Adversarial Examples for $k$-Nearest Neighbor Classifiers Based on Higher-Order Voronoi Diagrams
This work addresses the problem of evaluating adversarial robustness for k-NN classifiers, which is important for users of these non-neural network models, offering an incremental improvement over existing methods.
This paper proposes a geometric algorithm to find minimum-norm adversarial examples for k-nearest neighbor (k-NN) classifiers. By expanding outwards from an input point using higher-order Voronoi diagrams, the method identifies perturbations that achieve different classifications. The algorithm, with approximation steps for large k, finds smaller norm perturbations compared to baselines on various datasets.
Adversarial examples are a widely studied phenomenon in machine learning models. While most of the attention has been focused on neural networks, other practical models also suffer from this issue. In this work, we propose an algorithm for evaluating the adversarial robustness of $k$-nearest neighbor classification, i.e., finding a minimum-norm adversarial example. Diverging from previous proposals, we take a geometric approach by performing a search that expands outwards from a given input point. On a high level, the search radius expands to the nearby Voronoi cells until we find a cell that classifies differently from the input point. To scale the algorithm to a large $k$, we introduce approximation steps that find perturbations with smaller norm, compared to the baselines, in a variety of datasets. Furthermore, we analyze the structural properties of a dataset where our approach outperforms the competition.