Alex Kantchelian,J. D. Tygar,Anthony D. Joseph

DOI: https://doi.org/10.48550/arXiv.1509.07892

2016-05-27

Abstract:Classifier evasion consists in finding for a given instance $x$ the nearest instance $x'$ such that the classifier predictions of $x$ and $x'$ are different. We present two novel algorithms for systematically computing evasions for tree ensembles such as boosted trees and random forests. Our first algorithm uses a Mixed Integer Linear Program solver and finds the optimal evading instance under an expressive set of constraints. Our second algorithm trades off optimality for speed by using symbolic prediction, a novel algorithm for fast finite differences on tree ensembles. On a digit recognition task, we demonstrate that both gradient boosted trees and random forests are extremely susceptible to evasions. Finally, we harden a boosted tree model without loss of predictive accuracy by augmenting the training set of each boosting round with evading instances, a technique we call adversarial boosting.

Machine Learning,Cryptography and Security

Lorenzo Cascioli,Laurens Devos,Ondřej Kuželka,Jesse Davis

2024-02-14

Abstract:Tree ensembles are one of the most widely used model classes. However, these models are susceptible to adversarial examples, i.e., slightly perturbed examples that elicit a misprediction. There has been significant research on designing approaches to construct such examples for tree ensembles. But this is a computationally challenging problem that often must be solved a large number of times (e.g., for all examples in a training set). This is compounded by the fact that current approaches attempt to find such examples from scratch. In contrast, we exploit the fact that multiple similar problems are being solved. Specifically, our approach exploits the insight that adversarial examples for tree ensembles tend to perturb a consistent but relatively small set of features. We show that we can quickly identify this set of features and use this knowledge to speedup constructing adversarial examples.

Machine Learning

Patrick P. K. Chan,Juan Zheng,Han Liu,E. C. C. Tsang,Daniel S. Yeung

DOI: https://doi.org/10.1016/j.asoc.2021.107311

IF: 8.7

2021-01-01

Applied Soft Computing

Abstract:Although decision trees have been widely applied to different security related applications, their security has not been investigated extensively in an adversarial environment. This work aims to study the robustness of classical decision tree (DT) and Fuzzy decision tree (FDT) under evasion attack that manipulate the features in order to mislead the decision of a classifier. To the best of our knowledge, existing attack methods cannot be applied to DT due to non-differentiation of its decision function. This is the first attack model designed for both DT and FDT. Our model quantifies the influence of changing a feature on the decision. The effectiveness of our method is compared with Papernot (PPNT) and Robustness Verification of Tree-based Models (RVTM), which are state-of-the-art attack methods for DT, and the attack methods employing surrogate and Generative Adversarial Network (GAN) methods. The experimental results suggest that the fuzzifying process increases the robustness of DT. Moreover, FDT with more membership functions is more vulnerable since a smaller number of features is usually used. This study fills the gap of examining the security issue of fuzzy systems in an adversarial environment.

Fuyong Zhang,Kuan Li,Ziliang Ren

DOI: https://doi.org/10.3390/math12060834

IF: 2.4

2024-03-13

Mathematics

Abstract:Learning-based classifiers are found to be vulnerable to attacks by adversarial samples. Some works suggested that ensemble classifiers tend to be more robust than single classifiers against evasion attacks. However, recent studies have shown that this is not necessarily the case under more realistic settings of black-box attacks. In this paper, we propose a novel ensemble approach to improve the robustness of classifiers against evasion attacks by using diversified feature selection and a stochastic aggregation strategy. Our proposed scheme includes three stages. Firstly, the adversarial feature selection algorithm is used to select a feature each time that can trade-offbetween classification accuracy and robustness, and add it to the feature vector bank. Secondly, each feature vector in the bank is used to train a base classifier and is added to the base classifier bank. Finally, m classifiers from the classifier bank are randomly selected for decision-making. In this way, it can cause each classifier in the base classifier bank to have good performance in terms of classification accuracy and robustness, and it also makes it difficult to estimate the gradients of the ensemble accurately. Thus, the robustness of classifiers can be improved without reducing the classification accuracy. Experiments performed using both Linear and Kernel SVMs on genuine datasets for spam filtering, malware detection, and handwritten digit recognition demonstrate that our proposed approach significantly improves the classifiers' robustness against evasion attacks.

mathematics

Yushun Xie,Zhaoquan Gu,Xiaopeng Fu,Le Wang,Weihong Han,Yuexuan Wang

DOI: https://doi.org/10.1109/ithings-greencom-cpscom-smartdata-cybermatics50389.2020.00103

2020-01-01

Abstract:Deep neural networks are vulnerable to the adversarial examples that are generated by adding small perturbations to the original inputs. Similarly, traditional machine learning models such as logistic regression and support vector machine are also threatened by such carefully generated adversarial examples. In this paper, we study the adversarial texts that could mislead the sentiment analysis of traditional machine learning models. We present the Ensemble Word Addition (EWA) algorithm, which filters out a small number of words that have large attack ability and these words are added at the end of the original text. By extensive experiments, we show that the generated adversarial texts could fool some traditional machine learning models with a very high confidence, but they cannot affect human's judgment. The experimental results show that the proposed algorithm has a powerful attack ability to misleading the sentiment analysis, specifically the attack success rate could reach above 95% by only adding 4.6% words.

Stefano Calzavara,Pietro Ferrara,Claudio Lucchese

DOI: https://doi.org/10.48550/arXiv.2007.02771

2020-07-06

Abstract:Machine learning has proved invaluable for a range of different tasks, yet it also proved vulnerable to evasion attacks, i.e., maliciously crafted perturbations of input data designed to force mispredictions. In this paper we propose a novel technique to verify the security of decision tree models against evasion attacks with respect to an expressive threat model, where the attacker can be represented by an arbitrary imperative program. Our approach exploits the interpretability property of decision trees to transform them into imperative programs, which are amenable for traditional program analysis techniques. By leveraging the abstract interpretation framework, we are able to soundly verify the security guarantees of decision tree models trained over publicly available datasets. Our experiments show that our technique is both precise and efficient, yielding only a minimal number of false positives and scaling up to cases which are intractable for a competitor approach.

Machine Learning

Edoardo Debenedetti,Nicholas Carlini,Florian Tramèr

2024-02-14

Abstract:Decision-based evasion attacks repeatedly query a black-box classifier to generate adversarial examples. Prior work measures the cost of such attacks by the total number of queries made to the classifier. We argue this metric is flawed. Most security-critical machine learning systems aim to weed out "bad" data (e.g., malware, harmful content, etc). Queries to such systems carry a fundamentally asymmetric cost: queries detected as "bad" come at a higher cost because they trigger additional security filters, e.g., usage throttling or account suspension. Yet, we find that existing decision-based attacks issue a large number of "bad" queries, which likely renders them ineffective against security-critical systems. We then design new attacks that reduce the number of bad queries by $1.5$-$7.3\times$, but often at a significant increase in total (non-bad) queries. We thus pose it as an open problem to build black-box attacks that are more effective under realistic cost metrics.

Cryptography and Security,Machine Learning

Stefano Calzavara,Lorenzo Cazzaro,Giulio Ermanno Pibiri,Nicola Prezza

2023-11-12

Abstract:Verifying the robustness of machine learning models against evasion attacks at test time is an important research problem. Unfortunately, prior work established that this problem is NP-hard for decision tree ensembles, hence bound to be intractable for specific inputs. In this paper, we identify a restricted class of decision tree ensembles, called large-spread ensembles, which admit a security verification algorithm running in polynomial time. We then propose a new approach called verifiable learning, which advocates the training of such restricted model classes which are amenable for efficient verification. We show the benefits of this idea by designing a new training algorithm that automatically learns a large-spread decision tree ensemble from labelled data, thus enabling its security verification in polynomial time. Experimental results on public datasets confirm that large-spread ensembles trained using our algorithm can be verified in a matter of seconds, using standard commercial hardware. Moreover, large-spread ensembles are more robust than traditional ensembles against evasion attacks, at the cost of an acceptable loss of accuracy in the non-adversarial setting.

Machine Learning,Cryptography and Security,Logic in Computer Science

Yuki Yamaguchi,Toshiaki Aoki

DOI: https://doi.org/10.48550/arXiv.2312.16957

2023-12-28

Abstract:Recently, the evolution of deep learning has promoted the application of machine learning (ML) to various systems. However, there are ML systems, such as autonomous vehicles, that cause critical damage when they misclassify. Conversely, there are ML-specific attacks called adversarial attacks based on the characteristics of ML systems. For example, one type of adversarial attack is an evasion attack, which uses minute perturbations called "adversarial examples" to intentionally misclassify classifiers. Therefore, it is necessary to analyze the risk of ML-specific attacks in introducing ML base systems. In this study, we propose a quantitative evaluation method for analyzing the risk of evasion attacks using attack trees. The proposed method consists of the extension of the conventional attack tree to analyze evasion attacks and the systematic construction method of the extension. In the extension of the conventional attack tree, we introduce ML and conventional attack nodes to represent various characteristics of evasion attacks. In the systematic construction process, we propose a procedure to construct the attack tree. The procedure consists of three steps: (1) organizing information about attack methods in the literature to a matrix, (2) identifying evasion attack scenarios from methods in the matrix, and (3) constructing the attack tree from the identified scenarios using a pattern. Finally, we conducted experiments on three ML image recognition systems to demonstrate the versatility and effectiveness of our proposed method.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning,Software Engineering

Fei Zhang,Patrick P. K. Chan,Battista Biggio,Daniel S. Yeung,Fabio Roli

DOI: https://doi.org/10.1109/tcyb.2015.2415032

IF: 11.8

2016-01-01

IEEE Transactions on Cybernetics

Abstract:Pattern recognition and machine learning techniques have been increasinglyadopted in adversarial settings such as spam, intrusion and malware detection,although their security against well-crafted attacks that aim to evadedetection by manipulating data at test time has not yet been thoroughlyassessed. While previous work has been mainly focused on devisingadversary-aware classification algorithms to counter evasion attempts, only fewauthors have considered the impact of using reduced feature sets on classifiersecurity against the same attacks. An interesting, preliminary result is thatclassifier security to evasion may be even worsened by the application offeature selection. In this paper, we provide a more detailed investigation ofthis aspect, shedding some light on the security properties of featureselection against evasion attacks. Inspired by previous work on adversary-awareclassifiers, we propose a novel adversary-aware feature selection model thatcan improve classifier security against evasion attacks, by incorporatingspecific assumptions on the adversary's data manipulation strategy. We focus onan efficient, wrapper-based implementation of our approach, and experimentallyvalidate its soundness on different application examples, including spam andmalware detection.

Ziad Ali,Ameer Mohammed,Imtiaz Ahmad

DOI: https://doi.org/10.1109/tifs.2024.3402309

IF: 7.231

2024-05-25

IEEE Transactions on Information Forensics and Security

Abstract:Machine learning classifiers are vulnerable to adversarial examples, which are carefully crafted inputs designed to compromise their classification performance. Recently, a new machine learning classifier was proposed that is composed of forests of decision trees, inspired by the architecture of deep neural networks. However, deep neural networks are vulnerable to adversarial attacks. Therefore, in this work, we launch a series of adversarial attacks on deep forests, including black-box and white-box attacks, to assess its vulnerability to adversarial attacks for the first time. Prior work has shown that adversarial examples crafted on one model transfer across various models with different learning techniques. We demonstrate empirically that deep forest is vulnerable to cross-technique-based transferability attacks. On the other hand, to improve the performance of deep forest under adversarial settings, our work includes experiments that demonstrate that training non-differentiable models such as deep forests on randomly or adversarially perturbed inputs increases its adversarial robustness to such attacks. Furthermore, a heuristic white-box method to attack deep forests is proposed by implementing a faster and more efficient decision tree attack algorithm. By attacking both deep forest components, namely the cascade forest and multi-grained layer, we show that deep forests are susceptible to the proposed white-box adversarial attack.

computer science, theory & methods,engineering, electrical & electronic

Rui Shu,Tianpei Xia,Laurie Williams,Tim Menzies

DOI: https://doi.org/10.48550/arXiv.2011.12720

2021-10-13

Abstract:Background: Machine learning-based security detection models have become prevalent in modern malware and intrusion detection systems. However, previous studies show that such models are susceptible to adversarial evasion attacks. In this type of attack, inputs (i.e., adversarial examples) are specially crafted by intelligent malicious adversaries, with the aim of being misclassified by existing state-of-the-art models (e.g., deep neural networks). Once the attackers can fool a classifier to think that a malicious input is actually benign, they can render a machine learning-based malware or intrusion detection system ineffective. Goal: To help security practitioners and researchers build a more robust model against non-adaptive, white-box, and non-targeted adversarial evasion attacks through the idea of an ensemble model. Method: We propose an approach called Omni, the main idea of which is to explore methods that create an ensemble of "unexpected models"; i.e., models whose control hyperparameters have a large distance to the hyperparameters of an adversary's target model, with which we then make an optimized weighted ensemble prediction. Result: In studies with five types of adversarial evasion attacks (FGSM, BIM, JSMA, DeepFooland Carlini-Wagner) on five security datasets (NSL-KDD, CIC-IDS-2017, CSE-CIC-IDS2018, CICAnd-Mal2017, and the Contagio PDF dataset), we show Omni is a promising approach as a defense strategy against adversarial attacks when compared with other baseline treatments. Conclusion: When employing ensemble defense against adversarial evasion attacks, we suggest creating an ensemble with unexpected models that are distant from the attacker's expected model (i.e., target model) through methods such as hyperparameter optimization.

Cryptography and Security,Machine Learning

Jie Zhang,Kristina Nikolić,Nicholas Carlini,Florian Tramèr

2024-11-22

Abstract:Ensemble everything everywhere is a defense to adversarial examples that was recently proposed to make image classifiers robust. This defense works by ensembling a model's intermediate representations at multiple noisy image resolutions, producing a single robust classification. This defense was shown to be effective against multiple state-of-the-art attacks. Perhaps even more convincingly, it was shown that the model's gradients are perceptually aligned: attacks against the model produce noise that perceptually resembles the targeted class. In this short note, we show that this defense is not robust to adversarial attack. We first show that the defense's randomness and ensembling method cause severe gradient masking. We then use standard adaptive attack techniques to reduce the defense's robust accuracy from 48% to 1% on CIFAR-100 and from 62% to 4% on CIFAR-10, under the $\ell_\infty$-norm threat model with $\varepsilon=8/255$.

Machine Learning

Battista Biggio,Igino Corona,Zhi-Min He,Patrick P. K. Chan,Giorgio Giacinto,Daniel S. Yeung,Fabio Roli

DOI: https://doi.org/10.1007/978-3-319-20248-8_15

2015-01-01

Abstract:Pattern classifiers have been widely used in adversarial settings like spam and malware detection, although they have not been originally designed to cope with intelligent attackers that manipulate data at test time to evade detection. While a number of adversary-aware learning algorithms have been proposed, they are computationally demanding and aim to counter specific kinds of adversarial data manipulation. In this work, we overcome these limitations by proposing a multiple classifier system capable of improving security against evasion attacks at test time by learning a decision function that more tightly encloses the legitimate samples in feature space, without significantly compromising accuracy in the absence of attack. Since we combine a set of one-class and two-class classifiers to this end, we name our approach one-and-a-half-class (1.5C) classification. Our proposal is general and it can be used to improve the security of any classifier against evasion attacks at test time, as shown by the reported experiments on spam and malware detection.

Jan Brabec,Lukas Machlica

DOI: https://doi.org/10.1109/SMC.2018.00563

2021-07-26

Abstract:In this paper, Bayesian based aggregation of decision trees in an ensemble (decision forest) is investigated. The focus is laid on multi-class classification with number of samples significantly skewed toward one of the classes. The algorithm leverages out-of-bag datasets to estimate prediction errors of individual trees, which are then used in accordance with the Bayes rule to refine the decision of the ensemble. The algorithm takes prevalence of individual classes into account and does not require setting of any additional parameters related to class weights or decision-score thresholds. Evaluation is based on publicly available datasets as well as on an proprietary dataset comprising network traffic telemetry from hundreds of enterprise networks with over a million of users overall. The aim is to increase the detection capabilities of an operating malware detection system. While we were able to keep precision of the system higher than 94\%, that is only 6 out of 100 detections shown to the network administrator are false alarms, we were able to achieve increase of approximately 7\% in the number of detections. The algorithm effectively handles large amounts of data, and can be used in conjunction with most of the state-of-the-art algorithms used to train decision forests.

Machine Learning

Wei Huang,Xingyu Zhao,Xiaowei Huang

DOI: https://doi.org/10.1007/s10994-021-06068-6

IF: 5.414

2021-11-24

Machine Learning

Abstract:Abstract The embedding and extraction of knowledge is a recent trend in machine learning applications, e.g., to supplement training datasets that are small. Whilst, as the increasing use of machine learning models in security-critical applications, the embedding and extraction of malicious knowledge are equivalent to the notorious backdoor attack and defence, respectively. This paper studies the embedding and extraction of knowledge in tree ensemble classifiers, and focuses on knowledge expressible with a generic form of Boolean formulas, e.g., point-wise robustness and backdoor attacks. For the embedding, it is required to be preservative (the original performance of the classifier is preserved), verifiable (the knowledge can be attested), and stealthy (the embedding cannot be easily detected). To facilitate this, we propose two novel, and effective embedding algorithms, one of which is for black-box settings and the other for white-box settings. The embedding can be done in PTIME . Beyond the embedding, we develop an algorithm to extract the embedded knowledge, by reducing the problem to be solvable with an SMT (satisfiability modulo theories) solver. While this novel algorithm can successfully extract knowledge, the reduction leads to an NP computation. Therefore, if applying embedding as backdoor attacks and extraction as defence, our results suggest a complexity gap (P vs. NP) between the attack and defence when working with tree ensemble classifiers. We apply our algorithms to a diverse set of datasets to validate our conclusion extensively.

computer science, artificial intelligence

Ramy Maarouf,Danish Sattar,Ashraf Matrawy

DOI: https://doi.org/10.1109/iscc53001.2021.9631407

2021-09-05

Abstract:Machine learning and deep learning algorithms can be used to classify encrypted Internet traffic. Classification of encrypted traffic can become more challenging in the presence of adversarial attacks that target the learning algorithms. In this paper, we focus on investigating the effectiveness of different evasion attacks and see how resilient machine and deep learning algorithms are. Namely, we test C4.5 Decision Tree, K-Nearest Neighbor (KNN), Artificial Neural Network (ANN), Convolutional Neural Networks (CNN) and Recurrent Neural Networks (RNN). In most of our experimental results, deep learning shows better resilience against the adversarial samples in comparison to machine learning. Whereas, the impact of the attack varies depending on the type of attack.

Francesco Ranzato,Marco Zanella

DOI: https://doi.org/10.48550/arXiv.2012.11352

2020-12-21

Abstract:We put forward a novel learning methodology for ensembles of decision trees based on a genetic algorithm which is able to train a decision tree for maximizing both its accuracy and its robustness to adversarial perturbations. This learning algorithm internally leverages a complete formal verification technique for robustness properties of decision trees based on abstract interpretation, a well known static program analysis technique. We implemented this genetic adversarial training algorithm in a tool called Meta-Silvae (MS) and we experimentally evaluated it on some reference datasets used in adversarial training. The experimental results show that MS is able to train robust models that compete with and often improve on the current state-of-the-art of adversarial training of decision trees while being much more compact and therefore interpretable and efficient tree models.

Machine Learning

Hongge Chen,Huan Zhang,Duane Boning,Cho-Jui Hsieh

DOI: https://doi.org/10.48550/arXiv.1902.10660

2019-06-11

Abstract:Although adversarial examples and model robustness have been extensively studied in the context of linear models and neural networks, research on this issue in tree-based models and how to make tree-based models robust against adversarial examples is still limited. In this paper, we show that tree based models are also vulnerable to adversarial examples and develop a novel algorithm to learn robust trees. At its core, our method aims to optimize the performance under the worst-case perturbation of input features, which leads to a max-min saddle point problem. Incorporating this saddle point objective into the decision tree building procedure is non-trivial due to the discrete nature of trees --- a naive approach to finding the best split according to this saddle point objective will take exponential time. To make our approach practical and scalable, we propose efficient tree building algorithms by approximating the inner minimizer in this saddle point problem, and present efficient implementations for classical information gain based trees as well as state-of-the-art tree boosting models such as XGBoost. Experimental results on real world datasets demonstrate that the proposed algorithms can substantially improve the robustness of tree-based models against adversarial examples.

Machine Learning

Ruoxi Qin,Linyuan Wang,Xuehui Du,Jian Chen,Xingyuan Chen,Bin Yan

DOI: https://doi.org/10.1016/j.engappai.2024.108653

IF: 8

2024-01-01

Engineering Applications of Artificial Intelligence

Abstract:As the adversarial robustness research of deep neural networks has struggled in attack and defense games with static defense methodology, scholars have introduced the dynamic idea of the systems control to changeover the passive defense position though adapting decision-making. According to the different levels at which dynamism acts on neural networks, dynamic defense methods can be mainly divided into two categories: dynamic feedback control based on input level and uncertainty estimation detection based on decision level. Although both methods aim to hinder the success of the attacker, they cannot achieve the perfect conditions for constructing black box attacks because they ignore the positive role of dynamics in defense at the model level. Inspired by conventional ensemble selection technology in machine learning that treats different models as mutable objects for improving accuracy in uncertain data, this work investigates the robustness issue from a new dynamic aspect: model-level dynamic defense, whether the dynamic attributes depend on input or decision. Specifically, the Dirichlet prior combined with diversity constraint is imposed on the ensemble parameter in training phase to construct select criterion and candidate sub-models. Therefore, the final prediction of ensemble can be strategically selected though the rank of different sub-models’ uncertainty value for robust decision-making in the test phase. The experimental results indicate the comprehensive promotion of robustness (at least 4.17% in black-box attack conditions and at least 1.78% in the case of high-disturbance white-box attack budge) of the proposed method compared with common dynamic and static defense methods.