We study robustness to test-time adversarial attacks in the regression setting with $\ell_p$ losses and arbitrary perturbation sets. We address the question of which function classes are PAC learnable in this setting. We show that classes of finite fat-shattering dimension are learnable in both realizable and agnostic settings. Moreover, when such classes are convex, they are even properly learnable. In contrast, some non-convex function classes provably require improper learning algorithms. Our main technique is based on a construction of an adversarially robust sample compression scheme of a size determined by the fat-shattering dimension. Along the way, we introduce a novel agnostic sample compression scheme for real-valued functions, which may be of independent interest.