# An Efficient Adversarial Attack for Tree Ensembles

NIPS 2020, (2020)

Abstract

We study the problem of efficient adversarial attacks on tree based ensembles such as gradient boosting decision trees (GBDTs) and random forests (RFs). Since these models are non-continuous step functions and gradient does not exist, most existing efficient adversarial attacks are not applicable. Although decision-based black-box attac...

Introduction

- It has been widely studied that machine learning models are vulnerable to adversarial examples (Szegedy et al, 2013; Goodfellow et al, 2015; Athalye et al, 2018), where a small imperceptible perturbation on the input can alter the prediction of a model.
- On the leaf tuple space the authors define the distance between two input examples to be the number of trees that have different prediction leaves, and define the neighborhood of a tuple to be all valid tuples within a small Hamming distance.

Highlights

- In this paper we study the problem of efficient adversarial attack on tree based ensembles such as gradient boosting decision trees (GBDT) and random forests (RFs), which have been widely used in practice (Chen, Guestrin, 2016; Ke et al, 2017; Zhang et al, 2017; Prokhorenkova et al, 2018)
- With the standard GBDT on the MNIST dataset with 10 classes and 200 trees per class, our method finds the adversarial example with only 2.07 times larger ℓ∞ perturbation than the optimal solution produced by MILP and only uses 0.237 seconds per test example, whereas MILP requires 375 seconds
- Exact solutions: In general, computing the exact solution for Eq (1) requires exponential time: Kantchelian et al (2015) showed that the problem is NP-complete for general ensembles and proposed a MILP-based method. On the other hand, faster algorithms exist for models of special form: Zhang et al (2020) restricted both the input and prediction of every tree t to binary values, f_t : {−1, 1}^d → {−1, 1}, and provided an integer linear program (ILP) based formulation about 4 times faster than Kantchelian et al (2015); Andriushchenko, Hein (2019) showed that the exact robustness of boosted decision stumps can be solved in polynomial time; Chen et al (2019b) proposed a polynomial time algorithm to solve a single decision tree
- We compare with the following existing adversarial attacks that are applicable to tree ensembles:
- We can see that our method provides a tight upper bound r_our compared to the exact r∗ from MILP, which means that the adversarial examples found are very close to the one with minimal adversarial perturbation, and our method achieved 1,000∼80,000x speedup on some large models such as HIGGS

Results

- With the standard GBDT on the MNIST dataset with 10 classes and 200 trees per class, the method finds the adversarial example with only 2.07 times larger ℓ∞ perturbation than the optimal solution produced by MILP and only uses 0.237 seconds per test example, whereas MILP requires 375 seconds.
- Neighbor(C) denotes the neighborhood space around C, which is a set of leaf tuples that are close to C under a given distance measure.
- The authors propose Leaf Tuple attack (LT-Attack) in Algorithm 1 that efficiently solves Eq (3) through two additional concepts, TBound(·) and Neighbor_1^(t)(·), as defined below.
- The outer loop iterates until no better adversarial example can be found, while the inner function generates the bound neighborhood with distance 1.
- The authors' LT-Attack enumerates all leaf tuples in the bound neighborhood at each iteration, so the complexity of each iteration largely depends on the size of NeighborBound(C).
- On the MNIST dataset with 784 features and 400 trees the authors have mean |NeighborBound(C)| ≈ 367.9, and the algorithm stops in ∼159.4 iterations when it cannot find a better neighborhood.
- The ensemble is likely to contain duplicate feature split thresholds even though it is defined on R^d; for example, it may come from the image space [255]^d and be scaled to R^d. Duplicate split thresholds are problematic since the authors cannot move across the threshold without affecting multiple trees. To overcome the issue the authors use a relaxed version of Neighbor_1(·) that allows changing multiple trees in one iteration, as long as the change is caused by the same split threshold.
- RBA-Appr (Yang et al, 2019): An approximate attack for tree ensembles that constructs adversarial examples by searching over training examples of the opposite class.
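
The leaf-tuple search described in the list above can be reproduced on a toy model to measure how close an input sits to the decision boundary. This is an added example, not the paper's code: the three-tree ensemble, the function names and the sample points are constructed, and it enumerates the full Hamming-distance-1 neighborhood rather than the paper's smaller NeighborBound(C).

```python
import itertools
import math

# Constructed toy ensemble (an assumption, not a model from the paper).
# Node = (feature, threshold, left, right); a leaf is a float score.
# x goes left when x[feature] < threshold; the label is sum(scores) > 0.
TREES = [(0, 0.5, -1.0, 1.0), (1, 0.5, -1.0, 1.0),
         (0, 0.8, (1, 0.2, -0.5, 0.2), 1.5)]
DIM = 2

def leaves(node, box=()):
    """Yield (constraints, score) per leaf; constraints are (feature, lo, hi)."""
    if not isinstance(node, tuple):
        yield box, node
        return
    f, t, left, right = node
    yield from leaves(left, box + ((f, -math.inf, t),))
    yield from leaves(right, box + ((f, t, math.inf),))

LEAVES = [list(leaves(t)) for t in TREES]

def score(tup):
    return sum(tree[i][1] for tree, i in zip(LEAVES, tup))

def dist_inf(tup, x0):
    """l-inf distance from x0 to the tuple's box; inf if the tuple is invalid."""
    lo, hi = [-math.inf] * DIM, [math.inf] * DIM
    for tree, i in zip(LEAVES, tup):
        for f, l, h in tree[i][0]:
            lo[f], hi[f] = max(lo[f], l), min(hi[f], h)
    if any(l >= h for l, h in zip(lo, hi)):
        return math.inf  # boxes do not intersect: no input reaches this tuple
    return max(max(l - x, x - h, 0.0) for x, l, h in zip(x0, lo, hi))

def leaf_tuple(x):
    return tuple(next(i for i, (box, _) in enumerate(tree)
                      if all(l <= x[f] < h for f, l, h in box)) for tree in LEAVES)

def neighbors1(tup):
    """All tuples at Hamming distance 1: exactly one tree changes leaf."""
    for t, tree in enumerate(LEAVES):
        for i in range(len(tree)):
            if i != tup[t]:
                yield tup[:t] + (i,) + tup[t + 1:]

def greedy_bound(x0, start):
    """Descend from an already-misclassified point toward x0, one tree at a time."""
    y, cur = score(leaf_tuple(x0)) > 0, leaf_tuple(start)
    while True:
        flips = [n for n in neighbors1(cur) if (score(n) > 0) != y]
        best = min(flips, key=lambda n: dist_inf(n, x0), default=cur)
        if dist_inf(best, x0) >= dist_inf(cur, x0):
            return cur, dist_inf(cur, x0)
        cur = best

def exact_bound(x0):
    """Exponential brute force over every leaf tuple, for comparison."""
    y = score(leaf_tuple(x0)) > 0
    return min(dist_inf(c, x0) for c in itertools.product(*map(range, map(len, LEAVES)))
               if (score(c) > 0) != y)
```

On this toy model the greedy bound equals the brute-force optimum; on real ensembles the greedy result is only an upper bound on the minimal perturbation, which is the r_our versus r∗ comparison the page reports.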

Conclusion

- Cube (Andriushchenko, Hein, 2019): An empirical attack for tree ensembles that constructs adversarial examples by stochastically changing a few coordinates to the ℓ∞ boundary, and accepts the change if it decreases the functional margin.
- The authors can see that the method provides a tight upper bound r_our compared to the exact r∗ from MILP, which means that the adversarial examples found are very close to the one with minimal adversarial perturbation, and the method achieved 1,000∼80,000x speedup on some large models such as HIGGS.

- Table 1: Key differences to prior adversarial attacks that are applicable to general tree ensembles
- Table 2: Average ℓ2 perturbation over 500 test examples on the standard (natural) GBDT models. ("*"): For a fair comparison we disabled the random noise optimization discussed in §3.5. Our LT-Attack searches in a subspace of NaiveLeaf so r_our is slightly larger, but it is significantly faster
- Table 3: Average ℓ∞ and ℓ2 perturbation of 500 test examples (or the entire test set when its size is less than 500) on standard (natural) GBDT models. Datasets are ordered by training data size. Bold and blue highlight the best and the second best entries respectively (not including MILP)
- Table 4: Average ℓ∞ and ℓ2 perturbation of 5000 test examples (or the entire test set when its size is less than 5000) on robustly trained GBDT models. Datasets are ordered by training data size. Bold and blue highlight the best and the second best entries respectively (not including MILP). ("*" / " "): Average of 1000 / 500 examples due to long running time
- Table 5: Average ℓ2 perturbation over 100 test examples on the standard (natural) random forests (RF) models. Datasets are ordered by training data size. Bold and blue highlight the best and the second best entries respectively (not including MILP)
- Table 6: The average complexity statistics for |NeighborBound(·)| from 500 test examples
- Table 7: Parameters and statistics for datasets and the standard (natural) RFs
- Table 8: Average ℓ∞ perturbation over 100 test examples on the standard (natural) random forests (RF) models. Datasets are ordered by training data size. Bold and blue highlight the best and the second best entries respectively (not including MILP)
- Table 9: Average ℓ1 perturbation over 50 test examples on the standard (natural) GBDT models and robustly trained GBDT models. Datasets are ordered by training data size. Bold and blue highlight the best and the second best entries respectively (not including MILP and Verification)
- Table 10: Average ℓ∞ and ℓ2 perturbation over 500 test examples on the standard (natural) GBDT models and robustly trained GBDT models. ("*"): Average of 50 examples due to long running time
- Table 11: Convergence statistics for the standard (natural) GBDT models between our solution and the optimum MILP solution. We collect the data after the fine-grained binary search but before applying LT-Attack (Initial), and the data after LT-Attack (Converged). We disabled the random noise optimization discussed in §3.5

Funding

- We acknowledge the support by NSF IIS-1901527, IIS-2008173, ARL-0011469453, Google Cloud and Facebook

Study subjects and analysis

datasets: 10

Intuitively we could reach a far away adversarial tuple through a series of smaller updates, based on the fact that each tree makes prediction independently. In experiments, we compare ℓ1, ℓ2 and ℓ∞ norm perturbation metrics across 10 datasets, and show that our method is thousands of times faster than MILP (Kantchelian et al, 2015) on most of the large ensembles, and 3∼72x faster than decision based and empirical attacks on all datasets while achieving a smaller distortion. For instance, with the standard (natural) GBDT on the MNIST dataset with 10 classes and 200 trees per class, our method finds the adversarial example with only 2.07 times larger ℓ∞ perturbation than the optimal solution produced by MILP and only uses 0.237 seconds per test example, whereas MILP requires 375 seconds

public datasets: 9

4 Experimental Results. We evaluate the proposed algorithm on 9 public datasets (Smith et al, 1988; Lecun et al, 1998; Chang, Lin, 2011; Wang et al, 2012; Baldi et al, 2014; Xiao et al, 2017; Dua, Graff, 2017) with both the standard (natural) GBDT and RF models, and on an additional 10th dataset (Bosch, 2016) with.

Reference

- Andriushchenko Maksym, Hein Matthias. Provably robust boosted decision stumps and trees against adversarial attacks // Advances in Neural Information Processing Systems 32. 2019. 13017–13028.
- Athalye Anish, Carlini Nicholas, Wagner David A. Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples // ICML. 2018.
- Baldi Pierre, Sadowski Peter, Whiteson D. O. Searching for exotic particles in high-energy physics with deep learning // Nature communications. 2014. 5. 4308.
- Bosch. Bosch Production Line Performance. 2016. https://www.kaggle.com/c/bosch-production-line-performance/data.
- Brendel Wieland, Rauber Jonas, Bethge Matthias. Decision-Based Adversarial Attacks: Reliable Attacks Against Black-Box Machine Learning Models // International Conference on Learning Representations. 2018.
- Brunner Thomas, Diehl Frederik, Truong-Le Michael, Knoll Alois. Guessing Smart: Biased Sampling for Efficient Black-Box Adversarial Attacks // 2019 IEEE/CVF International Conference on Computer Vision (ICCV). 2018. 4957–4965.
- Carlini Nicholas, Wagner David A. Towards Evaluating the Robustness of Neural Networks // 2017 IEEE Symposium on Security and Privacy (SP). 2017. 39–57.
- Chang Chih-Chung, Lin Chih-Jen. LIBSVM: A library for support vector machines // ACM Transactions on Intelligent Systems and Technology. 2011. 2. 27:1–27:27. Software available at http://www.csie.ntu.edu.tw/~cjlin/libsvm.
- Chen Hongge, Zhang Huan, Boning Duane S., Hsieh Cho-Jui. Robust Decision Trees Against Adversarial Examples // ICML. 2019a. 1122–1131.
- Chen Hongge, Zhang Huan, Si Si, Li Yang, Boning Duane, Hsieh Cho-Jui. Robustness Verification of Tree-based Models // Advances in Neural Information Processing Systems 32. 2019b. 12317–12328.
- Chen Jianbo, Jordan Michael I., Wainwright Martin J. HopSkipJumpAttack: A Query-Efficient Decision-Based Adversarial Attack // arXiv preprint arXiv:1904.02144. 2019c.
- Chen Pin-Yu, Zhang Huan, Sharma Yash, Yi Jinfeng, Hsieh Cho-Jui. ZOO: Zeroth Order Optimization Based Black-box Attacks to Deep Neural Networks without Training Substitute Models // Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security. 2017.
- Chen Tianqi, Guestrin Carlos. XGBoost: A Scalable Tree Boosting System // Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York, NY, USA: Association for Computing Machinery, 2016. 785–794. (KDD ’16).
- Chen Yizheng, Wang Shiqi, Jiang Weifan, Cidon Asaf, Jana Suman. Training Robust Tree Ensembles for Security. 2019d.
- Cheng Minhao, Le Thong, Chen Pin-Yu, Zhang Huan, Yi JinFeng, Hsieh Cho-Jui. Query-Efficient Hard-label Black-box Attack: An Optimization-based Approach // International Conference on Learning Representations. 2019.
- Cheng Minhao, Singh Simranjit, Chen Patrick H., Chen Pin-Yu, Liu Sijia, Hsieh Cho-Jui. SignOPT: A Query-Efficient Hard-label Adversarial Attack // International Conference on Learning Representations. 2020.
- Dua Dheeru, Graff Casey. UCI Machine Learning Repository. 2017.
- Goodfellow Ian J., Shlens Jonathon, Szegedy Christian. Explaining and Harnessing Adversarial Examples // CoRR. 2015. abs/1412.6572.
- Gurobi Optimization LLC. Gurobi Optimizer Reference Manual. 2020.
- Ilyas Andrew, Engstrom Logan, Athalye Anish, Lin Jessy. Black-box Adversarial Attacks with Limited Queries and Information // ICML. 2018.
- Kantchelian Alex, Tygar J. Doug, Joseph Anthony D. Evasion and Hardening of Tree Ensemble Classifiers // ICML. 2015.
- Ke Guolin, Meng Qi, Finley Thomas, Wang Taifeng, Chen Wei, Ma Weidong, Ye Qiwei, Liu Tie-Yan. LightGBM: A Highly Efficient Gradient Boosting Decision Tree // Advances in Neural Information Processing Systems 30. 2017. 3146–3154.
- Lecun Y., Bottou L., Bengio Y., Haffner P. Gradient-based learning applied to document recognition // Proceedings of the IEEE. 1998. 86, 11. 2278–2324.
- Lee Guang-He, Yuan Yang, Chang Shiyu, Jaakkola Tommi. Tight Certificates of Adversarial Robustness for Randomly Smoothed Classifiers // Advances in Neural Information Processing Systems 32. 2019. 4910–4921.
- Madry Aleksander, Makelov Aleksandar, Schmidt Ludwig, Tsipras Dimitris, Vladu Adrian. Towards Deep Learning Models Resistant to Adversarial Attacks // International Conference on Learning Representations. 2018.
- Prokhorenkova Liudmila, Gusev Gleb, Vorobev Aleksandr, Dorogush Anna Veronika, Gulin Andrey. CatBoost: unbiased boosting with categorical features // Advances in neural information processing systems. 2018. 6638–6648.
- Smith J. Walter, Everhart James E., Dickson William C., Knowler William C, Johannes Richard S. Using the ADAP Learning Algorithm to Forecast the Onset of Diabetes Mellitus // Proceedings of the Annual Symposium on Computer Application in Medical Care. 1988.
- Szegedy Christian, Zaremba Wojciech, Sutskever Ilya, Bruna Joan, Erhan Dumitru, Goodfellow Ian J., Fergus Rob. Intriguing properties of neural networks // CoRR. 2013. abs/1312.6199.
- Tu Chun-Chen, Ting Pai-Shun, Chen Pin-Yu, Liu Sijia, Zhang Huan, Yi Jinfeng, Hsieh Cho-Jui, Cheng Shin-Ming. AutoZOOM: Autoencoder-based Zeroth Order Optimization Method for Attacking Black-box Neural Networks // AAAI. 2018.
- Wang De, Irani Danesh, Pu Calton. Evolutionary study of web spam: Webb Spam Corpus 2011 versus Webb Spam Corpus 2006 // 8th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom). 2012. 40–49.
- Wang Yihan, Zhang Huan, Chen Hongge, Boning Duane, Hsieh Cho-Jui. On Lp-norm Robustness of Ensemble Decision Stumps and Trees // ICML. 2020.
- Xiao Han, Rasul Kashif, Vollgraf Roland. Fashion-MNIST: a Novel Image Dataset for Benchmarking Machine Learning Algorithms. 2017.
- Yang Yao-Yuan, Rashtchian Cyrus, Wang Yizhen, Chaudhuri Kamalika. Robustness for Non-Parametric Classification: A Generic Attack and Defense. 2019.
- Zhang Fuyong, Wang Yi, Liu Shigang, Wang Hua. Decision-based evasion attacks on tree ensemble classifiers // World Wide Web. 04 2020.
- Zhang Huan, Si Si, Hsieh Cho-Jui. GPU-acceleration for Large-scale Tree Boosting // arXiv preprint arXiv:1706.08359. 2017.
