respectively. We assume that the partial derivatives of with respect to and exist and are continuous over the domain of the distributions, for . Let and denote the prior probabilities of the observations belonging to the classes and , respectively. Different (machine learning) algorithms can be used to solve the above binary classification problem. Yet, because of the binary nature of the problem, any classification algorithm can be represented by a suitable partition of the real line, and it can be written as
[TABLE]
where denotes a set of boundary points (see footnote 1), with , , , and
[TABLE]
We refer to (2) as the general classifier. We measure the performance of a classification algorithm through its accuracy, that is, its probability of making a correct classification.
Footnote 1: For simplicity and without affecting generality, we assume that is even. Further, an alternative configuration of the classifier (2) assigns and to and , respectively. However, because the accuracy and sensitivity of the two configurations can be obtained from each other, we consider only the configuration in (2) without affecting the generality of our analysis.
Definition 1 (Accuracy of a classifier)
The accuracy of the classification algorithm is
[TABLE]
where contains the distribution parameters.
Using Equation (3) and the distributions in (1), we obtain
[TABLE]
Clearly, the accuracy of a classification algorithm depends on the position of its boundaries, which can be selected to maximize the accuracy of the classification algorithm. To this aim, let denote the Likelihood Ratio defined as
[TABLE]
The Maximum Likelihood (ML) classifier is
[TABLE]
where the threshold is a design parameter that determines the boundary points and, thus, the accuracy of the classifier. As a known result in statistical hypothesis testing [15], the accuracy of the ML classifier with is the largest among all possible classifiers. The value and the number of boundary points of the ML classifier depend on the distributions and , the threshold , and the prior probabilities through the equation
[TABLE]
Another important class of classifiers is the class of linear classifiers, which are less complex and often achieve a competitive performance compared to nonlinear classifiers (see [16] for more details). In our setting, a linear classifier consists of one decision boundary , and is given by
[TABLE]
Following Definition 1, the accuracy of is
[TABLE]
The optimal boundary that maximizes is
[TABLE]
While the boundaries are difficult to compute for general distributions, they can be computed explicitly when the observations are Gaussian (see below). Let be the p.d.f. of a normal random variable with mean and variance , and the c.d.f. of the standard normal distribution.
Remark 1 (ML and linear classifiers for Gaussian distributions)
For the Gaussian distributions , , the boundaries of the ML classifier satisfy
[TABLE]
Equation (10) has at most two real solutions, implying that the ML classifier has at most two decision boundaries (see Fig. 1). The ML classifier with boundaries corresponding to the solutions of (10) with has maximum accuracy [15]. The solution of (10) which maximizes the accuracy in (8) is the boundary for the optimal linear classifier.
To characterize the robustness of a classifier to adversarial manipulation of the observations, we define the following sensitivity metric, which captures the degradation of the classification accuracy following data manipulation. Note that, by manipulating the observations, the adversary effectively changes the parameters of the distributions in (1).
Definition 2 (Sensitivity of a classifier)
The sensitivity of the classification algorithm (see footnote 2) is
[TABLE]
where contains the parameters of the distributions in (1), and denotes the accuracy of .
Footnote 2: Definition 2 is also valid for the ML and the linear classifier.
From Definition 2, a higher value of sensitivity implies that the adversary can affect the classifier’s performance to a larger extent, whereas a lower sensitivity implies that the classifier is more robust to adversarial manipulation. Further, the norm captures the worst case scenario in terms of the largest sensitivity with respect to the components of .
Remark 2 (Accuracy and sensitivity of the ML classifier for Gaussian distributions)
The accuracy and the sensitivity of the ML classifier are obtained by substituting the expression of the normal distributions in (3) and (11):
[TABLE]
where and .
A classification algorithm should be designed to have high accuracy and low sensitivity, so as to exhibit robust satisfactory performance in the face of adversarial manipulation. Unfortunately, in this paper we show that accuracy and sensitivity are directly related, so that optimizing the accuracy of a classifier inevitably also increases its sensitivity.
III A fundamental tradeoff between accuracy and sensitivity of classification algorithms
In this section, we characterize the tradeoff between accuracy and sensitivity of a classification algorithm for a given binary classification problem as described in (1). In particular, we prove that, under some mild conditions, there exists a classifier that is less accurate than , yet more robust to adversarial manipulation of the observations. This shows that there exists a tradeoff between accuracy and sensitivity at the maximum accuracy configuration.
Let be the vector of the boundaries of , which maximizes . Let be the component of . We make the following assumptions:
- A1:
The vector $\frac{\partial \mathcal{A}(y;\theta)}{\partial \theta}\big|_{y^{*}}$ has a unique largest absolute element, located at index .
- A2:
There exists at least one boundary such that
[TABLE]
Assumption A1 is specific to our definition of sensitivity in (11), and is not required if the norm is used (see Remark 4). Further, A2 is mild and typically satisfied in most problems.
Theorem III.1 (Accuracy vs. sensitivity tradeoff for classifier (2))
Let contain the boundaries of the classifier . Then, under Assumptions A1 and A2, it holds
[TABLE]
Proof:
Assumption A1 guarantees that sensitivity is differentiable with respect to at . Let $g(y;\theta) \triangleq \frac{\partial \mathcal{A}(y;\theta)}{\partial y}$. Since maximizes , we have $g(y^{*};\theta) = 0$. Differentiating $g(y^{*};\theta)$ with respect to , and noting that depends on , we get:
[TABLE]
where the last equation follows by substituting $g(y;\theta) = \frac{\partial \mathcal{A}(y;\theta)}{\partial y}$ and switching the order of partial differentiation. Using (11), it can be easily observed that the left side of (III) equals $\pm \frac{\partial \mathcal{S}(y;\theta)}{\partial y}\big|_{y^{*}}$. Further, differentiating (4) twice, we get , where
[TABLE]
Assumption A2 guarantees that there exists a boundary such that . The result follows from (III). ∎
Theorem III.1 implies that the sensitivity of the classifier can be decreased by modifying the boundaries . Yet, because exhibits the largest classification accuracy among all classifiers, the reduction of sensitivity inevitably decreases the accuracy of classification. In other words, for any classification problem (1) satisfying Assumptions A1 and A2 and for any classification algorithm (2), there exists an arbitrarily small such that (see footnote 3)
[TABLE]
This result also implies that the robustness of a classification algorithm to adversarial manipulation of the data can be increased only at the expense of its accuracy of classification. Thus, a fundamental tradeoff exists between the accuracy of a classifier and its robustness to adversarial manipulation.
Footnote 3: The inequality for accuracy is strict for most distributions.
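The quantities of Section II and the claim of Theorem III.1 can be checked numerically for two Gaussian classes. The following Python is an added example, not code from the paper: it computes the accuracy of Definition 1 for a classifier of the form (2) (sorted boundary points with alternating class labels), the sensitivity of Definition 2 as the infinity-norm of the accuracy gradient with the boundaries held fixed (by central finite differences), and the ML boundaries of Remark 1 by solving the quadratic obtained from the log likelihood ratio. It then shows that, starting from the accuracy-maximising boundaries, a small move of one boundary lowers the sensitivity and, because those boundaries maximise accuracy, lowers the accuracy too. The means, standard deviations, priors and the step size are constructed values; the function and variable names are this example's own.

```python
"""Added example (not from the paper): accuracy, sensitivity and the
tradeoff of Theorem III.1 for two Gaussian classes, in pure Python."""
import math


def Phi(z):
    """Standard normal c.d.f. (math.erf handles +/-inf correctly)."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def accuracy(bounds, theta, left_is_class1, p1=0.5):
    """Accuracy (Definition 1) of a classifier of the form (2): the decision
    regions are the intervals cut by the sorted boundary points `bounds`;
    the leftmost interval is labelled class 1 iff `left_is_class1`, and the
    labels alternate from interval to interval. theta = (mu1, s1, mu2, s2)."""
    mu1, s1, mu2, s2 = theta
    edges = [-math.inf] + sorted(bounds) + [math.inf]
    acc, label1 = 0.0, left_is_class1
    for lo, hi in zip(edges[:-1], edges[1:]):
        if label1:  # probability mass of class 1 falling in a class-1 interval
            acc += p1 * (Phi((hi - mu1) / s1) - Phi((lo - mu1) / s1))
        else:       # probability mass of class 2 falling in a class-2 interval
            acc += (1.0 - p1) * (Phi((hi - mu2) / s2) - Phi((lo - mu2) / s2))
        label1 = not label1
    return acc


def sensitivity(bounds, theta, left_is_class1, p1=0.5, h=1e-5):
    """Definition 2: infinity-norm of dA/dtheta with the boundaries held
    fixed, by central finite differences one parameter at a time."""
    grad = []
    for i in range(len(theta)):
        up, dn = list(theta), list(theta)
        up[i] += h
        dn[i] -= h
        grad.append((accuracy(bounds, up, left_is_class1, p1)
                     - accuracy(bounds, dn, left_is_class1, p1)) / (2.0 * h))
    return max(abs(g) for g in grad)


def ml_boundaries(theta, eta):
    """Points where the likelihood ratio f1(x)/f2(x) equals eta (Remark 1).
    Taking logs gives a quadratic in x. Returns (boundaries, left_is_class1);
    eta = p2/p1 is the accuracy-maximising threshold."""
    mu1, s1, mu2, s2 = theta
    k = math.log(eta * s1 / s2)
    a = s1 ** 2 - s2 ** 2
    b = 2.0 * (s2 ** 2 * mu1 - s1 ** 2 * mu2)
    c = s1 ** 2 * mu2 ** 2 - s2 ** 2 * mu1 ** 2 - 2.0 * s1 ** 2 * s2 ** 2 * k
    if abs(a) < 1e-12:                       # equal variances: one boundary
        if abs(b) < 1e-12:
            raise ValueError("identical distributions: no boundary")
        return [-c / b], mu1 < mu2           # class 1 lies on the side of mu1
    disc = b * b - 4.0 * a * c
    if disc < 0:
        raise ValueError("no real boundary for this eta")
    r1 = (-b - math.sqrt(disc)) / (2.0 * a)
    r2 = (-b + math.sqrt(disc)) / (2.0 * a)
    # s1 < s2: f1/f2 >= eta between the roots, so the outer intervals are class 2
    return sorted([r1, r2]), s1 > s2


def tradeoff_at_optimum(theta=(0.0, 1.0, 1.0, 2.5), p1=0.5, eps=0.05):
    """Theorem III.1, numerically: at the accuracy-maximising boundaries y*
    some single-boundary move of size eps lowers the sensitivity; since y*
    maximises accuracy, that move also lowers the accuracy."""
    y_star, left1 = ml_boundaries(theta, eta=(1.0 - p1) / p1)
    a_star = accuracy(y_star, theta, left1, p1)
    s_star = sensitivity(y_star, theta, left1, p1)
    best = None
    for i in range(len(y_star)):
        for sign in (-1.0, 1.0):
            y = list(y_star)
            y[i] += sign * eps
            a, s = accuracy(y, theta, left1, p1), sensitivity(y, theta, left1, p1)
            if s < s_star and (best is None or s < best["sens"]):
                best = {"bounds": y, "acc": a, "sens": s}
    return {"bounds": y_star, "acc": a_star, "sens": s_star, "less_sensitive": best}


if __name__ == "__main__":
    r = tradeoff_at_optimum()
    print("ML boundaries y* = %s  accuracy = %.4f  sensitivity = %.4f"
          % ([round(v, 3) for v in r["bounds"]], r["acc"], r["sens"]))
    m = r["less_sensitive"]
    print("moved boundaries  = %s  accuracy = %.4f  sensitivity = %.4f"
          % ([round(v, 3) for v in m["bounds"]], m["acc"], m["sens"]))
```

With the constructed parameters the class-1 distribution is narrower, so the ML classifier has two boundaries and decides class 1 between them. Sensitivity is evaluated with the boundaries fixed, which is what Definition 2 measures: the classifier is designed on the nominal parameters and the adversary then changes them. For the step used here the accuracy loss is of second order in eps while the sensitivity reduction is of first order, which is the mechanism behind the theorem.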
Corollary III.2 (Accuracy and sensitivity of the linear classifier (7))
Let be the boundary given in (9) that maximizes the accuracy (in (8)) of the linear classifier . Then, under Assumptions A1 and A2, it holds
[TABLE]
Proof:
Since corresponds to one of the boundaries contained in , the proof follows from Theorem III.1. ∎
Next, we show that this tradeoff also exists for the Maximum Likelihood classifier. This fact does not follow trivially from Theorem III.1, because the general classifier in the theorem has independent boundaries, while the boundaries of the Maximum Likelihood classifier are dependent on one another via (6). We make the following mild technical assumption.
- A3:
The vectors and are not orthogonal, where contains the boundaries of .
Lemma III.3 (Accuracy and sensitivity of the ML classifier (5))
Let contain the boundaries of the classifier . Then, under Assumptions A1, A2 and A3, it holds
[TABLE]
Proof:
Let contain the boundaries of the classifier . The derivative of $\mathcal{S}(y(\eta,\theta);\theta)$ with respect to can be written as:
[TABLE]
We conclude following Theorem III.1 and Assumption A3. ∎
In what follows we numerically show that a tradeoff between accuracy and sensitivity also exists when the classification boundaries are not selected to maximize the accuracy of the classifier. To this aim, first we compute the accuracy and sensitivity of the ML classifier , for different values of . Notice that, by varying , Equation (6) returns different classification boundaries and, thus, different classification algorithms. Similarly, we compute the accuracy and sensitivity of the linear classifier by varying the single boundary . Second, we numerically solve
[TABLE]
for different values of ranging from to . Notice that the minimization problem (15) returns the classifier with lowest sensitivity and accuracy equal to , and that the boundaries solving the minimization problem (15) may not satisfy (6). Further, for a given number of classification boundaries, the minimization problem (15) returns a fundamental tradeoff curve relating accuracy and sensitivity over the range of , which is independent of the choice of classification algorithm. Finally, the minimization problem (15) is not convex, because of its nonlinear equality constraint.
Fig. 2(a) shows the accuracy-sensitivity tradeoff for the Gaussian hypothesis testing problem discussed in Remark 2. In this case, since the ML classifier has boundaries, we also consider general classifiers with boundaries. We observe that the general classifier exhibits the tradeoff at the maximum accuracy point (identified by the red dot), in accordance with Theorem III.1. Several comments are in order. First, the ML and linear classifiers also exhibit a tradeoff at their respective maximum accuracy points, in accordance with Lemma III.3 and Corollary III.2. Second, the tradeoff for the ML classifier is not strict, and there exist points where reducing accuracy increases sensitivity (green dot in the figure). On the other hand, the tradeoff for the general classifier is strict. This is because the decision boundaries of the general classifier can be varied independently, whereas the boundaries of the ML classifier are related to each other, since they are the solutions of (6). Thus, the general classifier provides more flexibility in choosing the boundaries. Similarly, the tradeoff for the linear classifier is not strict. Third, the tradeoff curve for the general classifier lies below the tradeoff curves for the ML and linear classifiers, again for the same reason (see footnote 4). Fourth, the maximum accuracy of the linear classifier (corresponding to the red square) is smaller than that of the ML classifier (corresponding to the red dot), but its sensitivity at the maximum accuracy configuration is also smaller than that of the ML classifier. This explains the observed phenomenon that, in some cases, linear models are more robust to adversarial attacks than nonlinear models (for example, neural networks) [17]. Finally, the curves are not smooth because of the -norm in Definition 2.
Footnote 4: ML and linear classifiers are particular instances of the general classifier.
We conclude with two remarks on using the -norm to define sensitivity and on the necessity of Assumption A1.
Remark 3 (Classification sensitivity using the norm)
In Definition 2, the -norm captures the largest change in accuracy with respect to a change in a single component of the parameter vector . Instead, using the -norm to define the sensitivity of a classification algorithm leads to
[TABLE]
which captures the change in accuracy with respect to changes in all the components of . Fig. 2(b) shows the sensitivity versus accuracy tradeoff when sensitivity is defined using (16) instead of (11). Here, a strict tradeoff exists for the general, ML and linear classifiers. Further, the tradeoff curves are smooth since the -norm is a smooth function.
Remark 4 (Necessity of Assumption A1)
Theorem III.1 may not hold when Assumption A1 is not satisfied, and we illustrate this fact in Fig. 2(c). In this case, the vector has two elements with maximum absolute value, violating Assumption A1. As a result, a tradeoff at the maximum accuracy point (denoted by the red dot) does not exist, as shown in the figure. Yet, a tradeoff still exists for the sensitivity defined as in (16), indicating that A1 might be required only for definition (11).
IV An illustrative example
In this section we illustrate numerically the implications of Theorem III.1. In particular, we consider two classification algorithms with different accuracy and sensitivity, and show how their performance degrades differently when the observations are corrupted by an adversary. This implies that, when robustness to adversarial manipulation of the observations is a concern, classification algorithms should be designed to simultaneously optimize accuracy and sensitivity, and should not operate at their point of maximum accuracy.
Consider the classification problem (1), and let
[TABLE]
Let and be the classification algorithms identified by the red and green points in Fig. 2(a), respectively. Notice that, when the observations are not manipulated and follow the distributions (17), achieves higher accuracy and sensitivity than . This is also the case when using definition (16), as illustrated in Fig. 2(b). While the nominal distributions (17) are used to design the classifiers and , we consider an adversary that manipulates the observations so that their true distributions are
[TABLE]
where , , , and are unknown parameters selected by the adversary to deteriorate the accuracy of the classifiers.
To evaluate the accuracy of and to classify the manipulated observations, we generate observations obeying the modified distributions (18), and compute the accuracy of the classifiers as the ratio of the number of correct predictions to the total number of observations. We repeat this experiment times, and then compute the average accuracy of the classifiers over all trials.
Table I summarizes the results of the classification problems with and on the altered observations. In particular, and are the decision boundaries of the classifiers, while and denote their nominal sensitivity and accuracy. Instead, and denote the average accuracy of the classifiers when, respectively, the adversarial parameters are , , and , , , . The results show that, although exhibits higher accuracy than when the observations follow the nominal distributions (17), outperforms in both adversarial scenarios, as supported by our analysis.
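The experiment of Section IV, as an added example that is not the paper's code. The nominal distributions (17), the two classifiers and the adversarial parameters are not reproduced on this page, so everything below is constructed: two Gaussian classes with equal priors, a classifier with the accuracy-maximising boundaries for those nominal parameters, a second classifier with a wider class-1 interval (lower nominal accuracy, lower sensitivity), and one manipulation that inflates the class-1 standard deviation and shifts the class-2 mean. As in the paper's procedure, each classifier's accuracy is the ratio of correct predictions to the number of observations, averaged over repeated trials.

```python
"""Added example (not the paper's code): Monte Carlo comparison of two
threshold classifiers on nominal and adversarially manipulated data."""
import random

# Constructed nominal problem: class 1 ~ N(0, 1), class 2 ~ N(1, 2.5^2), equal priors.
NOMINAL = (0.0, 1.0, 1.0, 2.5)           # (mu1, s1, mu2, s2)
# Both classifiers decide "class 1" inside (lo, hi) and "class 2" outside.
CLF_ML = (-1.742, 1.361)     # accuracy-maximising (ML) boundaries for NOMINAL
CLF_WIDE = (-2.0, 1.6)       # wider interval: a little less accurate, less sensitive


def classify(x, clf):
    lo, hi = clf
    return 1 if lo < x < hi else 2


def draw_observations(theta, n, rng, p1=0.5):
    """n labelled draws from the mixture p1 N(mu1,s1^2) + (1-p1) N(mu2,s2^2)."""
    mu1, s1, mu2, s2 = theta
    obs = []
    for _ in range(n):
        if rng.random() < p1:
            obs.append((rng.gauss(mu1, s1), 1))
        else:
            obs.append((rng.gauss(mu2, s2), 2))
    return obs


def empirical_accuracy(clf, obs):
    """Ratio of correct predictions to the number of observations."""
    return sum(classify(x, clf) == label for x, label in obs) / len(obs)


def average_accuracy(clfs, theta, trials=20, n=20000, seed=1):
    """Average empirical accuracy of each classifier over independent trials.
    Every classifier scores the same draws, so the comparison is paired and
    the sampling noise largely cancels in the difference."""
    rng = random.Random(seed)
    totals = [0.0] * len(clfs)
    for _ in range(trials):
        obs = draw_observations(theta, n, rng)
        for i, clf in enumerate(clfs):
            totals[i] += empirical_accuracy(clf, obs)
    return [t / trials for t in totals]


def compare(adversarial=(0.0, 1.5, 1.3, 2.5)):
    """Accuracy of (CLF_ML, CLF_WIDE) on nominal and on manipulated data.
    The constructed manipulation inflates the class-1 standard deviation (the
    parameter with the largest accuracy gradient for these classifiers) and
    shifts the class-2 mean."""
    return {
        "nominal": average_accuracy([CLF_ML, CLF_WIDE], NOMINAL),
        "adversarial": average_accuracy([CLF_ML, CLF_WIDE], adversarial),
    }


if __name__ == "__main__":
    for setting, (acc_ml, acc_wide) in compare().items():
        print("%-11s  ML boundaries: %.4f   wide boundaries: %.4f"
              % (setting, acc_ml, acc_wide))
```

On the nominal data the ML boundaries win, as they must; under the constructed manipulation the wider, less sensitive classifier keeps more of its accuracy. Since the sensitivity of Definition 2 is a worst-case, first-order quantity (the largest single component of the accuracy gradient), the ordering is guaranteed only for small changes along that worst-case parameter; a manipulation along a parameter with a small gradient can leave the more accurate classifier ahead, so a comparison like this one should be run for each manipulation the defender cares about.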
V Dependency of Accuracy and Sensitivity on the parameters of the distributions
In this section we analyze the effect of the parameters on the accuracy and sensitivity of the classifiers. We consider the Maximum Likelihood classifier for the analysis since it maximizes the accuracy (see footnote 5). Specifically, we wish to determine the distribution parameters that minimize the sensitivity while providing a given level of accuracy. We consider the following problem:
Footnote 5: A similar analysis can also be performed for general and linear classifiers. However, we omit this analysis due to space constraints.
[TABLE]
where denotes the boundaries of the ML classifier , which depend on via (6), denotes the accuracy level, and denotes the set of admissible parameters of the distributions. The optimization problem (19) captures the fundamental limit of sensitivity that can be achieved by an ML classifier with a desired level of accuracy. Note that, similarly to (15), the optimization problem in (19) is not convex due to the nonlinear equality constraint.
Let and denote the optimal parameters and minimum sensitivity of the optimization problem in (19). Fig. 3(a) shows the variation of as a function of accuracy level for the Gaussian hypothesis testing problem detailed in Remark 2. It can be observed that is a decreasing function of . This is due to the fact that, to achieve a higher level of accuracy, the “separation” between the two distributions should be larger, as evident in Fig. 3(b). At a larger separation, the effect of changes in the distribution parameters on the accuracy of the classifier is smaller, thereby resulting in a smaller sensitivity.
Lemma V.1 (Accuracy and sensitivity for Gaussian testing)
Consider a hypothesis testing problem with and , with and . Assume that is fixed. Then, for classifier , is a decreasing function of accuracy .
Proof:
For the Gaussian testing problem with , , Equation (6) has a single solution for given by . Using (8), the accuracy is given by . Since is fixed, we take the derivative of with respect to the means:
[TABLE]
To conclude, and are increasing and decreasing functions of , respectively. ∎
Lemma V.2 (Accuracy and sensitivity for Exponential testing)
Consider a hypothesis testing problem with and , with , , and . Then, for classifier and a fixed , is a decreasing function of accuracy .
Proof:
Without loss of generality, we assume . For , Equation (6) has a single solution for given by . Using (8),
[TABLE]
where . The sensitivity is given by
[TABLE]
To conclude, by inspecting the derivatives of and with respect to , it can be seen that they are increasing and decreasing functions of , respectively. ∎
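Lemmas V.1 and V.2 carried through in code, as an added example that is not the paper's own. For the Gaussian case it assumes equal priors, a common standard deviation sigma and a mean separation d = mu2 - mu1 > 0, so the ML boundary is the midpoint of the means; for the exponential case it assumes equal priors and the ordering lam1 < lam2, so the ML boundary is y = ln(lam2/lam1)/(lam2 - lam1) with class 1 decided above y. The closed forms for accuracy and sensitivity are derived in the comments, cross-checked against a finite-difference evaluation of Definition 2 with the boundary held fixed, and then evaluated along a grid of separations to show that sensitivity decreases as accuracy increases. The function names and grid values are this example's own.

```python
"""Added example (not the paper's code): how the ML classifier's accuracy and
sensitivity move together as the two distributions separate (Lemmas V.1, V.2)."""
import math


def Phi(z):
    """Standard normal c.d.f."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def phi(z):
    """Standard normal p.d.f."""
    return math.exp(-0.5 * z * z) / math.sqrt(2.0 * math.pi)


def gaussian_ml_point(d, sigma):
    """Lemma V.1 setting: equal priors, N(mu1, sigma^2) vs N(mu2, sigma^2),
    d = mu2 - mu1 > 0. The ML boundary is the midpoint, so A = Phi(d/(2 sigma)).
    Holding the boundary fixed, dA/dmu1 = -phi(d/(2 sigma))/(2 sigma) and
    dA/dmu2 = +phi(d/(2 sigma))/(2 sigma); with sigma fixed the infinity-norm
    sensitivity is their common magnitude."""
    z = d / (2.0 * sigma)
    return Phi(z), phi(z) / (2.0 * sigma)


def gaussian_accuracy_fixed_boundary(y, sigma):
    """A(theta) for theta = (mu1, mu2) with the boundary y held fixed
    (class 1 decided below y); used to cross-check the closed form."""
    return lambda th: 0.5 * Phi((y - th[0]) / sigma) + 0.5 * (1.0 - Phi((y - th[1]) / sigma))


def exponential_ml_point(lam1, lam2):
    """Lemma V.2 setting with the assumed ordering lam1 < lam2, equal priors.
    f1/f2 >= 1 iff x >= y = ln(lam2/lam1)/(lam2 - lam1), so class 1 is decided
    above y. A = 0.5 e^{-lam1 y} + 0.5 (1 - e^{-lam2 y}); with y fixed,
    |dA/dlam1| = 0.5 y e^{-lam1 y} exceeds |dA/dlam2| = 0.5 y e^{-lam2 y}."""
    y = math.log(lam2 / lam1) / (lam2 - lam1)
    acc = 0.5 * math.exp(-lam1 * y) + 0.5 * (1.0 - math.exp(-lam2 * y))
    return acc, 0.5 * y * math.exp(-lam1 * y)


def exponential_accuracy_fixed_boundary(y):
    """A(theta) for theta = (lam1, lam2) with the boundary y held fixed."""
    return lambda th: 0.5 * math.exp(-th[0] * y) + 0.5 * (1.0 - math.exp(-th[1] * y))


def finite_difference_sensitivity(acc_fn, theta, h=1e-6):
    """Definition 2 evaluated numerically: infinity-norm of the
    central-difference gradient of acc_fn at theta."""
    grad = []
    for i in range(len(theta)):
        up, dn = list(theta), list(theta)
        up[i] += h
        dn[i] -= h
        grad.append((acc_fn(up) - acc_fn(dn)) / (2.0 * h))
    return max(abs(g) for g in grad)


def is_sensitivity_decreasing(points):
    """True if, ordering (accuracy, sensitivity) pairs by accuracy, the
    sensitivity strictly decreases along the curve."""
    pts = sorted(points)
    return all(s2 < s1 for (_, s1), (_, s2) in zip(pts, pts[1:]))


def gaussian_curve(sigma=1.0, separations=(0.5, 1.0, 1.5, 2.0, 3.0, 4.0)):
    return [gaussian_ml_point(d, sigma) for d in separations]


def exponential_curve(lam1=1.0, ratios=(1.5, 2.0, 3.0, 5.0, 10.0, 20.0)):
    return [exponential_ml_point(lam1, lam1 * r) for r in ratios]


if __name__ == "__main__":
    for name, curve in (("Gaussian", gaussian_curve()), ("Exponential", exponential_curve())):
        print(name, "sensitivity decreasing in accuracy:", is_sensitivity_decreasing(curve))
        for acc, sens in curve:
            print("   accuracy %.4f   sensitivity %.4f" % (acc, sens))
```

In the equal-variance Gaussian case the two mean derivatives have the same magnitude at the midpoint boundary, so the infinity-norm of Definition 2 is attained by both components; the closed form simply uses their common value. The larger the separation, the smaller the density at the boundary, which is exactly why a parameter change moves less probability mass across it and the sensitivity falls while the accuracy rises.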
VI Conclusion and future work
In this paper we show that a fundamental tradeoff exists between the accuracy of a binary classification algorithm and its sensitivity to adversarial manipulation of the data. Thus, accuracy can only be maximized at the expense of the sensitivity to data manipulation, and this tradeoff cannot be arbitrarily improved by tuning the algorithm’s parameters. Directions of future interest include the extension to M-ary testing problems, as well as the formal characterization of the relationships between the complexity of the classification algorithm and its accuracy versus sensitivity tradeoff.
References
[1] Y. Le Cun, K. Kavukcuoglu, and C. Farabet. Convolutional networks and applications in vision. In International Symposium on Circuits and Systems, pages 253–256, Paris, France, May 2010.
[2] A. Krizhevsky, I. Sutskever, and G. E. Hinton. Imagenet classification with deep convolutional neural networks. In Advances in Neural Information Processing Systems, pages 1097–1105, Lake Tahoe, NV, USA, Dec 2012.
[3] G. E. Dahl, D. Yu, L. Deng, and A. Acero. Context-dependent pre-trained deep neural networks for large-vocabulary speech recognition. IEEE Transactions on Audio, Speech, and Language Processing, 20(1):30–42, 2012.
[4] G. Hinton, L. Deng, D. Yu, G. E. Dahl, A. Mohamed, N. Jaitly, A. Senior, V. Vanhoucke, P. Nguyen, T. N. Sainath, and B. Kingsbury. Deep neural networks for acoustic modeling in speech recognition: The shared views of four research groups. IEEE Signal Processing Magazine, 29(6):82–97, 2012.
[5] G. E. Dahl, J. W. Stokes, L. Deng, and D. Yu. Large-scale malware classification using random projections and neural networks. In International Conference on Acoustics, Speech and Signal Processing, pages 3422–3426, Vancouver, BC, Canada, May 2013.
[6] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus. Intriguing properties of neural networks. In International Conference on Learning Representations, Banff, Canada, Apr 2014.
[7] I. J. Goodfellow, J. Shlens, and C. Szegedy. Explaining and harnessing adversarial examples. In International Conference on Learning Representations, San Diego, CA, USA, May 2015.
[8] D. Lowd and C. Meek. Adversarial learning. In International Conference on Knowledge Discovery in Data Mining, pages 641–647, Chicago, IL, USA, Aug 2005.
