Finding classifiers robust to adversarial examples is critical for their safe deployment. Determining the robustness of the best possible classifier under a given threat model for a given data distribution and comparing it to that achieved by state-of-the-art training methods is thus an important diagnostic tool. In this paper, we find achievable information-theoretic lower bounds on loss in the presence of a test-time attacker for multi-class classifiers on any discrete dataset. We provide a general framework for finding the optimal 0-1 loss that revolves around the construction of a conflict hypergraph from the data and adversarial constraints. We further define other variants of the attacker-classifier game that determine the range of the optimal loss more efficiently than the full-fledged hypergraph construction. Our evaluation shows, for the first time, an analysis of the gap to optimal robustness for classifiers in the multi-class setting on benchmark datasets.

翻译：寻找对对抗样本具有鲁棒性的分类器是其安全部署的关键。因此，在给定数据分布和威胁模型下，确定最佳可能分类器的鲁棒性，并将其与先进训练方法所达到的鲁棒性进行比较，是一项重要的诊断工具。本文在任意离散数据集上，针对多类分类器在面临测试时攻击者时，推导了可达到的信息论下界损失。我们提出了一个通用框架，通过从数据和对抗约束构建冲突超图来寻找最优0-1损失。此外，我们定义了攻击者-分类器博弈的其他变体，这些变体比完整的超图构建方法更高效地确定了最优损失的范围。实验评估首次展示了基准数据集上多类分类器鲁棒性最优性差距的分析。