Tree Poisoning Problem
- Tree poisoning is a collection of adversarial challenges on tree-structured models that exploits local alterations to induce significant global effects in predictions and network connectivity.
- The topic splits into two dominant formulations: poisoning learned decision trees through data perturbations and corrupting graph-theoretic trees via contagion, interdiction, or activation under resource constraints.
- Key defenses include greedy sub-tree retraining, formal certification via abstract interpretation, and differential privacy methods, each addressing the recursive vulnerabilities and threshold behaviors intrinsic to tree structures.
The tree poisoning problem denotes a family of adversarial and robustness questions in which the underlying object is a tree, but the operative meaning of “poisoning” depends on context. In one major line of work, the target is a learned decision tree or a tree ensemble, and poisoning means inserting, altering, or certifying against malicious training examples so as to change the retrained model’s predictions (Calzavara et al., 2024, Drews et al., 2019, Vos et al., 2023). In another line, the target is a graph-theoretic tree, and poisoning refers to harmful spread, stochastic corruption, interdiction, or activation under resource constraints; here the core tasks are containment, inference under corrupted observations, connectivity minimization, facility interdiction, or vaccination-style hardening (Meister et al., 2022, Adjiashvili et al., 2016, Hosteins et al., 2018, Leiß et al., 2023, Ehard et al., 2018, Hopkins et al., 2024, Debs et al., 2015). This suggests that the topic is best understood as a cluster of tree-structured adversarial optimization problems rather than a single formalism.
1. Scope and principal formulations
Across the literature summarized here, tree poisoning splits into two dominant formulations. The first is data poisoning of decision-tree learners, where the adversary perturbs training data and exploits the discrete split-selection logic of CART-style models. The second is poisoning or corruption on graph-theoretic trees, where a harmful state, corrupted observation, or interdiction action propagates or is deployed over a rooted tree under explicit budget and observability constraints. The common denominator is that local changes can induce global effects because trees amplify pathwise dependencies and recursive partitioning.
| Formulation | Tree object | Canonical objective |
|---|---|---|
| Decision-tree poisoning | Learned decision tree or random forest | Maximize post-retraining loss or targeted misclassification (Calzavara et al., 2024, Drews et al., 2019) |
| Robust learning against poisoning | Learned decision tree with randomized or abstractly analyzed training | Prove prediction invariance or bound expected degradation under poisoning (Drews et al., 2019, Vos et al., 2023) |
| Contagion, inference, and interdiction on trees | Rooted tree, contact tree, or broadcast tree | Contain spread, infer hidden states under corruption, or worsen network objectives (Meister et al., 2022, Hopkins et al., 2024, Adjiashvili et al., 2016, Hosteins et al., 2018, Leiß et al., 2023, Ehard et al., 2018) |
A common misconception is that tree models are intrinsically robust because they are simple or interpretable. The decision-tree literature directly contradicts this: small changes in the training data can result in different predictions, certified robustness is nontrivial, and a first white-box poisoning attack specifically targeting decision trees has now been presented (Drews et al., 2019, Calzavara et al., 2024). The graph-theoretic literature reaches an analogous conclusion: on trees, worst-case corruption or high-growth parameter regimes can make containment or inference information-theoretically impossible (Meister et al., 2022, Hopkins et al., 2024).
2. Poisoning learned decision trees
A standard poisoning formulation starts from a clean training set , a deterministic tree-learning algorithm , and a poisoning set under a budget and feasibility set . Retraining yields . The attacker’s availability objective is usually to maximize empirical test loss,
while a targeted variant maximizes misclassification on a subset . The supplied overview also describes common feasibility constraints: valid feature domains, optional label-flip permissions, and a small poisoning budget relative to .
For CART-style trees, poisoning acts by changing the class proportions that enter split criteria. The overview gives the standard Gini impurity
0
and the entropy/information-gain form
1
Poisoned examples can therefore increase impurity, decrease information gain for otherwise desirable splits, steer threshold selection for continuous features by placing crafted points near candidate thresholds, and induce cascading downstream changes because once a split changes, all descendant partitions change as well. This recursive sensitivity is a distinctive feature of tree poisoning.
The threat model described in the supplied overview is white-box: the attacker knows 2 or an accurate sample, the learner 3, hyperparameters such as maximum depth and split criterion, and can trigger retraining on 4. Typical attack surfaces are synthetic point injection, label-flip poisoning, and feature perturbation of existing records. A practical attack strategy is greedy selection with damage estimated by local sub-tree retraining rather than full retraining for every candidate. In that strategy, a candidate point is scored by an estimate of
5
with 6 a validation set, and only the minimal affected sub-tree is rebuilt.
"Timber! Poisoning Decision Trees" presents Timber as the first white-box poisoning attack targeting decision trees. According to the abstract, Timber is based on a greedy attack strategy that leverages sub-tree retraining to efficiently estimate the damage caused by poisoning a given training instance. The attack relies on a tree annotation procedure, enabling the sorting of training instances in increasing order of the computational cost of sub-tree retraining; this yields a variant with an early stopping criterion designed to make poisoning attacks more efficient and feasible on larger datasets. The paper also discusses an extension to traditional random forest models and reports that the attacks outperform existing baselines in terms of effectiveness, efficiency, or both, while two representative defenses mitigate the effect of the attacks but fail to effectively thwart them (Calzavara et al., 2024).
3. Certification and defensive learning for decision trees
One response to decision-tree poisoning is formal certification. "Proving Data-Poisoning Robustness in Decision Trees" formulates robustness for a specific input 7 as
8
where 9 and verification is phrased as up to 0 deletions from the observed dataset. The paper presents Antidote, a sound verification technique based on abstract interpretation. Antidote trains decision trees abstractly over an intractably large space of possible poisoned datasets, focuses on the input-directed trace rather than the full tree, treats ties as nondeterminism, and uses an abstract dataset domain of the form 1, abstract predicates, and interval numerics to over-approximate all possible training outcomes (Drews et al., 2019).
The training-time abstractions are explicit. For a node sample set 2, the paper uses class probabilities 3, Gini impurity
4
and split score
5
with 6. The certification theorem is sound in the sense that if abstract training determines a unique class for all concretizations in 7, then the prediction is invariant under any poisoning set within that budget. Empirically, Antidote certifies 38 of 100 test images on MNIST-1-7-Real at depth 2 as robust to 8 deletions with average runtime 9 s, certifies some inputs robust to 0 within 1 seconds, and exhibits a precision–cost trade-off between the Box and Disjuncts domains; for MNIST-1-7-Binary at depth 3 and 2, Disjuncts certifies 52/100 in 3 s and 4 MB, whereas Box certifies 15/100 in 5 s and 6 MB (Drews et al., 2019).
A second response is stability by differential privacy. "Differentially-Private Decision Trees and Provable Robustness to Data Poisoning" introduces PrivaTree, a histogram-based 7-differentially private decision-tree learner that supports mixed numerical and categorical features, uses differentially private quantiles for numerical binning, and labels leaves with permute-and-flip (Vos et al., 2023). At each node, privatized class-conditional histograms are built for bins or categories, and split selection is then pure post-processing of the privatized counts. The paper states a privacy-budget allocation
8
and proves that PrivaTree provides 9-differential privacy.
The poisoning guarantees are distribution-level rather than per-instance. For an 0-DP learner and a poisoning budget of 1 samples, the paper gives
2
and for backdoor attack success rate,
3
The empirical results reported for depth-4 trees include clean accuracies of 99.5% for non-private trees, 98.7% for 4, and 97.4% for 5 on MNIST 0 vs 1, while PrivaTree’s empirical ASR remains below 6 across the full tested range up to 1% poisoning; on tabular data, the paper reports, for example, adult accuracy 7 for PrivaTree at 8 versus 9 for BDPT, 0 for DPGDF, 1 for DiffPrivLib, and 2 for the non-private model (Vos et al., 2023).
These two defense lines are complementary. Certification proves invariance for specific inputs and budgets; differential privacy bounds expected degradation of the learner’s output distribution. Timber’s abstract-level evaluation adds a third point to this picture by indicating that representative defenses can mitigate, but not effectively thwart, white-box poisoning attacks on decision trees (Calzavara et al., 2024).
4. Poisoning, contagion, and inference on graph-theoretic trees
In graph-theoretic trees, poisoning frequently means harmful spread or corrupted observations. "Containing the spread of a contagion on a tree" studies a stochastic infection process on a growing tree together with a tracer who stabilizes one node per round. Each node 3 has infection/transmission parameters 4 and 5, and the per-round expected number of newly infected contacts generated by an infected active node is
6
In the model, the infection runs uninhibited for times 7; for each 8, tracing first queries one frontier node and, if it is infected, stabilizes it and reveals its children, after which every active node may generate a new contact. The central objective is containment: the frontier becomes empty exactly when all infected nodes have been stabilized (Meister et al., 2022).
The paper proves regime-dependent qualitative behavior. There are thresholds under which any non-trivial policy succeeds with high probability: for fixed 9 and 0, if 1 for all 2, then any non-trivial policy contains the infection with probability at least 3, and an analogous result holds for sufficiently small 4. There is also a runaway regime: for fixed non-trivial policy 5, 6, and 7, there exist 8 such that if 9 and 0 for all 1, then with probability at least 2, 3 does not contain the infection (Meister et al., 2022). Policy choice can matter even at fixed parameters. The paper gives an explicit separation instance with 4, 5, and 6 in which descending-time has strictly higher probability of containment than ascending-time, with
7
It also reports that learned time-based policies did not significantly outperform the monotonic time-based policies across 8 instances.
A related but distinct problem is inference on trees under adversarial leaf corruption. "Adversarially-Robust Inference on Trees via Belief Propagation" considers broadcasting on a 9-regular tree with edge correlation 0 and signal-to-noise ratio
1
The paper confirms that a worst-case 2-fraction adversary who can corrupt leaves of its choosing makes inference impossible even when the fraction of corrupted leaves is inverse-polynomial. By contrast, when corruption locations are random and only the values at those locations are adversarially chosen, accurate posterior inference about the root is possible if
3
for universal constants 4 (Hopkins et al., 2024). The canonical belief propagation update is
5
and the paper shows that standard BP already achieves the robust inference guarantee under the semirandom model. It also proves a matching lower bound up to constants: if 6, then inference becomes information-theoretically impossible (Hopkins et al., 2024).
A third spread model studies multiple competing diseases on 7-ary or Galton–Watson trees. "Diseases transmission in a z-ary tree" initializes leaves independently with one of 8 diseases or healthy, and propagates upward by a rule in which a parent takes a disease only if all infected children carry the same disease; conflicting diseases neutralize to healthy. In the symmetric 9-ary case, the recursion reduces to
0
The paper proves a phase transition at 1: for 2 the symmetric fixed point is attracting, whereas for 3 it is repelling; for 4 with two co-dominant diseases, the dynamics converge for almost all initial conditions to a period-2 orbit (Debs et al., 2015). This suggests that poisoning on trees can exhibit genuine dynamical-systems behavior rather than mere monotone spread.
5. Interdiction, firefighting, and vaccination on trees
A large combinatorial-optimization literature treats poisoning as budgeted interdiction or obstruction on a rooted tree. In the Firefighter problem, a rooted tree has a burning root and a per-level protection budget 5; the objective is to maximize the total weight of vertices that never burn. In Resource Minimization for Fire Containment (RMFC), the objective is to find the smallest 6 that saves all leaves. "Firefighting on Trees Beyond Integrality Gaps" gives the standard LP relaxations
7
for Firefighter, and
8
for RMFC. The paper states that the canonical LP has asymptotic integrality gap 9 for Firefighter and 00 for RMFC, then improves on both with a PTAS for Firefighter and a factor-12 approximation for RMFC on trees (Adjiashvili et al., 2016).
A different objective is to minimize expected connectivity by attacking nodes. "The Stochastic Critical Node Problem over Trees" considers a tree 01 with pairwise weights 02, attack costs 03, and a budget 04. If attacks succeed stochastically, the connectivity of a pair 05 is a path product,
06
under the query’s convention that 07 is attack success probability. The optimization problem is
08
The paper proves NP-completeness of the decision version even on trees with unit connection costs and gives nonlinear and linearized formulations, an exact Benders decomposition, and an approximation algorithm for the unit-cost case with time complexity 09 and absolute error at most 10 (Hosteins et al., 2018).
In facility-location interdiction, "p-median location interdiction on trees" asks for a subset of edges whose removal maximally increases the 11-median objective of the residual graph. The paper proves NP-hardness even on trees. Under the restricted setting of trees with unit edge lengths, unit interdiction costs, single-edge interdiction 12, and 13, it shows that if 14 is an optimal 1-median of the tree, then the optimal interdiction is the unique edge incident to a leaf 15 minimizing 16 (Leiß et al., 2023). For unit-length paths, the optimal single-edge interdiction is an endpoint edge, and with multiple interdictions the optimal strategy successively cuts leaf edges.
A further line treats poisoning as vaccination against threshold activation. "Vaccinate your trees!" defines a threshold function 17 on a graph and the 18-hull process; a dynamic monopoly is a seed set that eventually activates the whole graph. The paper studies two budgeted problems on trees: threshold boosting, in which one chooses 19 vertices and sets their thresholds to 20, and vertex removal, in which one deletes 21 vertices. The goals are
22
and
23
For rooted trees, the paper gives exact dynamic programs running in 24 time for threshold boosting and 25 time for vertex removal (Ehard et al., 2018). These algorithms exploit the same structural motif seen elsewhere in the tree-poisoning literature: a post-order recursion with local state summarizing whether a parent has already become active.
6. Shared structure, impossibility phenomena, and open directions
Several cross-cutting themes recur across these formulations. First, the mathematics is overwhelmingly recursive. Decision-tree poisoning operates through recursive partition refinement and sub-tree retraining (Calzavara et al., 2024, Drews et al., 2019). Containment, broadcasting, disease propagation, and threshold activation are all defined by local update rules on rooted subtrees (Meister et al., 2022, Hopkins et al., 2024, Debs et al., 2015, Ehard et al., 2018). Firefighter, RMFC, stochastic critical-node interdiction, and p-median interdiction all derive tractability on trees from unique paths, layered decompositions, or laminar constraints (Adjiashvili et al., 2016, Hosteins et al., 2018, Leiß et al., 2023).
Second, tree poisoning almost always exhibits threshold behavior. In the contagion-tracing model, small 26 or 27 give universal high-probability containment, whereas sufficiently large 28 yields runaway growth under any fixed non-trivial policy (Meister et al., 2022). In adversarially robust broadcasting, the decisive parameters are 29 and the corruption rate 30: worst-case location corruption is impossible to tolerate asymptotically, but semirandom corruption is tolerable up to 31 when 32 exceeds 33 (Hopkins et al., 2024). In multi-disease propagation, a phase transition occurs at 34, after which attracting fixed points give way to periodic behavior (Debs et al., 2015). In differentially private learning, robustness degrades exponentially in 35 through the factor 36 (Vos et al., 2023).
Third, the literature repeatedly distinguishes worst-case from structured adversaries. Worst-case leaf corruption can erase information about the root (Hopkins et al., 2024). White-box data-poisoning attacks on learned trees exploit exact knowledge of the learner and hyperparameters (Calzavara et al., 2024). By contrast, certification under bounded insertions or deletions, semirandom corruption, or differential privacy imposes enough structure to recover meaningful guarantees (Drews et al., 2019, Vos et al., 2023, Hopkins et al., 2024). This suggests that the practical severity of tree poisoning depends as much on the adversary model as on the tree model itself.
Open directions stated in the supplied materials are similarly varied. For private robust tree learning, they include tighter poisoning bounds for DP trees, adaptive data-dependent depth control under DP, and extensions to ensembles (Vos et al., 2023). For disease transmission on trees, they include probabilistic activation variants, critical conditions on offspring distributions in Galton–Watson trees, and classification of higher-period dynamics for general 37 (Debs et al., 2015). More broadly, the optimization literature indicates that several tree-restricted problems become substantially harder on general graphs, so the extent to which tree-specific techniques—sub-tree retraining, laminar LP strengthening, Benders cuts over unique paths, or rooted-subtree dynamic programs—can transfer beyond trees remains an active methodological question (Adjiashvili et al., 2016, Hosteins et al., 2018, Leiß et al., 2023).
Taken together, these works portray the tree poisoning problem as a technically diverse but structurally coherent area. Whether the tree is a learned classifier, a stochastic contact tree, a broadcast graph, or a rooted combinatorial network, the central issue is the same: local adversarial perturbations can reorganize global behavior through recursion, and understanding that reorganization requires explicit attention to budgets, observability, update order, and threshold regimes.