Improved generalization bounds for robust learning

We consider a model of robust learning in an adversarial environment. The learner receives uncorrupted training data, together with access to the possible corruptions that the adversary may apply at test time. The learner's goal is to build a robust classifier that will be evaluated on future adversarial examples. We cast the interaction as a zero-sum game between the learner and the adversary, where the adversary is limited to $k$ possible corruptions for each input. Our model is closely related to the adversarial-examples model of Schmidt et al. (2018) and Madry et al. (2017). Our main results are generalization bounds for binary and multi-class classification, as well as for the real-valued case (regression). For the binary setting, we both tighten the generalization bound of Feige, Mansour, and Schapire (2015) and extend it to an infinite hypothesis class $H$: the sample complexity improves from $O(\frac{1}{\epsilon^4}\log(\frac{|H|}{\delta}))$ to $O(\frac{1}{\epsilon^2}(k\log(k)\,\mathrm{VC}(H)+\log\frac{1}{\delta}))$. We further extend the algorithm and generalization bound from the binary to the multi-class and real-valued cases. Along the way, we obtain results on the fat-shattering dimension and Rademacher complexity of $k$-fold maxima over function classes, which may be of independent interest. For binary classification, the algorithm of Feige et al. (2015) uses a regret-minimization algorithm and an ERM oracle as a black box; we adapt it to the multi-class and regression settings. The algorithm yields near-optimal policies for both players on a given training sample.
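
The algorithmic ingredient alluded to above, following Feige et al. (2015), is to approximately solve the empirical zero-sum game by letting a regret-minimization procedure play against a black-box ERM oracle. Below is a minimal, self-contained sketch of that style of interaction on toy one-dimensional data; the threshold hypothesis pool, the additive offsets standing in for the $k$ corruptions, and the multiplicative-weights adversary are illustrative assumptions rather than the paper's actual construction.

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy data: 1-D points with labels; the adversary may shift each test point
# by one of k = 3 offsets (the "possible corruptions").
X = rng.uniform(-1.0, 1.0, size=40)
y = (X > 0).astype(int)
offsets = np.array([-0.15, 0.0, 0.15])          # k possible corruptions
corruptions = X[:, None] + offsets[None, :]     # shape (n, k)

# A small pool of threshold classifiers stands in for the hypothesis class H;
# weighted ERM over this pool plays the role of the black-box ERM oracle.
thresholds = np.linspace(-1.0, 1.0, 41)

def predict(theta, x):
    return (x > theta).astype(int)

def erm_oracle(weights):
    """Return the threshold minimizing the weighted 0/1 loss on corrupted points."""
    best_theta, best_loss = None, np.inf
    for theta in thresholds:
        loss = np.sum(weights * (predict(theta, corruptions) != y[:, None]))
        if loss < best_loss:
            best_theta, best_loss = theta, loss
    return best_theta

# Zero-sum game: multiplicative weights for the adversary over all corrupted
# copies of the training points, ERM best response for the learner.
T, eta = 200, 0.3
w = np.full_like(corruptions, 1.0 / corruptions.size)   # adversary's weights
learned = []
for _ in range(T):
    theta = erm_oracle(w)
    learned.append(theta)
    mistakes = (predict(theta, corruptions) != y[:, None]).astype(float)
    w *= np.exp(eta * mistakes)      # upweight corruptions that fool the learner
    w /= w.sum()

# Final classifier: majority vote over the hypotheses produced during the game
# (a deterministic stand-in for the mixed strategy); report its robust error,
# i.e. the fraction of points misclassified under the worst of the k corruptions.
votes = np.mean([predict(t, corruptions) for t in learned], axis=0) > 0.5
robust_err = np.mean(np.any(votes != y[:, None], axis=1))
print(f"robust (worst-corruption) error of the mixture: {robust_err:.2f}")
```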

[1] D. Angluin, et al. Learning From Noisy Examples, 1988, Machine Learning.

[2] Leslie G. Valiant, et al. Learning Disjunction of Conjunctions, 1985, IJCAI.

[3] Seyed-Mohsen Moosavi-Dezfooli, et al. DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks, 2015, 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR).

[4] Robert S. Chen, et al. Robust Optimization for Non-Convex Objectives, 2017, NIPS.

[5] Philip M. Long, et al. Characterizations of Learnability for Classes of {0, ..., n}-Valued Functions, 1995, J. Comput. Syst. Sci.

[6] Richard Lippmann, et al. Machine learning in adversarial environments, 2010, Machine Learning.

[7] Uriel Feige, et al. Robust Inference for Multiclass Classification, 2018, ALT.

[8] Uriel Feige, et al. Learning and inference in the presence of corrupted inputs, 2015, COLT.

[9] Kannan Ramchandran, et al. Rademacher Complexity for Adversarially Robust Generalization, 2018, ICML.

[10] Samy Bengio, et al. Adversarial Machine Learning at Scale, 2016, ICLR.

[11] Aleksander Madry, et al. Adversarially Robust Generalization Requires More Data, 2018, NeurIPS.

[12] Dan Boneh, et al. The Space of Transferable Adversarial Examples, 2017, arXiv.

[13] Saeed Mahloujifar, et al. Can Adversarially Robust Learning Leverage Computational Hardness?, 2018, ALT.

[14] Saeed Mahloujifar, et al. The Curse of Concentration in Robust Learning: Evasion and Poisoning Attacks from Concentration of Measure, 2018, AAAI.

[15] Peter L. Bartlett, et al. Rademacher and Gaussian Complexities: Risk Bounds and Structural Results, 2003, J. Mach. Learn. Res.

[16] Ming Li, et al. Learning in the presence of malicious errors, 1993, STOC '88.

[17] Aleksander Madry, et al. Towards Deep Learning Models Resistant to Adversarial Attacks, 2017, ICLR.

[18] Jonathon Shlens, et al. Explaining and Harnessing Adversarial Examples, 2014, ICLR.

[19] Moshe Tennenholtz, et al. Robust Probabilistic Inference, 2015, SODA.

[20] R. Dudley. The Sizes of Compact Subsets of Hilbert Space and Continuity of Gaussian Processes, 1967.

[21] Po-Ling Loh, et al. Adversarial Risk Bounds for Binary Classification via Function Transformation, 2018, arXiv.

[22] Joan Bruna, et al. Intriguing properties of neural networks, 2013, ICLR.

[23] Fabio Roli, et al. Evasion Attacks against Machine Learning at Test Time, 2013, ECML/PKDD.

[24] Lee-Ad Gottlieb, et al. Efficient Classification for Metric Data, 2014, IEEE Trans. Inf. Theory.

[25] Saeed Mahloujifar, et al. Adversarial Risk and Robustness: General Definitions and Implications for the Uniform Distribution, 2018, NeurIPS.

[26] Shie Mannor, et al. Robustness and generalization, 2010, Machine Learning.

[27] Ameet Talwalkar, et al. Foundations of Machine Learning, 2012, Adaptive Computation and Machine Learning.

[28] David Haussler, et al. Learnability and the Vapnik-Chervonenkis dimension, 1989, JACM.

[29] Prateek Mittal, et al. PAC-learning in the presence of adversaries, 2018, NeurIPS.

[30] S. Boucheron, et al. Theory of classification: a survey of some recent advances, 2005.

[31] Alexander J. Smola, et al. Convex Learning with Invariances, 2007, NIPS.

[32] Ilya P. Razenshteyn, et al. Adversarial examples from computational constraints, 2018, ICML.

[33] Y. Freund, et al. Adaptive game playing using multiplicative weights, 1999.

[34] Yishay Mansour, et al. Improved second-order bounds for prediction with expert advice, 2006, Machine Learning.

[35] Amir Globerson, et al. Nightmare at test time: robust learning by feature deletion, 2006, ICML.

[36] S. Mendelson, et al. Entropy and the combinatorial dimension, 2002, arXiv:math/0203275.

[37] John Shawe-Taylor, et al. Generalization Performance of Support Vector Machines and Other Pattern Classifiers, 1999.

[38] Ohad Shamir, et al. Learning to classify with missing and corrupted features, 2008, ICML.

[39] Nabil H. Mustafa, et al. Optimal Bounds on the VC-dimension, 2018, arXiv.