The Shocking Harmfulness of Benign Overfitting for Adversarial Robustness. (arXiv:2401.12236v1 [cs.LG])



Recent empirical and theoretical studies have established the generalization
capabilities of large machine learning models that are trained to
(approximately or exactly) fit noisy data. In this work, we prove a surprising
result that even if the ground truth itself is robust to adversarial examples,
and the benignly overfitted model is benign in terms of the "standard"
out-of-sample risk objective, this benign overfitting process can be harmful
when out-of-sample data are subject to adversarial manipulation. More
specifically, our main results contain two parts: (i) the min-norm estimator in
the overparameterized linear model always leads to adversarial vulnerability in the
"benign overfitting" setting; (ii) we verify an asymptotic trade-off result
between the standard risk and the "adversarial" risk of every ridge
regression estimator, implying that under suitable conditions these two items
cannot both be small at the same time by any single choice of the ridge
regularization parameter. Furthermore, under the lazy training regime, we
demonstrate parallel results on the two-layer neural tangent kernel (NTK) model,
which align with empirical observations in deep neural networks. Our finding
provides theoretical insights into the puzzling phenomenon observed in
practice, where the true target function (e.g., human) is robust against
adversarial attack, while benignly overfitted neural networks lead to models
that are not robust.
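A numerical illustration of the two risks named in parts (i) and (ii), added here and not taken from the paper: it fits the min-norm interpolator (λ = 0) and several ridge estimators to noisy labels and reports each estimator's norm, standard risk and adversarial risk. Assumptions not on the page: a constructed spiked covariance, the sizes and noise level, squared loss against the noiseless ground truth, and an ℓ2-bounded test-time perturbation of radius `eps`, for which the worst case of a linear model has the closed form (|residual| + eps·‖θ‖)².

```python
import numpy as np

def simulate(lams=(0.0, 0.1, 1.0, 10.0, 100.0), n=50, d=2000, k=5,
             sigma=0.5, eps=0.5, n_test=2000, seed=0):
    """Return rows (lam, ||theta||, standard risk, adversarial risk)."""
    rng = np.random.default_rng(seed)
    # Constructed spiked covariance (assumption): k strong directions carry
    # the signal, d-k weak directions let the model absorb label noise.
    scales = np.concatenate([np.ones(k), np.full(d - k, 0.05)])
    theta_star = np.concatenate([np.ones(k) / np.sqrt(k), np.zeros(d - k)])
    X = rng.standard_normal((n, d)) * scales
    y = X @ theta_star + sigma * rng.standard_normal(n)   # noisy labels
    X_test = rng.standard_normal((n_test, d)) * scales
    rows = []
    for lam in lams:
        # Ridge in dual form; lam = 0 is the min-norm interpolator.
        theta = X.T @ np.linalg.solve(X @ X.T + lam * np.eye(n), y)
        # Error against the noiseless ground truth on clean test points.
        resid = np.abs(X_test @ (theta - theta_star))
        norm = float(np.linalg.norm(theta))
        std_risk = float(np.mean(resid ** 2))
        # Worst case over ||delta||_2 <= eps of (theta.(x+delta) - theta*.x)^2:
        # the adversary aligns delta with theta, adding eps * ||theta||.
        adv_risk = float(np.mean((resid + eps * norm) ** 2))
        rows.append((lam, norm, std_risk, adv_risk))
    return rows

if __name__ == "__main__":
    print(f"{'lambda':>8} {'||theta||':>10} {'standard':>10} {'adversarial':>12}")
    for lam, norm, std_risk, adv_risk in simulate():
        print(f"{lam:8.1f} {norm:10.3f} {std_risk:10.4f} {adv_risk:12.4f}")
```

The gap between the two risk columns is at least eps²·‖θ‖², so an estimator that absorbs label noise into a large-norm θ pays for it only under perturbation, which is why the norm column is worth reading next to the risks.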


