Papers
Topics
Authors
Recent
Search
2000 character limit reached

Tree Poisoning Problem

Updated 5 July 2026
  • Tree poisoning is a collection of adversarial challenges on tree-structured models that exploits local alterations to induce significant global effects in predictions and network connectivity.
  • The topic splits into two dominant formulations: poisoning learned decision trees through data perturbations and corrupting graph-theoretic trees via contagion, interdiction, or activation under resource constraints.
  • Key defenses include greedy sub-tree retraining, formal certification via abstract interpretation, and differential privacy methods, each addressing the recursive vulnerabilities and threshold behaviors intrinsic to tree structures.

The tree poisoning problem denotes a family of adversarial and robustness questions in which the underlying object is a tree, but the operative meaning of “poisoning” depends on context. In one major line of work, the target is a learned decision tree or a tree ensemble, and poisoning means inserting, altering, or certifying against malicious training examples so as to change the retrained model’s predictions (Calzavara et al., 2024, Drews et al., 2019, Vos et al., 2023). In another line, the target is a graph-theoretic tree, and poisoning refers to harmful spread, stochastic corruption, interdiction, or activation under resource constraints; here the core tasks are containment, inference under corrupted observations, connectivity minimization, facility interdiction, or vaccination-style hardening (Meister et al., 2022, Adjiashvili et al., 2016, Hosteins et al., 2018, Leiß et al., 2023, Ehard et al., 2018, Hopkins et al., 2024, Debs et al., 2015). This suggests that the topic is best understood as a cluster of tree-structured adversarial optimization problems rather than a single formalism.

1. Scope and principal formulations

Across the literature summarized here, tree poisoning splits into two dominant formulations. The first is data poisoning of decision-tree learners, where the adversary perturbs training data and exploits the discrete split-selection logic of CART-style models. The second is poisoning or corruption on graph-theoretic trees, where a harmful state, corrupted observation, or interdiction action propagates or is deployed over a rooted tree under explicit budget and observability constraints. The common denominator is that local changes can induce global effects because trees amplify pathwise dependencies and recursive partitioning.

Formulation Tree object Canonical objective
Decision-tree poisoning Learned decision tree or random forest Maximize post-retraining loss or targeted misclassification (Calzavara et al., 2024, Drews et al., 2019)
Robust learning against poisoning Learned decision tree with randomized or abstractly analyzed training Prove prediction invariance or bound expected degradation under poisoning (Drews et al., 2019, Vos et al., 2023)
Contagion, inference, and interdiction on trees Rooted tree, contact tree, or broadcast tree Contain spread, infer hidden states under corruption, or worsen network objectives (Meister et al., 2022, Hopkins et al., 2024, Adjiashvili et al., 2016, Hosteins et al., 2018, Leiß et al., 2023, Ehard et al., 2018)

A common misconception is that tree models are intrinsically robust because they are simple or interpretable. The decision-tree literature directly contradicts this: small changes in the training data can result in different predictions, certified robustness is nontrivial, and a first white-box poisoning attack specifically targeting decision trees has now been presented (Drews et al., 2019, Calzavara et al., 2024). The graph-theoretic literature reaches an analogous conclusion: on trees, worst-case corruption or high-growth parameter regimes can make containment or inference information-theoretically impossible (Meister et al., 2022, Hopkins et al., 2024).

2. Poisoning learned decision trees

A standard poisoning formulation starts from a clean training set D={(xi,yi)}i=1nD=\{(x_i,y_i)\}_{i=1}^n, a deterministic tree-learning algorithm A()A(\cdot), and a poisoning set P={(x~j,y~j)}j=1bP=\{(\tilde{x}_j,\tilde{y}_j)\}_{j=1}^b under a budget bb and feasibility set F\mathcal{F}. Retraining yields f^=A(DP)\hat{f}=A(D\cup P). The attacker’s availability objective is usually to maximize empirical test loss,

L01(f^;Dtest)=1Dtest(x,y)Dtest1[f^(x)y],L_{0\text{--}1}(\hat{f};D_{\text{test}})=\frac{1}{|D_{\text{test}}|}\sum_{(x,y)\in D_{\text{test}}}\mathbf{1}[\hat{f}(x)\neq y],

while a targeted variant maximizes misclassification on a subset TDtestT\subset D_{\text{test}}. The supplied overview also describes common feasibility constraints: valid feature domains, optional label-flip permissions, and a small poisoning budget relative to nn.

For CART-style trees, poisoning acts by changing the class proportions pcp_c that enter split criteria. The overview gives the standard Gini impurity

A()A(\cdot)0

and the entropy/information-gain form

A()A(\cdot)1

Poisoned examples can therefore increase impurity, decrease information gain for otherwise desirable splits, steer threshold selection for continuous features by placing crafted points near candidate thresholds, and induce cascading downstream changes because once a split changes, all descendant partitions change as well. This recursive sensitivity is a distinctive feature of tree poisoning.

The threat model described in the supplied overview is white-box: the attacker knows A()A(\cdot)2 or an accurate sample, the learner A()A(\cdot)3, hyperparameters such as maximum depth and split criterion, and can trigger retraining on A()A(\cdot)4. Typical attack surfaces are synthetic point injection, label-flip poisoning, and feature perturbation of existing records. A practical attack strategy is greedy selection with damage estimated by local sub-tree retraining rather than full retraining for every candidate. In that strategy, a candidate point is scored by an estimate of

A()A(\cdot)5

with A()A(\cdot)6 a validation set, and only the minimal affected sub-tree is rebuilt.

"Timber! Poisoning Decision Trees" presents Timber as the first white-box poisoning attack targeting decision trees. According to the abstract, Timber is based on a greedy attack strategy that leverages sub-tree retraining to efficiently estimate the damage caused by poisoning a given training instance. The attack relies on a tree annotation procedure, enabling the sorting of training instances in increasing order of the computational cost of sub-tree retraining; this yields a variant with an early stopping criterion designed to make poisoning attacks more efficient and feasible on larger datasets. The paper also discusses an extension to traditional random forest models and reports that the attacks outperform existing baselines in terms of effectiveness, efficiency, or both, while two representative defenses mitigate the effect of the attacks but fail to effectively thwart them (Calzavara et al., 2024).

3. Certification and defensive learning for decision trees

One response to decision-tree poisoning is formal certification. "Proving Data-Poisoning Robustness in Decision Trees" formulates robustness for a specific input A()A(\cdot)7 as

A()A(\cdot)8

where A()A(\cdot)9 and verification is phrased as up to P={(x~j,y~j)}j=1bP=\{(\tilde{x}_j,\tilde{y}_j)\}_{j=1}^b0 deletions from the observed dataset. The paper presents Antidote, a sound verification technique based on abstract interpretation. Antidote trains decision trees abstractly over an intractably large space of possible poisoned datasets, focuses on the input-directed trace rather than the full tree, treats ties as nondeterminism, and uses an abstract dataset domain of the form P={(x~j,y~j)}j=1bP=\{(\tilde{x}_j,\tilde{y}_j)\}_{j=1}^b1, abstract predicates, and interval numerics to over-approximate all possible training outcomes (Drews et al., 2019).

The training-time abstractions are explicit. For a node sample set P={(x~j,y~j)}j=1bP=\{(\tilde{x}_j,\tilde{y}_j)\}_{j=1}^b2, the paper uses class probabilities P={(x~j,y~j)}j=1bP=\{(\tilde{x}_j,\tilde{y}_j)\}_{j=1}^b3, Gini impurity

P={(x~j,y~j)}j=1bP=\{(\tilde{x}_j,\tilde{y}_j)\}_{j=1}^b4

and split score

P={(x~j,y~j)}j=1bP=\{(\tilde{x}_j,\tilde{y}_j)\}_{j=1}^b5

with P={(x~j,y~j)}j=1bP=\{(\tilde{x}_j,\tilde{y}_j)\}_{j=1}^b6. The certification theorem is sound in the sense that if abstract training determines a unique class for all concretizations in P={(x~j,y~j)}j=1bP=\{(\tilde{x}_j,\tilde{y}_j)\}_{j=1}^b7, then the prediction is invariant under any poisoning set within that budget. Empirically, Antidote certifies 38 of 100 test images on MNIST-1-7-Real at depth 2 as robust to P={(x~j,y~j)}j=1bP=\{(\tilde{x}_j,\tilde{y}_j)\}_{j=1}^b8 deletions with average runtime P={(x~j,y~j)}j=1bP=\{(\tilde{x}_j,\tilde{y}_j)\}_{j=1}^b9 s, certifies some inputs robust to bb0 within bb1 seconds, and exhibits a precision–cost trade-off between the Box and Disjuncts domains; for MNIST-1-7-Binary at depth 3 and bb2, Disjuncts certifies 52/100 in bb3 s and bb4 MB, whereas Box certifies 15/100 in bb5 s and bb6 MB (Drews et al., 2019).

A second response is stability by differential privacy. "Differentially-Private Decision Trees and Provable Robustness to Data Poisoning" introduces PrivaTree, a histogram-based bb7-differentially private decision-tree learner that supports mixed numerical and categorical features, uses differentially private quantiles for numerical binning, and labels leaves with permute-and-flip (Vos et al., 2023). At each node, privatized class-conditional histograms are built for bins or categories, and split selection is then pure post-processing of the privatized counts. The paper states a privacy-budget allocation

bb8

and proves that PrivaTree provides bb9-differential privacy.

The poisoning guarantees are distribution-level rather than per-instance. For an F\mathcal{F}0-DP learner and a poisoning budget of F\mathcal{F}1 samples, the paper gives

F\mathcal{F}2

and for backdoor attack success rate,

F\mathcal{F}3

The empirical results reported for depth-4 trees include clean accuracies of 99.5% for non-private trees, 98.7% for F\mathcal{F}4, and 97.4% for F\mathcal{F}5 on MNIST 0 vs 1, while PrivaTree’s empirical ASR remains below F\mathcal{F}6 across the full tested range up to 1% poisoning; on tabular data, the paper reports, for example, adult accuracy F\mathcal{F}7 for PrivaTree at F\mathcal{F}8 versus F\mathcal{F}9 for BDPT, f^=A(DP)\hat{f}=A(D\cup P)0 for DPGDF, f^=A(DP)\hat{f}=A(D\cup P)1 for DiffPrivLib, and f^=A(DP)\hat{f}=A(D\cup P)2 for the non-private model (Vos et al., 2023).

These two defense lines are complementary. Certification proves invariance for specific inputs and budgets; differential privacy bounds expected degradation of the learner’s output distribution. Timber’s abstract-level evaluation adds a third point to this picture by indicating that representative defenses can mitigate, but not effectively thwart, white-box poisoning attacks on decision trees (Calzavara et al., 2024).

4. Poisoning, contagion, and inference on graph-theoretic trees

In graph-theoretic trees, poisoning frequently means harmful spread or corrupted observations. "Containing the spread of a contagion on a tree" studies a stochastic infection process on a growing tree together with a tracer who stabilizes one node per round. Each node f^=A(DP)\hat{f}=A(D\cup P)3 has infection/transmission parameters f^=A(DP)\hat{f}=A(D\cup P)4 and f^=A(DP)\hat{f}=A(D\cup P)5, and the per-round expected number of newly infected contacts generated by an infected active node is

f^=A(DP)\hat{f}=A(D\cup P)6

In the model, the infection runs uninhibited for times f^=A(DP)\hat{f}=A(D\cup P)7; for each f^=A(DP)\hat{f}=A(D\cup P)8, tracing first queries one frontier node and, if it is infected, stabilizes it and reveals its children, after which every active node may generate a new contact. The central objective is containment: the frontier becomes empty exactly when all infected nodes have been stabilized (Meister et al., 2022).

The paper proves regime-dependent qualitative behavior. There are thresholds under which any non-trivial policy succeeds with high probability: for fixed f^=A(DP)\hat{f}=A(D\cup P)9 and L01(f^;Dtest)=1Dtest(x,y)Dtest1[f^(x)y],L_{0\text{--}1}(\hat{f};D_{\text{test}})=\frac{1}{|D_{\text{test}}|}\sum_{(x,y)\in D_{\text{test}}}\mathbf{1}[\hat{f}(x)\neq y],0, if L01(f^;Dtest)=1Dtest(x,y)Dtest1[f^(x)y],L_{0\text{--}1}(\hat{f};D_{\text{test}})=\frac{1}{|D_{\text{test}}|}\sum_{(x,y)\in D_{\text{test}}}\mathbf{1}[\hat{f}(x)\neq y],1 for all L01(f^;Dtest)=1Dtest(x,y)Dtest1[f^(x)y],L_{0\text{--}1}(\hat{f};D_{\text{test}})=\frac{1}{|D_{\text{test}}|}\sum_{(x,y)\in D_{\text{test}}}\mathbf{1}[\hat{f}(x)\neq y],2, then any non-trivial policy contains the infection with probability at least L01(f^;Dtest)=1Dtest(x,y)Dtest1[f^(x)y],L_{0\text{--}1}(\hat{f};D_{\text{test}})=\frac{1}{|D_{\text{test}}|}\sum_{(x,y)\in D_{\text{test}}}\mathbf{1}[\hat{f}(x)\neq y],3, and an analogous result holds for sufficiently small L01(f^;Dtest)=1Dtest(x,y)Dtest1[f^(x)y],L_{0\text{--}1}(\hat{f};D_{\text{test}})=\frac{1}{|D_{\text{test}}|}\sum_{(x,y)\in D_{\text{test}}}\mathbf{1}[\hat{f}(x)\neq y],4. There is also a runaway regime: for fixed non-trivial policy L01(f^;Dtest)=1Dtest(x,y)Dtest1[f^(x)y],L_{0\text{--}1}(\hat{f};D_{\text{test}})=\frac{1}{|D_{\text{test}}|}\sum_{(x,y)\in D_{\text{test}}}\mathbf{1}[\hat{f}(x)\neq y],5, L01(f^;Dtest)=1Dtest(x,y)Dtest1[f^(x)y],L_{0\text{--}1}(\hat{f};D_{\text{test}})=\frac{1}{|D_{\text{test}}|}\sum_{(x,y)\in D_{\text{test}}}\mathbf{1}[\hat{f}(x)\neq y],6, and L01(f^;Dtest)=1Dtest(x,y)Dtest1[f^(x)y],L_{0\text{--}1}(\hat{f};D_{\text{test}})=\frac{1}{|D_{\text{test}}|}\sum_{(x,y)\in D_{\text{test}}}\mathbf{1}[\hat{f}(x)\neq y],7, there exist L01(f^;Dtest)=1Dtest(x,y)Dtest1[f^(x)y],L_{0\text{--}1}(\hat{f};D_{\text{test}})=\frac{1}{|D_{\text{test}}|}\sum_{(x,y)\in D_{\text{test}}}\mathbf{1}[\hat{f}(x)\neq y],8 such that if L01(f^;Dtest)=1Dtest(x,y)Dtest1[f^(x)y],L_{0\text{--}1}(\hat{f};D_{\text{test}})=\frac{1}{|D_{\text{test}}|}\sum_{(x,y)\in D_{\text{test}}}\mathbf{1}[\hat{f}(x)\neq y],9 and TDtestT\subset D_{\text{test}}0 for all TDtestT\subset D_{\text{test}}1, then with probability at least TDtestT\subset D_{\text{test}}2, TDtestT\subset D_{\text{test}}3 does not contain the infection (Meister et al., 2022). Policy choice can matter even at fixed parameters. The paper gives an explicit separation instance with TDtestT\subset D_{\text{test}}4, TDtestT\subset D_{\text{test}}5, and TDtestT\subset D_{\text{test}}6 in which descending-time has strictly higher probability of containment than ascending-time, with

TDtestT\subset D_{\text{test}}7

It also reports that learned time-based policies did not significantly outperform the monotonic time-based policies across TDtestT\subset D_{\text{test}}8 instances.

A related but distinct problem is inference on trees under adversarial leaf corruption. "Adversarially-Robust Inference on Trees via Belief Propagation" considers broadcasting on a TDtestT\subset D_{\text{test}}9-regular tree with edge correlation nn0 and signal-to-noise ratio

nn1

The paper confirms that a worst-case nn2-fraction adversary who can corrupt leaves of its choosing makes inference impossible even when the fraction of corrupted leaves is inverse-polynomial. By contrast, when corruption locations are random and only the values at those locations are adversarially chosen, accurate posterior inference about the root is possible if

nn3

for universal constants nn4 (Hopkins et al., 2024). The canonical belief propagation update is

nn5

and the paper shows that standard BP already achieves the robust inference guarantee under the semirandom model. It also proves a matching lower bound up to constants: if nn6, then inference becomes information-theoretically impossible (Hopkins et al., 2024).

A third spread model studies multiple competing diseases on nn7-ary or Galton–Watson trees. "Diseases transmission in a z-ary tree" initializes leaves independently with one of nn8 diseases or healthy, and propagates upward by a rule in which a parent takes a disease only if all infected children carry the same disease; conflicting diseases neutralize to healthy. In the symmetric nn9-ary case, the recursion reduces to

pcp_c0

The paper proves a phase transition at pcp_c1: for pcp_c2 the symmetric fixed point is attracting, whereas for pcp_c3 it is repelling; for pcp_c4 with two co-dominant diseases, the dynamics converge for almost all initial conditions to a period-2 orbit (Debs et al., 2015). This suggests that poisoning on trees can exhibit genuine dynamical-systems behavior rather than mere monotone spread.

5. Interdiction, firefighting, and vaccination on trees

A large combinatorial-optimization literature treats poisoning as budgeted interdiction or obstruction on a rooted tree. In the Firefighter problem, a rooted tree has a burning root and a per-level protection budget pcp_c5; the objective is to maximize the total weight of vertices that never burn. In Resource Minimization for Fire Containment (RMFC), the objective is to find the smallest pcp_c6 that saves all leaves. "Firefighting on Trees Beyond Integrality Gaps" gives the standard LP relaxations

pcp_c7

for Firefighter, and

pcp_c8

for RMFC. The paper states that the canonical LP has asymptotic integrality gap pcp_c9 for Firefighter and A()A(\cdot)00 for RMFC, then improves on both with a PTAS for Firefighter and a factor-12 approximation for RMFC on trees (Adjiashvili et al., 2016).

A different objective is to minimize expected connectivity by attacking nodes. "The Stochastic Critical Node Problem over Trees" considers a tree A()A(\cdot)01 with pairwise weights A()A(\cdot)02, attack costs A()A(\cdot)03, and a budget A()A(\cdot)04. If attacks succeed stochastically, the connectivity of a pair A()A(\cdot)05 is a path product,

A()A(\cdot)06

under the query’s convention that A()A(\cdot)07 is attack success probability. The optimization problem is

A()A(\cdot)08

The paper proves NP-completeness of the decision version even on trees with unit connection costs and gives nonlinear and linearized formulations, an exact Benders decomposition, and an approximation algorithm for the unit-cost case with time complexity A()A(\cdot)09 and absolute error at most A()A(\cdot)10 (Hosteins et al., 2018).

In facility-location interdiction, "p-median location interdiction on trees" asks for a subset of edges whose removal maximally increases the A()A(\cdot)11-median objective of the residual graph. The paper proves NP-hardness even on trees. Under the restricted setting of trees with unit edge lengths, unit interdiction costs, single-edge interdiction A()A(\cdot)12, and A()A(\cdot)13, it shows that if A()A(\cdot)14 is an optimal 1-median of the tree, then the optimal interdiction is the unique edge incident to a leaf A()A(\cdot)15 minimizing A()A(\cdot)16 (Leiß et al., 2023). For unit-length paths, the optimal single-edge interdiction is an endpoint edge, and with multiple interdictions the optimal strategy successively cuts leaf edges.

A further line treats poisoning as vaccination against threshold activation. "Vaccinate your trees!" defines a threshold function A()A(\cdot)17 on a graph and the A()A(\cdot)18-hull process; a dynamic monopoly is a seed set that eventually activates the whole graph. The paper studies two budgeted problems on trees: threshold boosting, in which one chooses A()A(\cdot)19 vertices and sets their thresholds to A()A(\cdot)20, and vertex removal, in which one deletes A()A(\cdot)21 vertices. The goals are

A()A(\cdot)22

and

A()A(\cdot)23

For rooted trees, the paper gives exact dynamic programs running in A()A(\cdot)24 time for threshold boosting and A()A(\cdot)25 time for vertex removal (Ehard et al., 2018). These algorithms exploit the same structural motif seen elsewhere in the tree-poisoning literature: a post-order recursion with local state summarizing whether a parent has already become active.

6. Shared structure, impossibility phenomena, and open directions

Several cross-cutting themes recur across these formulations. First, the mathematics is overwhelmingly recursive. Decision-tree poisoning operates through recursive partition refinement and sub-tree retraining (Calzavara et al., 2024, Drews et al., 2019). Containment, broadcasting, disease propagation, and threshold activation are all defined by local update rules on rooted subtrees (Meister et al., 2022, Hopkins et al., 2024, Debs et al., 2015, Ehard et al., 2018). Firefighter, RMFC, stochastic critical-node interdiction, and p-median interdiction all derive tractability on trees from unique paths, layered decompositions, or laminar constraints (Adjiashvili et al., 2016, Hosteins et al., 2018, Leiß et al., 2023).

Second, tree poisoning almost always exhibits threshold behavior. In the contagion-tracing model, small A()A(\cdot)26 or A()A(\cdot)27 give universal high-probability containment, whereas sufficiently large A()A(\cdot)28 yields runaway growth under any fixed non-trivial policy (Meister et al., 2022). In adversarially robust broadcasting, the decisive parameters are A()A(\cdot)29 and the corruption rate A()A(\cdot)30: worst-case location corruption is impossible to tolerate asymptotically, but semirandom corruption is tolerable up to A()A(\cdot)31 when A()A(\cdot)32 exceeds A()A(\cdot)33 (Hopkins et al., 2024). In multi-disease propagation, a phase transition occurs at A()A(\cdot)34, after which attracting fixed points give way to periodic behavior (Debs et al., 2015). In differentially private learning, robustness degrades exponentially in A()A(\cdot)35 through the factor A()A(\cdot)36 (Vos et al., 2023).

Third, the literature repeatedly distinguishes worst-case from structured adversaries. Worst-case leaf corruption can erase information about the root (Hopkins et al., 2024). White-box data-poisoning attacks on learned trees exploit exact knowledge of the learner and hyperparameters (Calzavara et al., 2024). By contrast, certification under bounded insertions or deletions, semirandom corruption, or differential privacy imposes enough structure to recover meaningful guarantees (Drews et al., 2019, Vos et al., 2023, Hopkins et al., 2024). This suggests that the practical severity of tree poisoning depends as much on the adversary model as on the tree model itself.

Open directions stated in the supplied materials are similarly varied. For private robust tree learning, they include tighter poisoning bounds for DP trees, adaptive data-dependent depth control under DP, and extensions to ensembles (Vos et al., 2023). For disease transmission on trees, they include probabilistic activation variants, critical conditions on offspring distributions in Galton–Watson trees, and classification of higher-period dynamics for general A()A(\cdot)37 (Debs et al., 2015). More broadly, the optimization literature indicates that several tree-restricted problems become substantially harder on general graphs, so the extent to which tree-specific techniques—sub-tree retraining, laminar LP strengthening, Benders cuts over unique paths, or rooted-subtree dynamic programs—can transfer beyond trees remains an active methodological question (Adjiashvili et al., 2016, Hosteins et al., 2018, Leiß et al., 2023).

Taken together, these works portray the tree poisoning problem as a technically diverse but structurally coherent area. Whether the tree is a learned classifier, a stochastic contact tree, a broadcast graph, or a rooted combinatorial network, the central issue is the same: local adversarial perturbations can reorganize global behavior through recursion, and understanding that reorganization requires explicit attention to budgets, observability, update order, and threshold regimes.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Tree Poisoning Problem.