On the existence of consistent adversarial attacks in high-dimensional linear classification
Matteo Vilucchio, Lenka Zdeborová, Bruno Loureiro

TL;DR
This paper provides a rigorous theoretical analysis of adversarial attack vulnerability in high-dimensional linear classifiers, distinguishing it from misclassification due to limited data or model capacity, and reveals how overparameterization increases vulnerability.
Contribution
It introduces a new error metric for consistent adversarial attacks and offers an exact asymptotic characterization of model vulnerability in high-dimensional settings.
Findings
Vulnerability to label-preserving perturbations increases with overparameterization.
The new metric accurately captures the distinction between adversarial attacks and misclassification.
Theoretical insights into the mechanisms of model sensitivity to adversarial attacks.
Abstract
What fundamentally distinguishes an adversarial attack from a misclassification due to limited model expressivity or finite data? In this work, we investigate this question in the setting of high-dimensional binary classification, where statistical effects due to limited data availability play a central role. We introduce a new error metric that precisely captures this distinction, quantifying model vulnerability to consistent adversarial attacks -- perturbations that preserve the ground-truth labels. Our main technical contribution is an exact and rigorous asymptotic characterization of these metrics in both well-specified models and latent space models, revealing different vulnerability patterns compared to standard robust error measures. The theoretical results demonstrate that as models become more overparameterized, their vulnerability to label-preserving perturbations grows,…
Taxonomy
Topics: Advanced Statistical Methods and Models · Adversarial Robustness in Machine Learning · Crime, Illicit Activities, and Governance
