Robustness of Sketched Linear Classifiers to Adversarial Attacks


Linear classifiers are well-known to be vulnerable to adversarial attacks: they may predict incorrect labels for input data that are adversarially modified with small perturbations. However, this phe- nomenon has not been properly understood in the context of sketch- based linear classifiers, typically used in memory-constrained para- digms, which rely on random projections of the features for model compression. In this paper, we propose novel Fast-Gradient-Sign Method (FGSM) attacks for sketched classifiers in full, partial, and black-box information settings with regards to their internal param- eters. We perform extensive experiments on the MNIST dataset to characterize their robustness as a function of perturbation budget. Our results suggest that, in the full-information setting, these clas- sifiers are less accurate on unaltered input than their uncompressed counterparts but just as susceptible to adversarial attacks. But in more realistic partial and black-box information settings, sketching improves robustness while having lower memory footprint.

International Conference on Information and Knowledge Management
Ananth Mahadevan
Ananth Mahadevan
Machine Learning PhD Student

My research interests include systems for Machine Learning and network science.