Adversarial example (AE) is an attack method for machine learning, which is
crafted by adding imperceptible perturbation to the data inducing
misclassification. In the current paper, we investigated the upper bound of the
probability of successful AEs based on the Gaussian Process (GP)
classification. We proved a new upper bound that depends on AE's perturbation
norm, the kernel function used in GP, and the distance of the closest pair with
different labels in the training dataset. Surprisingly, the upper bound is
determined regardless of the distribution of the sample dataset. We showed that
our theoretical result was confirmed through the experiment using ImageNet. In
addition, we showed that changing the parameters of the kernel function induces
a change of the upper bound of the probability of successful AEs.

该研究选择了对抗样本（AE）作为机器学习的一种攻击方法，通过对数据添加不可感知的扰动来诱导错分。研究通过使用高斯过程（GP）分类，探究了成功 AE 的概率上限，并证明了该上限取决于 AE 的扰动范数、GP 中使用的核函数以及训练数据集中不同标签最近对之间的距离。令人惊讶的是，该上限并不依赖于样本数据集的分布情况。通过在 ImageNet 上进行的实验证明了我们的理论结果，并展示了改变核函数参数会导致成功 AE 概率上限的变化。