Bilevel Models for Adversarial Learning and A Case Study
Yutong Zheng, Qingna Li

TL;DR
This paper investigates adversarial learning through perturbation analysis, characterizing model robustness and proposing bilevel models to measure attack effects, with theoretical insights and numerical verification for convex clustering models.
Contribution
It introduces bilevel models for adversarial learning based on perturbation analysis and the $\delta$-measure, providing new theoretical and practical tools for robustness assessment.
Findings
Characterized robustness via calmness of solution mapping.
Identified conditions for clustering stability under perturbations.
Validated models through numerical experiments.
Abstract
Adversarial learning has been attracting more and more attention thanks to the fast development of machine learning and artificial intelligence. However, due to the complicated structure of most machine learning models, the mechanism of adversarial attacks is not well interpreted. How to measure the effect of attacks is still not quite clear. In this paper, we investigate the adversarial learning from the perturbation analysis point of view. We characterize the robustness of learning models through the calmness of the solution mapping. In the case of convex clustering models, we identify the conditions under which the clustering results remain the same under perturbations. When the noise level is large, it leads to an attack. Therefore, we propose two bilevel models for adversarial learning where the effect of adversarial learning is measured by some deviation function.…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Stochastic Gradient Optimization Techniques · Privacy-Preserving Technologies in Data
