Recent studies demonstrated that the adversarially robust learning under $\ell_\infty$ attack is harder to generalize to different domains than standard domain adaptation. How to transfer robustness across different domains has been a key question in domain adaptation field. To investigate the fundamental difficulty behind adversarially robust domain adaptation (or robustness transfer), we propose to analyze a key complexity measure that controls the cross-domain generalization: the adversarial Rademacher complexity over {\em symmetric difference hypothesis space} $\mathcal{H} \Delta \mathcal{H}$. For linear models, we show that adversarial version of this complexity is always greater than the non-adversarial one, which reveals the intrinsic hardness of adversarially robust domain adaptation. We also establish upper bounds on this complexity measure. Then we extend them to the ReLU neural network class by upper bounding the adversarial Rademacher complexity in the binary classification setting. Finally, even though the robust domain adaptation is provably harder, we do find positive relation between robust learning and standard domain adaptation. We explain \emph{how adversarial training helps domain adaptation in terms of standard risk}. We believe our results initiate the study of the generalization theory of adversarially robust domain adaptation, and could shed lights on distributed adversarially robust learning from heterogeneous sources, e.g., federated learning scenario.

翻译：最近研究表明，在$\ell_\infty$攻击下的对抗鲁棒学习比标准域适应更难推广到不同领域。如何跨领域迁移鲁棒性已成为域适应领域的关键问题。为探究对抗鲁棒域适应（即鲁棒性迁移）背后的根本困难，我们提出分析一个控制跨领域泛化的关键复杂度度量：在{\em对称差异假设空间}$\mathcal{H} \Delta \mathcal{H}$上的对抗Rademacher复杂度。对于线性模型，我们证明该复杂度的对抗版本始终大于非对抗版本，这揭示了对抗鲁棒域适应固有的困难性。我们还建立了该复杂度度量的上界。随后，通过推导二分类场景下ReLU神经网络类的对抗Rademacher复杂度上界，我们将结果扩展到该网络类。最后，尽管鲁棒域适应被证明更困难，我们仍发现鲁棒学习与标准域适应之间存在正相关关系。我们解释了{\em对抗训练在标准风险意义上如何帮助域适应}。我们相信，本研究开创了对抗鲁棒域适应泛化理论的研究，并可为异构源分布式对抗鲁棒学习（如联邦学习场景）提供启示。