Machine learning models are known to be susceptible to adversarial attacks, which can cause misclassification by introducing small but carefully designed perturbations. In this paper, we consider a classical hypothesis testing problem in order to develop fundamental insight into defending against such adversarial perturbations. We interpret the adversarial perturbation as a nuisance parameter, and propose a defense based on applying the generalized likelihood ratio test (GLRT) to the resulting composite hypothesis testing problem, jointly estimating the class of interest and the adversarial perturbation. While the GLRT approach is applicable to general multi-class hypothesis testing, we first evaluate it for binary hypothesis testing in white Gaussian noise under $\ell_\infty$ norm-bounded adversarial perturbations, a setting for which a known minimax defense optimizing for the worst-case attack provides a benchmark. We derive the worst-case attack for the GLRT defense, and show that its asymptotic performance (as the dimension of the data increases) approaches that of the minimax defense. For non-asymptotic regimes, we show via simulations that the GLRT defense is competitive with the minimax approach under the worst-case attack, while yielding a better robustness-accuracy trade-off under weaker attacks. We also illustrate the GLRT approach for a multi-class hypothesis testing problem, for which a minimax strategy is not known, by providing a method for finding optimal noise-aware attacks, and by evaluating its performance under noise-agnostic and noise-aware adversarial settings and under heuristic attacks, finding that the noise-agnostic attack is near-optimal in the high-SNR regime.
Classical asymptotic theory for statistical inference usually involves calibrating a statistic by fixing the dimension $d$ while letting the sample size $n$ increase to infinity. Recently, much effort has been dedicated towards understanding how these methods behave in high-dimensional settings, where $d$ and $n$ both increase to infinity together. This often leads to different inference procedures, depending on the assumptions about the dimensionality, leaving the practitioner in a bind: given a dataset with 100 samples in 20 dimensions, should they calibrate by assuming $n \gg d$, or $d/n \approx 0.2$? This paper considers the goal of dimension-agnostic inference; developing methods whose validity does not depend on any assumption on $d$ versus $n$. We introduce an approach that uses variational representations of existing test statistics along with sample splitting and self-normalization to produce a new test statistic with a Gaussian limiting distribution, regardless of how $d$ scales with $n$. The resulting statistic can be viewed as a careful modification of degenerate U-statistics, dropping diagonal blocks and retaining off-diagonal blocks. We exemplify our technique for some classical problems including one-sample mean and covariance testing, and show that our tests have minimax rate-optimal power against appropriate local alternatives. In most settings, our cross U-statistic matches the high-dimensional power of the corresponding (degenerate) U-statistic up to a $\sqrt{2}$ factor.
While neural networks have achieved high accuracy on standard image classification benchmarks, their accuracy drops to nearly zero in the presence of small adversarial perturbations to test inputs. Defenses based on regularization and adversarial training have been proposed, but often followed by new, stronger attacks that defeat these defenses. Can we somehow end this arms race? In this work, we study this problem for neural networks with one hidden layer. We first propose a method based on a semidefinite relaxation that outputs a certificate that, for a given network and test input, no attack can force the error to exceed a certain value. Second, as this certificate is differentiable, we jointly optimize it with the network parameters, providing an adaptive regularizer that encourages robustness against all attacks. On MNIST, our approach produces a network and a certificate that no attack that perturbs each pixel by at most 0.1 can cause more than 35% test error.
Machine learning models are often susceptible to adversarial perturbations of their inputs. Even small perturbations can cause state-of-the-art classifiers with high "standard" accuracy to produce an incorrect prediction with high confidence. To better understand this phenomenon, we study adversarially robust learning from the viewpoint of generalization. We show that already in a simple natural data model, the sample complexity of robust learning can be significantly larger than that of "standard" learning. This gap is information theoretic and holds irrespective of the training algorithm or the model family. We complement our theoretical results with experiments on popular image classification datasets and show that a similar gap exists here as well. We postulate that the difficulty of training robust classifiers stems, at least partially, from this inherently larger sample complexity.
We show how to turn any classifier that classifies well under Gaussian noise into a new classifier that is certifiably robust to adversarial perturbations under the $\ell_2$ norm. This "randomized smoothing" technique has been proposed recently in the literature, but existing guarantees are loose. We prove a tight robustness guarantee in the $\ell_2$ norm for smoothing with Gaussian noise. We use randomized smoothing to obtain an ImageNet classifier with, e.g., a certified top-1 accuracy of 49% under adversarial perturbations with $\ell_2$ norm less than 0.5 (= 127/255). No certified defense has been shown feasible on ImageNet except for smoothing. On smaller-scale datasets where competing approaches to certified $\ell_2$ robustness are viable, smoothing delivers higher certified accuracies. Our strong empirical results suggest that randomized smoothing is a promising direction for future research into adversarially robust classification. Code and models are available at http://github.com/locuslab/smoothing.
We study a family of adversarial multiclass classification problems and provide equivalent reformulations in terms of: 1) a family of generalized barycenter problems introduced in the paper and 2) a family of multimarginal optimal transport problems where the number of marginals is equal to the number of classes in the original classification problem. These new theoretical results reveal a rich geometric structure of adversarial learning problems in multiclass classification and extend recent results restricted to the binary classification setting. A direct computational implication of our results is that by solving either the barycenter problem and its dual, or the MOT problem and its dual, we can recover the optimal robust classification rule and the optimal adversarial strategy for the original adversarial problem. Examples with synthetic and real data illustrate our results.
Machine learning models trained on data from the outside world can be corrupted by data poisoning attacks that inject malicious points into the model's training set. A common defense against these attacks is data sanitization: first filter out anomalous training points before training the model. In this paper, we develop three attacks that can bypass a broad range of common data sanitization defenses, including anomaly detectors based on nearest neighbors, training loss, and singular value decomposition. By adding just 3% poisoned data, our attacks successfully increase test error on the Enron spam detection dataset from 3% to 24% and on the IMDB sentiment classification dataset from 12% to 29%. In contrast, existing attacks that do not explicitly account for these data sanitization defenses are defeated by them. Our attacks are based on two ideas: (i) we coordinate our attacks to place poisoned points near one another, and (ii) we formulate each attack as a constrained optimization problem, with constraints designed to ensure that the poisoned points evade detection. As this optimization involves solving an expensive bilevel problem, our three attacks correspond to ways of approximating this problem based on influence functions; minimax duality; and the Karush-Kuhn-Tucker (KKT) conditions. Our results underscore the need to develop more robust defenses against data poisoning attacks.
As machine learning (ML) systems become pervasive, safeguarding their security is critical. However, it has recently been demonstrated that motivated adversaries are able to mislead ML systems by perturbing test data using semantic transformations. While there exists a rich body of research providing provable robustness guarantees for ML models against $\ell_p$ norm-bounded adversarial perturbations, guarantees against semantic perturbations remain largely open. In this paper, we provide TSS, a unified framework for certifying ML robustness against general adversarial semantic transformations. First, depending on the properties of each transformation, we divide common transformations into two categories, namely resolvable (e.g., Gaussian blur) and differentially resolvable (e.g., rotation) transformations. For the former, we propose transformation-specific randomized smoothing strategies and obtain strong robustness certification. The latter category covers transformations that involve interpolation errors, and for it we propose a novel approach based on stratified sampling to certify robustness. Our framework TSS leverages these certification strategies and combines them with consistency-enhanced training to provide rigorous robustness certification. We conduct extensive experiments on ten challenging semantic transformations and show that TSS significantly outperforms the state of the art. Moreover, to the best of our knowledge, TSS is the first approach that achieves nontrivial certified robustness on the large-scale ImageNet dataset. For instance, our framework achieves 30.4% certified robust accuracy on ImageNet against rotation attacks (within $\pm 30^\circ$). Furthermore, to consider a broader range of transformations, we show that TSS is also robust against adaptive attacks and unforeseen image corruptions such as CIFAR-10-C and ImageNet-C.
We study a model for adversarial classification based on distributionally robust chance constraints. We show that under Wasserstein ambiguity, the model aims to minimize the conditional value-at-risk of the distance to misclassification, and we explore links to adversarial classification models proposed earlier and to maximum-margin classifiers. We also provide a reformulation of the distributionally robust model for linear classification, and show that it is equivalent to minimizing a regularized ramp loss objective. Numerical experiments show that, despite the nonconvexity of this formulation, standard descent methods appear to converge to the global minimizer. Inspired by this observation, we show that, for a certain class of distributions, the only stationary point of the regularized ramp loss minimization problem is the global minimizer.
Adversarial examples that fool machine learning models, particularly deep neural networks, have been a topic of intense research interest, with attacks and defenses being developed in a tight back-and-forth. Most past defenses are best effort and have been shown to be vulnerable to sophisticated attacks. Recently a set of certified defenses have been introduced, which provide guarantees of robustness to norm-bounded attacks. However, these defenses either do not scale to large datasets or are limited in the types of models they can support. This paper presents the first certified defense that both scales to large networks and datasets (such as Google's Inception network for ImageNet) and applies broadly to arbitrary model types. Our defense, called PixelDP, is based on a novel connection between robustness against adversarial examples and differential privacy, a cryptographically-inspired privacy formalism, that provides a rigorous, generic, and flexible foundation for defense.
Testing the significance of a variable or group of variables $X$ for predicting a response $Y$, given additional covariates $Z$, is a ubiquitous task in statistics. A simple but common approach is to specify a linear model, and then test whether the regression coefficient for $X$ is non-zero. However, when the model is misspecified, the test may have poor power, for example when $X$ is involved in complex interactions, or lead to many false rejections. In this work we study the problem of testing the model-free null of conditional mean independence, i.e. that the conditional mean of $Y$ given $X$ and $Z$ does not depend on $X$. We propose a simple and general framework that can leverage flexible nonparametric or machine learning methods, such as additive models or random forests, to yield both robust error control and high power. The procedure involves using these methods to perform regressions, first to estimate a form of projection of $Y$ on $X$ and $Z$ using one half of the data, and then to estimate the expected conditional covariance between this projection and $Y$ on the remaining half of the data. While the approach is general, we show that a version of our procedure using spline regression achieves what we show is the minimax optimal rate in this nonparametric testing problem. Numerical experiments demonstrate the effectiveness of our approach both in terms of maintaining Type I error control, and power, compared to several existing approaches.
Many recent works have shown that overparameterization implicitly reduces the variance of min-norm interpolators and max-margin classifiers. These findings suggest that ridge regularization has vanishing benefits in high dimensions. We show, however, that even in the absence of noise, avoiding interpolation via ridge regularization can significantly improve generalization. We prove this phenomenon for the robust risk of both linear regression and classification, and hence provide the first theoretical result on robust overfitting.
We identify a trade-off between robustness and accuracy that serves as a guiding principle in the design of defenses against adversarial examples. Although this problem has been widely studied empirically, much remains unknown concerning the theory underlying this trade-off. In this work, we decompose the prediction error for adversarial examples (robust error) as the sum of the natural (classification) error and boundary error, and provide a differentiable upper bound using the theory of classification-calibrated loss, which is shown to be the tightest possible upper bound uniform over all probability distributions and measurable predictors. Inspired by our theoretical analysis, we also design a new defense method, TRADES, to trade adversarial robustness off against accuracy. Our proposed algorithm performs well experimentally on real-world datasets. The methodology is the foundation of our entry to the NeurIPS 2018 Adversarial Vision Challenge, in which we won 1st place out of ~2,000 submissions, surpassing the runner-up approach by 11.41% in terms of mean $\ell_2$ perturbation distance.