Adversarial Training in RKHS

• Adversarial training in RKHS is a framework that uses kernel-induced norms to constrain function sensitivity and mitigate worst-case input perturbations.
• It introduces feature-space perturbation strategies that reformulate the min-max optimization into efficient, convex kernel ridge regression problems.
• Extensions to NTK evolution, multiple kernel learning, and manifold-based regularization provide practical insights for improving robustness and generalization.

Adversarial training in reproducing kernel Hilbert spaces (RKHS) is a class of methodologies that enhance model robustness to worst-case input perturbations—particularly adversarial attacks—by leveraging the geometric, functional, and regularization properties intrinsic to RKHS. The field encompasses classical input-space min-max formulations, RKHS-norm penalization strategies, information geometric regularization, and recent approaches shifting adversarial perturbations directly into the feature space. Collectively, these methods provide both theoretical foundations and practical optimization algorithms for robust learning, applicable to regression, classification, generative modeling, and multiple kernel scenarios.

1. Mathematical Foundations of Adversarial Training in RKHS

Adversarial training in RKHS generalizes the standard adversarial minimax objective into kernel-centric frameworks, exploiting the structure where functions $f$ reside in a Hilbert space induced by a positive-definite kernel $k$. The classic adversarial training objective for regression or classification is: $$\min_{f \in \mathcal{H}} \frac{1}{n} \sum_{i=1}^n \max_{\Delta x \in \Omega_x} \ell(y_i, f(x_i + \Delta x))$$ where $\ell(\cdot, \cdot)$ is the loss (e.g., squared, hinge, cross-entropy) and $\Omega_x$ is the allowed input perturbation set.

The RKHS norm $\|f\|_{\mathcal{H}}$ provides a natural regularization mechanism: $$|f(x) - f(x')| \leq \|f\|_{\mathcal{H}} \cdot \|\Phi(x) - \Phi(x')\|_{\mathcal{H}}$$ with $\Phi$ the kernel feature map. A small RKHS norm constrains the Lipschitz constant, ensuring stability under input perturbations—fundamental for adversarial robustness.

Computing the RKHS norm directly is typically intractable for deep models. Practical approaches employ lower and upper bound approximations for regularization (Bietti et al., 2018), such as:

• Adversarial lower bound: $$\|f\|_{\mathcal{H}} \geq \sup_{x \in \mathcal{X}, \|\delta\|_2 \leq \epsilon} |f(x + \delta) - f(x)|$$
• Gradient penalty: $$\|f\|_{\mathcal{H}} \geq \sup_{x \in \mathcal{X}} \|\nabla f(x)\|_2$$
• Spectral norm upper bounds: Through layer-wise kernel norm proxies.

These regularization terms are frequently added to the empirical risk minimization objective. Recent advances shift the min-max structure into RKHS itself by considering feature-space perturbations (Ribeiro et al., 23 Oct 2025), resulting in convex reformulations with efficient solvers.

2. Feature-Space Adversarial Perturbations and Efficient Optimization

The approach introduced by "Kernel Learning with Adversarial Features" (Ribeiro et al., 23 Oct 2025) reformulates adversarial training by translating input-space attacks to the feature space of RKHS. For $f \in \mathcal{H}$ expressed as $f(x) = \langle f, \phi(x) \rangle_{\mathcal{H}}$, the adversarial formulation becomes

$$\min_{f \in \mathcal{H}} \frac{1}{n} \sum_{i=1}^n \max_{d \in \Omega_{\mathcal{H}}} (y_i - \langle f, \phi(x_i) + d \rangle)^2 \quad \text{with} \quad \Omega_{\mathcal{H}} = \{d: \|d\|_{\mathcal{H}} \leq \delta\}$$

The closed-form solution for the inner maximization yields

$$\max_{d \in \Omega_{\mathcal{H}}} (y - \langle f, \phi(x) + d \rangle)^2 = (|y - f(x)| + \delta \|f\|_{\mathcal{H}})^2$$

leading to an efficient convex minimization problem akin to kernel ridge regression but inherently robust: $$\min_{f \in \mathcal{H}} \frac{1}{n} \sum_{i=1}^n (|y_i - f(x_i)| + \delta \|f\|_{\mathcal{H}})^2$$

The optimization is performed via a block-coordinate algorithm that alternates between weight updates and solving reweighted kernel ridge regression. The "η-trick" variational formulation enables efficient iteration: $$(|y - f(x)| + \delta\|f\|_{\mathcal{H}})^2 = \min_{\eta^0, \eta^1 > 0, \eta^0+\eta^1=1} \left[ \frac{(y - f(x))^2}{\eta^0} + \frac{\delta^2 \|f\|^2_{\mathcal{H}}}{\eta^1} \right]$$ This algorithm avoids nested min-max gradient computations typical in input-space adversarial training.

3. Regularization for Robustness and Generalization

RKHS-based adversarial training can induce overfitting if the regularization parameter $\lambda$ is not properly chosen, especially in the "ridgeless" limit ($\lambda \rightarrow 0$). As shown in (Zhang et al., 2023), the correction term introduced by adversarial training amplifies the RKHS norm and increases the model's Lipschitz constant, resulting in high generalization error and sensitivity.

A limiting formula describes adversarial and noise-augmented kernel regression estimators: $$g_\lambda = \hat{f}_0 + \left(P_{K_X^\perp}^T P_{K_X^\perp} + \frac{\lambda}{\epsilon^2}I\right)^{-1}P_{K_X^\perp}^T P_{K_X}\hat{f}_0$$ where $P_{K_X^\perp}$ projects onto the orthogonal complement of the kernel matrix at training points and $\epsilon$ denotes the noise/attack size.

Appropriate regularization, with $\lambda \sim \epsilon^2$, prevents overfitting and yields estimators with improved robustness and lower generalization error than standard kernel regression. Early stopping can further mitigate complexity and sensitivity (Zhang et al., 2023).

4. Extensions to Multiple Kernel Learning and Distributionally Robust Optimization

Multiple kernel learning (MKL) generalizes RKHS adversarial training to models involving a sum of RKHSs: $\mathcal{H} = \bigoplus_{j=1}^D \mathcal{H}_j$ (Ribeiro et al., 23 Oct 2025, Khuzani et al., 2019). The adversarial formulation with feature-space perturbations becomes

$$\min_{f \in \overline{\mathcal{H}}} \frac{1}{n} \sum_{i=1}^n \max_{d \in \Omega_{\overline{\mathcal{H}}}} (y_i - \langle f, \phi(x_i) + d \rangle)^2$$

with $d$ constrained in each RKHS ball. The closed-form min-max solution

$$(|y - \sum_j f_j(x)| + \delta \sum_j \|f_j\|_{\mathcal{H}_j})^2$$

allows application of iterative reweighted kernel ridge regression for simultaneous estimation of both model weights and kernel mixtures.

Distributionally robust kernel learning leverages KL-divergence balls around the empirical input distribution and recasts kernel-target alignment as a saddle-point optimization (Khuzani et al., 2019). The robust empirical estimator is provably consistent and admits generalization bounds based on Rademacher or Gaussian complexities, improved by matrix concentration inequalities.

5. Adversarial Training for SVMs and Doubly Stochastic Gradient Methods

Adversarial robustness in kernel SVMs is addressed by establishing connections between input space and RKHS feature perturbations (Wu et al., 2021). The worst-case margin shift in feature space is upper bounded by a function of the kernel: $$\sup_{\|\delta\| \leq c} \langle w, \phi(x + \delta) \rangle \leq \sup_{\|\delta_\phi\|_{\mathcal{H}} \leq \epsilon'} \langle w, \phi(x) + \delta_\phi \rangle$$ where $\epsilon' = \sqrt{2f(0) - 2f(c)}$ for $k(x, x') = f(\|x - x'\|)$.

The corresponding adversarial SVM loss is

$$\min_{w \in \mathcal{H}, b} \frac{1}{2}\|w\|^2 + \frac{C}{n}\sum_{i=1}^n [1 - y_i \langle w, \phi(x_i) \rangle + \epsilon' \|w\| - y_i b]_+$$

Training is efficiently performed with doubly stochastic gradients, approximating both data and kernel computations via random sampling and feature maps. Theoretical analysis guarantees $O(1/t)$ convergence rates, comparable computational efficiency to non-robust DSG algorithms, and scalability to large datasets (Wu et al., 2021).

6. Adversarial Training in Deep Neural Networks: Kernel Perspectives and NTK Evolution

Recent work connects kernel methods and adversarial robustness in deep networks through the Neural Tangent Kernel (NTK) (Loo et al., 2022, Li et al., 2023). In the infinite-width limit, the NTK is fixed; in finite-width networks, feature learning occurs via fast evolution of the NTK during early epochs ("kernel learning" phase), then stabilizes ("lazy training"). Adversarial training induces a distinct NTK with higher effective rank and broader feature sharing across classes, producing models with substantial robustness.

Empirical studies demonstrate that adversarially trained NTKs confer robustness even when subsequent fitting is performed non-adversarially, e.g. achieving $76.1\%$ robust accuracy on CIFAR-10 under PGD attack ($\epsilon=4/255$) (Loo et al., 2022). Observations of NTK metrics—kernel distance, effective rank, class-wise specialization—guide practical strategies like time-saving AT switches and remedies against catastrophic overfitting; e.g., introducing anisotropic noise during mini-batch training for improved kernel spectrum (Li et al., 2023).

Moreover, batch normalization using unbiased estimators stabilizes NTK evolution under adversarial examples, minimizing shift in the kernel and model predictions (Li et al., 2023). Kernel dynamics provide principled guidance for when to switch from standard to adversarial training in practice.

7. Connections to Manifold-Based Adversarial Training and Information-Geometric Regularization

Manifold adversarial training (MAT) (Zhang et al., 2018) extends adversarial objectives to perturbation and robustness in the distributional manifold of latent representations, modeled via Gaussian mixtures. The objective penalizes KL divergence in both output-space and latent-space GMMs: $$M_{KL}(x, \theta) = KL[P_{GM}(f(x, \theta)) || P_{GM}(f(x + \epsilon, \theta))]$$ This encourages smooth transition and discriminability in the latent manifold; empirical results show superior performance on MNIST and CIFAR-10, with improved clustering and robustness versus VAT, center loss, or softmax. Information geometric regularization in the latent space generalizes the RKHS norm regularization by directly quantifying the effects of perturbation on the latent distribution.

Summary Table: Principal Adversarial RKHS Methods

Paper / Method	Core Principle	Optimization Form / Features
(Zhang et al., 2018) Manifold Adv. Learning	KL divergence in GMM latent	Adversarially smooths output and manifold via KL in latent space
(Bietti et al., 2018) Kernel norm regularization	RKHS norm bounds	Lower/upper bound regularizers; margin-based generalization
(Wu et al., 2021) Adv-SVM DSG	Feature-space perturbations	DSG optimization, tractable kernel SVM robustification
(Ribeiro et al., 23 Oct 2025) Feature-space adversarial	Closed-form feature attacks	Reduces min-max to convex minimization via reweighting
(Loo et al., 2022) NTK evolution & robustness	NTK transformation	Robust kernels, linearized training, feature learning analysis

Adversarial training in RKHS has evolved to encompass direct feature-space perturbations—yielding computationally efficient, adaptively regularized estimators with provable bounds; sophisticated NTK-guided model selection and training; information-geometric regularization; and scalable robustification of kernel SVMs. Theory and experiments converge to show that appropriate regularization, visualization of kernel dynamics, and careful optimization design are essential for achieving simultaneously robust and generalizable models. Future research may further unify latent manifold regularization, RKHS-based feature perturbations, and NTK evolution in deep architectures.