- The paper addresses adversarial evasion vulnerabilities in tree ensemble classifiers and proposes algorithms to find evasive instances and a technique called adversarial boosting to improve their robustness.
- The authors propose an exact algorithm using Mixed Integer Linear Programming and an efficient approximate coordinate descent method to find adversarial instances for tree ensembles across various distance metrics.
- Empirical evaluation shows tree ensembles are vulnerable to evasion, but adversarial boosting significantly reduces susceptibility, although trade-offs exist for different perturbation metrics.
Evasion and Hardening of Tree Ensemble Classifiers
The paper "Evasion and Hardening of Tree Ensemble Classifiers" by Kantchelian, Tygar, and Joseph addresses the critical topic of adversarial vulnerabilities in machine learning classifiers, specifically focusing on tree ensemble models like boosted trees and random forests. These models have demonstrated significant success across various domains but exhibit susceptibility to adversarial evasion, a concern that the authors aim to address with both novel algorithms and hardening techniques.
The authors propose two algorithms to compute evasion instances for tree ensemble classifiers. The first, an exact algorithm, formulates evasion as a Mixed Integer Linear Program (MILP): the leaf each tree ends in is encoded with binary variables, the threshold tests along the root-to-leaf paths become linear constraints, and the objective minimizes the distance between the original point and the perturbed one subject to the ensemble's score crossing the decision boundary. The formulation supports several distance metrics, including L0, L1, L2 and L∞, giving fine-grained control over the kind of perturbation being optimized. The attacks operate directly in the classifier's feature space and do not constrain which feature vectors an application could actually realize; this is a deliberate choice, since the goal is to measure the intrinsic robustness of the model rather than the difficulty of a particular feature extraction pipeline. The practical caveat is that a feature-space evasion is a lower bound on attacker effort, and a concrete attack must still produce an input that maps to the perturbed feature vector.
Because solving the exact MILP is expensive for large ensembles, the authors also introduce a second algorithm that gives up the optimality guarantee for speed. It relies on symbolic prediction: holding all other features fixed, the ensemble's score is a piecewise-constant function of a single feature whose breakpoints are that feature's split thresholds, so the effect of every possible change to one feature can be read off without re-running the ensemble for each trial value. Coordinate descent then repeatedly applies the single-feature change that moves the score most toward the decision boundary per unit of distance, yielding a fast evasion method that is not guaranteed to find the closest evading point.
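The following is an added example, not code from the paper: a hand-built toy ensemble with two evasion searches in the spirit of the two algorithms above. The exhaustive search enumerates every cell of the axis-aligned partition that the ensemble induces and recovers the true minimum-L1 evasion (the paper does this with a MILP; enumeration only works for toy models), and the greedy coordinate-descent search uses the one-axis "symbolic prediction" idea to pick its moves. The trees, the starting point, the `<=`-goes-left split convention, the additive leaf scores and the rule "class 1 iff score > 0" are all assumptions made for the example.

```python
"""Added example (not from the paper): exhaustive vs. coordinate-descent
evasion of a small, hand-constructed additive tree ensemble."""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional


@dataclass
class Node:
    feature: Optional[int] = None   # None marks a leaf
    threshold: float = 0.0          # internal node: go left if x[feature] <= threshold
    left: Optional["Node"] = None
    right: Optional["Node"] = None
    value: float = 0.0              # leaf: contribution to the ensemble score


def leaf(v: float) -> Node:
    return Node(value=v)


def split(f: int, t: float, l: Node, r: Node) -> Node:
    return Node(feature=f, threshold=t, left=l, right=r)


# Constructed toy ensemble (assumption: 2 features, predicted class 1 iff score > 0).
TREES: List[Node] = [
    split(0, 0.5, leaf(-1.0), leaf(1.0)),
    split(1, 0.3, leaf(-0.5), split(0, 0.8, leaf(0.2), leaf(0.9))),
    split(0, 0.2, leaf(-0.7), split(1, 0.6, leaf(0.3), leaf(0.6))),
]
EPS = 1e-6   # smallest step that crosses a "<=" threshold from below


def predict_tree(node: Node, x: List[float]) -> float:
    while node.feature is not None:
        node = node.left if x[node.feature] <= node.threshold else node.right
    return node.value


def score(trees: List[Node], x: List[float]) -> float:
    return sum(predict_tree(t, x) for t in trees)


def thresholds(trees: List[Node], j: int) -> List[float]:
    """All split thresholds on feature j anywhere in the ensemble."""
    out, stack = set(), list(trees)
    while stack:
        n = stack.pop()
        if n.feature is None:
            continue
        if n.feature == j:
            out.add(n.threshold)
        stack.extend((n.left, n.right))
    return sorted(out)


def coordinate_candidates(trees: List[Node], x: List[float], j: int) -> List[float]:
    """Symbolic prediction along one axis: with the other features fixed, the
    score is piecewise constant in x[j] and only changes at its thresholds, so
    one probe per interval covers the whole 1-D function. For each interval
    (lo, hi] we return the point closest to x[j], the cheapest way to land in it."""
    ts = thresholds(trees, j)
    if not ts:
        return [x[j]]
    bounds = [(None, ts[0])] + list(zip(ts, ts[1:])) + [(ts[-1], None)]
    cands = []
    for lo, hi in bounds:
        if hi is not None and x[j] > hi:
            cands.append(hi)            # approach the interval from above
        elif lo is not None and x[j] <= lo:
            cands.append(lo + EPS)      # approach the interval from below
        else:
            cands.append(x[j])          # x[j] already lies in this interval
    return cands


def l1(x: List[float], y: List[float]) -> float:
    return sum(abs(a - b) for a, b in zip(x, y))


def exhaustive_evasion(trees, x):
    """Minimum-L1 evasion of a positive-class x by trying every cell of the
    partition; returns (distance, point) or None. Exponential in #features."""
    best = None
    per_axis = [coordinate_candidates(trees, x, j) for j in range(len(x))]
    for cand in product(*per_axis):
        if score(trees, cand) <= 0:
            d = l1(x, cand)
            if best is None or d < best[0]:
                best = (d, list(cand))
    return best


def coordinate_descent_evasion(trees, x, max_steps=20):
    """Greedy: repeatedly apply the single-coordinate move with the largest
    score decrease per unit of added L1 distance until the class flips.
    Returns (distance, point) or None if it stalls (no optimality guarantee)."""
    cur = list(x)
    for _ in range(max_steps):
        if score(trees, cur) <= 0:
            return l1(x, cur), cur
        best_ratio, best_move = 0.0, None
        for j in range(len(cur)):
            for v in coordinate_candidates(trees, cur, j):
                if v == cur[j]:
                    continue
                trial = cur[:]
                trial[j] = v
                gain = score(trees, cur) - score(trees, trial)
                if gain <= 0:
                    continue
                cost = l1(x, trial) - l1(x, cur)
                ratio = float("inf") if cost <= 0 else gain / cost
                if ratio > best_ratio:
                    best_ratio, best_move = ratio, trial
        if best_move is None:
            return None
        cur = best_move
    return None


if __name__ == "__main__":
    x0 = [0.9, 0.7]                     # constructed positive-class point
    print("score(x0)      =", score(TREES, x0))
    print("exhaustive     =", exhaustive_evasion(TREES, x0))
    print("coord. descent =", coordinate_descent_evasion(TREES, x0))
```

On this toy model both searches reach the same evading point at L1 distance 0.4, but the greedy search gets there in two single-feature steps while the exhaustive search visits all twelve cells; on a real ensemble the cell count is astronomically larger, which is exactly why the paper reaches for MILP for the exact answer and coordinate descent for the fast one.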
Empirical evaluations on the MNIST digit recognition task show that both boosted trees and random forests, despite high accuracy, are brittle under adversarial perturbation. Prior work on evasion had concentrated on differentiable models such as neural networks, where gradient-based attacks apply directly; tree ensembles are discrete and non-differentiable, so their vulnerability had not been probed to the same extent, which is the gap the MILP and coordinate-descent attacks close.
The paper also explores preventative measures against such vulnerabilities through a technique termed "adversarial boosting." This hardening process augments training with evading instances generated against the partially trained model as boosting proceeds, so that each round sees examples crafted to evade the rounds before it. The efficacy of adversarial boosting is demonstrated by the substantial reduction in evasion susceptibility of the hardened model, referred to as BDT-R, which under the L0 metric is more robust than even an RBF-SVM classifier. A trade-off emerges, however: the hardened model shows increased sensitivity under the L1, L2 and L∞ metrics. In practice this means the metric used to generate the hardening instances should match the perturbations the real attacker can make, and defending against several perturbation types at once remains an open problem.
By solidifying the understanding of evasion tactics specific to non-differentiable models like tree ensembles, this research not only deepens conceptual knowledge but also highlights paths for practical defenses in security-sensitive deployments. Future research can look towards extending these methodologies to diverse datasets and exploring more generalized evasion strategies or universal adversarial examples that may apply broadly across varying models and architectures.
In summary, the paper provides significant insights into the vulnerabilities and fortification strategies of tree ensemble classifiers, contributing valuable techniques for both assessing and enhancing their robustness in adversarial settings.