Intriguing Properties of Robust Classification
This work addresses the fundamental challenge of adversarial robustness in machine learning, offering a theoretical explanation for data inefficiency in robust training, which is incremental but clarifies a critical bottleneck.
The paper tackles the problem of training robust classifiers against adversarial perturbations, showing that robust generalization can require exponentially more data than accurate classification in certain settings, with experiments on CIFAR-10 indicating data quantity as a key factor.
Despite extensive research since the community learned about adversarial examples 10 years ago, we still do not know how to train high-accuracy classifiers that are guaranteed to be robust to small perturbations of their inputs. Previous works often argued that this might be because no classifier exists that is robust and accurate at the same time. However, in computer vision this assumption does not match reality where humans are usually accurate and robust on most tasks of interest. We offer an alternative explanation and show that in certain settings robust generalization is only possible with unrealistically large amounts of data. Specifically, we find a setting where a robust classifier exists, it is easy to learn an accurate classifier, yet it requires an exponential amount of data to learn a robust classifier. Based on this theoretical result, we evaluate the influence of the amount of training data on datasets such as CIFAR-10. Our findings indicate that the amount of training data is the main factor determining the robust performance. Furthermore we show that there are low magnitude directions in the data which are useful for non-robust generalization but are not available for robust classifiers. We provide code at https://github.com/berndprach/IntriguingProperties.