Sharp Statistical Guarantees for Adversarially Robust Gaussian Classification

TL;DR

This paper establishes the first optimal minimax statistical guarantees for adversarially robust Gaussian classification, providing theoretical bounds and efficient estimators under broad perturbation models.

Contribution

It introduces the Adversarial Signal-to-Noise Ratio (AdvSNR) and derives optimal excess risk bounds for adversarial Gaussian classifiers, covering various perturbation types.

Findings

Optimal excess risk lower bound of order e^{-(1/8+o(1)) r^2} * d/n

Efficient estimator achieving the optimal rate

Results applicable to broad adversarial perturbations including _p balls

Abstract

Adversarial robustness has become a fundamental requirement in modern machine learning applications. Yet, there has been surprisingly little statistical understanding so far. In this paper, we provide the first result of the optimal minimax guarantees for the excess risk for adversarially robust classification, under Gaussian mixture model proposed by \cite{schmidt2018adversarially}. The results are stated in terms of the Adversarial Signal-to-Noise Ratio (AdvSNR), which generalizes a similar notion for standard linear classification to the adversarial setting. For the Gaussian mixtures with AdvSNR value of $r$, we establish an excess risk lower bound of order $\Theta(e^{-(\frac{1}{8}+o(1)) r^2} \frac{d}{n})$ and design a computationally efficient estimator that achieves this optimal rate. Our results built upon minimal set of assumptions while cover a wide spectrum of adversarial perturbations including $\ell_p$ balls for any $p \ge 1$.