Monotone Adversarial Corruption Model
- The monotone adversarial corruption model is a formal framework that defines structured adversarial data insertions under monotonicity constraints and label preservation.
- The model differentiates coordinate-limited feature corruptions from label-honest insertions, offering clear theoretical guarantees for ERM and ensemble-based methods.
- Empirical studies demonstrate that ensemble strategies, such as random subspace methods, markedly enhance robustness against feature corruptions compared to traditional approaches.
The monotone adversarial corruption model is a conceptual framework in learning theory and robust machine learning that formalizes how an adversary may introduce additional or altered data into a learning scenario under monotonicity constraints. Unlike classical corruption models that may include arbitrary label or value changes, monotone adversarial corruptions are restricted—either to label-preserving insertions (where new data is consistent with the ground truth) or to coordinate-wise, budget-limited feature corruptions. This paradigm has yielded precise theoretical insights into the robustness and limitations of learning algorithms under structured yet adversarial interventions, highlighting subtle separations between empirical risk minimization (ERM), exchangeability-dependent methods, and ensemble strategies.
1. Formal Definitions of Monotone Adversarial Corruption
Two principal frameworks define monotone adversarial corruption, distinguished by the direction of adversarial action and the nature of monotonicity.
1.1 Coordinate-limited Feature Corruption
Let be the instance space and the label set. Training occurs on an i.i.d. sample from . At test time, an adversary may choose, for each new instance, any features and arbitrarily corrupt their values (unbounded, zero-norm noise). The set of all possible -corruptions of is . Monotonicity requires that as the corruption budget increases, the set of accessible corruptions expands: for (Mesterharm et al., 2019).
1.2 Monotone Label-honest Insertion
Given a hypothesis class 0 of VC-dimension 1 and an unknown true classifier 2, draw 3 clean points from a distribution 4. The adversary, knowing 5, 6, and 7, inserts 8 additional samples with labels consistent with 9. This data-dependent process, denoted 0, disrupts exchangeability and independence while preserving label honesty (Larsen et al., 5 Jan 2026). A weaker variant is the oblivious monotone adversary, which selects insertions independently of the clean sample.
2. Theoretical Guarantees and Failure Modes
2.1 Robustness of ERM
Any ERM-based learner applied to the full sample (clean plus monotone insertions) retains standard statistical learning guarantees. For hypothesis class VC-dimension 1, with probability 2, all ERMs 3 satisfy
4
Hence, even with an unbounded number of monotone corruptions, the error rate is dominated by the clean sample size, and VC theory applies without degradation (Larsen et al., 5 Jan 2026).
2.2 Breakdown of Optimal Exchangeability-dependent Methods
Algorithms such as One-Inclusion Graph (OIG) orientation and majority-voting over ERMs, which achieve optimal rates in i.i.d. settings, can be made to incur strictly larger errors under adaptive monotone corruption. Constructed examples with VC-dimension-1 or 5 classes show that the monotone adversary can trap these learners into error rates of at least 6 or 7, respectively, by leveraging knowledge of the clean sample and the allowed insertion points (Larsen et al., 5 Jan 2026). In contrast, if the adversary is oblivious, such algorithms can recover optimal 8 rates by restoring exchangeability.
2.3 Coordinate-limited Subspace Voting Bounds
For feature corruption, robustness is ensured by constructing subspace ensembles such that no more than 9 fraction of base hypotheses are affected. The voting margin shifts by at most 0 (where 1 is the number of corrupted base predictors). The shifted-margin test loss,
2
can be used to certify high-confidence upper bounds on error rates under worst-case 3-coordinate corruptions via Hoeffding's inequality (Mesterharm et al., 2019).
3. Methodologies: Ensemble Constructions and Parameter Choices
The defense against monotone adversarial corruption often leverages feature redundancy via subspace ensembles:
Ensemble Construction Approaches:
| Method | Subset Construction | Corrupt Hypothesis Fraction |
|---|---|---|
| Fixed-split | Disjoint partition of 4 features | 5 |
| Random Subspace (RSM) | 6 random subsets of size 7 | 8 |
| Modulus-subspace | Cyclic groups via modulo 9 patterns | 0 |
The key monotonic relationship: to ensure a strict majority of uncorrupted classifiers, set 1. Optimal values for 2 and 3 are selected via held-out validation, minimizing the shifted-margin risk under the anticipated corruption level (Mesterharm et al., 2019).
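The shifted-margin certificate of section 2.3 and the ensemble constructions in the table above, as an added worked example in Python (not code from either cited paper): it builds fixed-split and random-subspace feature subsets, counts how many base predictors a k-coordinate corruption can touch in the worst case, and turns the shifted-margin test loss into a Hoeffding bound. The loss form `correct - wrong - 2c <= 0`, the brute-force worst-case count, and the toy votes are assumptions, labelled in the comments.

```python
import math
import random
from itertools import combinations

def fixed_split_subsets(d, m):
    """Fixed-split ensemble: disjoint partition of d features into m groups."""
    return [set(range(i, d, m)) for i in range(m)]

def random_subspace_subsets(d, m, s, seed=0):
    """Random subspace method: m random feature subsets of size s (may overlap)."""
    rng = random.Random(seed)
    return [set(rng.sample(range(d), s)) for _ in range(m)]

def worst_case_corrupted(subsets, k):
    """Largest number of base predictors touched by corrupting k feature
    coordinates (exact brute force; fine for the small d used here)."""
    feats = sorted(set().union(*subsets))
    k = min(k, len(feats))
    return max((sum(1 for s in subsets if s & set(ch))
                for ch in combinations(feats, k)), default=0)

def shifted_margin_loss(votes, labels, c):
    """Fraction of test points a corruption of c base predictors can flip.
    Each corrupted vote moves the (correct - wrong) count by at most 2, so a
    point is counted lost when correct - wrong - 2c <= 0 (assumed loss form)."""
    lost = 0
    for v, y in zip(votes, labels):
        correct = sum(1 for p in v if p == y)
        if correct - (len(v) - correct) - 2 * c <= 0:
            lost += 1
    return lost / len(votes)

def hoeffding_upper_bound(emp_loss, n, delta):
    """With probability >= 1 - delta the true shifted loss is at most this."""
    return min(1.0, emp_loss + math.sqrt(math.log(1.0 / delta) / (2 * n)))

def certify(subsets, votes, labels, k, delta=0.05):
    """Certified worst-case error of a voting ensemble under k corrupted coordinates."""
    c = worst_case_corrupted(subsets, k)
    emp = shifted_margin_loss(votes, labels, c)
    return {"corrupted_predictors": c,
            "majority_uncorrupted": 2 * c < len(subsets),   # strict majority clean
            "empirical_shifted_loss": emp,
            "certified_bound": hoeffding_upper_bound(emp, len(votes), delta)}

# Constructed toy data (not from the paper): 5 base predictors over a fixed
# split of 10 features, 4 test points with +/-1 votes and their true labels.
SUBSETS = fixed_split_subsets(10, 5)
VOTES = [[1, 1, 1, 1, 1], [1, 1, 1, -1, -1], [1, 1, 1, 1, -1], [-1, -1, 1, 1, 1]]
LABELS = [1, 1, 1, -1]
```

Calling `certify(SUBSETS, VOTES, LABELS, k)` for k = 0, 1, 2, 3 shows the monotone picture: the reachable corruption set, the number of affected predictors and the shifted loss all grow with the budget, and the strict-majority condition fails once 2c reaches the ensemble size.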
4. Empirical Insights and Practical Implications
Empirical validation on datasets—e.g., EM side-channel corpora (Arduino UNO, Raspberry Pi, smart meter, with 4 or 5) and public UCI classification tasks—demonstrates:
- Random Forest (RF) accuracy collapses for 6–7 of features, approaching random guessing.
- Fixed-split voting extends the error threshold by approximately a factor of 2 in 8.
- RSM ensembles outperform fixed-split, tolerating up to 9–0 feature corruption before significant error inflation.
- For instance, on Arduino UNO (1): RF error 2 for 3; fixed-split error remained 4 for 5; RSM held near 6 error up to 7.
The robustness arises from ensuring that a majority of votes come from uncorrupted feature sets—even as the adversary targets up to 8 features. Data-dependent margin shift bounds can certify worst-case robustness without accessing adversarial examples (Mesterharm et al., 2019).
5. Mechanistic Origins and Technical Constructions
The impact of monotone corruption arises from its effect on the combinatorial structure of the data:
- For OIG, the corruption destroys leave-one-out independence by "mirroring" each observed 9 with a paired adversarial point, ensuring that any orientation will err with constant probability.
- For majority-voting strategies, the adversary leverages the coupon collector effect: after ensuring the absence of certain 0-tuples in the clean sample, the adversary floods the data with specific "special labels" that force every majority sub-learner to commit systematic errors on previously unseen regions.
In each case, monotone corruption exploits the methods' reliance on dataset exchangeability, undermining the classic mistake-to-batch linkage and optimal error rates (Larsen et al., 5 Jan 2026).
6. Connections, Open Questions, and Broader Implications
A core dichotomy emerges: uniform-convergence-based learners (e.g., ERM) are robust to monotone adversarial corruption, while optimal or ensemble-based approaches reliant on exchangeability can fail, even when all labelings are honest. Key open questions include:
- Existence or impossibility of algorithms achieving the optimal 1 rate in the adaptive monotone regime, without the 2 factor.
- Extension to multiclass or partial concept classes, where uniform convergence may fail even absent adversarial action.
- Preservation or breakdown of Littlestone dimension-based rates under monotone corruption.
- Behavior in computationally efficient, distribution-dependent settings when the adversary inspects clean data (Larsen et al., 5 Jan 2026).
This research exposes the centrality of exchangeability in classical generalization theory and highlights the risks of adaptive data augmentation, even when all inserted data is label-honest. A plausible implication is a need for caution and deeper analysis when deploying ensemble or data-curation-dependent algorithms in adversarially contaminated or adaptively curated environments.