Evaluating the Robustness of Nearest Neighbor Classifiers: A Primal-Dual Perspective
This work addresses robustness evaluation for machine learning models, specifically for security-critical applications, but it is incremental as it builds on prior heuristic methods.
The paper tackles the problem of computing the minimum adversarial perturbation for Nearest Neighbor classifiers, proposing the first algorithm to achieve this for 1-NN models and providing bounds for K-NN models.
We study the problem of computing the minimum adversarial perturbation of the Nearest Neighbor (NN) classifiers. Previous attempts either conduct attacks on continuous approximations of NN models or search for the perturbation by some heuristic methods. In this paper, we propose the first algorithm that is able to compute the minimum adversarial perturbation. The main idea is to formulate the problem as a list of convex quadratic programming (QP) problems that can be efficiently solved by the proposed algorithms for 1-NN models. Furthermore, we show that dual solutions for these QP problems could give us a valid lower bound of the adversarial perturbation that can be used for formal robustness verification, giving us a nice view of attack/verification for NN models. For $K$-NN models with larger $K$, we show that the same formulation can help us efficiently compute the upper and lower bounds of the minimum adversarial perturbation, which can be used for attack and verification.