Bilevel Models for Adversarial Learning and A Case Study

Yutong Zheng, Qingna Li

TL;DR

The paper develops a calmness-based perturbation framework to study adversarial learning, focusing on convex clustering as a tractable case. It introduces two bilevel models to quantify and optimize perturbations and proposes the δ-measure as a deviation function, deriving explicit formulas for 2-, 3-, and general K-way clustering. Numerical experiments on UCI data validate robustness under moderate perturbations, reveal staircase behavior with larger perturbations, and compare deviation measures like δ, RI, and NMI. The work highlights both the viability of bilevel attacks in white-box settings and the need for future work on algorithms and black-box scenarios.

Abstract

Adversarial learning has been attracting more and more attention thanks to the fast development of machine learning and artificial intelligence. However, due to the complicated structure of most machine learning models, the mechanism of adversarial attacks is not well interpreted. How to measure the effect of attacks is still not quite clear. In this paper, we investigate adversarial learning from the perturbation analysis point of view. We characterize the robustness of learning models through the calmness of the solution mapping. In the case of convex clustering models, we identify the conditions under which the clustering results remain the same under perturbations. When the noise level is large, it leads to an attack. Therefore, we propose two bilevel models for adversarial learning where the effect of adversarial learning is measured by some deviation function. Specifically, we systematically study the so-called $\delta$-measure and show that under certain conditions, it can be used as a deviation function in adversarial learning for convex clustering models. Finally, we conduct numerical tests to verify the above theoretical results as well as the efficiency of the two proposed bilevel models.

Paper Structure

This paper contains 17 sections, 6 theorems, 72 equations, 8 figures, and 1 table.

Key Result

Theorem 1

sun2021convex Consider the input data $X=\left[{x}_1, \cdots, {x}_n\right]\in \mathbb{R}^{d \times n}$ and its partitioning $\mathcal{V}=\left\{V_1, V_2, \ldots, V_K\right\}$. Assume that all centroids $\left\{{x}^{(1)}, {x}^{(2)}, \ldots, {x}^{(K)}\right\}$ are distinct. Let $q \geq 1$ be the conju Assume that Let If and $\gamma$ is chosen such that $\gamma \in\left[\gamma_{\min }, \gamma_{\ma

Figures (8)

  • Figure 1: The original one-dimensional dataset $X=[0,\ 2,\ 10,\ 14]$ to illustrate convex clustering and its robustness to data perturbations.
  • Figure 2: Perturbed dataset $X(\varepsilon)$ with $x_3(\varepsilon) \in \left(\tfrac{44}{5}, \tfrac{68}{3}\right)$, where conditions (eq-cond1) and (eq-cond2) hold and the clustering results remain unchanged.
  • Figure 3: Perturbed dataset $X(\varepsilon) = [0,\ 2,\ -4,\ 14]$, where condition (eq-cond2) fails and the convex clustering result changes from $\left\{ \{1,2\},\{3,4\}\right\}$ to $\left\{ \{1,2,3\},\{4\}\right\}$.
  • Figure 4: The number of changed labels $N_{\mathrm{chg}}(\varepsilon)$ and deviation $\delta(\varepsilon)$ on Fisher Iris dataset.
  • Figure 5: The number of changed labels $N_{\mathrm{chg}}(\varepsilon)$ and deviation $\delta(\varepsilon)$ on Fisher Iris dataset.
  • ...and 3 more figures

Theorems & Definitions (25)

  • Example 1
  • Example 2
  • Remark 1
  • Definition 1: Calmness
  • Definition 2: Calmness at ${\varepsilon=0}$
  • Theorem 1
  • Theorem 2
  • Example 3
  • Example 4
  • Corollary 1
  • ...and 15 more