Appendix A contains details on the experiments conducted throughout this paper. Details regarding the datasets used in the experiments are included in Table 2. All of the attacks are run on an Ubuntu (16.04) cluster with Y ang et al. [2020] uses Gurobi as the solver. For GeoAdEx, we choose to compute distance to cell and set m to 20 and applied a time limit of 100 seconds per test point. Wang et al. [2019] is generally the fastest, and GeoAdEx is faster than Y ang et al.

Adversarial examples are a widely studied phenomenon in machine learning models.

Adversarial examples are a widely studied phenomenon in machine learning models. While most of the attention has been focused on neural networks, other practical models also suffer from this issue. In this work, we propose an algorithm for evaluating the adversarial robustness of $k$-nearest neighbor classification, i.e., finding a minimum-norm adversarial example. Diverging from previous proposals, we take a geometric approach by performing a search that expands outwards from a given input point. On a high level, the search radius expands to the nearby Voronoi cells until we find a cell that classifies differently from the input point. To scale the algorithm to a large $k$, we introduce approximation steps that find perturbations with smaller norm, compared to the baselines, in a variety of datasets. Furthermore, we analyze the structural properties of a dataset where our approach outperforms the competition.