Adversarial Examples Are Not Bugs, They Are Features

  • 2019-08-12 14:36:10
  • Andrew Ilyas, Shibani Santurkar, Dimitris Tsipras, Logan Engstrom, Brandon Tran, Aleksander Madry
  • 0

Abstract

Adversarial examples have attracted significant attention in machinelearning, but the reasons for their existence and pervasiveness remain unclear.We demonstrate that adversarial examples can be directly attributed to thepresence of non-robust features: features derived from patterns in the datadistribution that are highly predictive, yet brittle and incomprehensible tohumans. After capturing these features within a theoretical framework, weestablish their widespread existence in standard datasets. Finally, we presenta simple setting where we can rigorously tie the phenomena we observe inpractice to a misalignment between the (human-specified) notion of robustnessand the inherent geometry of the data.

 

Quick Read (beta)

Adversarial Examples Are Not Bugs, They Are Features

Andrew Ilyas11 1 Equal contribution
MIT
[email protected]
   Shibani Santurkar11footnotemark: 1
MIT
[email protected]
   Dimitris Tsipras11footnotemark: 1
MIT
[email protected]

   Brandon Tran
MIT
[email protected]
   Aleksander Mądry
MIT
[email protected]
Abstract

Adversarial examples have attracted significant attention in machine learning, but the reasons for their existence and pervasiveness remain unclear. We demonstrate that adversarial examples can be directly attributed to the presence of non-robust features: features (derived from patterns in the data distribution) that are highly predictive, yet brittle and (thus) incomprehensible to humans. After capturing these features within a theoretical framework, we establish their widespread existence in standard datasets. Finally, we present a simple setting where we can rigorously tie the phenomena we observe in practice to a misalignment between the (human-specified) notion of robustness and the inherent geometry of the data.

\addbibresource

bibliography/bib.bib \newfloatcommandcapbtabboxtable[][\FBwidth]

1 Introduction

The pervasive brittleness of deep neural networks \citepszegedy2014intriguing,engstrom2019rotation,hendrycks2019benchmarking,athalye2018synthesizing has attracted significant attention in recent years. Particularly worrisome is the phenomenon of adversarial examples \citepbiggio2013evasion,szegedy2014intriguing, imperceptibly perturbed natural inputs that induce erroneous predictions in state-of-the-art classifiers. Previous work has proposed a variety of explanations for this phenomenon, ranging from theoretical models \citepschmidt2018adversarially,bubeck2018adversarial to arguments based on concentration of measure in high-dimensions \citepgilmer2018adversarial,mahloujifar2018curse,shafahi2019are. These theories, however, are often unable to fully capture behaviors we observe in practice (we discuss this further in Section 5).

More broadly, previous work in the field tends to view adversarial examples as aberrations arising either from the high dimensional nature of the input space or statistical fluctuations in the training data [szegedy2014intriguing, goodfellow2015explaining, gilmer2018adversarial]. From this point of view, it is natural to treat adversarial robustness as a goal that can be disentangled and pursued independently from maximizing accuracy \citepmadry2018towards,stutz2019disentangling,suggala2019adversarial, either through improved standard regularization methods \citeptanay2016boundary or pre/post-processing of network inputs/outputs [uesato2018adversarial, carlini2017adversarial, he2017adversarial].

In this work, we propose a new perspective on the phenomenon of adversarial examples. In contrast to the previous models, we cast adversarial vulnerability as a fundamental consequence of the dominant supervised learning paradigm. Specifically, we claim that:

Adversarial vulnerability is a direct result of our models’ sensitivity to well-generalizing features in the data.

Recall that we usually train classifiers to solely maximize (distributional) accuracy. Consequently, classifiers tend to use any available signal to do so, even those that look incomprehensible to humans. After all, the presence of “a tail” or “ears” is no more natural to a classifier than any other equally predictive feature. In fact, we find that standard ML datasets do admit highly predictive yet imperceptible features. We posit that our models learn to rely on these “non-robust” features, leading to adversarial perturbations that exploit this dependence.22 2 It is worth emphasizing that while our findings demonstrate that adversarial vulnerability does arise from non-robust features, they do not preclude the possibility of adversarial vulnerability also arising from other phenomena [tanay2016boundary, schmidt2018adversarially]. For example, \citetnakkiran2019bugs constructs adversarial examples that do not exploit non-robust features (and hence do not allow one to learn a generalizing model from them). Still, the mere existence of useful non-robust features suffices to establish that without explicitly discouraging models from utilizing these features, adversarial vulnerability will remain an issue.

Our hypothesis also suggests an explanation for adversarial transferability: the phenomenon that adversarial perturbations computed for one model often transfer to other, independently trained models. Since any two models are likely to learn similar non-robust features, perturbations that manipulate such features will apply to both. Finally, this perspective establishes adversarial vulnerability as a human-centric phenomenon, since, from the standard supervised learning point of view, non-robust features can be as important as robust ones. It also suggests that approaches aiming to enhance the interpretability of a given model by enforcing “priors” for its explanation [mahendran2015understanding, olah2017feature, smilkov2017smoothgrad] actually hide features that are “meaningful” and predictive to standard models. As such, producing human-meaningful explanations that remain faithful to underlying models cannot be pursued independently from the training of the models themselves.

To corroborate our theory, we show that it is possible to disentangle robust from non-robust features in standard image classification datasets. Specifically, given any training dataset, we are able to construct:

  1. 1.

    A “robustified” version for robust classification (Figure 0(a))33 3 The corresponding datasets for CIFAR-10 are publicly available at http://git.io/adv-datasets. . We demonstrate that it is possible to effectively remove non-robust features from a dataset. Concretely, we create a training set (semantically similar to the original) on which standard training yields good robust accuracy on the original, unmodified test set. This finding establishes that adversarial vulnerability is not necessarily tied to the standard training framework, but is also a property of the dataset.

  2. 2.

    A “non-robust” version for standard classification (Figure 0(b))22footnotemark: 2 . We are also able to construct a training dataset for which the inputs are nearly identical to the originals, but all appear incorrectly labeled. In fact, the inputs in the new training set are associated to their labels only through small adversarial perturbations (and hence utilize only non-robust features). Despite the lack of any predictive human-visible information, training on this dataset yields good accuracy on the original, unmodified test set. This demonstrates that adversarial perturbations can arise from flipping features in the data that are useful for classification of correct inputs (hence not being purely aberrations).

Finally, we present a concrete classification task where the connection between adversarial examples and non-robust features can be studied rigorously. This task consists of separating Gaussian distributions, and is loosely based on the model presented in \citettsipras2019robustness, while expanding upon it in a few ways. First, adversarial vulnerability in our setting can be precisely quantified as a difference between the intrinsic data geometry and that of the adversary’s perturbation set. Second, robust training yields a classifier which utilizes a geometry corresponding to a combination of these two. Lastly, the gradients of standard models can be significantly more misaligned with the inter-class direction, capturing a phenomenon that has been observed in practice in more complex scenarios \citeptsipras2019robustness.

(a)
(b)
Figure 1: A conceptual diagram of the experiments of Section 3. In (a) we disentangle features into combinations of robust/non-robust features (Section 3.1). In (b) we construct a dataset which appears mislabeled to humans (via adversarial examples) but results in good accuracy on the original test set (Section 3.2).

2 The Robust Features Model

We begin by developing a framework, loosely based on the setting proposed by \citettsipras2019robustness, that enables us to rigorously refer to “robust” and “non-robust” features. In particular, we present a set of definitions which allow us to formally describe our setup, theoretical results, and empirical evidence.

Setup.

We consider binary classification44 4 Our framework can be straightforwardly adapted though to the multi-class setting., where input-label pairs (x,y)𝒳×{±1} are sampled from a (data) distribution 𝒟; the goal is to learn a classifier C:𝒳{±1} which predicts a label y corresponding to a given input x.

We define a feature to be a function mapping from the input space 𝒳 to the real numbers, with the set of all features thus being ={f:𝒳}. For convenience, we assume that the features in are shifted/scaled to be mean-zero and unit-variance (i.e., so that 𝔼(x,y)𝒟[f(x)]=0 and 𝔼(x,y)𝒟[f(x)2]=1), in order to make the following definitions scale-invariant55 5 This restriction can be straightforwardly removed by simply shifting/scaling the definitions.. Note that this formal definition also captures what we abstractly think of as features (e.g., we can construct an f that captures how “furry” an image is).

Useful, robust, and non-robust features.

We now define the key concepts required for formulating our framework. To this end, we categorize features in the following manner:

  • ρ-useful features: For a given distribution 𝒟, we call a feature f ρ-useful (ρ>0) if it is correlated with the true label in expectation, that is if

    𝔼(x,y)𝒟[yf(x)]ρ. (1)

    We then define ρ𝒟(f) as the largest ρ for which feature f is ρ-useful under distribution 𝒟. (Note that if a feature f is negatively correlated with the label, then -f is useful instead.) Crucially, a linear classifier trained on ρ-useful features can attain non-trivial generalization performance.

  • γ-robustly useful features: Suppose we have a ρ-useful feature f (ρ𝒟(f)>0). We refer to f as a robust feature (formally a γ-robustly useful feature for γ>0) if, under adversarial perturbation (for some specified set of valid perturbations Δ), f remains γ-useful. Formally, if we have that

    𝔼(x,y)𝒟[infδΔ(x)yf(x+δ)]γ. (2)
  • Useful, non-robust features: A useful, non-robust feature is a feature which is ρ-useful for some ρ bounded away from zero, but is not a γ-robust feature for any γ0. These features help with classification in the standard setting, but may hinder accuracy in the adversarial setting, as the correlation with the label can be flipped.

Classification.

In our framework, a classifier C=(F,w,b) is comprised of a set of features F, a weight vector w, and a scalar bias b. For a given input x, the classifier predicts the label y as

C(x)=sgn(b+fFwff(x)).

For convenience, we denote the set of features learned by a classifier C as FC.

Standard Training.

Training a classifier is performed by minimizing a loss function (via empirical risk minimization (ERM)) that decreases with the correlation between the weighted combination of the features and the label. The simplest example of such a loss is 66 6 Just as for the other parts of this model, we use this loss for simplicity only—it is straightforward to generalize to more practical loss function such as logistic or hinge loss.

𝔼(x,y)𝒟[θ(x,y)]=-𝔼(x,y)𝒟[y(b+fFwff(x))]. (3)

When minimizing classification loss, no distinction exists between robust and non-robust features: the only distinguishing factor of a feature is its ρ-usefulness. Furthermore, the classifier will utilize any ρ-useful feature in F to decrease the loss of the classifier.

Robust training.

In the presence of an adversary, any useful but non-robust features can be made anti-correlated with the true label, leading to adversarial vulnerability. Therefore, ERM is no longer sufficient to train classifiers that are robust, and we need to explicitly account for the effect of the adversary on the classifier. To do so, we use an adversarial loss function that can discern between robust and non-robust features \citepmadry2018towards:

𝔼(x,y)𝒟[maxδΔ(x)θ(x+δ,y)], (4)

for an appropriately defined set of perturbations Δ. Since the adversary can exploit non-robust features to degrade classification accuracy, minimizing this adversarial loss (as in adversarial training \citepgoodfellow2015explaining,madry2018towards) can be viewed as explicitly preventing the classifier from learning a useful but non-robust combination of features.

Remark.

We want to note that even though the framework above enables us to formally describe and predict the outcome of our experiments, it does not necessarily capture the notion of non-robust features exactly as we intuitively might think of them. For instance, in principle, our theoretical framework would allow for useful non-robust features to arise as combinations of useful robust features and useless non-robust features [goh2019discussion]. These types of constructions, however, are actually precluded by our experimental results (in particular, the classifiers trained in Section 3 would not generalize). This shows that our experimental findings capture a stronger, more fine-grained statement than our formal definitions are able to express. We view bridging this gap as an interesting direction for future work.

3 Finding Robust (and Non-Robust) Features

The central premise of our proposed framework is that there exist both robust and non-robust features that constitute useful signals for standard classification. We now provide evidence in support of this hypothesis by disentangling these two sets of features.

On one hand, we will construct a “robustified” dataset, consisting of samples that primarily contain robust features. Using such a dataset, we are able to train robust classifiers (with respect to the standard test set) using standard (i.e., non-robust) training. This demonstrates that robustness can arise by removing certain features from the dataset (as, overall, the new dataset contains less information about the original training set). Moreover, it provides evidence that adversarial vulnerability is caused by non-robust features and is not inherently tied to the standard training framework.

On the other hand, we will construct datasets where the input-label association is based purely on non-robust features (and thus the corresponding dataset appears completely mislabeled to humans). We show that this dataset suffices to train a classifier with good performance on the standard test set. This indicates that natural models use non-robust features to make predictions, even in the presence of robust features. These features alone are actually sufficient for non-trivial generalizations performance on natural images, which indicates that they are indeed valuable features, rather than artifacts of finite-sample overfitting.

A conceptual description of these experiments can be found in Figure 1.

(a)
(b)
Figure 2: Left: Random samples from our variants of the CIFAR-10 [krizhevsky2009learning] training set: the original training set; the robust training set 𝒟^R, restricted to features used by a robust model; and the non-robust training set 𝒟^NR, restricted to features relevant to a standard model (labels appear incorrect to humans). Right: Standard and robust accuracy on the CIFAR-10 test set (𝒟) for models trained with: (i) standard training (on 𝒟) ; (ii) standard training on 𝒟^NR; (iii) adversarial training (on 𝒟); and (iv) standard training on 𝒟^R. Models trained on 𝒟^R and 𝒟^NR reflect the original models used to create them: notably, standard training on 𝒟^R yields nontrivial robust accuracy. Results for Restricted-ImageNet \citeptsipras2019robustness are in  D.8 Figure 12.

3.1 Disentangling robust and non-robust features

Recall that the features a classifier learns to rely on are based purely on how useful these features are for (standard) generalization. Thus, under our conceptual framework, if we can ensure that only robust features are useful, standard training should result in a robust classifier. Unfortunately, we cannot directly manipulate the features of very complex, high-dimensional datasets. Instead, we will leverage a robust model and modify our dataset to contain only the features that are relevant to that model.

In terms of our formal framework (Section 2), given a robust (i.e., adversarially trained [madry2018towards]) model C we aim to construct a distribution 𝒟^R which satisfies:

𝔼(x,y)𝒟^R[f(x)y]={𝔼(x,y)𝒟[f(x)y]if fFC0otherwise, (5)

where FC again represents the set of features utilized by C. Conceptually, we want features used by C to be as useful as they were on the original distribution 𝒟 while ensuring that the rest of the features are not useful under 𝒟^NR.

We will construct a training set for 𝒟^R via a one-to-one mapping xxr from the original training set for 𝒟. In the case of a deep neural network, FC corresponds to exactly the set of activations in the penultimate layer (since these correspond to inputs to a linear classifier). To ensure that features used by the model are equally useful under both training sets, we (approximately) enforce all features in FC to have similar values for both x and xr through the following optimization:

minxrg(xr)-g(x)2, (6)

where x is the original input and g is the mapping from x to the representation layer. We optimize this objective using gradient descent in input space77 7 We follow [madry2018towards] and normalize gradient steps during this optimization. Experimental details are provided in Appendix C..

Since we don’t have access to features outside FC, there is no way to ensure that the expectation in (5) is zero for all fFC. To approximate this condition, we choose the starting point of gradient descent for the optimization in (6) to be an input x0 which is drawn from 𝒟 independently of the label of x (we also explore sampling x0 from noise in Appendix D.1). This choice ensures that any feature present in that input will not be useful since they are not correlated with the label in expectation over x0. The underlying assumption here is that, when performing the optimization in (6), features that are not being directly optimized (i.e., features outside FC) are not affected. We provide pseudocode for the construction in Figure 5 (Appendix C).

Given the new training set for 𝒟^R (a few random samples are visualized in Figure 1(a)), we train a classifier using standard (non-robust) training. We then test this classifier on the original test set (i.e. 𝒟). The results (Figure 1(b)) indicate that the classifier learned using the new dataset attains good accuracy in both standard and adversarial settings 88 8 In an attempt to explain the gap in accuracy between the model trained on 𝒟^R and the original robust classifier C, we test distributional shift, by reporting results on the “robustified” test set in Appendix D.3. 99 9 In order to gain more confidence in the robustness of the resulting model, we attempt several diverse attacks in Appendix D.2..

As a control, we repeat this methodology using a standard (non-robust) model for C in our construction of the dataset. Sample images from the resulting “non-robust dataset” 𝒟^NR are shown in Figure 1(a)—they tend to resemble more the source image of the optimization x0 than the target image x. We find that training on this dataset leads to good standard accuracy, yet yields almost no robustness (Figure 1(b)). We also verify that this procedure is not simply a matter of encoding the weights of the original model—we get the same results for both 𝒟^R and 𝒟^NR if we train with different architectures than that of the original models.

Overall, our findings corroborate the hypothesis that adversarial examples can arise from (non-robust) features of the data itself. By filtering out non-robust features from the dataset (e.g. by restricting the set of available features to those used by a robust model), one can train a significantly more robust model using standard training.

3.2 Non-robust features suffice for standard classification

The results of the previous section show that by restricting the dataset to only contain features that are used by a robust model, standard training results in classifiers that are significantly more robust. This suggests that when training on the standard dataset, non-robust features take on a large role in the resulting learned classifier. Here we set out to show that this role is not merely incidental or due to finite-sample overfitting. In particular, we demonstrate that non-robust features alone suffice for standard generalization— i.e., a model trained solely on non-robust features can perform well on the standard test set.

To show this, we construct a dataset where the only features that are useful for classification are non-robust features (or in terms of our formal model from Section 2, all features f that are ρ-useful are non-robust). To accomplish this, we modify each input-label pair (x,y) as follows. We select a target class t either (a) uniformly at random among classes (hence features become uncorrelated with the labels) or (b) deterministically according to the source class (e.g. using a fixed permutation of labels). Then, we add a small adversarial perturbation to x in order to ensure it is classified as t by a standard model. Formally:

xadv=argminx-xεLC(x,t), (7)

where LC is the loss under a standard (non-robust) classifier C and ε is a small constant. The resulting inputs are nearly indistinguishable from the originals (Appendix D Figure 9)—to a human observer, it thus appears that the label t assigned to the modified input is simply incorrect. The resulting input-label pairs (xadv,t) make up the new training set (pseudocode in Appendix C Figure 6).

Now, since xadv-x is small, by definition the robust features of xadv are still correlated with class y (and not t) in expectation over the dataset. After all, humans still recognize the original class. On the other hand, since every xadv is strongly classified as t by a standard classifier, it must be that some of the non-robust features are now strongly correlated with t (in expectation).

In the case where t is chosen at random, the robust features are originally uncorrelated with the label t (in expectation), and after the adversarial perturbation can be only slightly correlated (hence being significantly less useful for classification than before) 1010 10 \citetgoh2019leakage provides an approach to quantifying this “robust feature leakage” and finds that one can obtain a (small) amount of test accuracy by leveraging robust feature leakage on 𝒟^rand.. Formally, we aim to construct a dataset 𝒟^rand where 1111 11 Note that the optimization procedure we describe aims to merely approximate this condition, where we once again use trained models to simulate access to robust and non-robust features. :

𝔼(x,y)𝒟^rand[yf(x)]{>0if f non-robustly useful under 𝒟,0otherwise. (8)

In contrast, when t is chosen deterministically based on y, the robust features actually point away from the assigned label t. In particular, all of the inputs labeled with class t exhibit non-robust features correlated with t, but robust features correlated with the original class y. Thus, robust features on the original training set provide significant predictive power on the training set, but will actually hurt generalization on the standard test set. Viewing this case again using the formal model, our goal is to construct 𝒟^det such that

𝔼(x,y)𝒟^det[yf(x)]{>0if f non-robustly useful under 𝒟,<0if f robustly useful under 𝒟otherwise (f not useful under 𝒟)1212 12 Note that regardless how useful a feature is on ^ D d e t , since it is useless on D it cannot provide any generalization benefit on the unaltered test set. (9)

We find that standard training on these datasets actually generalizes to the original test set, as shown in Table 1). This indicates that non-robust features are indeed useful for classification in the standard setting. Remarkably, even training on 𝒟^det (where all the robust features are correlated with the wrong class), results in a well-generalizing classifier. This indicates that non-robust features can be picked up by models during standard training, even in the presence of robust features that are predictive 1313 13 Additional results and analysis (e.g. training curves, generating 𝒟^rand and 𝒟^det with a robust model, etc.) are in App.  D.6 and D.51414 14 We also show that the models trained on 𝒟^rand and 𝒟^det generalize to CIFAR-10.1 [recht2018cifar10] in Appendix D.7..

Figure 3: Transfer rate of adversarial examples from a ResNet-50 to different architectures alongside test set performance of these architecture when trained on the dataset generated in Section 3.2. Architectures more susceptible to transfer attacks also performed better on the standard test set supporting our hypothesis that adversarial transferability arises from utilizing similar non-robust features.
Source Dataset Dataset
CIFAR-10 ImageNetR
𝒟 95.3% 96.6%
𝒟^rand 63.3% 87.9%
𝒟^det 43.7% 64.4%
Table 1: Test accuracy (on 𝒟) of classifiers trained on the 𝒟, 𝒟^rand, and 𝒟^det training sets created using a standard (non-robust) model. For both 𝒟^rand and 𝒟^det, only non-robust features correspond to useful features on both the train set and 𝒟. These datasets are constructed using adversarial perturbations of x towards a class t (random for 𝒟^rand and deterministic for 𝒟^det); the resulting images are relabeled as t.

3.3 Transferability can arise from non-robust features

One of the most intriguing properties of adversarial examples is that they transfer across models with different architectures and independently sampled training sets \citepszegedy2014intriguing,papernot2016transferability,charles2019geometric. Here, we show that this phenomenon can in fact be viewed as a natural consequence of the existence of non-robust features. Recall that, according to our main thesis, adversarial examples can arise as a result of perturbing well-generalizing, yet brittle features. Given that such features are inherent to the data distribution, different classifiers trained on independent samples from that distribution are likely to utilize similar non-robust features. Consequently, an adversarial example constructed by exploiting the non-robust features learned by one classifier will transfer to any other classifier utilizing these features in a similar manner.

In order to illustrate and corroborate this hypothesis, we train five different architectures on the dataset generated in Section 3.2 (adversarial examples with deterministic labels) for a standard ResNet-50 [he2016deep]. Our hypothesis would suggest that architectures which learn better from this training set (in terms of performance on the standard test set) are more likely to learn similar non-robust features to the original classifier. Indeed, we find that the test accuracy of each architecture is predictive of how often adversarial examples transfer from the original model to standard classifiers with that architecture (Figure 3). In a similar vein, \citetnakkiran2019bugs constructs a set of adversarial perturbations that is explicitly non-transferable and finds that these perturbations cannot be used to learn a good classifier. These findings thus corroborate our hypothesis that adversarial transferability arises when models learn similar brittle features of the underlying dataset.

4 A Theoretical Framework for Studying (Non)-Robust Features

The experiments from the previous section demonstrate that the conceptual framework of robust and non-robust features is strongly predictive of the empirical behavior of state-of-the-art models on real-world datasets. In order to further strengthen our understanding of the phenomenon, we instantiate the framework in a concrete setting that allows us to theoretically study various properties of the corresponding model. Our model is similar to that of \citettsipras2019robustness in the sense that it contains a dichotomy between robust and non-robust features, but extends upon it in a number of ways:

  1. 1.

    The adversarial vulnerability can be explicitly expressed as a difference between the inherent data metric and the 2 metric.

  2. 2.

    Robust learning corresponds exactly to learning a combination of these two metrics.

  3. 3.

    The gradients of adversarially trained models align better with the adversary’s metric.

Setup.

We study a simple problem of maximum likelihood classification between two Gaussian distributions. In particular, given samples (x,y) sampled from 𝒟 according to

yu.a.r.{-1,+1},x𝒩(y𝝁*,𝚺*), (10)

our goal is to learn parameters Θ=(𝝁,𝚺) such that

Θ=argmin𝝁,𝚺𝔼(x,y)𝒟[(x;y𝝁,𝚺)], (11)

where (x;𝝁,𝚺) represents the Gaussian negative log-likelihood (NLL) function. Intuitively, we find the parameters 𝝁,𝚺 which maximize the likelihood of the sampled data under the given model. Classification under this model can be accomplished via likelihood test: given an unlabeled sample x, we predict y as

y=argmaxy(x;y𝝁,𝚺)=sign(x𝚺-1𝝁).

In turn, the robust analogue of this problem arises from replacing (x;y𝝁,𝚺) with the NLL under adversarial perturbation. The resulting robust parameters Θr can be written as

Θr=argmin𝝁,𝚺𝔼(x,y)𝒟[maxδ2ε(x+δ;y𝝁,𝚺)], (12)

A detailed analysis of this setting is in Appendix E—here we present a high-level overview of the results.

(1) Vulnerability from metric misalignment (non-robust features).

Note that in this model, one can rigorously make reference to an inner product (and thus a metric) induced by the features. In particular, one can view the learned parameters of a Gaussian Θ=(𝝁,𝚺) as defining an inner product over the input space given by x,yΘ=(x-𝝁)𝚺-1(y-𝝁). This in turn induces the Mahalanobis distance, which represents how a change in the input affects the features learned by the classifier. This metric is not necessarily aligned with the metric in which the adversary is constrained, the 2-norm. Actually, we show that adversarial vulnerability arises exactly as a misalignment of these two metrics.

Theorem 1 (Adversarial vulnerability from misalignment).

Consider an adversary whose perturbation is determined by the “Lagrangian penalty” form of (12), i.e.

maxδ(x+δ;y𝝁,𝚺)-Cδ2,

where C1σmin(Σ*) is a constant trading off NLL minimization and the adversarial constraint1515 15 The constraint on C is to ensure the problem is concave.. Then, the adversarial loss Ladv incurred by the non-robustly learned (𝛍,Σ) is given by:

adv(Θ)-(Θ) =𝑡𝑟[(I+(C𝚺*-I)-1)2]-d,

and, for a fixed 𝑡𝑟(Σ*)=k the above is minimized by Σ*=kd𝐈.

In fact, note that such a misalignment corresponds precisely to the existence of non-robust features, as it indicates that “small” changes in the adversary’s metric along certain directions can cause large changes under the data-dependent notion of distance established by the parameters. This is illustrated in Figure 4, where misalignment in the feature-induced metric is responsible for the presence of a non-robust feature in the corresponding classification problem.

(2) Robust Learning.

The optimal (non-robust) maximum likelihood estimate is Θ=Θ*, and thus the vulnerability for the standard MLE estimate is governed entirely by the true data distribution. The following theorem characterizes the behaviour of the learned parameters in the robust problem. 1616 16 Note: as discussed in Appendix E.3.3, we study a slight relaxation of (12) that approaches exactness exponentially fast as d. In fact, we can prove (Section E.3.4) that performing (sub)gradient descent on the inner maximization (also known as adversarial training \citepgoodfellow2015explaining,madry2018towards) yields exactly Θr. We find that as the perturbation budget ε is increased, the metric induced by the learned features mixes 2 and the metric induced by the features.

Theorem 2 (Robustly Learned Parameters).

Just as in the non-robust case, 𝛍r=𝛍*, i.e. the true mean is learned. For the robust covariance Σr, there exists an ε0>0, such that for any ε[0,ε0),

𝚺r=12𝚺*+1λ𝑰+1λ𝚺*+14𝚺*2, where   Ω(1+ε1/2ε1/2+ε3/2)λO(1+ε1/2ε1/2).

The effect of robust optimization under an 2-constrained adversary is visualized in Figure 4. As ϵ grows, the learned covariance becomes more aligned with identity. For instance, we can see that the classifier learns to be less sensitive in certain directions, despite their usefulness for natural classification.

Figure 4: An empirical demonstration of the effect illustrated by Theorem 2—as the adversarial perturbation budget ε is increased, the learned mean 𝝁 remains constant, but the learned covariance “blends” with the identity matrix, effectively adding more and more uncertainty onto the non-robust feature.
(3) Gradient Interpretability.
\citet

tsipras2019robustness observe that gradients of robust models tend to look more semantically meaningful. It turns out that under our model, this behaviour arises as a natural consequence of Theorem 2. In particular, we show that the resulting robustly learned parameters cause the gradient of the linear classifier and the vector connecting the means of the two distributions to better align (in a worst-case sense) under the 2 inner product.

Theorem 3 (Gradient alignment).

Let f(x) and fr(x) be monotonic classifiers based on the linear separator induced by standard and 2-robust maximum likelihood classification, respectively. The maximum angle formed between the gradient of the classifier (wrt input) and the vector connecting the classes can be smaller for the robust model:

min𝝁𝝁,xfr(x)𝝁xfr(x)>min𝝁𝝁,xf(x)𝝁xf(x).

Figure 4 illustrates this phenomenon in the two-dimensional case. With 2-bounded adversarial training the gradient direction (perpendicular to the decision boundary) becomes increasingly aligned under the 2 inner product with the vector between the means (𝝁).

Discussion.

Our theoretical analysis suggests that rather than offering any quantitative classification benefits, a natural way to view the role of robust optimization is as enforcing a prior over the features learned by the classifier. In particular, training with an 2-bounded adversary prevents the classifier from relying heavily on features which induce a metric dissimilar to the 2 metric. The strength of the adversary then allows for a trade-off between the enforced prior, and the data-dependent features.

Robustness and accuracy.

Note that in the setting described so far, robustness can be at odds with accuracy since robust training prevents us from learning the most accurate classifier (a similar conclusion is drawn in \citeptsipras2019robustness). However, we note that there are very similar settings where non-robust features manifest themselves in the same way, yet a classifier with perfect robustness and accuracy is still attainable. Concretely, consider the distributions pictured in Figure 14 in Appendix  D.10. It is straightforward to show that while there are many perfectly accurate classifiers, any standard loss function will learn an accurate yet non-robust classifier. Only when robust training is employed does the classifier learn a perfectly accurate and perfectly robust decision boundary.

5 Related Work

Several models for explaining adversarial examples have been proposed in prior work, utilizing ideas ranging from finite-sample overfitting to high-dimensional statistical phenomena  \citepgilmer2018adversarial,fawzi2018adversarial,ford2019adversarial,tanay2016boundary, shafahi2019are,mahloujifar2018curse, shamir2019simple,goodfellow2015explaining,bubeck2018adversarial. The key differentiating aspect of our model is that adversarial perturbations arise as well-generalizing, yet brittle, features, rather than statistical anomalies or effects of poor statistical concentration. In particular, adversarial vulnerability does not stem from using a specific model class or a specific training method, since standard training on the “robustified” data distribution of Section 3.1 leads to robust models. At the same time, as shown in Section 3.2, these non-robust features are sufficient to learn a good standard classifier. We discuss the connection between our model and others in detail in Appendix A. We discuss additional related work in Appendix B.

6 Conclusion

In this work, we cast the phenomenon of adversarial examples as a natural consequence of the presence of highly predictive but non-robust features in standard ML datasets. We provide support for this hypothesis by explicitly disentangling robust and non-robust features in standard datasets, as well as showing that non-robust features alone are sufficient for good generalization. Finally, we study these phenomena in more detail in a theoretical setting where we can rigorously study adversarial vulnerability, robust training, and gradient alignment.

Our findings prompt us to view adversarial examples as a fundamentally human phenomenon. In particular, we should not be surprised that classifiers exploit highly predictive features that happen to be non-robust under a human-selected notion of similarity, given such features exist in real-world datasets. In the same manner, from the perspective of interpretability, as long as models rely on these non-robust features, we cannot expect to have model explanations that are both human-meaningful and faithful to the models themselves. Overall, attaining models that are robust and interpretable will require explicitly encoding human priors into the training process.

7 Acknowledgements

We thank Preetum Nakkiran for suggesting the experiment of Appendix D.9 (i.e. replicating Figure 3 but with targeted attacks). We also are grateful to the authors of \citetengstrom2019discussion (Chris Olah, Dan Hendrycks, Justin Gilmer, Reiichiro Nakano, Preetum Nakkiran, Gabriel Goh, Eric Wallace)—for their insights and efforts replicating, extending, and discussing our experimental results.

Work supported in part by the NSF grants CCF-1553428, CCF-1563880, CNS-1413920, CNS-1815221, IIS-1447786, IIS-1607189, the Microsoft Corporation, the Intel Corporation, the MIT-IBM Watson AI Lab research grant, and an Analog Devices Fellowship.

\printbibliography

Appendix A Connections to and Disambiguation from Other Models

Here, we describe other models for adversarial examples and how they relate to the model presented in this paper.

Concentration of measure in high-dimensions.

An orthogonal line of work \citepgilmer2018adversarial,fawzi2018adversarial, mahloujifar2018curse,shafahi2019are, argues that the high dimensionality of the input space can present fundamental barriers on classifier robustness. At a high level, one can show that, for certain data distributions, any decision boundary will be close to a large fraction of inputs and hence no classifier can be robust against small perturbations. While there might exist such fundamental barriers to robustly classifying standard datasets, this model cannot fully explain the situation observed in practice, where one can train (reasonably) robust classifiers on standard datasets \citepmadry2018towards,raghunathan2018certified, wong2018provable,xiao2019training,cohen2019certified.

Insufficient data.
\citet

schmidt2018adversarially propose a theoretical model under which a single sample is sufficient to learn a good, yet non-robust classifier, whereas learning a good robust classifier requires O(d) samples. Under this model, adversarial examples arise due to insufficient information about the true data distribution. However, unless the adversary is strong enough (in which case no robust classifier exists), adversarial inputs cannot be utilized as inputs of the opposite class (as done in our experiments in Section 3.2). We note that our model does not explicitly contradict the main thesis of \citetschmidt2018adversarially. In fact, this thesis can be viewed as a natural consequence of our conceptual framework. In particular, since training models robustly reduces the effective amount of information in the training data (as non-robust features are discarded), more samples should be required to generalize robustly.

Boundary Tilting.
\citet

tanay2016boundary introduce the “boundary tilting” model for adversarial examples, and suggest that adversarial examples are a product of over-fitting. In particular, the model conjectures that “adversarial examples are possible because the class boundary extends beyond the submanifold of sample data and can be—under certain circumstances—lying close to it.” Consequently, the authors suggest that mitigating adversarial examples may be a matter of regularization and preventing finite-sample overfitting. In contrast, our empirical results in Section 3.2 suggest that adversarial inputs consist of features inherent to the data distribution, since they can encode generalizing information about the target class.

Inspired by this hypothesis and concurrently to our work, \citetkim2019bridging present a simple classification task comprised of two Gaussian distributions in two dimensions. They experimentally show that the decision boundary tends to better align with the vector between the two means for robust models. This is a special case of our theoretical results in Section 4. (Note that this exact statement is not true beyond two dimensions, as discussed in Section 4.)

Test Error in Noise.
\citet

fawzi2016robustness and \citetford2019adversarial argue that the adversarial robustness of a classifier can be directly connected to its robustness under (appropriately scaled) random noise. While this constitutes a natural explanation of adversarial vulnerability given the classifier robustness to noise, these works do not attempt to justify the source of the latter.

At the same time, recent work [lecuyer2018certified, cohen2019certified, ford2019adversarial] utilizes random noise during training or testing to construct adversarially robust classifiers. In the context of our framework, we can expect the added noise to disproportionately affect non-robust features and thus hinder the model’s reliance on them.

Local Linearity.
\citet

goodfellow2015explaining suggest that the local linearity of DNNs is largely responsible for the existence of small adversarial perturbations. While this conjecture is supported by the effectiveness of adversarial attacks exploiting local linearity (e.g., FGSM \citepgoodfellow2015explaining), it is not sufficient to fully characterize the phenomena observed in practice. In particular, there exist adversarial examples that violate the local linearity of the classifier \citepmadry2018towards, while classifiers that are less linear do not exhibit greater robustness \citepathalye2018obfuscated.

Piecewise-linear decision boundaries.
\citet

shamir2019simple prove that the geometric structure of the classifier’s decision boundaries can lead to sparse adversarial perturbations. However, this result does not take into account the distance to the decision boundary along these direction or feasibility constraints on the input domain. As a result, it cannot meaningfully distinguish between classifiers that are brittle to small adversarial perturbations and classifiers that are moderately robust.

Theoretical constructions which incidentally exploit non-robust features.
\citet

bubeck2018adversarial and \citetnakkiran2019adversarial propose theoretical models where the barrier to learning robust classifiers is, respectively, due to computational constraints or model complexity. In order to construct distributions that admit accurate yet non-robust classifiers they (implicitly) utilize the concept of non-robust features. Namely, they add a low-magnitude signal to each input that encodes the true label. This allows a classifier to achieve perfect standard accuracy, but cannot be utilized in an adversarial setting as this signal is susceptible to small adversarial perturbations.

Appendix B Additional Related Work

We describe previously proposed models for the existence of adversarial examples in the previous section. Here we discuss other work that is methodologically or conceptually similar to ours.

Distillation.

The experiments performed in Section 3.1 can be seen as a form of distillation. There is a line of work, known as model distillation \citephinton2015distilling,furlanello2018born, bucilua2006model, where the goal is to train a new model to mimic another already trained model. This is typically achieved by adding some regularization terms to the loss in order to encourage the two models to be similar, often replacing training labels with some other target based on the already trained model. While it might be possible to successfully distill a robust model using these methods, our goal was to achieve it by only modifying the training set (leaving the training process unchanged), hence demonstrating that adversarial vulnerability is mainly a property of the dataset. Closer to our work is dataset distillation \citepwang2018dataset which considers the problem of reconstructing a classifier from an alternate dataset much smaller than the original training set. This method aims to produce inputs that directly encode the weights of the already trained model by ensuring that the classifier’s gradient with respect to these inputs approximates the desired weights. (As a result, the inputs constructed do not resemble natural inputs.) This approach is orthogonal to our goal since we are not interested in encoding the particular weights into the dataset but rather in imposing a structure to its features.

Adversarial Transferabiliy.

In our work, we posit that a potentially natural consequence of the existence of non-robust features is adversarial transferability \citeppapernot2017practical,liu2017delving,papernot2016transferability. A recent line of work has considered this phenomenon from a theoretical perspective, confined to simple models, or unbounded perturbations [charles2019geometric, zou2017geometric].  \citettramer2017space study transferability empirically, by finding adversarial subspaces, (orthogonal vectors whose linear combinations are adversarial perturbations). The authors find that there is a significant overlap in the adversarial subspaces between different models, and identify this as a source of transferability. In our work, we provide a potential reason for this overlap—these directions correspond to non-robust features utilized by models in a similar manner.

Universal Adversarial Perturbations
\citet

moosavi2017universal construct perturbations that can cause misclassification when applied to multiple different inputs. More recently, \citetjetley2018friends discover input patterns that are meaningless to humans and can induce misclassification, while at the same time being essential for standard classification. These findings can be naturally cast into our framework by considering these patterns as non-robust features, providing further evidence about their pervasiveness.

Manipulating dataset features
\citet

ding2018on perform synthetic transformations on the dataset (e.g., image saturation) and study the performance of models on the transformed dataset under standard and robust training. While this can be seen as a method of restricting the features available to the model during training, it is unclear how well these models would perform on the standard test set. \citetgeirhos2018imagenettrained aim to quantify the relative dependence of standard models on shape and texture information of the input. They introduce a version of ImageNet where texture information has been removed and observe an improvement to certain corruptions.

Appendix C Experimental Setup

C.1 Datasets

For our experimental analysis, we use the CIFAR-10 [krizhevsky2009learning] and (restricted) ImageNet  [russakovsky2015imagenet] datasets. Attaining robust models for the complete ImageNet dataset is known to be a challenging problem, both due to the hardness of the learning problem itself, as well as the computational complexity. We thus restrict our focus to a subset of the dataset which we denote as restricted ImageNet. To this end, we group together semantically similar classes from ImageNet into 9 super-classes shown in Table 2. We train and evaluate only on examples corresponding to these classes.

Table 2: Classes used in the Restricted ImageNet model. The class ranges are inclusive.
Class Corresponding ImageNet Classes
“Dog” 151 to 268
“Cat” 281 to 285
“Frog” 30 to 32
“Turtle” 33 to 37
“Bird” 80 to 100
“Primate” 365 to 382
“Fish” 389 to 397
“Crab” 118 to 121
“Insect” 300 to 319

C.2 Models

We use the ResNet-50 architecture for our baseline standard and adversarially trained classifiers on CIFAR-10 and restricted ImageNet. For each model, we grid search over three learning rates (0.1, 0.01, 0.05), two batch sizes (128, 256) including/not including a learning rate drop (a single order of magnitude) and data augmentation. We use the standard training parameters for the remaining parameters. The hyperparameters used for each model are given in Table 3.

Table 3: Hyperparameters for the models trained in the main paper. All hyperparameters were obtained through a grid search.
Dataset LR Batch Size LR Drop Data Aug. Momentum Weight Decay
𝒟^R (CIFAR) 0.1 128 Yes Yes 0.9 510-4
𝒟^R (Restricted ImageNet) 0.01 128 No Yes 0.9 510-4
𝒟^NR (CIFAR) 0.1 128 Yes Yes 0.9 510-4
𝒟^rand (CIFAR) 0.01 128 Yes Yes 0.9 510-4
𝒟^rand (Restricted ImageNet) 0.01 256 No No 0.9 510-4
𝒟^det (CIFAR) 0.1 128 Yes No 0.9 510-4
𝒟^det (Restricted ImageNet) 0.05 256 No No 0.9 510-4

C.3 Adversarial training

To obtain robust classifiers, we employ the adversarial training methodology proposed in [madry2018towards]. Specifically, we train against a projected gradient descent (PGD) adversary constrained in 2-norm starting from the original image. Following \citetmadry2018towards we normalize the gradient at each step of PGD to ensure that we move a fixed distance in 2-norm per step. Unless otherwise specified, we use the values of ϵ provided in Table 4 to train/evaluate our models. We used 7 steps of PGD with a step size of ε/5.

Table 4: Value of ϵ used for 2 adversarial training/evaluation of each dataset.
Adversary CIFAR-10 Restricted Imagenet
2 0.5 3

C.4 Constructing a Robust Dataset

In Section 3.1, we describe a procedure to construct a dataset that contains features relevant only to a given (standard/robust) model. To do so, we optimize the training objective in (6). Unless otherwise specified, we initialize xr as a different randomly chosen sample from the training set. (For the sake of completeness, we also try initializing with a Gaussian noise instead as shown in Table 7.) We then perform normalized gradient descent (2-norm of gradient is fixed to be constant at each step). At each step we clip the input xr to in the [0,1] range so as to ensure that it is a valid image. Details on the optimization procedure are shown in Table 5. We provide the pseudocode for the construction in Figure 5.

GetRobustDataset(D) 1. CR AdversarialTraining(D) gR mapping learned by CR from the input to the representation layer 2. DR{} 3. For (x,y)D xD xRargminz[0,1]dgR(z)-gR(x)2 \eqparboxCOMMENT# Solved using 2-PGD starting from x DRDR{(xR,y)} 4. Return DR

Figure 5: Algorithm to construct a “robust” dataset, by restricting to features used by a robust model.
Table 5: Parameters used for optimization procedure to construct dataset in Section 3.1.
CIFAR-10 Restricted Imagenet
step size 0.1 1
iterations 1000 2000

C.5 Non-robust features suffice for standard classification

To construct the dataset as described in Section 3.2, we use the standard projected gradient descent (PGD) procedure described in [madry2018towards] to construct an adversarial example for a given input from the dataset (7). Perturbations are constrained in 2-norm while each PGD step is normalized to a fixed step size. The details for our PGD setup are described in Table 6. We provide pseudocode in Figure 6.

GetNonRobustDataset(D,ε) 1. DNR{} 2. C StandardTraining(D) 3. For (x,y)D tuar[C] \eqparboxCOMMENT# or t(y+1)modC xNRmin||x-x||εLC(x,t) \eqparboxCOMMENT# Solved using 2 PGD DNRDNR{(xNR,t)} 4. Return DNR

Figure 6: Algorithm to construct a dataset where input-label association is based entirely on non-robust features.
Table 6: Projected gradient descent parameters used to construct constrained adversarial examples in Section 3.2.
Attack Parameters CIFAR-10 Restricted Imagenet
ε 0.5 3
step size 0.1 0.1
iterations 100 100

Appendix D Omitted Experiments and Figures

D.1 Detailed evaluation of models trained on “robust” dataset

In Section 3.1, we generate a “robust” training set by restricting the dataset to only contain features relevant to a robust model (robust dataset) or a standard model (non-robust dataset). This is performed by choosing either a random input from the training set or random noise1717 17 We use 10k steps to construct the dataset from noise, instead to using 1k steps done when the input is a different training set image (cf. Table 5). and then performing the optimization procedure described in (6). The performance of these classifiers along with various baselines is shown in Table 7. We observe that while the robust dataset constructed from noise resembles the original, the corresponding non-robust does not (Figure 7). This also leads to suboptimal performance of classifiers trained on this dataset (only 46% standard accuracy) potentially due to a distributional shift.

Table 7: Standard and robust classification performance on the CIFAR-10 test set of: an (i) ERM classifier; (ii) ERM classifier trained on a dataset obtained by distilling features relevant to ERM classifier in (i); (iii) adversarially trained classifier (ε=0.5); (iv) ERM classifier trained on dataset obtained by distilling features used by robust classifier in (iii). Simply restricting the set of available features during ERM to features used by a standard model yields non-trivial robust accuracy.
Robust Accuracy
Model Accuracy ε=0.25 ε=0.5
Standard Training 95.25 % 4.49% 0.0%
Robust Training 90.83% 82.48% 70.90%
Trained on non-robust dataset (constructed from images) 87.68% 0.82% 0.0%
Trained on non-robust dataset (constructed from noise) 45.60% 1.50% 0.0%
Trained on robust dataset (constructed from images) 85.40% 48.20 % 21.85%
Trained on robust dataset (constructed from noise) 84.10% 48.27 % 29.40%
Figure 7: Robust and non-robust datasets for CIFAR-10 when the process starts from noise (as opposed to random images as in Figure 1(a)).

D.2 Adversarial evaluation

To verify the robustness of our classifiers trained on the ‘robust” dataset, we evaluate them with strong attacks \citepcarlini2019on. In particular, we try up to 2500 steps of projected gradient descent (PGD), increasing steps until the accuracy plateaus, and also try the CW-2 loss function \citepcarlini2017towards with 1000 steps. For each attack we search over step size. We find that over all attacks and step sizes, the accuracy of the model does not drop by more than 2%, and plateaus at 48.27% for both PGD and CW-2 (the value given in Figure 2). We show a plot of accuracy in terms of the number of PGD steps used in Figure 8.

Figure 8: Robust accuracy as a function of the number of PGD steps used to generate the attack. The accuracy plateaus at 48.27%.

D.3 Performance of “robust” training and test set

In Section 3.1, we observe that an ERM classifier trained on a “robust” training dataset 𝒟^R (obtained by restricting features to those relevant to a robust model) attains non-trivial robustness (cf. Figure 1 and Table 7). In Table 8, we evaluate the adversarial accuracy of the model on the corresponding robust training set (the samples which the classifier was trained on) and test set (unseen samples from 𝒟^R, based on the test set). We find that the drop in robustness comes from a combination of generalization gap (the robustness on the 𝒟^R test set is worse than it is on the robust training set) and distributional shift (the model performs better on the robust test set consisting of unseen samples from 𝒟^R than on the standard test set containing unseen samples from 𝒟).

Table 8: Performance of model trained on the robust dataset on the robust training and test sets as well as the standard CIFAR-10 test set. We observe that the drop in robust accuracy stems from a combination of generalization gap and distributional shift. The adversary is constrained to ε=0.25 in 2-norm.
Dataset Robust Accuracy
Robust training set 77.33%
Robust test set 62.49%
Standard test set 48.27%

D.4 Classification based on non-robust features

Figure 9 shows sample images from 𝒟, 𝒟^rand and 𝒟^det constructed using a standard (non-robust) ERM classifier, and an adversarially trained (robust) classifier.

(a) 𝒟^rand
(b) 𝒟^det
Figure 9: Random samples from datasets where the input-label correlation is entirely based on non-robust features. Samples are generated by performing small adversarial perturbations using either random (𝒟^rand) or deterministic (𝒟^det) label-target mappings for every sample in the training set. Each image shows: top: original; middle: adversarial perturbations using a standard ERM-trained classifier; bottom: adversarial perturbations using a robust classifier (adversarially trained against ε=0.5).

In Table 9, we repeat the experiments in Table 1 based on datasets constructed using a robust model. Note that using a robust model to generate the 𝒟^det and 𝒟^rand datasets will not result in non-robust features that are strongly predictive of t (since the prediction of the classifier will not change). Thus, training a model on these datasets leads to poor accuracy on the standard test set from 𝒟.

Observe from Figure 10 that models trained on datasets derived from the robust model show a decline in test accuracy as training progresses. In Table 9, the accuracy numbers reported correspond to the last iteration, and not the best performance. This is because we have no way to cross-validate in a meaningful way as the validation set itself comes from 𝒟^rand or 𝒟^det, and not from the true data distribution D. Thus, validation accuracy will not be predictive of the true test accuracy, and thus will not help determine when to early stop.

Table 9: Repeating the experiments of Table 1 using a robust model to construct the datasets 𝒟, 𝒟^rand and 𝒟^det. Results in Table 1 are reiterated for comparison.
Model used to construct dataset Dataset used in training
𝒟 𝒟^rand 𝒟^det
Robust 95.3% 25.2 % 5.8%
Standard 95.3% 63.3 % 43.7%

D.5 Accuracy curves

(a) Trained using 𝒟^rand training set
(b) Trained using 𝒟^det training set
Figure 10: Test accuracy on 𝒟 of standard classifiers trained on datasets where input-label correlation is based solely on non-robust features as in Section 3.2. The datasets are constructed using either a non-robust/standard model (left column) or a robust model (right column). The labels used are either random (𝒟^rand; top row) or correspond to a deterministic permutation (𝒟^det; bottom row).

D.6 Performance of ERM classifiers on relabeled test set

In Table 10), we evaluate the performance of classifiers trained on 𝒟^det on both the original test set drawn from 𝒟, and the test set relabelled using t(y)=(y+1)modC. Observe that the classifier trained on 𝒟^det constructed using a robust model actually ends up learning permuted labels based on robust features (indicated by high test accuracy on the relabelled test set).

Table 10: Performance of classifiers trained using 𝒟^det training set constructed using either standard or robust models. The classifiers are evaluated both on the standard test set from 𝒟 and the test set relabeled using t(y)=(y+1)modC. We observe that using a robust model for the construction results in a model that largely predicts the permutation of labels, indicating that the dataset does not have strongly predictive non-robust features.
Model used to construct training dataset for D^det Dataset used in testing
𝒟 relabelled-𝒟
Standard 43.7% 16.2%
Robust 5.8% 65.5%

D.7 Generalization to CIFAR-10.1

\citet

recht2018cifar10 have constructed an unseen but distribution-shifted test set for CIFAR-10. They show that for many previously proposed models, accuracy on the CIFAR-10.1 test set can be predicted as a linear function of performance on the CIFAR-10 test set.

As a sanity check (and a safeguard against any potential adaptive overfitting to the test set via hyperparameters, historical test set reuse, etc.) we note that the classifiers trained on 𝒟^det and 𝒟^rand achieve 44% and 55% generalization on the CIFAR-10.1 test set, respectively. This demonstrates non-trivial generalization, and actually perform better than the linear fit would predict (given their accuracies on the CIFAR-10 test set).

D.8 Omitted Results for Restricted ImageNet

Figure 11: Repeating the experiments shown in Figure 2 for the Restricted ImageNet dataset. Sample images from the resulting dataset.
Figure 12: Repeating the experiments shown in Figure 2 for the Restricted ImageNet dataset. Standard and robust accuracy of models trained on these datasets.

D.9 Targeted Transferability

Figure 13: Transfer rate of targeted adversarial examples (measured in terms of attack success rate, not just misclassification) from a ResNet-50 to different architectures alongside test set performance of these architecture when trained on the dataset generated in Section 3.2. Architectures more susceptible to transfer attacks also performed better on the standard test set supporting our hypothesis that adversarial transferability arises from utilizing similar non-robust features.

D.10 Robustness vs. Accuracy

Figure 14: An example where adversarial vulnerability can arise from ERM training on any standard loss function due to non-robust features (the green line shows the ERM-learned decision boundary). There exists, however, a classifier that is both perfectly robust and accurate, resulting from robust training, which forces the classifier to ignore the x2 feature despite its predictiveness.

Appendix E Gaussian MLE under Adversarial Perturbation

In this section, we develop a framework for studying non-robust features by studying the problem of maximum likelihood classification between two Gaussian distributions. We first recall the setup of the problem, then present the main theorems from Section 4. First we build the techniques necessary for their proofs.

E.1 Setup

We consider the setup where a learner receives labeled samples from two distributions, 𝒩(𝝁*,𝚺*), and 𝒩(-𝝁*,𝚺*). The learner’s goal is to be able to classify new samples as being drawn from 𝒟1 or 𝒟2 according to a maximum likelihood (MLE) rule.

A simple coupling argument demonstrates that this problem can actually be reduced to learning the parameters 𝝁^, 𝚺^ of a single Gaussian 𝒩(-𝝁*,𝚺*), and then employing a linear classifier with weight 𝚺^-1𝝁^. In the standard setting, maximum likelihoods estimation learns the true parameters, 𝝁* and 𝚺*, and thus the learned classification rule is C(x)=𝟙{x𝚺-1𝝁>0}.

In this work, we consider the problem of adversarially robust maximum likelihood estimation. In particular, rather than simply being asked to classify samples, the learner will be asked to classify adversarially perturbed samples x+δ, where δΔ is chosen to maximize the loss of the learner. Our goal is to derive the parameters 𝝁,𝚺 corresponding to an adversarially robust maximum likelihood estimate of the parameters of 𝒩(𝝁*,𝚺*). Note that since we have access to 𝚺* (indeed, the learner can just run non-robust MLE to get access), we work in the space where 𝚺* is a diagonal matrix, and we restrict the learned covariance 𝚺 to the set of diagonal matrices.

Notation.

We denote the parameters of the sampled Gaussian by 𝝁*d, and 𝚺*{diag(𝒖)|𝒖d}. We use σmin(X) to represent the smallest eigenvalue of a square matrix X, and (;x) to represent the Gaussian negative log-likelihood for a single sample x. For convenience, we often use 𝒗=x-𝝁, and R=𝝁*. We also define the operator to represent the vectorization of the diagonal of a matrix. In particular, for a matrix Xd×d, we have that X=vd if vi=Xii.

E.2 Outline and Key Results

We focus on the case where Δ=2(ϵ) for some ϵ>0, i.e. the 2 ball, corresponding to the following minimax problem:

min𝝁,𝚺𝔼x𝒩(𝝁*,𝚺*)[maxδ:δ=ε(𝝁,𝚺;x+δ)] (13)

We first derive the optimal adversarial perturbation for this setting (Section E.3.1), and prove Theorem 1 (Section E.3.2). We then propose an alternate problem, in which the adversary picks a linear operator to be applied to a fixed vector, rather than picking a specific perturbation vector (Section E.3.3). We argue via Gaussian concentration that the alternate problem is indeed reflective of the original model (and in particular, the two become equivalent as d). In particular, we propose studying the following in place of (13):

min𝝁,𝚺maxM𝔼x𝒩(𝝁*,𝚺*)[(𝝁,𝚺;x+M(x-𝝁))] (14)
where ={Md×d:Mij=0ij,𝔼x𝒩(𝝁*,𝚺*)[M𝒗22]=ϵ2}.

Our goal is to characterize the behavior of the robustly learned covariance 𝚺 in terms of the true covariance matrix 𝚺* and the perturbation budget ε. The proof is through Danskin’s Theorem, which allows us to use any maximizer of the inner problem M* in computing the subgradient of the inner minimization. After showing the applicability of Danskin’s Theorem (Section E.3.4) and then applying it (Section E.3.5) to prove our main results (Section E.3.7). Our three main results, which we prove in the following section, are presented below.

First, we consider a simplified version of (13), in which the adversary solves a maximization with a fixed Lagrangian penalty, rather than a hard 2 constraint. In this setting, we show that the loss contributed by the adversary corresponds to a misalignment between the data metric (the Mahalanobis distance, induced by 𝚺-1), and the 2 metric: See 1

We then return to studying (14), where we provide upper and lower bounds on the learned robust covariance matrix 𝚺: See 2

Finally, we show that in the worst case over mean vectors 𝝁*, the gradient of the adversarial robust classifier aligns more with the inter-class vector: See 3

E.3 Proofs

In the first section, we have shown that the classification between two Gaussian distributions with identical covariance matrices centered at 𝝁* and -𝝁* can in fact be reduced to learning the parameters of a single one of these distributions.

Thus, in the standard setting, our goal is to solve the following problem:

min𝝁,𝚺𝔼x𝒩(𝝁*,𝚺*)[(𝝁,𝚺;x)]:=min𝝁,𝚺𝔼x𝒩(𝝁*,𝚺*)[-log(𝒩(𝝁,𝚺;x))].

Note that in this setting, one can simply find differentiate with respect to both 𝝁 and 𝚺, and obtain closed forms for both (indeed, these closed forms are, unsurprisingly, 𝝁* and 𝚺*). Here, we consider the existence of a malicious adversary who is allowed to perturb each sample point x by some δ. The goal of the adversary is to maximize the same loss that the learner is minimizing.

E.3.1 Motivating example: 2-constrained adversary

We first consider, as a motivating example, an 2-constrained adversary. That is, the adversary is allowed to perturb each sampled point by δ:δ2=ε. In this case, the minimax problem being solved is the following:

min𝝁,𝚺𝔼x𝒩(𝝁*,𝚺*)[maxδ=ε(𝝁,𝚺;x+δ)]. (15)

The following Lemma captures the optimal behaviour of the adversary:

Lemma 1.

In the minimax problem captured in (15) (and earlier in (13)), the optimal adversarial perturbation δ* is given by

δ*=(λ𝑰-𝚺-1)-1𝚺-1𝒗=(λ𝚺-𝑰)-1𝒗, (16)

where 𝐯=x-𝛍, and λ is set such that δ*2=ε.

Proof.

In this context, we can solve the inner maximization problem with Lagrange multipliers. In the following we write Δ=2(ε) for brevity, and discard terms not containing δ as well as constant factors freely:

argmaxδΔ(𝝁,𝚺;x+δ)- =argmaxδΔ(x+δ-𝝁)𝚺-1(x+δ-𝝁)
=argmaxδΔ(x-𝝁)𝚺-1(x-𝝁)+2δ𝚺-1(x-𝝁)+δ𝚺-1δ
=argmaxδΔδ𝚺-1(x-𝝁)+12δ𝚺-1δ. (17)

Now we can solve (17) using the aforementioned Lagrange multipliers. In particular, note that the maximum of (17) is attained at the boundary of the 2 ball Δ. Thus, we can solve the following system of two equations to find δ, rewriting the norm constraint as 12δ22=12ε2:

{δ(δ𝚺-1(x-𝝁)+12δ𝚺-1δ)=λδ(δ22-ε2)𝚺-1(x-𝝁)+𝚺-1δ=λδδ22=ε2. (18)

For clarity, we write 𝒗=x-𝝁: then, combining the above, we have that

δ*=(λ𝑰-𝚺-1)-1𝚺-1𝒗=(λ𝚺-𝑰)-1𝒗, (19)

our final result for the maximizer of the inner problem, where λ is set according to the norm constraint. ∎

E.3.2 Variant with Fixed Lagrangian (Theorem 1)

To simplify the analysis of Theorem 1, we consider a version of (15) with a fixed Lagrangian penalty, rather than a norm constraint:

max(x+δ;y𝝁,𝚺)-Cδ2.

Note then, that by Lemma 1, the optimal perturbation δ* is given by

δ*=(C𝚺-𝑰)-1.

We now proceed to the proof of Theorem 1. See 1

Proof.

We begin by expanding the Gaussian negative log-likelihood for the relaxed problem:

adv(Θ)-(Θ) =𝔼x𝒩(𝝁*,𝚺*)[2𝒗(C𝚺-𝑰)-𝚺-1𝒗+𝒗(C𝚺-𝑰)-𝚺-1(C𝚺-𝑰)-1𝒗]
=𝔼x𝒩(𝝁*,𝚺*)[2𝒗(C𝚺𝚺-𝚺)-1𝒗+𝒗(C𝚺-𝑰)-𝚺-1(C𝚺-𝑰)-1𝒗]

Recall that we are considering the vulnerability at the MLE parameters 𝝁* and 𝚺*:

adv(Θ)-(Θ) =𝔼𝒗𝒩(0,I)[2𝒗𝚺*1/2(C𝚺*2-𝚺*)-1𝚺*1/2𝒗
  +𝒗𝚺*1/2(C𝚺*-𝑰)-𝚺*-1(C𝚺*-𝑰)-1𝚺*1/2𝒗]
=𝔼𝒗𝒩(0,I)[2𝒗(C𝚺*-𝑰)-1𝒗+𝒗𝚺*1/2(C2𝚺*3-2C𝚺*2+𝚺*)-1𝚺*1/2𝒗]
=𝔼𝒗𝒩(0,I)[2𝒗(C𝚺*-𝑰)-1𝒗+𝒗(C𝚺*-𝑰)-2𝒗]
=𝔼𝒗𝒩(0,I)[-v22+𝒗𝑰𝒗+2𝒗(C𝚺*-𝑰)-1𝒗+𝒗(C𝚺*-𝑰)-2𝒗]
=𝔼𝒗𝒩(0,I)[-v22+𝒗(𝑰+(C𝚺*-𝑰)-1)2𝒗]
=tr[(𝑰+(C𝚺*-𝑰)-1)2]-d

This shows the first part of the theorem. It remains to show that for a fixed k=tr(𝚺*), the adversarial risk is minimized by 𝚺*=kd𝑰:

min𝚺*adv(Θ)-(Θ) =min𝚺*tr[(𝑰+(C𝚺*-𝑰)-1)2]
=min{σi}i=1d(1+1Cσi-1)2,

where {σi} are the eigenvalues of 𝚺*. Now, we have that σi=k by assumption, so by optimality conditions, we have that 𝚺* minimizes the above if {σi}1, i.e. if σi=σj for all i,j. Now,

σi =-2(1+1Cσi-1)C(Cσi-1)2
=-2C2σi(Cσi-1)3.

Then, by solving analytically, we find that

-2C2σi(Cσi-1)3=-2C2σj(Cσj-1)3

admits only one real solution, σi=σj. Thus, 𝚺*𝑰. Scaling to satisfy the trace constraint yields 𝚺*=kd𝑰, which concludes the proof. ∎

E.3.3 Real objective

Our motivating example (Section E.3.1) demonstrates that the optimal perturbation for the adversary in the 2-constrained case is actually a linear function of 𝒗, and in particular, that the optimal perturbation can be expressed as D𝒗 for a diagonal matrix D. Note, however, that the problem posed in (15) is not actually a minimax problem, due to the presence of the expectation between the outer minimization and the inner maximization. Motivated by this and (19), we define the following robust problem:

min𝝁,𝚺maxM𝔼x𝒩(𝝁*,𝚺*)[(𝝁,𝚺;x+M𝒗)], (20)
where ={Md×d:Mij=0ij,𝔼x𝒩(𝝁*,𝚺*)[M𝒗22]=ϵ2}.

First, note that this objective is slightly different from that of (15). In the motivating example, δ is constrained to always have ε-norm, and thus is normalizer on a per-sample basis inside of the expectation. In contrast, here the classifier is concerned with being robust to perturbations that are linear in 𝒗, and of ε2 squared norm in expectation.

Note, however, that via the result of \citetlaurent2000adaptive showing strong concentration for the norms of Gaussian random variables, in high dimensions this bound on expectation has a corresponding high-probability bound on the norm. In particular, this implies that as d, M𝒗2=ε almost surely, and thus the problem becomes identical to that of (15). We now derive the optimal M for a given (𝝁,𝚺):

Lemma 2.

Consider the minimax problem described by (20), i.e.

min𝝁,𝚺maxM𝔼x𝒩(𝝁*,𝚺*)[(𝝁,𝚺;x+M𝒗)].

Then, the optimal action M* of the inner maximization problem is given by

M=(λ𝚺-𝑰)-1, (21)

where again λ is set so that MM.

Proof.

We accomplish this in a similar fashion to what was done for δ*, using Lagrange multipliers:

M𝔼x𝒩(𝝁*,𝚺*)[𝒗M𝚺-1𝒗+12𝒗M𝚺-1M𝒗] =λM𝔼x𝒩(𝝁*,𝚺*)[M𝒗22-ε2]
𝔼x𝒩(𝝁*,𝚺*)[𝚺-1𝒗𝒗+𝚺-1M𝒗𝒗] =𝔼x𝒩(𝝁*,𝚺*)[λM𝒗𝒗]
𝚺-1𝚺*+𝚺-1M𝚺* =λM𝚺*
M =(λ𝚺-𝑰)-1,

where λ is a constant depending on 𝚺 and 𝝁 enforcing the expected squared-norm constraint. ∎

Indeed, note that the optimal M for the adversary takes a near-identical form to the optimal δ (19), with the exception that λ is not sample-dependent but rather varies only with the parameters.

E.3.4 Danskin’s Theorem

The main tool in proving our key results is Danskin’s Theorem \citepdanskin1967theory, a powerful theorem from minimax optimization which contains the following key result:

Theorem 4 (Danskin’s Theorem).

Suppose ϕ(x,z):R×ZR is a continuous function of two arguments, where ZRm is compact. Define f(x)=maxzZϕ(x,z). Then, if for every zZ, ϕ(x,z) is convex and differentiable in x, and ϕx is continuous:

The subdifferential of f(x) is given by

f(x)=conv{ϕ(x,z)x:zZ0(x)},

where conv() represents the convex hull operation, and Z0 is the set of maximizers defined as

Z0(x)={z¯:ϕ(x,z¯)=maxzZϕ(x,z)}.

In short, given a minimax problem of the form minxmaxyCf(x,y) where C is a compact set, if f(,y) is convex for all values of y, then rather than compute the gradient of g(x):=maxyCf(x,y), we can simply find a maximizer y* for the current parameter x; Theorem 4 ensures that xf(x,y*)xg(x). Note that is trivially compact (by the Heine-Borel theorem), and differentiability/continuity follow rather straightforwardly from our reparameterization (c.f. (22)), and so it remains to show that the outer minimization is convex for any fixed M.

Convexity of the outer minimization.

Note that even in the standard case (i.e. non-adversarial), the Gaussian negative log-likelihood is not convex with respect to (𝝁,𝚺). Thus, rather than proving convexity of this function directly, we employ the parameterization used by [daskalakis2019efficient]: in particular, we write the problem in terms of 𝑻=𝚺-1 and 𝒎=𝚺-1𝝁. Under this parameterization, we show that the robust problem is convex for any fixed M.

Lemma 3.

Under the aforementioned parameterization of 𝐓=Σ-1 and 𝐦=Σ-1𝛍, the following “Gaussian robust negative log-likelihood” is convex:

𝔼x𝒩(𝝁*,𝚺*)[(𝒎,𝑻;x+M𝒗)].
Proof.

To prove this, we show that the likelihood is convex even with respect to a single sample x; the result follows, since a convex combination of convex functions remains convex. We begin by looking at the likelihood of a single sample x𝒩(𝝁*,𝚺*):

(𝝁,𝚺;x+M(x-𝝁)) =1(2π)k|𝚺|exp(-12(x-𝝁)(I+M)2𝚺-1(x-𝝁))
=1(2π)k|𝚺|exp(-12(x-𝝁)(I+M)2𝚺-1(x-𝝁))1(2π)k|(𝑰+𝑴)-𝟐𝚺|exp(-12(x-𝝁)(I+M)2𝚺-1(x-𝝁))
=|I+M|-1exp(-12x(I+M)2𝚺-1x+𝝁(I+M)2𝚺-1x)exp(-12x(I+M)2𝚺-1x+𝝁(I+M)2𝚺-1x)

In terms of the aforementioned 𝑻 and 𝒎, and for convenience defining A=(I+M)2:

(x) =|A|-1/2+(12xA𝑻x-𝒎Ax)-log(exp(12xA𝑻x-𝒎Ax))
(x) =[12(Axx)-Ax]-[12(Axx)-Ax]exp(12xA𝑻x-𝒎Ax)exp(12xA𝑻x-𝒎Ax)
=[12(Axx)-Ax]-𝔼z𝒩(𝑻-1𝒎,(𝑨𝑻)-1)[12(Azz)-Az]. (22)

From here, following an identical argument to [daskalakis2019efficient] Equation (3.7), we find that

𝑯=Covz𝒩(𝑻-1𝒎,(A𝑻)-1)[((-12AzzT)z),((-12AzzT)z)]𝟎,

i.e. that the log-likelihood is indeed convex with respect to [𝑻𝒎], as desired. ∎

E.3.5 Applying Danskin’s Theorem

The previous two parts show that we can indeed apply Danskin’s theorem to the outer minimization, and in particular that the gradient of f at M=M* is in the subdifferential of the outer minimization problem. We proceed by writing out this gradient explicitly, and then setting it to zero (note that since we have shown f is convex for all choices of perturbation, we can use the fact that a convex function is globally minimized its subgradient contains zero). We continue from above, plugging in (21) for M and using (22) to write the gradients of with respect to 𝑻 and 𝒎.

0=[𝑻𝒎] =𝔼x𝒩(𝝁*,𝚺*)[[12(Axx)-Ax]-𝔼z𝒩(𝑻-1𝒎,(𝑨𝑻)-1)[12(Azz)-Az]]
=𝔼x𝒩(𝝁*,𝚺*)[12(Axx)-Ax]-𝔼z𝒩(𝑻-1𝒎,(𝑨𝑻)-1)[12(Azz)-Az]
=[12(A𝚺*)-A𝝁*]-𝔼z𝒩(𝑻-1𝒎,(𝑨𝑻)-1)[12(A(A𝑻)-1)-A𝑻-1𝒎]
=[12A𝚺*-A𝝁*]-[12A(A𝑻)-1-A𝑻-1𝒎]
=[12A𝚺*-12𝑻-1A𝑻-1𝒎-A𝝁*] (23)

Using this fact, we derive an implicit expression for the robust covariance matrix 𝚺. Note that for the sake of brevity, we now use M to denote the optimal adversarial perturbation (previously defined as M* in (21)). This implicit formulation forms the foundation of the bounds given by our main results.

Lemma 4.

The minimax problem discussed throughout this work admits the following (implicit) form of solution:

𝚺 =1λI+12𝚺*+1λ𝚺*+14𝚺*2,

where λ is such that MM, and is thus dependent on Σ.

Proof.

Rewriting (23) in the standard parameterization (with respect to 𝝁,𝚺) and re-expanding A=(I+M)2 yields:

0=[𝑻𝒎]=[12(I+M)2𝚺*-12𝚺(I+M)2𝝁-(I+M)2𝝁*]

Now, note that the equations involving 𝝁 and 𝚺 are completely independent, and thus can be solved separately. In terms of 𝝁, the relevant system of equations is A𝝁-A𝝁*=0, where multiplying by the inverse A gives that

𝝁=𝝁*. (24)

This tells us that the mean learned via 2-robust maximum likelihood estimation is precisely the true mean of the distribution.

Now, in the same way, we set out to find 𝚺 by solving the relevant system of equations:

𝚺*-1 =𝚺-1(M+I)2. (25)

Now, we make use of the Woodbury Matrix Identity in order to write (I+M) as

I+(λ𝚺-I)-1=I+(-I-(1λ𝚺-1-I)-1)=-(1λ𝚺-1-I)-1.

Thus, we can revisit (25) as follows:

𝚺*-1 =𝚺-1(1λ𝚺-1-I)-2
1λ2𝚺*-1𝚺-2-(2λ𝚺*-1+I)𝚺-1+𝚺*-1 =0
1λ2𝚺*-1-(2λ𝚺*-1+I)𝚺+𝚺*-1𝚺2 =0

We now apply the quadratic formula to get an implicit expression for 𝚺 (implicit since technically λ depends on 𝚺):

𝚺 =(2λ𝚺*-1+I±4λ𝚺*-1+I)12𝚺*
=1λI+12𝚺*+1λ𝚺*+14𝚺*2. (26)

This concludes the proof. ∎

E.3.6 Bounding λ

We now attempt to characterize the shape of λ as a function of ε. First, we use the fact that 𝔼[Xv2]=tr(X2) for standard normally-drawn v. Thus, λ is set such that tr(𝚺*M2)=ε, i.e:

i=0𝚺ii*(λ𝚺ii-1)2=ε (27)

Now, consider ε2 as a function of λ. Observe that for λ1σmin(𝚺), we have that M must be positive semi-definite, and thus ε2 decays smoothly from (at λ=1σmin) to zero (at λ=). Similarly, for λ1σmax(𝚺), ε decays smoothly as λ decreases. Note, however, that such values of λ would necessarily make M negative semi-definite, which would actually help the log-likelihood. Thus, we can exclude this case; in particular, for the remainder of the proofs, we can assume λ1σmax(𝚺).

Also observe that the zeros of ε in terms of λ are only at λ=±. Using this, we can show that there exists some ε0 for which, for all ε<ε0, the only corresponding possible valid value of λ is where λ1σmin. This idea is formalized in the following Lemma.

Lemma 5.

For every Σ*, there exists some ε0>0 for which, for all ε[0,ε0) the only admissible value of λ is such that λ1σmin(Σ), and thus such that M is positive semi-definite.

Proof.

We prove the existence of such an ε0 by lower bounding ε (in terms of λ) for any finite λ>0 that does not make M PSD. Providing such a lower bound shows that for small enough ε (in particular, less than this lower bound), the only corresponding values of λ are as desired in the statement1818 18 Since our only goal is existence, we lose many factors from the analysis that would give a tighter bound on ε0..

In particular, if M is not PSD, then there must exist at least one index k such that λ𝚺kk<1, and thus (λ𝚺kk-1)21 for all λ>0. We can thus lower bound (27) as:

ε=i=0𝚺ii*(λ𝚺ii-1)2𝚺kk*(λ𝚺kk-1)2𝚺kk*σmin(𝚺*)>0 (28)

By contradiction, it follows that for any ε<σmin(𝚺*)2, the only admissible λ is such that M is PSD, i.e. according to the statement of the Lemma. ∎

In the regime ε[0,ε0), note that λ is inversely proportional to ε (i.e. as ε grows, λ decreases). This allows us to get a qualitative view of (26): as the allowed perturbation value increases, the robust covariance 𝚺 resembles the identity matrix more and more, and thus assigns more and more variance on initially low-variance features. The 𝚺* term indicates that the robust model also adds uncertainty proportional to the square root of the initial variance—thus, low-variance features will have (relatively) more uncertainty in the robust case. Indeed, our main result actually follows as a (somewhat loose) formalization of this intuition.

E.3.7 Proof of main theorems

First, we give a proof of Theorem 2, providing lower and upper bounds on the learned robust covariance 𝚺 in the regime ε[0,ε0).

See 2

Proof.

We have already shown that 𝝁=𝝁* in the robust case (c.f. (24)). We choose ε0 to be as described, i.e. the largest ε for which the set {λ:tr(𝚺*2M)=ε,λ1/σmax(𝚺)} has only one element λ (which, as we argued, must not be less than 1/σmin(𝚺)). We have argued that such an ε0 must exist.

We prove the result by combining our early derivation (in particular, (25) and (26)) with upper and lower bound on λ, which we can compute based on properties of the trace operator. We begin by deriving a lower bound on λ. By linear algebraic manipulation (given in Appendix E.3.8), we get the following bound:

λdtr(𝚺)(1+dσmin(𝚺*)ε) (29)

Now, we can use (25) in order to remove the dependency of λ on 𝚺:

𝚺 =𝚺*(M+I)2
tr(𝚺) =tr[(𝚺*1/2M+𝚺*1/2)2]
2tr[(𝚺*1/2M)2+(𝚺*1/2)2]
2(ε+tr(𝚺*)).

Applying this to (29) yields:

λ d/2ε+tr(𝚺*)(1+dσmin(𝚺*)ε).

Note that we can simplify this bound significantly by writing ε=dσmin(𝚺*)εtr(𝚺*)ε, which does not affect the result (beyond rescaling the valid regime (0,ε0)), and gives:

λ d/2(1+ε)tr(𝚺*)(1+1ε)d(1+ε)2ε(1+ε)tr(𝚺*)

Next, we follow a similar methodology (Appendix E.3.8) in order to upper bound λ:

λ1σmin(𝚺)(𝚺*Fdε+1).

Note that by (25) and positive semi-definiteness of M, it must be that σmin(𝚺)σmin(𝚺*). Thus, we can simplify the previous expression, also substituting ε=dσmin(𝚺*)ε:

λ1σmin(𝚺*)(𝚺*Fσmin(𝚺*)ε+1)=𝚺*F+εσmin(𝚺*)σmin(𝚺*)3/2ε

These bounds can be straightforwardly combined with Lemma 4, which concludes the proof. ∎

Using this theorem, we can now show Theorem 3: See 3

Proof.

To prove this, we make use of the following Lemmas:

Lemma 6.

For two positive definite matrices A and B with κ(A)>κ(B), we have that κ(A+B)max{κ(A),κ(B)}.

Proof.

We proceed by contradiction:

κ(A+B) =λmax(A)+λmax(B)λmin(A)+λmin(B)
κ(A) =λmax(A)λmin(A)
κ(A) κ(A+B)
λmax(A)(λmin(A)+λmin(B)) λmin(A)(λmax(A)+λmax(B))
λmax(A)λmin(B) λmin(A)λmax(B)
λmax(A)λmin(A) λmin(A)λmax(B),

which is false by assumption. This concludes the proof. ∎

Lemma 7 (Straightforward).

For a positive definite matrix A and k>0, we have that

κ(A+kI)<κ(A)  κ(A+kA)κ(A).
Lemma 8 (Angle induced by positive definite matrix; folklore).
1919 19 A proof can be found in https://bit.ly/2L6jdAT

For a positive definite matrix A0 with condition number κ, we have that

minxxAxAx2x2=2κ1+κ. (30)

These two results can be combined to prove the theorem. First, we show that κ(𝚺)κ(𝚺*):

κ(𝚺) =κ(1λI+12𝚺*+1λ𝚺*+14𝚺*2)
<max{κ(1λI+12𝚺*),κ(1λ𝚺*+14𝚺*2)}
<max{κ(𝚺*),κ(1λ𝚺*+14𝚺*2)}
=max{κ(𝚺*),κ(2λ14𝚺*2+14𝚺*2)}
κ(𝚺*).

Finally, note that (30) is a strictly decreasing function in κ, and as such, we have shown the theorem. ∎

E.3.8 Bounds for λ

Lower bound.
ε =tr(𝚺*M2)
σmin(𝚺*)tr(M2) by the definition of tr()
σmin(𝚺*)dtr(M)2 by Cauchy-Schwarz
σmin(𝚺*)d[tr((λ𝚺-𝑰)-1)]2 Expanding M (21)
σmin(𝚺*)d[tr(λ𝚺-𝑰)-1d2]2 AM-HM inequality
d3σmin(𝚺*)[λtr(𝚺)-d]-2
[λtr(𝚺)-d]2 d3σmin(𝚺*)ε
λtr(𝚺)-d d3/2σmin(𝚺*)ε since M is PSD
λ dtr(𝚺)(1+dσmin(𝚺*)ε)
Upper bound
ε =tr(𝚺*M2)
𝚺*Fdσmax(M)2
𝚺*Fdσmin(M)-2
λσmin(𝚺)-1 𝚺*Fdε
λ 1σmin(𝚺)(𝚺*Fdε+1).