Is Ordered Weighted \ell_{1} Regularized Regression Robust to Adversarial Perturbation? A Case Study on OSCAR

Is Ordered Weighted Regularized Regression Robust to Adversarial Perturbation? A Case Study on OSCAR


Many state-of-the-art machine learning models such as deep neural networks have recently shown to be vulnerable to adversarial perturbations, especially in classification tasks. Motivated by adversarial machine learning, in this paper we investigate the robustness of sparse regression models with strongly correlated covariates to adversarially designed measurement noises. Specifically, we consider the family of ordered weighted (OWL) regularized regression methods and study the case of OSCAR (octagonal shrinkage clustering algorithm for regression) in the adversarial setting. Under a norm-bounded threat model, we formulate the process of finding a maximally disruptive noise for OWL-regularized regression as an optimization problem and illustrate the steps towards finding such a noise in the case of OSCAR. Experimental results demonstrate that the regression performance of grouping strongly correlated features can be severely degraded under our adversarial setting, even when the noise budget is significantly smaller than the ground-truth signals.

Is Ordered Weighted Regularized Regression Robust to Adversarial Perturbation? A Case Study on OSCAR

Pin-Yu Chen, Bhanukiran Vinzamuri, Sijia Liu thanks: P.-Y. Chen and B. Vinzamuri contribute equally to this work.
IBM Research
{Pin-Yu.Chen, Bhanu.Vinzamuri, Sijia.Liu}

Index Terms—  Adversarial machine learning, ordered weighted norm, OWL-regularized regression, OSCAR

1 Introduction

In recent years, adversarial machine learning has received tremendous attention as it provides new means of improving machine leaning performance and studying model robustness in the adversarial setting, such as generative adversarial networks (GANs) [1] and adversarial examples [2]. In image classification tasks, well-trained machine learning models such as deep convolutional neural networks have shown to be vulnerable to adversarial examples – human-imperceptible perturbations to natural images can be easily crafted to mislead the decision of a target image classifier [3, 4, 5], leading to new challenges on model robustness. The adversarial perturbations are often evaluated by the , and norms [6, 7, 8, 9, su2018robustness]. Beyond image classification, other machine learning tasks such as image captioning [chen2018attacking] or sequence-to-sequence text learning [11] have also shown to be vulnerable to adversarial examples. Moreover, it has been made possible to generate adversarial examples in the so-called black-box setting by simply leveraging the input-output correspondence of a target model and performing zeroth-order optimization [12, 13, 14].

Motivated by the recent studies in adversarial machine learning, in this paper we shift our focus to the robustness of regression models to adversarial perturbations. To the best of our knowledge, regression is a fundamental task in machine learning but little has been explored in the setting of adversarial perturbations. Specifically, we aim to investigate the robustness of the ordinary least-squared regression models regularized by the ordered weighted (OWL) norm [15, 16]. The OWL family of regularizers is a widely adopted method for sparse regression with strongly correlated covariates. It is worth mentioning that the octagonal shrinkage and clustering algorithm for regression [17], which is called as OSCAR, is in fact a special case of the OWL regularizer [21]. OSCAR is known to be more effective in identifying feature groups (i.e., strongly correlated covariates) than other feature selection methods such as LASSO [22].

In this paper, we investigate the robustness of OSCAR to adversarial perturbations by formulating the process of finding the maximally disruptive noise of the measurement model as an optimization problem. Although the recent work in [18] has established a finite-sample error upper bound on the OWL-regularized regression models associated with a norm-bounded noise level, it still remains unclear whether an adversary can disrupt the identified feature groups by intentionally manipulating the measurement error within the same noise budget. In other words, our adversarial formulation is novel in the sense that it provides a worst-case robustness analysis of OSCAR by finding a disruptive measurement error (but still within a specified noise budget) in order to deviate the detected feature groups from the ground truths. More importantly, upon verifying the lack of robustness to adversarial perturbations, our method could be incorporated to devise resilient OWL-regularized regression models via adversarial learning techniques.

Perhaps surprisingly, the experimental results show that using our proposed approach, it is possible to generate small norm-bounded perturbations to the measurement model, in order to deviate the regression results of OSCAR from the ground truths. Consequently, our results offer new insights on the robustness analysis of OWL-regularized regression methods in the adversarial setting.

2 Background

For any real-valued vector , let denote the vector of its element-wise absolute value and let denote the element-permuted vector of such that , where is the -th largest component of . Given a vector such that and , the OWL norm [15, 16] is defined as


The OSCAR regularizer [17] is a special case of the OWL norm in (1) when , where .

We consider the OWL-regularized linear regression problem taking the following form:


where is the vector of noisy measurements, is the design matrix, and is the regularization parameter of the OWL norm.

The seminal work in [18] establishes a finite-sample error bound on the OWL-regularized regression method under the measurement model


where is an -sparse vector (i.e., the signal) and is the measurement error (i.e., the noise). Let denote the vector with identical coefficients corresponding to identical columns in , and assume the entries in each column of are i.i.d. (standard Gaussian random variables) but different columns could be strongly correlated. Consider the -norm bounded measurement error constraint , then the solution to (2) is guaranteed to satisfy the finite-sample error upper bound [18]:


where denotes the norm, the expectation is taken over the random design matrix , and and are some positive constants that we omitted for brevity (see Theorem 1.1 in [18]). Note that in this finite-sample analysis no distributional assumptions are imposed on the measurement error other than its bounded norm. Similar error bound can be obtained when the rows of are i.i.d. Gaussian random vectors [18].

In general, the solution to (2) can be efficiently obtained by leveraging the proximal operator of OWL regularization. As illustrated in [19], one can use the fast iterative shrinkage-thresholding algorithm (FISTA) [20] to obtain , which includes iterating the following optimization steps:

  1. OWL proximal gradient descent –

  2. Momentum –

  3. Update and if not converged

The index denotes the FISTA iteration, and and denote the inverse of the step size and the momentum coefficient, respectively. The notation denotes matrix transpose.

Specifically, when the OWL regularizer reduces to OSCAR, its approximate proximity operator (APO) has a closed-form expression given by [21]


where is the vector of entry-wise sign function ( or ), denotes entry-wise product, denotes entry-wise maximum value between and , and , where is a permutation matrix associated with a given vector satisfying , which can be obtained by taking and sorting its entries in descending order. In addition, for OSCAR the vector in OWL has the relation , where .

3 Main Results

Although a finite-sample analysis for OWL-regularized regression has been established under the -norm constrained measurement error in [18], motivated by the recent advances in adversarial machine learning, we are interested in investigating its robustness to adversarially designed noises satisfying the same error budget . In other words, given an -norm bounded threat model and a design matrix , we aim to find an optimal noise that could maximally degrade the performance of OWL-regularized regression in terms of the detected feature groups. In this paper, we particularly focus on the case of OSCAR with APO as its solver.

Under the same measurement model as in (3), we formulate the problem of finding a norm-bounded noise that could maximally deviate the OWL-regularized regression from the ground-truth feature cluster membership vector by solving


Essentially, our adversarial formulation studies the robustness of OWL-regularized regression in the worst-case scenario by exploring the space of constrained measurement noise to maximize the feature group identification loss in (6). In our setting, we assume the adversary has access to the ground-truth vector so that based on (3), (8) can be written as


Next we specify how to solve the adversarial regression formulation in (6) to (8) in the case of OSCAR with APO as its solver. Let and be the final iterates of the momentum and step size terms in FISTA as described in Section 2. Given the measurement model (3) under OSCAR-APO, (9) becomes


where is defined in (5). With the method of Lagrange multipliers, we are interested in solving the following alternative optimization problem


where is a tunable regularization coefficient such that the solution to (11) will satisfy the norm constraint .

We note that the formulation in (11) falls into the category of LASSO problem [22] and can be efficiently solved by using optimization methods such as iterative shrinkage-thresholding algorithm (ISTA). Specifically, let . Then (possibly a local optimum) can be obtained by iteratively solving


where denotes the -th iterate, is the step size, denotes the gradient of 111We use the subgradient of at points where is not differentiable., and is an entry-wise function defined as


In what follows, we explicitly derive the gradient of with respect to for OSCAR-APO. For clarity, the index specifies the measurement instance, and the index specifies the covariate instance. To simplify the notation, let such that based on (5), where . Rewriting and using chain rule, we can obtain


where is an indicator function such that if event is true; otherwise .

Input: , , , , , , ,
Initialization: , , and
while not converged do
     2. Find the permutation s.t.
          for all
end while
if   then
     Reinitialization with a larger and redo the while loop
end if
Algorithm 1 Adversarial perturbation for OSCAR-APO
Fig. 1: Assessing effect of our proposed adversarial attack on OSCAR (rightmost column) by varying the attack strength with (top row), (second row), (third row) and (fourth row). In each column, the ground truth refers to , OSCAR refers to the regression results without noise, and OSCAR + Attack refers to the regression results against our designed adversarial noises. The feature groups can be adversarially misaligned even for small .

The detailed derivations are as follows. To obtain , we divide the analysis into three cases based on the value of :

  • Case I – If , then and hence .

  • Case II – If , then since . Therefore, We note that technically, is also a function of and hence a function of . As a result, one needs further chain rule factorization . Here we implicitly use the fact that since no matter how we permute the entries of , it is still a constant vector.

  • Case III – If , then . Similar to the analysis of Case II, we obtain .

Summarizing these cases, we have a simplified expression if and otherwise. Next, to obtain , based on the definition of we have . Therefore, . Finally, combining the analysis of and , we obtain the results in (3).

The pipeline of crafting a norm-bounded adversarial perturbation for OSCAR-APO is describe in Algorithm 1. We also note that beyond OSCAR-APO, it is possible to craft an adversarial noise for generic OWL-regularized regression methods by treating (8) as a black-box function, which will be considered in our future work.

4 Performance Evaluation

In this experiment, we generated a synthetic dataset of features and instances with a pre-defined grouping structure among the features. The features (entries in ) were generated using a standard Gaussian distribution and we modeled the response variable using (3). Given a norm-bounded noise strength , we call the adversarial perturbation found using our proposed approach (Algorithm 1) an “attack” on the considered regression method. For the attack parameters, we set and . In Figure 1, the x-axis represents the feature index and the y-axis represents the coefficient values. The left column represents the ground-truth with two defined feature groups. The middle column shows the feature grouping obtained after running OSCAR algorithm in the noiseless setting. The right column shows how the grouping is adversely affected after our attack. We varied the noise budget from 0.05 to 0.3 to assess the effect of the attack. One can observe that although some grouped features are retained up to a certain degree, the true effect of the attack can be seen on the features which are misaligned from their original feature groups, even for relatively small .

5 Conclusion and Future Work

To study the robustness of OWL-regularized regression methods in the adversarial setting, this paper proposes a novel formulation for finding norm-bounded adversarial perturbations in the measurement model and illustrates the pipeline of adversarial noise generation in the case of OSCAR with APO as its solver. In the adversarial setting, the experimental results show that our proposed approach can effectively craft adversarial noises that severely degrade the regression performance in identifying ground-truth grouped features, even in the regime of small noise budgets. Our results indicate the potential risk of lacking robustness to adversarial noises in the tested regression method. One possible extension of our approach is to devise adversary-resilient regression methods. Our future work also includes developing a generic framework for generating adversarial noises for the entire family of OWL-regularized regression methods.


  • [1] I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio, “Generative adversarial nets,” in Advances in neural information processing systems, 2014, pp. 2672–2680.
  • [2] I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” ICLR, arXiv preprint arXiv:1412.6572, 2015.
  • [3] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus, “Intriguing properties of neural networks,” ICLR, arXiv preprint arXiv:1312.6199, 2014.
  • [4] B. Biggio, I. Corona, D. Maiorca, B. Nelson, N. Šrndić, P. Laskov, G. Giacinto, and F. Roli, “Evasion attacks against machine learning at test time,” in Joint European conference on machine learning and knowledge discovery in databases, 2013, pp. 387–402.
  • [5] B. Biggio and F. Roli, “Wild patterns: Ten years after the rise of adversarial machine learning,” arXiv preprint arXiv:1712.03141, 2017.
  • [6] A. Kurakin, I. Goodfellow, and S. Bengio, “Adversarial machine learning at scale,” ICLR, arXiv preprint arXiv:1611.01236, 2017.
  • [7] N. Carlini and D. Wagner, “Towards evaluating the robustness of neural networks,” in IEEE Symposium on Security and Privacy (SP), 2017, pp. 39–57.
  • [8] P.-Y. Chen, Y. Sharma, H. Zhang, J. Yi, and C.-J. Hsieh, “EAD: elastic-net attacks to deep neural networks via adversarial examples,” AAAI, arXiv preprint arXiv:1709.04114, 2018.
  • [9] T.-W. Weng, H. Zhang, P.-Y. Chen, J. Yi, D. Su, Y. Gao, C.-J. Hsieh, and L. Daniel, “Evaluating the robustness of neural networks: An extreme value theory approach,” ICLR, arXiv preprint arXiv:1801.10578, 2018.
  • [10] H. Chen, H. Zhang, P.-Y. Chen, J. Yi, and C.-J. Hsieh, “Show-and-fool: Crafting adversarial examples for neural image captioning,” arXiv preprint arXiv:1712.02051, 2017.
  • [11] M. Cheng, J. Yi, H. Zhang, P.-Y. Chen, and C.-J. Hsieh, “Seq2sick: Evaluating the robustness of sequence-to-sequence models with adversarial examples,” arXiv preprint arXiv:1803.01128, 2018.
  • [12] P.-Y. Chen, H. Zhang, Y. Sharma, J. Yi, and C.-J. Hsieh, “ZOO: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models,” in ACM Workshop on Artificial Intelligence and Security, 2017, pp. 15–26.
  • [13] C.-C. Tu, P. Ting, P.-Y. Chen, S. Liu, H. Zhang, J. Yi, C.-J. Hsieh, and S.-M. Cheng, “Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks,” arXiv preprint arXiv:1805.11770, 2018.
  • [14] S. Liu, B. Kailkhura, P.-Y. Chen, P. Ting, S. Chang, and L. Amini, “Zeroth-order stochastic variance reduction for nonconvex optimization,” arXiv preprint arXiv:1805.10367, 2018.
  • [15] M. Bogdan, E. van den Berg, W. Su, and E. J. Candès, Statistical estimation and testing via the ordered norm.   STANFORD University, 2013.
  • [16] X. Zeng and M. A. Figueiredo, “Decreasing weighted sorted regularization,” IEEE Signal Processing Letters, vol. 21, no. 10, pp. 1240–1244, 2014.
  • [17] H. D. Bondell and B. J. Reich, “Simultaneous regression shrinkage, variable selection, and supervised clustering of predictors with oscar,” Biometrics, vol. 64, no. 1, pp. 115–123, 2008.
  • [18] M. Figueiredo and R. Nowak, “Ordered weighted regularized regression with strongly correlated covariates: Theoretical aspects,” in Artificial Intelligence and Statistics, 2016, pp. 930–938.
  • [19] X. Zeng and M. A. Figueiredo, “The ordered weighted norm: Atomic formulation, projections, and algorithms,” arXiv preprint arXiv:1409.4271, 2014.
  • [20] A. Beck and M. Teboulle, “A fast iterative shrinkage-thresholding algorithm for linear inverse problems,” SIAM journal on imaging sciences, vol. 2, no. 1, pp. 183–202, 2009.
  • [21] X. Zeng and M. A. Figueiredo, “Solving oscar regularization problems by fast approximate proximal splitting algorithms,” Digital Signal Processing, vol. 31, pp. 124–135, 2014.
  • [22] R. Tibshirani, “Regression shrinkage and selection via the lasso,” Journal of the Royal Statistical Society. Series B (Methodological), pp. 267–288, 1996.
Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
Add comment
Loading ...
This is a comment super asjknd jkasnjk adsnkj
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test description