Adversarial robustness for latent models: Revisiting the robust-standard accuracies tradeoff

TL;DR

This paper investigates the tradeoff between standard and robust accuracy in adversarial training, showing that low-dimensional data structures can mitigate this tradeoff and enable models to perform well on both metrics.

Contribution

The paper demonstrates that low-dimensional manifold structures in data can reduce the robustness-accuracy tradeoff, providing theoretical insights and empirical validation.

Findings

Low-dimensional data structures mitigate the robustness-accuracy tradeoff.

Models on low-dimensional manifolds achieve near-optimal standard and robust accuracy.

Numerical experiments confirm the theory on MNIST with Mixture of Factor Analyzers.

Abstract

Over the past few years, several adversarial training methods have been proposed to improve the robustness of machine learning models against adversarial perturbations in the input. Despite remarkable progress in this regard, adversarial training is often observed to drop the standard test accuracy. This phenomenon has intrigued the research community to investigate the potential tradeoff between standard accuracy (a.k.a generalization) and robust accuracy (a.k.a robust generalization) as two performance measures. In this paper, we revisit this tradeoff for latent models and argue that this tradeoff is mitigated when the data enjoys a low-dimensional structure. In particular, we consider binary classification under two data generative models, namely Gaussian mixture model and generalized linear model, where the features data lie on a low-dimensional manifold. We develop a theory to show that the low-dimensional manifold structure allows one to obtain models that are nearly optimal with respect to both, the standard accuracy and the robust accuracy measures. We further corroborate our theory with several numerical experiments, including Mixture of Factor Analyzers (MFA) model trained on the MNIST dataset.