Lower Bounds for Adversarially Robust PAC Learning under Evasion and Hybrid Attacks.

ICMLA (2020)

Abstract
In this work, we study probably approximately correct (PAC) learning under general perturbation-based adversarial attacks. In the most basic setting, referred to as an evasion attack, the adversary's goal is to misclassify an honestly sampled point x by adversarially perturbing it into x̃, i.e., h(x̃) ≠ c(x̃), where c is the ground truth concept and h is the learned hypothesis. The only limitation on the adversary is that x̃ is not "too far" from x, as controlled by a metric. We first prove that for many theoretically natural input spaces of high dimension n (e.g., the isotropic Gaussian in dimension n under ℓ2 perturbations), if the adversary is allowed to apply up to a sublinear amount of perturbation in expected norm, PAC learning requires sample complexity that is exponential in the data dimension n. We then formalize hybrid attacks, in which the evasion attack is preceded by a poisoning attack: a poisoning phase is followed by a specific evasion attack. Special forms of hybrid attacks include so-called "backdoor attacks", but here we focus on the general setting in which the adversary's evasion attack is only limited by a pre-specified amount of perturbation, depending on the data dimension, and aims to misclassify the perturbed instances. We show that PAC learning is sometimes impossible under such hybrid attacks, while it is possible without the attack (e.g., due to bounded VC dimension).
Keywords
Adversarial Examples,Hybrid Attacks,PAC Learning