Sample Complexity of Robust Learning against Evasion Attacks

TL;DR

This paper investigates the sample complexity required for robust machine learning under evasion attacks, analyzing various models and assumptions, and establishing bounds for learning monotone conjunctions and decision lists.

Contribution

It provides theoretical bounds on the sample complexity of robust learning against evasion attacks, considering different access models and distributional assumptions.

Findings

Robust learning of monotone conjunctions requires exponential samples in the adversary's budget.

Logarithmic perturbation budgets allow robust learning of conjunctions and decision lists.

Local query models still face exponential complexity in the adversary's budget for robust learning.

Abstract

It is becoming increasingly important to understand the vulnerability of machine learning models to adversarial attacks. One of the fundamental problems in adversarial machine learning is to quantify how much training data is needed in the presence of evasion attacks, where data is corrupted at test time. In this thesis, we work with the exact-in-the-ball notion of robustness and study the feasibility of adversarially robust learning from the perspective of learning theory, considering sample complexity. We first explore the setting where the learner has access to random examples only, and show that distributional assumptions are essential. We then focus on learning problems with distributions on the input data that satisfy a Lipschitz condition and show that robustly learning monotone conjunctions has sample complexity at least exponential in the adversary's budget (the maximum number of bits it can perturb on each input). However, if the adversary is restricted to perturbing $O(\log n)$ bits, then one can robustly learn conjunctions and decision lists w.r.t. log-Lipschitz distributions. We then study learning models where the learner is given more power. We first consider local membership queries, where the learner can query the label of points near the training sample. We show that, under the uniform distribution, the exponential dependence on the adversary's budget to robustly learn conjunctions remains inevitable. We then introduce a local equivalence query oracle, which returns whether the hypothesis and target concept agree in a given region around a point in the training sample, and a counterexample if it exists. We show that if the query radius is equal to the adversary's budget, we can develop robust empirical risk minimization algorithms in the distribution-free setting. We give general query complexity upper and lower bounds, as well as for concrete concept classes.