Adversarial Examples Might be Avoidable: The Role of Data Concentration in Adversarial Robustness

TL;DR

This paper investigates how data distribution properties, specifically concentration on low-dimensional structures, influence the existence of robust classifiers against adversarial examples, challenging the notion that such examples are inherently unavoidable.

Contribution

The paper theoretically links data concentration on low-dimensional subspaces to the possibility of achieving adversarial robustness, providing data-dependent guarantees.

Findings

Data concentration on small-volume sets affects adversarial robustness.

Structured data on low-dimensional subspaces enables provable robustness.

Improved certification methods for classifiers on structured data.

Abstract

The susceptibility of modern machine learning classifiers to adversarial examples has motivated theoretical results suggesting that these might be unavoidable. However, these results can be too general to be applicable to natural data distributions. Indeed, humans are quite robust for tasks involving vision. This apparent conflict motivates a deeper dive into the question: Are adversarial examples truly unavoidable? In this work, we theoretically demonstrate that a key property of the data distribution -- concentration on small-volume subsets of the input space -- determines whether a robust classifier exists. We further demonstrate that, for a data distribution concentrated on a union of low-dimensional linear subspaces, utilizing structure in data naturally leads to classifiers that enjoy data-dependent polyhedral robustness guarantees, improving upon methods for provable certification in certain regimes.