The Interplay between Distribution Parameters and the Accuracy-Robustness Tradeoff in Classification

TL;DR

This paper analyzes how distribution parameters influence the accuracy-robustness tradeoff in classification, deriving theoretical bounds and conditions under which optimal classifiers can achieve high accuracy despite adversarial perturbations.

Contribution

It provides a theoretical analysis of the accuracy gap between optimal standard and adversarial classifiers in Gaussian mixture models, highlighting the impact of distributional parameters.

Findings

Optimal adversarial classifier error minimized at class balance.

The accuracy gap scales as  for small  perturbations.

Under certain conditions, near-perfect accuracy is theoretically achievable with small adversarial budgets.

Abstract

Adversarial training tends to result in models that are less accurate on natural (unperturbed) examples compared to standard models. This can be attributed to either an algorithmic shortcoming or a fundamental property of the training data distribution, which admits different solutions for optimal standard and adversarial classifiers. In this work, we focus on the latter case under a binary Gaussian mixture classification problem. Unlike earlier work, we aim to derive the natural accuracy gap between the optimal Bayes and adversarial classifiers, and study the effect of different distributional parameters, namely separation between class centroids, class proportions, and the covariance matrix, on the derived gap. We show that under certain conditions, the natural error of the optimal adversarial classifier, as well as the gap, are locally minimized when classes are balanced, contradicting the performance of the Bayes classifier where perfect balance induces the worst accuracy. Moreover, we show that with an $\ell_\infty$ bounded perturbation and an adversarial budget of $\epsilon$, this gap is $\Theta(\epsilon^2)$ for the worst-case parameters, which for suitably small $\epsilon$ indicates the theoretical possibility of achieving robust classifiers with near-perfect accuracy, which is rarely reflected in practical algorithms.