PAC-Learning for Strategic Classification

Ravi Sundaram, Anil Vullikanti, Haifeng Xu, Fan Yao

2020-12-06

Abstract. The study of strategic or adversarial manipulation of testing data to fool a classifier has attracted much recent attention. Most previous works have focused on two extreme situations where any testing data point either is completely adversarial or always equally prefers the positive label. In this paper, we generalize both of these through a unified framework for strategic classification, and introduce the notion of strategic VC-dimension (SVC) to capture the PAC-learnability in our general strategic setup. SVC provably generalizes the recent concept of adversarial VC-dimension (AVC) introduced by Cullina et al. (arXiv:1806.01471). We instantiate our framework for the fundamental strategic linear classification problem. We fully characterize: (1) the statistical learnability of linear classifiers by pinning down its SVC; (2) its computational tractability by pinning down the complexity of the empirical risk minimization problem. Interestingly, the SVC of linear classifiers is always upper bounded by its standard VC-dimension. This characterization also strictly generalizes the AVC bound for linear classifiers in arXiv:1806.01471.

In today's increasingly connected world, it is rare that an algorithm will act alone. When a machine learning algorithm is used to make predictions or decisions about others who have their own preferences over the learning outcomes, it is well known (e.g., Goodhart's law) that gaming behaviors may arise; these have been observed in a variety of domains such as finance (Tearsheet), online retailing (Hannak et al., 2014), education (Hardt et al., 2016), as well as during the ongoing COVID-19 pandemic (Bryan & Crossroads; Williams & Haire). In the early months of the pandemic, simple decision rules were designed by the CDC for COVID-19 testing (COVID). However, people had different preferences for getting tested. Those with work-from-home jobs and leave benefits preferred to get tested in order to know their true health status, whereas some people with lower incomes and without leave benefits preferred not to get tested, for fear of losing their income (Williams & Haire). Policy makers sometimes prefer to make classification rules confidential (Citron & Pasquale, 2014) to mitigate such gaming. However, this is not fool-proof in general since the methods may be reverse engineered in some cases, and transparency of ML methods is sometimes mandated by law, e.g., (Goodman & Flaxman, 2016). Such concerns have led to a lot of interest in designing learning algorithms that are robust to strategic gaming behaviors of the data sources (Perote & Perote-Peña, 2004; Dekel et al., 2010; Hardt et al., 2016; Chen et al., 2018; Dong et al., 2018; Cullina et al., 2018; Awasthi et al., 2019); the present work subscribes to this literature. This paper focuses on the ubiquitous binary classification problem, and we look to design classification algorithms that are robust to gaming behaviors during the test phase. We study a strict generalization of the canonical classification setup that naturally incorporates data points' preferences over classification outcomes (which leads to strategic behaviors as we will describe later).
In particular, each data point is denoted as a tuple (x, y, r), where x ∈ X and y ∈ {−1, +1} are the feature and label, respectively (as in classic classification problems), and additionally r ∈ ℝ is a real number that describes how much this data point prefers label +1 over −1. Importantly, we allow r to be negative, meaning that the data point may prefer label −1. For instance, in the decision rules for COVID-19 testing, individuals who prefer to get tested have r > 0, while those who prefer not to be tested have r < 0. The magnitude |r| captures how strong their preferences are. For example, in the school choice matching market, students have heterogeneous preferences over universities (Pathak, 2017; Roth, 2008) and may manipulate their application materials during the admission process. Let R ⊆ ℝ denote the set of all possible values that the preference value r may take. Obviously, the trivial singleton set R = {0} corresponds to the classic classification setup without any preferences. Another special case, R = {1}, corresponds to the situation where all data points prefer label +1 equally. This is the strategic classification setting studied in several previous works (Hardt et al., 2016; Hu et al., 2019b; Miller et al., 2019). A third special case is R = {−1, 1}. This corresponds to classification under evasion attacks (Biggio et al., 2013; Goodfellow et al., 2015; Li & Vorobeychik, 2014; Cullina et al., 2018; Awasthi et al., 2019), where any test data point (x, y) prefers the opposite of its true label y, i.e., the "adversarial" assumption. Our model considers any general preference set R. As we will show, this much richer set of preferences may sometimes make learning more difficult, both statistically and computationally, but not always.

Like (Hardt et al., 2016; Dong et al., 2018; Goodfellow et al., 2015; Cullina et al., 2018), our model assumes that manipulation is only possible for the data features and happens only during the test phase. Specifically, the true feature of the test data may be altered by the strategic data point. The cost of masking a true feature x to appear as a different feature z is captured by a cost function c(z; x). Therefore, the test data point's decision needs to balance the cost of altering its feature against the reward of inducing its preferred label, captured by r. As is standard in game-theoretic analysis, the test data point is assumed to be a rational decision maker and will alter its feature to the z that maximizes its quasi-linear utility r · I(h(z) = 1) − c(z; x). This naturally gives rise to a Stackelberg game (Von Stackelberg, 2010). We aim to learn, from i.i.d. drawn (unaltered) training data, the optimal classifier h* that minimizes the 0-1 classification loss, assuming any randomly drawn test data point (from the same distribution as the training data) will respond to h* strategically. Notably, the data point's strategic behaviors will not change its true label. Such behavior is referred to as strategic gaming, which crucially differs from strategic improvement studied recently (Kleinberg & Raghavan, 2019; Miller et al., 2019).

The Strategic VC-Dimension. We introduce the novel notion of strategic VC-dimension SVC(H, R, c), which captures the learnability of any hypothesis class H when test data points' strategic behaviors are induced by cost function c and preference values from any set R ⊆ ℝ.
• We prove that any strategic classification problem is agnostic PAC learnable by the empirical risk minimization paradigm with O(ε^{-2}(d + log(1/δ))) samples, where d = SVC(H, R, c). Conceptually, this result illustrates that SVC correctly characterizes the learnability of the hypothesis class H in our strategic setup. • Our SVC notion generalizes the adversarial VC-dimension (AVC) introduced in (Cullina et al., 2018) for adversarial learning with evasion attacks. Formally, we prove that AVC equals precisely SVC(H, R, c) for R = {−1, 1} when data points are allowed to move within the region {z : c(z; x) ≤ 1} in the corresponding adversarial learning setup. However, for a general preference set R, SVC can be arbitrarily larger than both AVC and the standard VC dimension. Thus, complex strategic behaviors may indeed make the learning statistically more difficult. Interestingly, to our knowledge, this is the first time that adversarial learning and strategic learning are unified under the same PAC-learning framework. • We prove SVC(H, R, c) ≤ 2 for any H and R when c is any separable cost function (introduced by (Hardt et al., 2016)). Invoking our sample complexity results above, this also recovers a main learnability result of (Hardt et al., 2016) and, moreover, generalizes their result to arbitrary agent preferences.

Strategic Linear Classification. As a case study, we instantiate our strategic classification framework in perhaps one of the most fundamental classification problems, linear classification. Here, features lie in the linear space ℝ^d. We assume the cost function c(z; x) for any x is induced by arbitrary seminorms of the difference z − x. We distinguish between two crucial situations: (1) instance-invariant cost functions, meaning the cost of altering the feature x to x + ∆ is the same for any x; (2) instance-wise cost functions, which allow the cost from x to x + ∆ to be different for different x. Our results show that the more general instance-wise costs impose significantly more difficulties in terms of both statistical learnability and computational tractability. • Statistical Learnability. We prove that the SVC of linear classifiers is ∞ for instance-wise cost functions even when features are in ℝ²; in contrast, the SVC is at most d + 1 for any instance-invariant cost function and any R when features are in ℝ^d. This latter result also strictly generalizes the AVC bound for linear classifiers proved in (Cullina et al., 2018), and illustrates an interesting conceptual message: though SVC can be significantly larger than AVC in general, extending from R = {−1, 1} (the adversarial setting) to an arbitrary strategic preference set R does not affect the statistical learnability of strategic linear classification. • Computational Tractability. We show that the empirical risk minimization problem for linear classifiers can be solved in polynomial time only when the strategic classification problem exhibits a certain adversarial nature. Specifically, an instance is said to have adversarial preferences if all negative test points prefer label +1 (but possibly to different extents) and all positive test points prefer label −1. A strictly more relaxed situation has essentially adversarial preferences, i.e., any negative test point prefers label +1 more than any positive test point. We show that for instance-invariant cost functions, any essentially adversarial instance can be solved in polynomial time, whereas for instance-wise cost functions, only adversarial instances can be solved in polynomial time.
These positive results are essentially the best one can hope for. Indeed, we prove that the following situations, which go slightly beyond the tractable cases above, are both NP-hard: (1) instance-invariant cost functions but general preferences; (2) instance-wise cost functions but essentially adversarial preferences.

Most relevant to ours is perhaps the strategic classification model studied by (Hardt et al., 2016) and (Zhang & Conitzer, 2021), where Hardt et al. (2016) formally formulated the strategic classification problem as a repeated Stackelberg game and Zhang & Conitzer (2021) studied the PAC-learning problem and tightly characterized the sample complexity via "incentive-aware ERM". However, their models and results all assume homogeneous agent preferences, i.e., all agents equally prefer label +1. Our model strictly generalizes the models of (Hardt et al., 2016; Zhang & Conitzer, 2021) by allowing agents' heterogeneous preferences over classification outcomes. Besides the modeling differences, the research questions we study are also quite different from, and not comparable to, those of (Hardt et al., 2016). Their positive results are derived under the assumption of separable cost functions or its variants. While our characterization of SVC being at most 2 under separable cost functions implies a PAC-learnability result of (Hardt et al., 2016), this characterization serves more as our case study, and our main contribution here is the study of the novel concept of SVC, which does not appear in previous works. Moreover, we study the efficient learnability of linear classifiers with cost functions induced by semi-norms. This broad and natural class of cost functions is not separable, and thus the results of Hardt et al. (2016) do not apply to this case. Our model also generalizes the setup of adversarial classification with evasion attacks, which has been studied in numerous applications, particularly deep learning models (Biggio et al., 2013; 2012; Li & Vorobeychik, 2014; Carlini & Wagner, 2017; Goodfellow et al., 2015; Jagielski et al., 2018; Moosavi-Dezfooli et al., 2017; Mozaffari-Kermani et al., 2015; Rubinstein et al., 2009); however, most of these works do not yield theoretical guarantees. Our work extends and strictly generalizes the recent work of (Cullina et al., 2018) through our more general concept of SVC and results on computational efficiency. In a different work, (Awasthi et al., 2019) studied computationally efficient learning of linear classifiers in adversarial classification with l_∞-norm induced δ-balls for allowable adversarial moves. Our computational tractability results generalize their results to δ-balls induced by arbitrary semi-norms. Strategic classification has been studied in other settings and domains, and for different purposes, including spam filtering (Brückner & Scheffer, 2011), classification under incentive-compatibility constraints (Zhang & Conitzer, 2021), online learning (Dong et al., 2018; Chen et al., 2020), and understanding the social implications (Akyol et al., 2016; Milli et al., 2019; Hu et al., 2019b). A relevant but quite different line of recent works studies strategic improvements (Kleinberg & Raghavan, 2019; Miller et al., 2019; Ustun et al., 2019; Bechavod et al., 2020; Shavit et al., 2020).
Finally, going beyond classification, strategic behaviors in machine learning have received significant recent attention, including in regression problems (Perote & Perote-Peña, 2004; Dekel et al., 2010; Chen et al., 2018), distinguishing distributions (Zhang et al., 2019a), and learning for pricing (Amin et al., 2013; Mohri & Munoz, 2015; Vanunts & Drutsa, 2019). Due to space limits, we refer the curious reader to Appendix A for detailed discussions.

Basic Setup. We consider binary classification, where each data point is characterized by a tuple (x, y, r). Like classic classification setups, x ∈ X is the feature vector and y ∈ {+1, −1} is its label. The only difference of our setup from classic classification problems is the additional r ∈ R ⊆ ℝ, which is the data point's (positive or negative) preference/reward for being labeled as +1. The data point's reward for label −1 is, without loss of generality, normalized to be 0. A classifier is a mapping h : X → {+1, −1}. Our model is essentially the same as that of (Hardt et al., 2016; Miller et al., 2019), except that the r in our model can be any real value from set R, whereas the aforementioned works assume r = 1 for all data points. Notably, we also allow r to be negative, which means some data points prefer to be classified with label −1. This generalization is natural and very useful because it allows much richer agent preferences. For instance, it casts the adversarial/robust classification problem as a special case of our model as well (see discussions later). Intuitively, the set R captures the richness of agents' preferences. As we will prove, how rich it is will affect both the statistical learnability and computational tractability of the learning problem.

The Strategic Manipulation of Test Data. We consider strategic behaviors during the test phase and assume that the training data is unaltered/uncontaminated. An illustration of the setup can be found in Figure 1. A generic test data point is denoted as (x, y, r). The test data point is strategic and may shift its feature to a vector z with cost c(z; x), where c : X × X → ℝ≥0. In general, c can be an arbitrary non-negative cost function. In our study of strategic linear classification, we assume the cost functions are induced by seminorms. We will consider the following two types of cost functions, in increasing order of generality. A cost function c is instance-invariant if there is a common function l such that c(z; x) = l(z − x) for any point (x, y, r); it is instance-wise if for each data point (x, y, r) there is a function l_x such that c(z; x) = l_x(z − x). Notably, l_x may be different for different data points (x, y, r). Both cases have been considered in previous works. For instance, the separable cost function studied in (Hardt et al., 2016) is instance-wise, and the cost function induced by a seminorm as assumed by the main theorem of (Cullina et al., 2018) is instance-invariant. We shall prove later that the choice between these two types of cost functions largely affects the efficient learnability of the problem. Given a classifier h, the strategic test data point (x, y, r) may shift its feature vector to z and would like to pick the best such z by solving the following optimization problem: Data Point Best Response: ∆_c(x, r; h) ∈ argmax_{z ∈ X} [I(h(z) = 1) · r − c(z; x)], (1) where I(·) is the indicator function and I(h(z) = 1) · r − c(z; x) is the quasi-linear utility function of data point (x, y, r). We call ∆_c(x, r; h) the manipulated feature.
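To make the best response concrete, the following is a minimal Python sketch (not from the paper) for the special case of a linear classifier h(z) = sign(w · z + b) with the instance-invariant cost c(z; x) = ||z − x||_2; it uses the fact, formalized in Lemma 1 of the appendix, that the cheapest point on the decision boundary costs |w · x + b|/||w||_2. The function name and the small overshoot constant are illustrative assumptions, not the paper's notation.

```python
import numpy as np

def best_response(x, r, w, b, overshoot=1e-9):
    """Best response of a data point (x, r) to the linear classifier
    h(z) = sign(w . z + b) under the cost c(z; x) = ||z - x||_2.
    The minimum cost to reach the boundary is |w . x + b| / ||w||_2
    (the l2 norm is self-dual; cf. Lemma 1 in the appendix)."""
    margin = np.dot(w, x) + b
    current = 1 if margin >= 0 else -1       # boundary ties resolve to +1
    preferred = 1 if r > 0 else -1
    if r == 0 or current == preferred:
        return x                              # no incentive to move
    dist = abs(margin) / np.linalg.norm(w)    # cost of cheapest boundary point
    if dist > abs(r):
        return x                              # manipulation too expensive
    # Cross the boundary at (approximately) minimum cost; the tiny
    # overshoot enforces a strict crossing when the preferred label is -1,
    # since points exactly on the boundary are classified +1.
    direction = (-1 if margin >= 0 else 1) * w / np.linalg.norm(w)
    return x + (dist + overshoot) * direction
```

When several responses yield the same utility, this sketch breaks ties in favor of moving, which is one of the admissible choices under the worst-case convention discussed next.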
When there are multiple best responses, we assume the data point may choose any of them, and we thus adopt the standard worst-case analysis. Note that the test data's strategic behaviors do not change its true label. Such strategic gaming behaviors differ from strategic improvements (see (Miller et al., 2019) for more discussion of their differences). A strategic classification (STRAC) problem is described by a hypothesis class H, the set of preferences R, and a manipulation cost function c. We thus denote it as STRAC⟨H, R, c⟩. Adopting the standard statistical learning framework, the input to our learning task is n uncontaminated training data points (x_1, y_1, r_1), ..., (x_n, y_n, r_n) drawn independently and identically (i.i.d.) from a distribution D. Given these training data, we look to learn a classifier h ∈ H which minimizes the basic 0-1 loss, defined as follows: Strategic 0-1 Loss of classifier h: L_c(h; D) = Pr_{(x,y,r)∼D}[h(∆_c(x, r; h)) ≠ y]. (2) Notably, the classifier h in the above loss definition takes the manipulated feature ∆_c(x, r; h) as input and, nevertheless, looks to correctly predict the true label y. For notational convenience, we sometimes omit c when it is clear from the context and simply write ∆(x, r; h) and L(h; D).

Our strategic classification model generalizes several models studied in the previous literature, which we now sketch. Non-strategic classification. When R = {0} and c(z; x) > 0 for any x ≠ z, our model degenerates to the standard non-strategic setting. Strategic classification with homogeneous preferences. When R = {1}, our model degenerates to the strategic classification model studied in prior work (Hardt et al., 2016; Hu et al., 2019b; Milli et al., 2019): here all data points have the same incentive of being classified as +1. Adversarial Classification. When R = {1, −1} (or {δ, −δ}, δ ≠ 0), our model becomes the adversarial classification problem (Cullina et al., 2018; Awasthi et al., 2019), where each data point can adversarially move, to induce the opposite of its true label, within the ball of radius 1 induced by cost function c. Our Proposition 1 provides formal evidence for this connection. Generalized Adversarial Classification. An interesting generalization of the above adversarial classification setting is that r < 0 for all data points with true label +1 and r > 0 for all data points with true label −1. This captures the situation where each point has a different "power" (decided by |r|) to play against the classifier. To our knowledge, this generalized setting has not been considered before. Our results yield new statistical learnability and computational tractability guarantees for this setting.

In this section, we introduce the notion of strategic VC-dimension (SVC) and show that it properly captures the behaviors of a hypothesis class in the strategic setup introduced above. We then show the connection of SVC with previous studies on both strategic and adversarial learning. Before formally introducing SVC, we first define the shattering coefficients in strategic setups. Definition 1 (Strategic Shattering Coefficients). The n'th shattering coefficient of any strategic classification problem STRAC⟨H, R, c⟩ is defined as σ_n(H, R, c) = max_{(x_i, r_i) ∈ X × R, i ∈ [n]} |{(h(∆_c(x_1, r_1; h)), ..., h(∆_c(x_n, r_n; h))) : h ∈ H}|. That is, σ_n(H, R, c) captures the maximum number of classification behaviors/outcomes (among all choices of data points) that classifiers in H can possibly induce by using manipulated features as input. As in the classic definition of shattering coefficients, σ_n(H, R, c) here does not involve the labels of the data points at all.
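When the hypothesis pool and the candidate point tuples are finite, Definition 1 can be checked by brute force. The sketch below (not from the paper; all names are illustrative) enumerates the label patterns induced on a fixed tuple of (x_i, r_i) pairs, given classifiers as callables and a best-response oracle such as the one sketched earlier.

```python
def strategic_patterns(points, classifiers, best_response):
    """Label patterns of Definition 1 for a fixed tuple of (x, r) pairs:
    each classifier h labels every point's best response to h itself."""
    patterns = set()
    for h in classifiers:
        patterns.add(tuple(h(best_response(x, r, h)) for (x, r) in points))
    return patterns

def is_shattered(points, classifiers, best_response):
    """The tuple is shattered iff all 2^n sign patterns are induced."""
    return len(strategic_patterns(points, classifiers, best_response)) == 2 ** len(points)
```

Since σ_n maximizes over all point tuples (and SVC takes a supremum over n), such a check only certifies shattering for one particular tuple; it is a way to probe the definition, not to compute SVC.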
In contrast, in the shattering coefficient definition for the adversarial VC-dimension of (Cullina et al., 2018), the "max" is allowed to be over data labels as well. This is an important difference from us. Given the definition of the strategic shattering coefficients, the definition of strategic VC-dimension is standard. Definition 2 (Strategic VC-Dimension). The strategic VC-dimension of a strategic classification problem is SVC(H, R, c) = sup{n ∈ ℕ : σ_n(H, R, c) = 2^n}.

We show that the SVC defined above correctly characterizes the learnability of any strategic classification problem STRAC⟨H, R, c⟩. We consider the standard empirical risk minimization (ERM) paradigm for strategic classification, but take into account the training data's manipulation behaviors. Specifically, given any cost function c and any n uncontaminated training data points (x_1, y_1, r_1), ..., (x_n, y_n, r_n) drawn independently and identically (i.i.d.) from the same distribution D, the strategic empirical risk minimization (SERM) problem computes a classifier h ∈ H that minimizes the empirical strategic 0-1 loss in Eq. (2). Formally, the SERM for STRAC⟨H, R, c⟩ is defined as h_SERM ∈ argmin_{h ∈ H} L̂_c(h), where L̂_c(h) = (1/n) Σ_{i=1}^n I(h(∆_c(x_i, r_i; h)) ≠ y_i) is the empirical loss (compared to the expected loss L_c(h; D) defined in Equation (2)). Unlike the standard (non-strategic) ERM problem, and similar in spirit to the "incentive-aware ERM" of (Zhang & Conitzer, 2021), classifiers in the SERM problem take each data point's strategic response ∆_c(x_i, r_i; h) as input, not the original feature vector x_i. Given the definition of strategic VC-dimension and the SERM framework, we state the sample complexity result for PAC-learning in our strategic setup. Definition 3 (PAC-Learnability). In a strategic classification problem STRAC⟨H, R, c⟩, the hypothesis class H is agnostically Probably Approximately Correctly (PAC) learnable by an algorithm A if there is a function m_{H,R,c} : (0, 1)² → ℕ such that for all (δ, ε) ∈ (0, 1)², any n ≥ m_{H,R,c}(δ, ε), and any distribution D for (x, y, r), with probability at least 1 − δ over n i.i.d. samples S ∼ D^n, we have L_c(A(S); D) ≤ min_{h ∈ H} L_c(h; D) + ε. Theorem 1. Any strategic classification problem STRAC⟨H, R, c⟩ with d = SVC(H, R, c) < ∞ is agnostically PAC learnable by SERM with sample complexity m_{H,R,c}(δ, ε) = O(ε^{-2}(d + log(1/δ))).

The key idea of the proof is to convert our new strategic learning setup into a standard PAC learning setup, so that the Rademacher complexity argument can be applied. This is done by viewing the preference r ∈ R as an additional dimension in the augmented feature vector space. Formally, we consider the new binary hypothesis class H̃ = {h̃ : h ∈ H} over the augmented feature space X × R, where h̃(x, r) = h(∆_c(x, r; h)). It turns out that the SVC defined above captures the VC-dimension of this new hypothesis class H̃. A formal proof can be found in Appendix B.1. Due to space limits, we defer all formal proofs to the appendix. Proof sketches are provided for some of the results.

Next, we illustrate how SVC connects to previous literature, particularly the two most relevant works, by Cullina et al. (2018) and Hardt et al. (2016). We show that SVC generalizes the adversarial VC-dimension (AVC) introduced by (Cullina et al., 2018). We give an intuitive description of AVC here, and refer the curious reader to the appendix for its formal definition. At a high level, AVC captures the behaviors of binary classifiers under adversarial manipulations. Such adversarial manipulations are described by a binary nearness relation B ⊆ X × X, where (z; x) ∈ B if and only if a data point with feature x can manipulate its feature to z. Note that there is no direct notion of agents' utilities or costs in adversarial classification, since each data point simply tries to ruin the classifier by moving within the allowed manipulation region (usually a δ-ball around the data point). Nevertheless, our next result shows that AVC with binary nearness relation B always equals SVC as long as the set of strategic manipulations induced by the data points' incentives is the same as B.
To formalize our statement, we need the following consistency definition. Definition 4 (r-Consistency). A cost function c and a binary nearness relation B are said to be r-consistent if B = {(z; x) : c(z; x) ≤ r}. By definition, any cost function c is r-consistent with the natural binary nearness relation it induces, B_c = {(z; x) : c(z; x) ≤ r}. Conversely, any binary relation B is r-consistent (for any r > 0) with a natural cost function that is simply an indicator function of B, defined as follows: c_B(z; x) = 0 if (z; x) ∈ B, and c_B(z; x) = +∞ otherwise. Note that B and c may be r-consistent for infinitely many different r, as shown in the above example with B and c_B. Proposition 1. Suppose a cost function c is r-consistent with a binary nearness relation B and R = {+r, −r}. Then SVC(H, R, c) = AVC(H, B). As a corollary of Proposition 1, we know that SVC is in general at least as large as AVC when the strategic behaviors it induces include B. This is formalized in the following statement. Corollary 1.1. Suppose a cost function c is r-consistent with binary nearness relation B and ±r ∈ R. Then we have SVC(H, R, c) ≥ AVC(H, B). Corollary 1.1 illustrates that for any cost function c, the SVC with a rich preference set R is generally no less than the corresponding AVC under the natural binary nearness relation that c induces. One might wonder how large their gap can be. Our next result shows that for a general R the gap between SVC and AVC can be arbitrarily large, even in natural setups. The intrinsic reason is that a general preference set R will lead to different extents of preferences (i.e., some data points strongly prefer label +1 whereas others only slightly prefer it). Such variety of preferences gives rise to more strategic classification outcomes and renders the SVC larger than AVC, sometimes significantly so, as shown in the following proposition. Proposition 2. For any integer n > 0, there exist a hypothesis class H of point classifiers, an instance-invariant cost function c, and a preference set R such that VC(H) = 1 and AVC(H, B_c(r)) = 1, yet SVC(H, R, c) ≥ n, where B_c(r) = {(z; x) : c(z; x) ≤ r} is the natural nearness relation induced by c and r > 0.

Restricting the set R of preference values is not the only way to reduce the SVC. This subsection shows that restricting to special classes of cost functions can also lead to a small SVC. One special class of cost functions studied in many previous works is the separable cost functions (Hardt et al., 2016; Milli et al., 2019; Hu et al., 2019a). Formally, a cost function c is separable if it can be written as c(z; x) = max{0, c_2(z) − c_1(x)} for some functions c_1, c_2 : X → ℝ. The following Proposition 3 shows that when the cost function is separable, SVC is at most 2 for any hypothesis class H and any preference set R.² Therefore, a separable cost function essentially reduces any classification problem to a problem in lower dimension. Together with Theorem 1, Proposition 3 also recovers the PAC-learnability result of (Hardt et al., 2016) in their strategic-robust learning model (specifically, Theorem 1.8 of (Hardt et al., 2016)) and, moreover, generalizes their learnability from homogeneous agent preferences to the case with arbitrary agent preference values. Proposition 3. For any hypothesis class H, any preference set R satisfying 0 ∉ R, and any separable cost function c, we have SVC(H, R, c) ≤ 2. The assumption 0 ∉ R means each agent must strictly prefer either label +1 or −1. This assumption is necessary since if 0 ∈ R, SVC will be at least the classic VC dimension of H and thus Proposition 3 cannot hold. We remark that the above SVC upper bound of 2 holds for any hypothesis class H. This bound is tight for some hypothesis classes, e.g., linear classifiers.

This section instantiates our previous general framework in one of the most fundamental special cases, i.e., linear classification. We will study both the statistical and computational efficiency of strategic linear classification. Naturally, we will restrict X ⊆ ℝ^d in this section. Moreover, the cost functions are always assumed to be induced by seminorms.³
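For a concrete feel for seminorm-induced costs and the dual-norm machinery used throughout this section, here is a small Python sketch (not from the paper). The particular seminorm, which ignores one coordinate of ℝ³, is an illustrative assumption; the cost formula is Lemma 1 from the appendix.

```python
import numpy as np

# An illustrative seminorm on R^3 that ignores the last coordinate:
# l(z) = |z_1| + |z_2|. Its unit ball contains the entire z_3-axis, so
# the largest linear subspace V_l inside the ball has dimension 1, and
# the SVC characterization below gives d + 1 - dim(V_l) = 3.
def l(z):
    return abs(z[0]) + abs(z[1])

def l_dual(w):
    """Dual seminorm l*(w) = sup {w . z : l(z) <= 1}: here it equals
    max(|w_1|, |w_2|) if w_3 = 0, and +inf otherwise, because one can
    slide along the z_3-axis for free, growing w . z without bound."""
    return max(abs(w[0]), abs(w[1])) if w[2] == 0 else np.inf

def min_manipulation_cost(x, w, b):
    """Lemma 1 (appendix): the cheapest way for a point x to reach the
    decision boundary w . z + b = 0 costs |w . x + b| / l*(w), which is
    0 whenever l*(w) = +inf (such classifiers are 'trivial' under gaming)."""
    return abs(np.dot(w, x) + b) / l_dual(w)
```

The degenerate direction is exactly why classifiers whose w is not orthogonal to V_l are ruled out as trivial in the proof of the SVC characterization below.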
A linear classifier is defined by a hyperplane w · x + b = 0; a feature vector x is classified as +1 if and only if w · x + b ≥ 0. With a slight abuse of notation, we sometimes also call (w, b) a hyperplane or a linear classifier. Let H_d denote the hypothesis set of all d-dimensional linear classifiers. For a linear classifier (w, b), the data point's best response can be expressed more explicitly: under the normalization l*(w) = 1 (see Lemma 1 in the appendix), the induced label is h(∆_c(x, r; h)) = 2I(w · x + b ≥ −r) − 1, i.e., the point ends up on its preferred side exactly when its preference outweighs the minimum manipulation cost to the boundary.

Footnote 2: The model of (Hardt et al., 2016) corresponds to the case R = {1} in our model. For that restricted situation, the proof of Proposition 3 can be simplified to prove SVC = 1 when R = {1}. It turns out that an arbitrary preference set R increases the SVC by at most 1. Footnote 3: A function l : X → ℝ≥0 is a seminorm if it satisfies: (1) the triangle inequality, l(x + z) ≤ l(x) + l(z) for any x, z ∈ X; and (2) homogeneity, l(λx) = |λ|l(x) for any x ∈ X, λ ∈ ℝ.

We first study the statistical learnability by examining the strategic VC-dimension (SVC). Our first result (Theorem 2) is a negative one, showing that SVC can be unbounded in general, even for linear classifiers with features in ℝ² (i.e., X ⊂ ℝ²) and with the simple preference set R = {+1, −1}. Proof Sketch. We consider a set of data points {x_i}_{i=1}^n in ℝ² whose features are close but whose cost functions are induced by different norms. The cost functions are designed such that each point x_i is allowed to strategically alter its feature within a carefully designed polygon G_i centered at the origin. Specifically, each label pattern L ∈ {+1, −1}^n has a corresponding point s_L on the unit circle. The polygon G_i for x_i is the convex hull of all the s_L's whose label pattern L classifies i as +1. Figure 2 illustrates the high-level idea of our construction. Under such cost functions, we prove that H can induce all 2^n possible label patterns. The formal construction and proof can be found in Appendix C. In the study of adversarial VC-dimension (AVC) by (Cullina et al., 2018), the feature manipulation region of each data point is assumed to be instance-invariant. As a corollary, Theorem 2 implies that AVC also becomes ∞ for linear classifiers in ℝ² if each data point's manipulation region is allowed to be different.

It turns out that the infinite SVC above is mainly due to the instance-wise cost functions. Our next result shows that under instance-invariant cost functions, the SVC behaves nicely and, in fact, equals the AVC for linear classifiers despite the much richer data point manipulation behaviors. This result also strictly generalizes the characterization of AVC by (Cullina et al., 2018) for linear classifiers, and shows that linear classifiers are no harder to learn statistically even when allowing richer manipulation preferences of data points. Theorem 3. For any instance-invariant cost function c(z; x) = l(z − x) induced by a seminorm l, and any preference set R, we have SVC(H_d, R, c) = d + 1 − dim(V_l), where V_l is the largest linear subspace contained in the unit ball {z : l(z) ≤ 1}. In particular, if l is a norm (i.e., l(x) = 0 iff x = 0), then dim(V_l) = 0 and SVC(H_d, R, c) = d + 1. Proof Sketch. The key idea of the proof relies on a careful construction of a linear mapping which, given any set of data points, maps the class of linear classifiers to the vector space of the points' utilities; moreover, the sign of each data point's utility will correspond exactly to the label of the data point after its strategic manipulation. Using the structure of this construction, we can identify the relationship between the dimension of the linear mapping and the strategic VC-dimension.
By bounding the dimension of the space of signed agent utilities, we are able to derive the SVC, though with a somewhat involved algebraic argument to exactly pin down the dimension of the linear mapping, due to the possible degeneracy of the unit ball of l.

In this subsection, we turn our attention to the computational efficiency of learning. The standard ERM problem for linear classification to minimize the 0-1 loss is already known to be NP-hard in the general agnostic learning setting (Feldman et al., 2012). This implies that agnostic PAC learning by SERM is also NP-hard in our strategic setup. Therefore, our computational study will focus on the more interesting PAC-learning case, that is, assuming there exists a strategic linear classifier that perfectly separates all the data points. In the non-strategic case, the ERM problem can then be solved easily by a linear feasibility program. It turns out that the presence of gaming behaviors does make the resultant SERM problem significantly more challenging. We prove essentially tight computational tractability results in this subsection. Specifically, any strategic linear classification instance can be efficiently PAC-learned by SERM when the problem exhibits a certain "adversarial nature". However, the SERM problem immediately becomes NP-hard even when we go slightly beyond such adversarial situations. We start by defining what we mean by the "adversarial nature" of the problem. Definition 5. Let min_− = min{r_i : y_i = −1} and max_+ = max{r_i : y_i = +1} be the minimum reward among all −1 points and the maximum reward among all +1 points, respectively. We say the instance is "adversarial" if min_− ≥ 0 ≥ max_+, and "essentially adversarial" if min_− ≥ max_+. In other words, an instance is "adversarial" if each data point would like to move to the opposite side of its label, though with different magnitudes of preferences, and is "essentially adversarial" if any negative data point has a stronger preference to move to the positive side than any positive data point. Many natural settings are essentially adversarial, e.g., all four examples in Subsection 2.2.

Our first main result of this subsection (Theorem 4) shows that when the strategic classification problem exhibits the above adversarial nature, linear strategic classification can be efficiently PAC-learned by SERM. The second main result, Theorem 5, shows that the SERM problem becomes NP-hard once we go slightly beyond the adversarial setups identified in Theorem 4. These results show that the computational tractability of strategic classification is primarily governed by the preference set R. Interestingly, this is in contrast to the statistical learnability results in Theorems 2 and 3, where the preference set R did not play much of a role. Theorem 4. Any linearly separable strategic linear classification instance STRAC⟨H_d, R, c⟩ is efficiently PAC-learnable by SERM in polynomial time in the following two situations: 1. The problem is essentially adversarial (min_− ≥ max_+) and the cost function c(z; x) = l(z − x) is instance-invariant and induced by a seminorm l. 2. The problem is adversarial (min_− ≥ 0 ≥ max_+) and the instance-wise cost function c(z; x) = l_x(z − x) is induced by seminorms l_x.
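The proof sketch that follows turns Situation 1 into a convex feasibility problem, and that relaxation is easy to prototype with an off-the-shelf solver. Below is a minimal sketch (not from the paper), specialized to the l_2 cost (which is self-dual) and assuming cvxpy; the exact margin form of the paper's program OP (14) and the rescaling constants are reconstructions from the appendix, so treat this as an assumption-laden illustration rather than the paper's algorithm.

```python
import cvxpy as cp
import numpy as np

def serm_relaxation(X, y, r):
    """Relaxed SERM for Situation 1 with cost c(z; x) = ||z - x||_2.
    X: (n, d) array; y: array of +/-1 labels; r: array of preferences.
    A point's strategic label is +1 iff w . x + b >= -r (for l*(w) = 1);
    relaxing the non-convex constraint l*(w) = 1 to ||w||_2 <= 1 makes
    the margin maximization below a convex program."""
    n, d = X.shape
    w, b, eps = cp.Variable(d), cp.Variable(), cp.Variable()
    cons = [cp.norm(w, 2) <= 1, eps >= 0]
    for i in range(n):
        if y[i] == 1:
            cons.append(X[i] @ w + b >= -r[i] + eps)
        else:
            cons.append(X[i] @ w + b <= -r[i] - eps)
    cp.Problem(cp.Maximize(eps), cons).solve()
    # Tightness construction (appendix): rescale so that l*(w) = 1, with a
    # shift by m = (min_- + max_+) / 2; this step is valid precisely under
    # the essentially adversarial assumption min_- >= max_+.
    alpha = np.linalg.norm(w.value)
    m = 0.5 * (r[y == -1].min() + r[y == 1].max())
    return w.value / alpha, (b.value + m) / alpha - m
```

For Situation 2, the analogous constraints carry a per-point dual seminorm term l*_{x_i}(w), which is convex for any fixed margin, so a binary search over the margin yields the polynomial-time procedure described in the sketch below.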
Proof Sketch. For Situation 1, we can formulate the SERM problem as the following feasibility problem: find (w, b) with l*(w) = 1 such that w · x_i + b ≥ −r_i for every data point with y_i = +1 and w · x_i + b < −r_i for every data point with y_i = −1, where l* is the dual norm of l. This unfortunately is not a convex program due to the non-convex constraint l*(w) = 1; indeed, we prove later that this program is NP-hard to solve in general. Therefore, instead, we solve a relaxation of the above program, relaxing the constraint l*(w) = 1 to l*(w) ≤ 1 to obtain a convex program. The crucial step of our proof is to show that this relaxation is tight under the essentially adversarial assumption. This is proved by converting any optimal solution of the relaxed convex program into a feasible and optimal solution to the original problem. This is the crucial and also difficult step, since the solution to the relaxed convex program need not satisfy l*(w) = 1; in fact, it will generally satisfy l*(w) < 1, which is why the original program is NP-hard in general. Fortunately, using the essentially adversarial assumption, we are able to employ a carefully crafted construction to generate an optimal solution to the above non-convex program. For Situation 2, we can formulate it as another non-convex program in (w, b) with parameter ε: find (w, b) such that w · x_i + b ≥ −r_i · l*_{x_i}(w) for every data point with y_i = +1 and w · x_i + b ≤ −(r_i + ε) · l*_{x_i}(w) for every data point with y_i = −1. Fortunately, for any fixed ε > 0, the above program is convex in the variables (w, b). Moreover, if the system is feasible for some ε_0 > 0, then it is feasible for any 0 < ε ≤ ε_0. This allows us to determine the feasibility of the program above for any fixed ε and to binary search for a feasible ε, which overall runs in polynomial time.

Our next result shows that the positive claims in Theorem 4 are essentially the best one can hope for. Indeed, the SERM immediately becomes NP-hard if one goes slightly beyond the two tractable situations in Theorem 4. Note that our results do not rule out the possibility of computationally efficient learning algorithms other than SERM. We leave this as an intriguing open problem for future work. Theorem 5. Suppose the strategic classification problem is linearly separable. Then the SERM problem for linear classifiers is NP-hard in the following two situations: 1. Preferences are arbitrary and the cost function is instance-invariant and induced by the standard l_2 norm, i.e., c(z; x) = ||x − z||_2. 2. The problem is essentially adversarial (min_− ≥ max_+) and the cost function is instance-wise and induced by norms. Remark 1. Theorems 3, 4 and 5 together imply the following for strategic linear classification: (1) the problem is efficiently PAC-learnable (both statistically and computationally) when the cost function is instance-invariant and preferences are essentially adversarial; (2) SERM can be solved efficiently but SVC is infinitely large when the cost function is instance-wise and preferences are adversarial; (3) the problem is efficiently PAC-learnable in the statistical sense, but SERM is NP-hard, when the cost function is instance-invariant and preferences are arbitrary.

In this work, we propose and study a general strategic classification setting where data points have different preferences over classification outcomes and different manipulation costs. We establish the PAC-learning framework for this strategic learning setting and characterize both the statistical and computational learnability results for linear classifiers. En route, we generalize the recent characterization of the adversarial VC-dimension (Cullina et al., 2018) as well as the computational tractability results for learning linear classifiers of (Awasthi et al., 2019). Our conclusion reveals two important insights. First, the additional intricacy of having different preferences harms the statistical learnability of general hypothesis classes, but not of linear classifiers. Second, learning strategic linear classifiers can be done efficiently only when the setup exhibits some adversarial nature, and becomes NP-hard in general.
Our learnability results for linear classifiers apply to cost functions induced by semi-norms. A future direction is to generalize the theory to cost functions induced by asymmetric semi-norms or even arbitrary metrics. We also note that the strategic classification model we consider is under a full-information assumption, i.e., the cost function and the strategic preferences are transparent. This is analogous to the evasion attack in the adversarial machine learning literature, where the training data is supposed to be uncontaminated and the manipulation only happens during testing. What if we cannot observe the strategic preferences during training, or do not know the adversaries' cost function? This can be reformulated as online learning through repeated Stackelberg games and has been studied in (Dong et al., 2018), but those results do not apply to classifiers with 0-1 loss.

The work of (Hardt et al., 2016) is most relevant to our work: they introduced a Stackelberg game framework to model the interaction between the learner and the test data. Our model can be viewed as a generalization of (Hardt et al., 2016) that allows heterogeneous preferences over classification outcomes. (Hardt et al., 2016) assume a special class of separable cost functions, and prove that the optimal classifier is always a threshold classifier. Essentially, the assumption of separable cost functions reduces the feature space to a low dimension, which is also why the strategic VC dimension in this case is at most 2, as we proved. Despite this clean characterization, it appears to be a strong and somewhat unrealistic requirement. For example, one consequence of separable cost functions is that for any two features x, z, the manipulation cost from either x to z or from z to x must be 0. This appears unrealistic in practice. For example, a high-school student with true average math grade 80 and true average literature grade 95 is likely to incur a cost if she/he wants to appear as 95 for math and 80 for literature, and vice versa; this is because different students are good at different aspects. Our model imposes fewer assumptions on the cost functions. For example, in our study of strategic linear classification, the cost functions are induced by arbitrary semi-norms. (Brückner & Scheffer, 2011) is one of the first works to consider the Stackelberg game formulation of strategic classification, motivated by spam filtering; however, they do not study generalization bounds. (Zhang & Conitzer, 2021) provide the sample complexity result for strategic PAC-learning under the homogeneous preference setting, and in particular study the case with incentive-compatibility constraints, i.e., subject to the constraint that no data point will misreport its features. These two works both assume that the positive label is always and equally preferred. There has also been work on understanding the social implications of strategically robust classification (Akyol et al., 2016; Milli et al., 2019; Hu et al., 2019b); these works show that improving the learner's performance may lead to increased social burden and unfairness. (Dong et al., 2018; Chen et al., 2020) extend strategic linear classification to an online setting where the input features are not known a priori, but instead are revealed in an online manner. Both focus on the optimization problem of regret minimization. Our setting, however, is the more canonical PAC-learning setup, and our objective is to design statistically and computationally efficient learning algorithms.
All these aforementioned works, including the present work, consider gaming behaviors. A relevant but quite different line of recent works studies strategic improvements, where the manipulation really does change the inherent quality and labels (Kleinberg & Raghavan, 2019; Miller et al., 2019; Ustun et al., 2019; Bechavod et al., 2020; Shavit et al., 2020). The question there is mainly to design incentive mechanisms to encourage agents' efforts or improvements.

Proof of Theorem 1 (Appendix B.1). Observe that L_c(h; D) equals L(h̃; D), the standard expected risk of the newly defined h̃ ∈ H̃ under the distribution D in the non-strategic setting. Therefore, studying the PAC sample complexity upper bound for H under the strategic setting (R, c) is equivalent to studying the sample complexity for H̃ in the non-strategic setting. The latter problem can be addressed by employing the standard PAC learning analysis. From the Fundamental Theorem of Statistical Learning (Theorem 6.8 in (Shalev-Shwartz & Ben-David, 2014)), we know H̃ is agnostically PAC learnable with sample complexity O(ε^{-2}(VC(H̃) + log(1/δ))), meaning that there exists a constant C such that for any (δ, ε) ∈ (0, 1)² and any distribution D for (x, y, r), as long as n ≥ C · ε^{-2}(VC(H̃) + log(1/δ)), with probability at least 1 − δ, we have L(h̃_SERM; D) ≤ min_{h̃ ∈ H̃} L(h̃; D) + ε; since VC(H̃) = SVC(H, R, c), this yields Theorem 1.

Proof of Proposition 1. Recall that in the adversarial setting, σ_n(F, B) = max |{(f(x_1, y_1; h), ..., f(x_n, y_n; h)) : h ∈ H}| (7) is the shattering coefficient, where f(x_i, y_i; h) = I(h(x_i) = y_i) is the loss function of the corrupted classifier h̃ = κ_R(h). Since B and c are r-consistent, we have B = {(z; x) : c(z; x) ≤ r}. Let R = {+r, −r}. We now prove the proposition by arguing that sup{n ∈ ℕ : σ_n(H, R, c) = 2^n} = sup{n : σ_n(F, B) = 2^n}. 1. If sup{n ∈ ℕ : σ_n(H, R, c) = 2^n} = n, then by Definition 1 there exist (x_i, r_i) ∈ X × R, i = 1, ..., n, such that |{(h(∆_c(x_1, r_1; h)), ..., h(∆_c(x_n, r_n; h))) : h ∈ H}| = 2^n. Since Definition 1 does not rely on the true labels of the x_i, we may let the true labels of the x_i be y_i = −r_i/r for each i. In this case, each x_i's strategic preference is against its true label, which corresponds to the loss function f in Equation (7) for the adversarial setting. Therefore, taking these (x_i, y_i) in Equation (7) gives σ_n(F, B) = 2^n. This implies sup{n ∈ ℕ : σ_n(H, R, c) = 2^n} ≤ sup{n : σ_n(F, B) = 2^n}. 2. Conversely, if sup{n : σ_n(F, B) = 2^n} = n, then from Equation (7) there exist (x_i, y_i) ∈ X × {+1, −1}, i = 1, ..., n, such that |{(f(x_1, y_1; h), ..., f(x_n, y_n; h)) : h ∈ H}| = 2^n. Similarly, taking r_i = −r·y_i ∈ R gives σ_n(H, R, c) = 2^n, which implies sup{n ∈ ℕ : σ_n(H, R, c) = 2^n} ≥ sup{n : σ_n(F, B) = 2^n}.

Proof of Proposition 2. Let X = [n] ∪ S, where [n] = {1, ..., n} and S is the collection of all subsets of [n], and let H = {h_s : s ∈ S} be the class of point classifiers: h_s classifies a feature as +1 if and only if it equals s. The cost function c(z; x) is a metric defined as follows; since a metric is symmetric, i.e., c(z; x) = c(x; z), we will use the notation c(x, z) throughout this proof. For x ≠ z: c(x, z) = x + z if x, z ∈ [n]; c(x, z) = 1 if x, z ∈ S; c(x, z) = x if x ∈ [n], z ∈ S and x ∈ z; c(x, z) = x + 1 if x ∈ [n], z ∈ S and x ∉ z (and symmetrically when z ∈ [n], x ∈ S); finally, c(x, x) = 0. (9) The preference set R is set to be [−n, −1] ∪ [1, n]. First, we verify that c(·, ·) is indeed a metric. Given Equation (9), it is easy to see that c(x, z) = 0 iff x = z, and c(x, z) = c(z, x) for all x, z ∈ X. It remains to check the triangle inequality, i.e., for any x, y, z ∈ X, c(x, y) + c(y, z) ≥ c(x, z). Consider the case when x, y, z are distinct elements of X. By enumerating whether each of x, y, z lies in [n] or in S, it suffices to discuss the following 8 (= 2³) cases: 1. If x, y ∈ [n] and z ∈ S, we need to show that c(x, y) ≥ c(x, z) − c(y, z).
Conditioned on the relationship between x, y and the set z, the maximum value of c(x, z) − c(y, z) is x − y + 1, attained when y ∈ z and x ∉ z. Therefore, c(x, y) = x + y ≥ x − y + 1 ≥ c(x, z) − c(y, z). 2. If x, y, z ∈ [n], then c(x, y) + c(y, z) = x + 2y + z ≥ x + z = c(x, z). 3. If x, z ∈ [n] and y ∈ S, then c(x, y) + c(y, z) ≥ x + z = c(x, z). 4. If x ∈ [n] and y, z ∈ S, then c(x, y) + c(y, z) ≥ x + 1 ≥ c(x, z). 5. If x, z ∈ S and y ∈ [n], then c(x, y) + c(y, z) ≥ y + y > 1 ≥ c(x, z). 6. If x, y ∈ S and z ∈ [n], then the maximum value of c(x, z) − c(y, z) is (z + 1) − z = 1, attained when z ∉ x and z ∈ y; therefore, c(x, y) = 1 ≥ c(x, z) − c(y, z). 7. If x ∈ S and y, z ∈ [n], this is equivalent to case 1 by the symmetry of the triangle inequality in x and z. 8. If x, y, z ∈ S, then c(x, y) + c(y, z) = 2 ≥ 1 = c(x, z).

Next, we show VC(H) = 1, AVC(H, B_c(r)) = 1, and SVC(H, R, c) ≥ n. Observe that VC(H) = 1 follows easily since no point classifier h_s ∈ H can generate the label pattern (+1, +1) for any pair of distinct data points. Next we prove AVC(H, B_c(r)) = 1. We first show AVC(H, B_c(r)) ≤ 1 by arguing that, under the binary nearness relation B_c(r) = {(z; x) : c(z, x) ≤ r} with r ≥ 1, no two elements x_1, x_2 of X can be shattered by H. 1. If at least one of r_1, r_2 equals −r, e.g., r_1 = −r, we show that x_1 can never be classified as +1, by contradiction. Suppose some h_s ∈ H classifies (x_1, −r) as +1: if x_1 ≠ s, since r_1 = −r < 0, x_1 will not manipulate its feature and will be classified as −1; if x_1 = s, x_1 can move to any other z ∈ S with cost 1 ≤ r, and will also be classified as −1. Therefore, (x_1, x_2) cannot be shattered. 2. If r_1 = r_2 = r, consider the following two cases: (a) If at least one of x_1, x_2 belongs to S, e.g., x_1 ∈ S, then x_1 can move to any s ∈ S, as c(x_1, s) ≤ 1 ≤ r for any s ∈ S. Therefore x_1 can never be classified as −1 by any point classifier in H. (b) If x_1, x_2 ∈ [n], we may w.l.o.g. assume x_1 < x_2, i.e., x_1 + 1 ≤ x_2. Observe that when r < x_1, any h_s ∈ H will classify x_1 as −1 because c(x_1, s) ≥ x_1 > r for all s ∈ S; when r ≥ x_1 + 1, any h_s ∈ H will classify x_1 as +1 because c(x_1, s) ≤ x_1 + 1 ≤ r for all s ∈ S. Therefore, in order to shatter (x_1, x_2), r must lie in the interval [x_1, x_1 + 1) ∩ [x_2, x_2 + 1) = ∅, which yields the contradiction. To see that AVC(H, B_c(r)) ≥ 1: any single x ∈ [n] with r > 0 can be classified as either +1 or −1 as long as r ∈ [x, x + 1). We thus have AVC(H, B_c(r)) = 1.

Finally, we prove that SVC(H, R, c) = n. Consider the subset [n] ⊂ X of size n, with each element i equipped with a strategic preference r_i = i. For any label pattern L ∈ {+1, −1}^n, let s_L = {i ∈ [n] : L_i = +1} be an element of S. We claim that h_{s_L} ∈ H gives exactly the label pattern L on [n]. To see this, consider any i ∈ [n]: 1. If i ∈ s_L, then i will move to s_L ∈ S and be classified as +1, as the cost c(i, s_L) = i ≤ r_i = i. 2. If i ∉ s_L, then i will not move to s_L and will be classified as −1, as the cost c(i, s_L) = i + 1 > r_i = i. Therefore, any label pattern L ∈ {+1, −1}^n can be achieved by some h_{s_L} ∈ H. This implies SVC(H, R, c) ≥ n. On the other hand, it is easy to see H cannot shatter n + 1 points, because any subset of size n + 1 must contain an element s_0 ∈ S, and no matter what strategic preference s_0 has, it will either be classified as +1 by all h_s ∈ H, or be classified as +1 by only one classifier in H, namely h_{s_0}. Either case renders the shattering of n + 1 points impossible.
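The construction above is small enough to verify mechanically. The following Python sketch (not from the paper) implements the metric of Equation (9) and checks that the point classifiers induce all 2^n label patterns on the points (x_i, r_i) = (i, i); the tie at cost i is broken in the agent's favor, which is admissible since the agent may pick any best response.

```python
from itertools import chain, combinations

def all_subsets(n):
    """The set S: all subsets of [n] = {1, ..., n}, as frozensets."""
    return [frozenset(c) for c in chain.from_iterable(
        combinations(range(1, n + 1), k) for k in range(n + 1))]

def cost(x, z):
    """The metric of Equation (9) on X = [n] (ints) plus S (frozensets)."""
    if x == z:
        return 0
    if isinstance(x, int) and isinstance(z, int):
        return x + z                      # both in [n]
    if not isinstance(x, int) and not isinstance(z, int):
        return 1                          # both in S
    if not isinstance(x, int):
        x, z = z, x                       # normalize: x integer, z subset
    return x if x in z else x + 1

def verify_shattering(n):
    """Under h_s, point (i, r_i = i) is labeled +1 iff it can afford moving
    to s, i.e., iff i - cost(i, s) >= 0; all 2^n patterns should appear."""
    patterns = set()
    for s in all_subsets(n):
        patterns.add(tuple(1 if i - cost(i, s) >= 0 else -1
                           for i in range(1, n + 1)))
    return len(patterns) == 2 ** n

assert verify_shattering(4)   # 16 distinct patterns on 4 points
```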
Proof of Proposition 3. Define the adversarial region for an adversary (x, r) as N(x, r) = {z ∈ X : c_2(z) ≤ c_1(x) + |r|} ⊇ {x}. Since staying with the same feature has no cost, we have c(x; x) = 0, or equivalently c_2(x) ≤ c_1(x), for any x ∈ X. Then, the best response function for (x, r) can be characterized by: for r > 0, h(∆(x, r; h)) = 1 if and only if there exists z ∈ N(x, r) with h(z) = 1; for r < 0, h(∆(x, r; h)) = 1 if and only if h(z) = 1 for all z ∈ N(x, r). (10) Suppose there are three points (x_1, r_1), (x_2, r_2), (x_3, r_3); since the adversarial regions are sublevel sets of c_2, they are totally ordered by inclusion, so we may assume w.l.o.g. that N(x_1, r_1) ⊆ N(x_2, r_2) ⊆ N(x_3, r_3). By the Pigeonhole principle, there must exist two elements of {r_1, r_2, r_3} which have the same sign. Suppose these two elements are r_1, r_2, and consider the following two cases: 1. r_1 > 0, r_2 > 0. From Equation (10), for any h ∈ H, h(∆(x_2, r_2; h)) = −1 means h(z) = −1 for all z ∈ N(x_2, r_2). Since N(x_1, r_1) ⊆ N(x_2, r_2), we also have h(z) = −1 for all z ∈ N(x_1, r_1). As a result, h(∆(x_1, r_1; h)) = −1, meaning the sign pattern (+, −) cannot be achieved by any h ∈ H for ((x_1, r_1), (x_2, r_2)). 2. r_1 < 0, r_2 < 0. From Equation (10), for any h ∈ H, h(∆(x_2, r_2; h)) = 1 means h(z) = 1 for all z ∈ N(x_2, r_2). Similarly, from N(x_1, r_1) ⊆ N(x_2, r_2) we conclude h(z) = 1 for all z ∈ N(x_1, r_1) and h(∆(x_1, r_1; h)) = 1, meaning the sign pattern (−, +) cannot be achieved by any h ∈ H for ((x_1, r_1), (x_2, r_2)). In either case, some sign pattern on the three points cannot be achieved, so no three points can be shattered and SVC(H, R, c) ≤ 2.

Proof of Theorem 2 (Appendix C). Let X = ℝ², and consider the hypothesis class H of linear classifiers on X. We show that for any n ∈ ℤ_+ and R = {+1}, there exist n points {x_i}_{i=1}^n ∈ X^n and corresponding cost functions {c_i}_{i=1}^n such that the n'th shattering coefficient σ_n(H, R, {c_i}_{i=1}^n) = 2^n (see Definition 1 for σ_n). Note that the cost function is instance-wise; for convenience, we equivalently think of each data point i as having its own cost function c_i. Let x_i = (0, 0) for all i ∈ [n] be the set of data points. The main challenge of the proof is a very careful construction of the cost function for each data point. To do so, we first pick a set of 2^n distinct points S = {s_j}_{j=1}^{2^n} lying on the unit circle. What these 2^n points are will not matter to our construction, nor does it matter which point is mapped to which subset, so long as the mapping is a bijection. With slight abuse of notation, let s_L = {i ∈ [n] : L_i = +1} ∈ S be the point in S that corresponds to the set of indexes of L with L_i = +1. Moreover, let S̄ = {(−x, −y) : (x, y) ∈ S} be the set that is origin-symmetric to S, such that S̄ ∩ S = ∅; S̄ is chosen to "symmetrize" our construction so as to obtain a norm, and need not have any interpretation. For any x_i, we now define its cost function c_i through the following steps: 1. Let S_i = {s_L ∈ S : i ∈ s_L} be the set of all s_L's whose label pattern L classifies i as +1. 2. Let S̄_i = {(−x, −y) : (x, y) ∈ S_i} ⊆ S̄ be the set that is origin-symmetric to S_i. 3. Let G_i be the convex, origin-symmetric polygon with vertex set S_i ∪ S̄_i. The cost function of x_i is defined as c_i(z; x) = ||x − z||_{G_i}, where ||x||_{G_i} = inf{λ ∈ ℝ≥0 : x ∈ λG_i} is the norm derived from the polygon G_i (note the origin-symmetry of S_i ∪ S̄_i and thus of G_i). Now, given a label pattern L, let h_L be any linear classifier whose decision boundary intersects the unit circle centered at x_i and strictly separates s_L from all the other elements of S ∪ S̄. We will use h_L to denote both the linear classifier and its decision boundary (i.e., a line in ℝ²) interchangeably. Due to the convexity of G_i, such an h_L must exist. We further let h_L give prediction +1 on the half-plane that contains s_L and −1 on the other half-plane. Figure 3 illustrates the geometry of this example. (Figure 3. Left: if i ∈ s_L, h_L intersects G_i, and x_i can manipulate its feature within G_i to cross h_L. Right: if i ∉ s_L, h_L and G_i are disjoint; x_i cannot manipulate its feature within G_i to cross h_L. Given any label pattern L ∈ {+1, −1}^n, G_i is the convex, origin-symmetric polygon associated with x_i's cost function; the linear classifier h_L is chosen to separate s_L from all other elements of S ∪ S̄ and classifies s_L as +1.) We now argue that h_L induces the given label pattern L for the instances {(x_i, 1)}_{i=1}^n. To see this, we examine h_L(∆_{c_i}(x_i, 1; h_L)) for each i: 1. If i ∈ s_L, then s_L ∈ S_i and x_i can cross h_L with cost strictly less than 1. This is because G_i is convex and there exists a point x_i' on h_L such that c_i(x_i'; x_i) < c_i(s_L; x_i) = 1 = r_i (e.g., choose x_i' as the intersection point of the segment [x_i, s_L] and h_L). Therefore, h_L will classify x_i as positive. This case is shown in the left panel of Figure 3. 2. If i ∉ s_L, then s_L ∉ S_i and G_i does not intersect h_L. In this case, h_L(x_i) = −1, and moving across h_L always induces a cost strictly larger than 1. Therefore, the best response for x_i is to stay put, and h_L will classify x_i as negative. This case is shown in the right panel of Figure 3. Now we have shown that the n'th shattering coefficient σ_n(H, {+1, −1}, {c_i}_{i=1}^n) = 2^n. Since n can be any positive integer, we conclude that the strategic VC-dimension in this case is +∞. The following lemma from advanced linear algebra is widely known and will be useful for our analysis. Lemma 1.
For any seminorm l : ℝ^d → ℝ≥0 and the cost function c(z; x) = l(z − x) induced by l, the minimum manipulation cost for x to move to the hyperplane w · x + b = 0 is |w · x + b| / l*(w), where l*(w) = sup_{z ∈ B} {w · z} ∈ ℝ≥0 ∪ {+∞} and B = {z : l(z) ≤ 1} is the unit ball induced by l. The proof is divided into the following two parts; the first part is the more involved one.

Proof of SVC(H_d, R, c) ≤ d + 1 − dim(V_l): It suffices to show that for any n > d + 1 − dim(V_l) and any n data points (x_i, r_i) ∈ ℝ^d × ℝ, i = 1, ..., n, there exists a label pattern L ∈ {+1, −1}^n that no h ∈ H_d can induce, i.e., (h(∆_c(x_1, r_1; h)), ..., h(∆_c(x_n, r_n; h))) ≠ L for all h ∈ H_d. The first step of our proof derives a succinct characterization of the classification outcome for a set of data points. For any seminorm l, it is known that the set B = {x : l(x) ≤ 1} is nonempty, closed, convex, and origin-symmetric. Let l*(w) = sup_{z ∈ B} {w · z}. We have l*(w) > 0 for all w ≠ 0, since 0 is an interior point of B. According to Lemma 1, for any x ∈ ℝ^d and any linear classifier h = (w, b) ∈ H_d, the minimum manipulation cost for x to move to the decision boundary of h is |w · x + b|/l*(w). Note that we may w.l.o.g. restrict to w's such that l*(w) = 1, since the sign function sgn(w · x + b) does not change after re-scaling. For any data point (x, r) ∈ X × R and linear classifier h ∈ H_d, we define the signed manipulation cost to the classification boundary as (w · x + b)/l*(w) = w · x + b, using the condition l*(w) = 1. We claim that h(∆_c(x, r; h)) = 2I(w · x + b ≥ −r) − 1. This follows from a case analysis: 1. If r ≤ 0, then h(∆_c(x, r; h)) = 1 if and only if h(x) = 1 and x cannot move across the decision boundary of h within cost |r| = −r. This implies h(∆_c(x, r; h)) = 2I(w · x + b ≥ −r) − 1. 2. If r > 0, then h(∆_c(x, r; h)) = −1 if and only if h(x) = −1 and x cannot move across the decision boundary of h within cost r. In this case, h(∆_c(x, r; h)) = −(2I(−(w · x + b) > r) − 1) = 2I(w · x + b ≥ −r) − 1. Note that the first inequality holds strictly because we assume h always gives +1 for those x on the decision boundary. For a set of samples (X, r), where X = (x_1, ..., x_n) and r = (r_1, ..., r_n), define the set of all possible vectors (over the choice of linear classifiers (w, b) ∈ H_d) of signed manipulation costs as D(H_d, X) = {(w · x_1 + b, ..., w · x_n + b) : (w, b) ∈ H_d, l*(w) = 1}. (11) Then there is an h ∈ H_d that achieves a label pattern L on (X, r) if and only if there exists an element of D(H_d, X) + r with the corresponding sign pattern L. Recall that a linear classifier is described by (w, b) ∈ ℝ^{d+1}. The second step of our proof rules out "trivial" linear classifiers under strategic behaviors, and consequently allows us to work with only linear classifiers in a linear space of smaller dimension. Let B = {x : l(x) ≤ 1} and let V_l be the largest linear subspace contained in B. We argue that it suffices to consider only linear classifiers (w, b) with w ⊥ V_l.
This is because, for any w that is not orthogonal to the subspace V_l, we can find z̄ ∈ V_l such that moving by z̄ has zero cost (l(z̄) = 0) while w · z̄ can be made arbitrarily large, since V_l is a linear subspace. This means any data point can induce its preferred label sgn(r) with 0 cost, by moving along z̄ if sgn(r) = +1 and along −z̄ otherwise. Any such linear classifier will result in the same label pattern, simply specified by sgn(r). As a consequence, we only need to focus on linear classifiers (w, b) with w ⊥ V_l. Let H̄_d = {(w, b) : w ⊥ V_l} denote all such linear classifiers. Next, we argue that when restricting to the non-trivial class of linear classifiers H̄_d, the set D(H̄_d, X) defined in Equation (11) lies in a linear subspace of dimension at most d + 1 − dim(V_l). Consider the linear mapping G_X : H̄_d → ℝ^n determined by the data features X, defined as G_X(w, b) = (w · x_1 + b, ..., w · x_n + b). Since w ⊥ V_l, w comes from a linear subspace of dimension d − dim(V_l). A linear mapping does not increase the dimension of the image space; therefore D(H̄_d, X) lies in a subspace of dimension at most d + 1 − dim(V_l). Finally, we prove that there must exist label patterns that cannot be induced by linear classifiers whenever the number of data points n > d + 1 − dim(V_l). Let span(D(H̄_d, X)) denote the smallest linear subspace that contains D(H̄_d, X). Since span(D(H̄_d, X)) has dimension at most d + 1 − dim(V_l) < n but span(D(H̄_d, X)) ⊆ ℝ^n, there must exist a vector ū ∈ ℝ^n such that: (1) ū ≠ 0; (2) ū ⊥ span(D(H̄_d, X)) (i.e., ū · v = 0 for all v ∈ span(D(H̄_d, X))); and (3) ū · r ≤ 0 (if ū · r > 0, simply take its negation). Note that this implies ū · v ≤ 0 for all v ∈ span(D(H̄_d, X)) + r. We argue that the sign pattern of the vector ū, denoted sgn(ū), and the sign pattern of all negatives, L = (−1, ..., −1), cannot both be achieved by H̄_d. Suppose sgn(ū) can be achieved by H̄_d; then there must exist v¹ ∈ span(D(H̄_d, X)) + r such that sgn(ū) = sgn(v¹) and ū · v¹ ≤ 0. Since sgn(ū) = sgn(v¹) also implies ū · v¹ ≥ 0, we thus have ū · v¹ = Σ_{j=1}^n ū_j v¹_j = 0. We claim that there must exist j such that ū_j > 0. First of all, we cannot have ū_j < 0 for any j, since that would imply v¹_j < 0 (only strictly negative v¹_j's are assigned the −1 pattern due to our tie-breaking rule), so that ū_j v¹_j > 0 while every other term is non-negative, and consequently ū · v¹ > 0, a contradiction. Also, ū ≠ 0, so there exists j ∈ [n] such that ū_j > 0. Utilizing the above property of ū, we show that the sign pattern L = (−1, ..., −1) cannot be achieved by H̄_d. Suppose, for the sake of contradiction, that this is not true. Then there exists another v² = (v²_1, ..., v²_n) ∈ span(D(H̄_d, X)) + r with all its elements strictly negative. Now consider v = v¹ − v² ∈ span(D(H̄_d, X)); we have ū · v = ū · v¹ − ū · v² = 0 − ū · v² > 0. Here the inequality holds because ū_j ≥ 0 and v²_j < 0 for all j, and there exists some j such that ū_j > 0. Therefore, we reach a contradiction with the fact that ū · v = 0 for any v ∈ span(D(H̄_d, X)). Now we have proved that sgn(ū) and L = (−1, ..., −1) cannot both be achieved by the non-trivial classifiers H̄_d, while the only sign pattern achievable by the trivial classifiers is sgn(r). Note that r ∈ span(D(H̄_d, X)) + r, so sgn(r) is also achievable by H̄_d. Therefore, the trivial classifiers contribute nothing to the shattering coefficient, and we conclude that at least one of sgn(ū) and L = (−1, ..., −1) cannot be achieved by H_d.

Proof of SVC(H_d, R, c) ≥ d + 1 − dim(V_l): The second part of the proof shows SVC(H_d, R, c) ≥ d + 1 − dim(V_l) by giving an explicit construction of (X, r) that can be shattered by H_d.
Proof of SVC(H_d, R, c) ≥ d + 1 − dim(V_l): The second part of the proof shows SVC(H_d, R, c) ≥ d + 1 − dim(V_l) by giving an explicit construction of (X, r) that can be shattered by H_d.

Let x_0 = 0, let (x_1, …, x_t) be a basis of the subspace orthogonal to V_l, and let (x_{t+1}, …, x_d) be a basis of the subspace V_l, where t = d − dim(V_l). We claim that the t + 1 = d + 1 − dim(V_l) data points x_0, x_1, …, x_t can be shattered by H_d. In particular, for any given subset S ⊆ {0, 1, …, t}, consider the linear system

w · x_i + b = 1 for i ∈ S,   w · x_i + b = −1 for i ∈ {0, 1, …, t} \ S,   w · x_j = 0 for j = t + 1, …, d.

Because (x_1, …, x_d) has full rank, the solution (w_S, b_S) must exist (and w_S ⊥ V_l by the last set of equations). Therefore, the hyperplane w_S · x + b_S = 0 separates {x_i : i ∈ S} from {x_0, …, x_t} \ S. Now consider the case when each x_i has a strategic preference r_i ∈ R. Since w_S is chosen to be orthogonal to V_l, w_S · z is bounded over the manipulation region {z : c(z; x_i) ≤ |r_i|}. Let δ_S = max_{0 ≤ i ≤ t} sup{w_S · (z − x_i) : c(z; x_i) ≤ |r_i|} and δ = max(1, 2 max_S δ_S). Then the data set {δx_0, …, δx_t} can be shattered by H_d for any given c and R, because the classifier (δw_S, δb_S) separates {δx_i : i ∈ S} from the remaining points regardless of their strategic responses, thus completing our proof.
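The construction can be made concrete with a toy seminorm. Below is a small sketch (ours, not the paper's) in R^2 with l(x) = |x_1|, so V_l = {x : x_1 = 0}, t = d − dim(V_l) = 1, and the two points x_0 = 0 and x_1 = e_1 are shattered by solving the linear system above for each subset S.

```python
import numpy as np

d, t = 2, 1
pts = [np.zeros(d), np.array([1.0, 0.0])]     # x_0 = 0 and x_1 ⊥ V_l
basis_Vl = [np.array([0.0, 1.0])]             # V_l = span{e_2}

for S in [set(), {0}, {1}, {0, 1}]:
    # rows: (x_i, 1) for the labeled points, (x_j, 0) forcing w ⊥ V_l
    A = np.array([[*p, 1.0] for p in pts] + [[*v, 0.0] for v in basis_Vl])
    rhs = np.array([1.0 if i in S else -1.0 for i in range(t + 1)] + [0.0])
    w_b = np.linalg.solve(A, rhs)             # solvable: the x's span R^d
    w_S, b_S = w_b[:d], w_b[d]
    got = [1 if w_S @ p + b_S >= 0 else -1 for p in pts]
    assert got == [1 if i in S else -1 for i in range(t + 1)]
```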
Exactly which 2^n distinct points are chosen will not matter to our construction, nor does it matter which point is mapped to which subset, so long as the mapping is a bijection. Moreover, let S̄ = {(−x, −y) : (x, y) ∈ S} be the set that is origin-symmetric to S, chosen such that S̄ ∩ S = ∅. S̄ serves only to "symmetrize" our construction so that it yields a norm, and need not have any interpretation. For any x_i, we now define its cost function c_i through the following steps:

1. Let S̄_i = {(−x, −y) : (x, y) ∈ S_i} ⊆ S̄ be the set that is origin-symmetric to S_i.
2. Let G_i be the convex, origin-symmetric polygon with vertex set S_i ∪ S̄_i.
3. The cost function of x_i is defined as c_i(z; x_i) = ‖x_i − z‖_{G_i}, where ‖x‖_{G_i} = inf{ε ∈ R_{≥0} : x ∈ εG_i} is the norm derived from the polygon G_i (note the origin-symmetry of S_i ∪ S̄_i and thus of G_i).
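The polygon-induced norm ‖·‖_{G_i} is the Minkowski gauge of G_i, which for a polytope reduces to a small linear program. The sketch below is our own illustration (assuming SciPy is available) of computing it from the vertex set.

```python
import numpy as np
from scipy.optimize import linprog

def gauge_norm(x, vertices):
    """||x||_G = inf{eps >= 0 : x in eps * G} for G = conv(vertices),
    an origin-symmetric polytope whose vertex list already contains -v
    for every v.  Writing x = sum_j lam_j v_j with lam_j >= 0 gives
    ||x||_G = min sum_j lam_j subject to those constraints."""
    V = np.asarray(vertices, dtype=float)            # shape (m, d)
    res = linprog(c=np.ones(len(V)), A_eq=V.T, b_eq=np.asarray(x, float),
                  bounds=[(0, None)] * len(V), method="highs")
    return res.fun if res.success else np.inf

# example: the diamond conv{(1,0), (0,1), (-1,0), (0,-1)} induces the l1 norm
diamond = [(1, 0), (0, 1), (-1, 0), (0, -1)]
assert abs(gauge_norm([1.0, 1.0], diamond) - 2.0) < 1e-8
```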
Acknowledgement. We thank anonymous ICML reviewers for helpful suggestions. H. Xu is supported by a GIDI award from the UVA Global Infectious Diseases Institute and a Google Faculty Research Award. A. Vullikanti is supported by NSF grants IIS-1931628, CCF-1918656, IIS-1955797, and NIH grant R01GM109718. R. Sundaram is supported by NSF grants CNS-1718286 and IIS-2039945.

Proof of Theorem 4. For any data point (x, y, r), let the manipulation cost for the data point be c(z; x) = l_x(z − x), where l_x is any seminorm. Since the instance is separable, there exists a hyperplane h : w · x + b = 0 that separates the given n training points (x_1, y_1, r_1), …, (x_n, y_n, r_n) under strategic behaviors. The SERM problem is thus a feasibility problem, which we now formulate, utilizing Lemma 1 about the signed distance from x_i to the hyperplane h under cost function c(z; x_i) = l_{x_i}(z − x_i). Concretely, we would like to find a hyperplane h : w · x + b = 0 that satisfies the following for every (x_i, y_i, r_i):

1. If y_i = 1 and r_i ≥ 0, we must have either w · x_i + b ≥ 0, or x_i can move across the decision boundary within cost r_i.
2. If y_i = 1 and r_i < 0, we must have w · x_i + b ≥ 0 and x_i cannot move across the decision boundary within cost −r_i.
3. If y_i = −1 and r_i ≥ 0, we must have w · x_i + b < 0 and x_i cannot move across the decision boundary within cost r_i.
4. If y_i = −1 and r_i < 0, we must have either w · x_i + b < 0, or x_i can move across the decision boundary within cost −r_i.

Note that we classify any point on the hyperplane as +1 as well, which is why the inequalities in Cases 3 and 4 are strict. Cases 1 and 2 can be summarized as (w · x_i + b)/l*_{x_i}(w) ≥ −r_i, and similarly Cases 3 and 4 as (w · x_i + b)/l*_{x_i}(w) < −r_i. To impose the strict inequalities, we may introduce a slack variable ε. These observations lead to the following formulation of the SERM problem:

find (w, b) and ε > 0 such that
  w · x_i + b ≥ −r_i · l*_{x_i}(w) for all i with y_i = 1,
  w · x_i + b ≤ −(r_i + ε) · l*_{x_i}(w) for all i with y_i = −1.   (12)

We now consider the two settings described in the theorem statement. We first consider Situation 1, i.e., the essentially adversarial case with min− ≥ max+ and an instance-invariant cost function induced by the same seminorm l, i.e., c(z; x) = l(x − z) for every x. In this case, System (12) is equivalent to the following:

find (w, b) and ε > 0 such that
  w · x_i + b ≥ −r_i for all i with y_i = 1,
  w · x_i + b ≤ −r_i − ε for all i with y_i = −1,   (13)
  l*(w) = 1.

This system is unfortunately not a convex feasibility problem. To solve System (13), we consider the following optimization program (OP), a relaxation of System (13) obtained by relaxing the non-convex constraint l*(w) = 1 to the convex constraint l*(w) ≤ 1:

maximize ε subject to
  w · x_i + b ≥ −r_i for all i with y_i = 1,
  w · x_i + b ≤ −r_i − ε for all i with y_i = −1,   (14)
  l*(w) ≤ 1.

Note that OP (14) is a convex program because its objective and constraints are either linear or convex. Therefore, OP (14) can be solved in polynomial time. Note also that this relaxation is not tight in general: as we show later, solving System (13) is NP-hard in general. Our main insight is that under the assumption min− ≥ max+, the above relaxation is tight, i.e., there always exists an optimal solution to the above problem with l*(w) = 1. This solution is then a feasible solution to System (13) as well. Concretely, given any optimal solution (w*, b*, ε*) to OP (14), let α = l*(w*) ≤ 1 and t = (min− + max+)/2, and construct another solution (w̄, b̄, ε̄) as follows:

  w̄ = w*/α,   b̄ = (b* + t)/α − t,   ε̄ = ε*.

We claim that the constructed solution above remains feasible for OP (14), with l*(w̄) = 1. Note that for any data point with label 1, we have: (1) (min− + max+)/2 ≥ r_i, by the assumption r_i ≤ max+ ≤ min−; (2) x_i · w* + b* ≥ −r_i, by the feasibility of (w*, b*, ε*). Therefore

  x_i · w̄ + b̄ = (x_i · w* + b* + t)/α − t ≥ (−r_i + t)/α − t ≥ (−r_i + t) − t = −r_i,

where the last inequality uses −r_i + t ≥ 0 (by (1)) and α ≤ 1. This proves that the constructed solution is feasible for data points with label 1. A similar argument, using the inequality (min− + max+)/2 ≤ r_i for any negative-label data point, shows that it is also feasible for the negative data points. It is easy to see that the solution quality is as good as the optimum ε* since α ≤ 1. This proves the optimality of the constructed solution.

Finally, we consider Situation 2, where the instance is adversarial, i.e., min− ≥ 0 ≥ max+. In this case, r_i in the first constraint of System (12) is always non-positive, whereas r_i in the second constraint is always non-negative. After basic algebraic manipulations, the SERM problem becomes the following optimization problem:

maximize ε subject to
  w · x_i + b ≥ (−r_i) · l*_{x_i}(w) for all i with y_i = 1,
  w · x_i + b ≤ −(r_i + ε) · l*_{x_i}(w) for all i with y_i = −1.   (15)

This is again not a convex feasibility problem, due to the non-convex term (r_i + ε) · l*_{x_i}(w); however, for any fixed ε > 0 both families of constraints are convex. Moreover, if the system is feasible for some ε_0 > 0, then it is feasible for any 0 < ε ≤ ε_0. Therefore, we can determine the feasibility of the (convex) system for any fixed ε and then binary search for the largest feasible ε. Consequently, the feasibility problem in System (12) can be solved in polynomial time.
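For the adversarial case, the fixed-ε subproblem is a convex (second-order-cone) feasibility check when each cost is a Euclidean norm. The sketch below is ours, assuming cvxpy and our reconstruction of System (12); since the feasible set is a cone in (w, b), we certify a non-degenerate solution w ≠ 0 by maximizing each signed coordinate of w, and wrap the check in the binary search over ε described above.

```python
import numpy as np
import cvxpy as cp

def feasible_at(eps, X, y, r):
    """Fixed-eps subproblem of System (12) with c(z; x) = ||z - x||_2,
    so l*_x(w) = ||w||_2; assumes r_i <= 0 when y_i = +1 and r_i >= 0
    when y_i = -1 (the adversarial case).  Both constraint families
    are convex once eps is fixed."""
    w, b = cp.Variable(X.shape[1]), cp.Variable()
    cons = [cp.norm(w, 2) <= 1]
    for xi, yi, ri in zip(X, y, r):
        if yi == 1:
            cons.append(xi @ w + b >= -ri * cp.norm(w, 2))
        else:
            cons.append(xi @ w + b <= -(ri + eps) * cp.norm(w, 2))
    # the system is positively homogeneous in (w, b): it has a solution
    # with l*(w) = 1 iff it has one with w != 0, which we certify by
    # maximizing each signed coordinate of w over the feasible cone
    for i in range(X.shape[1]):
        for sign in (1.0, -1.0):
            prob = cp.Problem(cp.Maximize(sign * w[i]), cons)
            prob.solve()
            if prob.value is not None and prob.value > 1e-7:
                return True
    return False

def max_feasible_eps(X, y, r, eps_hi=10.0, tol=1e-4):
    """Binary search for the largest feasible eps, using monotonicity:
    feasibility at eps_0 > 0 implies feasibility on all of (0, eps_0]."""
    lo, hi = 0.0, eps_hi
    while hi - lo > tol:
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if feasible_at(mid, X, y, r) else (lo, mid)
    return lo
```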
Proof. We start with Situation 1, i.e., the preferences are arbitrary but the cost function is c(z; x) = ‖x − z‖_2. We will show later that the second situation can be reduced from the first. In the first situation, the feasibility problem is System (13) with l as the l_2 norm. Our reduction starts by reducing this system to the following optimization problem (OP):

maximize ‖w‖²_2 subject to
  x_i · w + b ≥ −r_i for points (x_i, r_i) with label 1,
  x_i · w + b ≤ −r_i − ε for points (x_i, r_i) with label −1,   (16)
  ‖w‖_2 ≤ 1.

Formally, we claim that for any fixed ε, System (13) is feasible if and only if OP (16) has optimal objective value 1. The "if" direction is simple: if OP (16) has optimal objective value 1, then the optimal solution (w*, b*) is automatically a feasible solution to System (13), because ‖w*‖_2 = 1. For the "only if" direction, let (w̄, b̄) be any feasible solution to System (13); then it is easy to verify that w* = w̄/‖w̄‖_2 and b* = b̄/‖w̄‖_2 must also be feasible to System (13). Moreover, it is an optimal solution to OP (16) with objective value 1, as desired.

We now prove that determining whether the optimal objective value of OP (16) equals 1 is NP-complete. We reduce from the following well-known NP-complete problem, the partition problem: given d positive integers c_1, …, c_d, decide whether there exists a subset S ⊂ [d] such that Σ_{i∈S} c_i = Σ_{i∉S} c_i.

We now reduce the partition problem to solving OP (16). Given any instance of the partition problem, construct the following SERM instance.

The Constructed Hard SERM Instance for Situation 1: There are n = 2d + 3 data points with feature vectors from R^d. For convenience, we use e_i to denote the basis vector in R^d whose entries are all 0 except that the i-th is 1, and c = (c_1, …, c_d) to denote the vector of the given integers. For each i ∈ [d], there is a data point (x, y, r) = (2√d · e_i, 1, 4) as well as a data point (√d · e_i, −1, 1 − ε). The remaining three data points are (c, 1, 2), (2c, −1, 2 − ε), and (3c, 1, 2).

We claim that OP (16) instantiated with the above constructed instance has optimal objective value 1 if and only if the answer to the given partition problem is Yes. We first prove the "if" direction. If the partition problem is a Yes instance, then there exists an S such that Σ_{i∈S} c_i − Σ_{i∉S} c_i = 0. We argue that the following construction is an optimal solution to OP (16) with optimal objective value 1:

  w*_i = 1/√d for i ∈ S,   w*_i = −1/√d for i ∉ S,   b* = −2.

Clearly, ‖w*‖²_2 = 1, so we only need to prove the feasibility of (w*, b*). For any label-1 point (x, r) = (2√d · e_i, 4), we have 2√d · w*_i + b* = ±2 − 2 ≥ −4 = −r; for any label-(−1) point (√d · e_i, 1 − ε), we have √d · w*_i + b* = ±1 − 2 ≤ −(1 − ε) − ε = −1. The feasibility of the point (c, 2) with label 1 is argued as follows:

  c · w* + b* = (Σ_{i∈S} c_i − Σ_{i∉S} c_i)/√d − 2 = −2 ≥ −2.

The feasibility of (2c, 2 − ε) and (3c, 2) is verified similarly.

We now prove the "only if" direction. In particular, we prove that if OP (16) has some optimal solution (w*, b*) with ‖w*‖²_2 = 1, then the partition instance must be a Yes instance. Let us first examine the feasibility constraints of OP (16):

1. By the constraints with respect to the positive-label data points (2√d · e_i, 4), we have 2√d · w_i + b ≥ −4 for every i ∈ [d].
2. By the constraints with respect to the negative-label data points (√d · e_i, 1 − ε), we have √d · w_i + b ≤ −(1 − ε) − ε = −1 for every i ∈ [d].
3. By the constraint with respect to the data point (c, 2) with label 1, we have c · w + b ≥ −2, or equivalently −2 − b ≤ c · w.
4. By the constraint with respect to the data point (2c, 2 − ε) with label −1, we have 2c · w + b ≤ −2, or equivalently −2 − b ≥ 2c · w.
5. By the constraint with respect to the data point (3c, 2) with label 1, we have 3c · w + b ≥ −2, or equivalently −2 − b ≤ 3c · w.

Points 3–5 imply 2c · w ≤ −2 − b ≤ min{c · w, 3c · w}. This must imply c · w = 0, as no non-zero value of c · w can satisfy 2c · w ≤ min{c · w, 3c · w}. As a consequence, the only feasible value of b is b = −2. Plugging b = −2 into Points 1 and 2, we have −1/√d ≤ w*_i ≤ 1/√d for every i ∈ [d]. Since the optimal objective value is 1 = Σ_i (w*_i)², it is easy to see that this optimum is achieved only when each w*_i equals either −1/√d or 1/√d. Take S = {i : w*_i > 0}; since c · w* = 0, it is easy to verify that S is a solution to the partition problem, implying that it is a Yes instance. This proves the NP-hardness for Situation 1 stated in the theorem.

Finally, we consider Situation 2, which can be reduced from the first situation. In particular, the hard instance constructed above has reward preferences that are all positive (in fact, drawn from only three possible values {1, 2, 4}, up to the slack ε), but they do not satisfy the essentially adversarial condition. However, if we are allowed to use instance-wise cost functions, we can simply scale down the reward preference of each point with label 1 and proportionally scale down its cost function, so that the right-hand side of the first constraint in System (13) remains the same. Concretely, we modify the constructed instance as follows.

The Constructed Hard SERM Instance for Situation 2: We still have n = 2d + 3 data points with feature vectors from R^d. For each i ∈ [d], there is a data point (x, y, r) = (2√d · e_i, 1, 0.5) with cost function c(z; x) = (1/8)‖z − x‖_2, as well as a data point (√d · e_i, −1, 1 − ε) with cost function c(z; x) = ‖z − x‖_2. The remaining three data points are: (1) the data point (c, 1, 0.5) with cost function c(z; x) = (1/4)‖z − x‖_2; (2) the data point (2c, −1, 2 − ε) with cost function c(z; x) = ‖z − x‖_2; (3) the data point (3c, 1, 0.5) with cost function c(z; x) = (1/4)‖z − x‖_2. It is easy to verify that the above instance satisfies the essentially adversarial condition of Situation 2 in the theorem statement (min− = 1 − ε ≥ 0.5 = max+) and is equivalent to the instance we constructed for the first situation; thus Situation 2 is also NP-hard.
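As a sanity check on the "if" direction of the reduction (using our reconstruction of the constraint forms in OP (16), including the ε slack on negative points), the following sketch verifies that for a Yes instance of partition, the candidate solution w*_i = ±1/√d, b* = −2 satisfies every constraint with ‖w*‖²_2 = 1.

```python
import numpy as np

c = np.array([3.0, 1.0, 1.0, 2.0, 3.0])   # Yes instance: 3 + 2 = 1 + 1 + 3
S = {0, 3}                                 # indices whose c_i sum to half
d, eps, tol = len(c), 0.1, 1e-9

w = np.array([1.0 if i in S else -1.0 for i in range(d)]) / np.sqrt(d)
b = -2.0
checks = [abs(w @ w - 1.0) < tol]          # objective ||w*||_2^2 = 1

for i in range(d):
    e = np.eye(d)[i]
    checks.append(2 * np.sqrt(d) * (e @ w) + b >= -4 - tol)            # (2sqrt(d)e_i, +1, 4)
    checks.append(np.sqrt(d) * (e @ w) + b <= -(1 - eps) - eps + tol)  # (sqrt(d)e_i, -1, 1-eps)

checks.append(c @ w + b >= -2 - tol)                                   # (c,  +1, 2)
checks.append(2 * c @ w + b <= -(2 - eps) - eps + tol)                 # (2c, -1, 2-eps)
checks.append(3 * c @ w + b >= -2 - tol)                               # (3c, +1, 2)
assert all(checks)
```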