We consider a model of robust learning in an adversarial environment. The learner gets uncorrupted training data with access to possible corruptions that may be effected by the adversary during testing. The learner's goal is to build a robust classifier, which will be tested on future adversarial examples. The adversary is limited to $k$ possible corruptions for each input. We model the learner-adversary interaction as a zero-sum game. This model is closely related to the adversarial examples model of Schmidt et al. (2018); Madry et al. (2017). Our main results consist of generalization bounds for the binary and multiclass classification, as well as the real-valued case (regression). For the binary classification setting, we both tighten the generalization bound of Feige, Mansour, and Schapire (2015), and are also able to handle infinite hypothesis classes. The sample complexity is improved from $O(\frac{1}{\epsilon^4}\log(\frac{|\mathcal{H}|}{\delta}))$ to $O\big(\frac{1}{\epsilon^2}(\sqrt{k \mathrm{VC}(\mathcal{H})}\log^{\frac{3}{2}+\alpha}(k\mathrm{VC}(\mathcal{H}))+\log(\frac{1}{\delta})\big)$ for any $\alpha > 0$. Additionally, we extend the algorithm and generalization bound from the binary to the multiclass and real-valued cases. Along the way, we obtain results on fat-shattering dimension and Rademacher complexity of $k$-fold maxima over function classes; these may be of independent interest. For binary classification, the algorithm of Feige et al. (2015) uses a regret minimization algorithm and an ERM oracle as a black box; we adapt it for the multiclass and regression settings. The algorithm provides us with near-optimal policies for the players on a given training sample.

翻译：我们考虑在敌对环境中进行强力学习的模式。 学习者在测试期间获得不受干扰的培训数据, 并接触对手可能实施的腐败。 学习者的目标是建立一个强大的分类器, 在未来的敌对实例中测试。 对手仅限于每个输入可能发生的腐败 $k美元 。 我们将学习者- 反向互动作为零和游戏来模拟。 这个模型与Schmidt et al. (2018); Madry et al. (2017) 的对抗性范例非常相关。 我们的主要结果包括二进制和多级分类的通用框; 学习者的目标是建立一个强大的分类器, 在未来的对抗实例中测试。 我们同时收紧了Fege、 Mansour 和 Schaptire(2015) 的通用框框框。 样本的复杂性从 $( forc) { 1\\\ psilcial_ reckal_ dirqal_ bal_ hal_ blickr} a. slock_ blickr} a. slock_ a (lock) a. (lock) a (lock) a (lick) a (lick) a. (lick) a. (l) a (lick) a. (l) a. (l) a. (l) a (l) a (l) a. g) a (l) a (l) a. g) a. (l) a. (l) a (l) a. (l) a. (l) a. (l) a. (l) a. (l) a. (l) a (l) a (l) a. (l) a. (l) a(l) a(l) a(l) a(l) a (l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l) a(l)