The susceptibility of modern machine learning classifiers to adversarial examples has motivated theoretical results suggesting that these might be unavoidable. However, these results can be too general to be applicable to natural data distributions. Indeed, humans are quite robust for tasks involving vision. This apparent conflict motivates a deeper dive into the question: Are adversarial examples truly unavoidable? In this work, we theoretically demonstrate that a key property of the data distribution -- concentration on small-volume subsets of the input space -- determines whether a robust classifier exists. We further demonstrate that, for a data distribution concentrated on a union of low-dimensional linear subspaces, exploiting data structure naturally leads to classifiers that enjoy good robustness guarantees, improving upon methods for provable certification in certain regimes.