Adversarial vulnerability for any classifier

Despite achieving impressive performance, state-of-the-art classifiers remain highly vulnerable to small, imperceptible, adversarial perturbations. This vulnerability has proven empirically to be very intricate to address. In this paper, we study the phenomenon of adversarial perturbations under the assumption that the data is generated with a smooth generative model. We derive fundamental upper bounds on the robustness to perturbations of any classification function, and prove the existence of adversarial perturbations that transfer well across different classifiers with small risk. Our analysis of the robustness also provides insights onto key properties of generative models, such as their smoothness and dimensionality of latent space. We conclude with numerical experimental results showing that our bounds provide informative baselines to the maximal achievable robustness on several datasets.

💡 Research Summary

This paper, “Adversarial vulnerability for any classifier,” provides a theoretical framework for understanding the fundamental limits of classifier robustness to adversarial examples. The core premise is that natural data (like images) is generated by applying a smooth function g to a latent vector z drawn from a standard Gaussian distribution in a d-dimensional space. Under this generative model assumption, the authors prove that any classification function f mapping from the data space to labels is inherently vulnerable to small, imperceptible perturbations.

The key contribution is a set of fundamental upper bounds on what the authors term “in-distribution robustness” (r_in), where the perturbed sample is constrained to remain within the support of the data distribution (i.e., the range of g). Theorem 1, leveraging the Gaussian isoperimetric inequality, shows that the probability a data point has robustness less than a value η is bounded from below. This bound depends critically on the smoothness of the generator g (quantified by a modulus of continuity function ω) and the dimensionality d of the latent space. The analysis reveals that if the latent space is high-dimensional (large d) and the generator is smooth (so that ω(t) is relatively large for small t), then there exist adversarial perturbations of norm η that are vanishingly small compared to the typical norm of a data point (which scales with √d). This vulnerability holds for any classifier, regardless of its architecture or training method. The bound also tightens as the number of classes K increases, explaining why multiclass problems are often more vulnerable.

A second significant result (Theorem 2) bridges the concepts of in-distribution robustness and the more commonly studied “unconstrained robustness” (r_unc), where perturbations are not required to stay on the data manifold. The authors show that for any classifier f, one can construct a modified classifier (specifically, a nearest-neighbor classifier based on the generator g) whose unconstrained robustness is at least half of the original classifier’s in-distribution robustness. This implies that the fundamental limits derived for r_in also essentially apply to r_unc, and suggests a constructive method to improve a classifier’s practical robustness using a generative model.

The paper further proves the existence of transferable adversarial perturbations—perturbations crafted for one classifier that also fool another—under the same generative model assumptions. Finally, the theoretical bounds are validated empirically on datasets like CIFAR-10 and SVHN, where they provide informative baselines for the best achievable robustness.

The implications are profound. The analysis turns the problem of adversarial vulnerability into a question about the properties of the data distribution itself, as modeled by g. It suggests that if the human visual system is robust to small ℓ_p-norm perturbations, then the true generative process for natural images cannot be both smooth and high-dimensional. Therefore, to accurately model real-world distributions and develop inherently robust systems, future generative models may need to prioritize low-dimensional or non-smooth representations. The work shifts the perspective from solely hardening classifiers to also considering the fundamental geometric constraints of the data we are trying to classify.