attack 2025

Bilevel Models for Adversarial Learning and A Case Study

Yutong Zheng , Qingna Li

0 citations · 79 references · Mathematics

Published on arXiv

2510.25121

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

The proposed bilevel models with δ-measure deviation function provably characterize adversarial attacks on convex clustering models and are validated numerically, identifying noise-level thresholds at which perturbations alter cluster assignments.

δ-measure bilevel adversarial model

Novel technique introduced


Adversarial learning has been attracting more and more attention thanks to the fast development of machine learning and artificial intelligence. However, due to the complicated structure of most machine learning models, the mechanism of adversarial attacks is not well interpreted, and how to measure the effect of an attack is still not quite clear. In this paper, we investigate adversarial learning from the perturbation analysis point of view. We characterize the robustness of learning models through the calmness of the solution mapping. In the case of convex clustering models, we identify the conditions under which the clustering results remain the same under perturbations; when the noise level is large, the perturbation leads to an attack. Therefore, we propose two bilevel models for adversarial learning in which the effect of adversarial learning is measured by a deviation function. Specifically, we systematically study the so-called $\delta$-measure and show that, under certain conditions, it can be used as a deviation function in adversarial learning for convex clustering models. Finally, we conduct numerical tests to verify the above theoretical results as well as the efficiency of the two proposed bilevel models.


Key Contributions

  • Characterizes robustness of convex clustering models through calmness of the solution mapping under perturbations
  • Proposes two bilevel optimization models for adversarial learning with deviation functions measuring attack effect
  • Establishes conditions under which the δ-measure can serve as a valid deviation function for adversarial attacks on convex clustering

🛡️ Threat Analysis

Input Manipulation Attack

Proposes two bilevel optimization models to craft adversarial perturbations that cause convex clustering models to change their output — a direct adversarial evasion/input manipulation attack at inference time on an ML model.


Details

Domains
tabular
Model Types
traditional_ml
Threat Tags
white_box, inference_time, untargeted
Applications
convex clustering