EU Horizon 2020
Horizon 2020
HomeNewsCase StudiesPeopleKey Prior PublicationsPublications
[GKK+21] Pascale Gourdeau, Varun Kanade, Marta Kwiatkowska and James Worrell. On the Hardness of Robust Classification. Journal of Machine Learning Research (JMLR), 22(273), pages 1-29. October 2021. [pdf] [bib]
Downloads:  pdf pdf (853 KB)  bib bib
Notes: The original publication is available here: http://jmlr.org/papers/v22/20-285.html
Abstract. It is becoming increasingly important to understand the vulnerability of machine learning models to adversarial attacks. In this paper we study the feasibility of adversarially robust learning from the perspective of computational learning theory, considering both sample and computational complexity. In particular, our definition of robust learnability requires polynomial sample complexity. We start with two negative results. We show that no non-trivial concept class can be robustly learned in the distribution-free setting against an adversary who can perturb just a single input bit. We show, moreover, that the class of monotone conjunctions cannot be robustly learned under the uniform distribution against an adversary who can perturb πœ”(log 𝑛) input bits. However, we also show that if the adversary is restricted to perturbing 𝑂(log 𝑛) bits, then one can robustly learn the class of 1-decision lists (which subsumes monotone conjunctions) with respect to the class of log-Lipschitz distributions. We then extend this result to show learnability of 2-decision lists and monotone π‘˜-decision lists in the same distributional and adversarial setting. Finally, we provide a simple proof of the computational hardness of robust learning on the boolean hypercube. Unlike previous results of this nature, our result does not rely on a more restricted model of learning, such as the statistical query model, nor on any hardness assumption other than the existence of an (average-case) hard learning problem in the PAC framework; this allows us to have a clean proof of the reduction, and the assumption is no stronger than assumptions that are used to build cryptographic primitives.