Agnostic Learning under Targeted Poisoning: Optimal Rates and the Role of Randomness
This work addresses a key open problem in adversarial machine learning for researchers, providing optimal error bounds and insights into the role of randomness, though it is incremental as it extends prior results from the realizable to the agnostic setting.
The paper tackles the problem of learning under instance-targeted poisoning attacks in the agnostic setting, showing that the optimal excess error is $ ilde{\Theta}(\sqrt{d\eta})$, where $d$ is the VC dimension and $\eta$ is the fraction of corrupted examples, and proving that randomized learners are necessary to achieve this rate.
We study the problem of learning in the presence of an adversary that can corrupt an $η$ fraction of the training examples with the goal of causing failure on a specific test point. In the realizable setting, prior work established that the optimal error under such instance-targeted poisoning attacks scales as $Θ(dη)$, where $d$ is the VC dimension of the hypothesis class arXiv:2210.02713. In this work, we resolve the corresponding question in the agnostic setting. We show that the optimal excess error is $\tildeΘ(\sqrt{dη})$, answering one of the main open problems left by Hanneke et al. To achieve this rate, it is necessary to use randomized learners: Hanneke et al. showed that deterministic learners can be forced to suffer error close to 1, even under small amounts of poisoning. Perhaps surprisingly, our upper bound remains valid even when the learner's random bits are fully visible to the adversary . In the other direction, our lower bound is stronger than standard PAC-style bounds: instead of tailoring a hard distribution separately for each sample size, we exhibit a single fixed distribution under which the adversary can enforce an excess error of $Ω(\sqrt{dη})$ infinitely often.