Adversarial Examples for $k$-Nearest Neighbor Classifiers Based on Higher-Order Voronoi Diagrams

TL;DR

This paper introduces a geometric algorithm to evaluate the adversarial robustness of $k$-nearest neighbor classifiers by expanding Voronoi cells, demonstrating improved perturbation minimization and analyzing dataset properties affecting performance.

Contribution

It presents a novel geometric search algorithm for $k$-NN robustness evaluation, including approximation techniques for large $k$, and analyzes dataset structures influencing effectiveness.

Findings

The algorithm finds smaller-norm adversarial examples than baselines.

Approximation steps enable scalability to large $k$.

Dataset properties impact the algorithm's performance.

Abstract

Adversarial examples are a widely studied phenomenon in machine learning models. While most of the attention has been focused on neural networks, other practical models also suffer from this issue. In this work, we propose an algorithm for evaluating the adversarial robustness of $k$-nearest neighbor classification, i.e., finding a minimum-norm adversarial example. Diverging from previous proposals, we take a geometric approach by performing a search that expands outwards from a given input point. On a high level, the search radius expands to the nearby Voronoi cells until we find a cell that classifies differently from the input point. To scale the algorithm to a large $k$, we introduce approximation steps that find perturbations with smaller norm, compared to the baselines, in a variety of datasets. Furthermore, we analyze the structural properties of a dataset where our approach outperforms the competition.