Abstract
Learning-based classifiers are found to be susceptible to adversarial examples. Recent studies suggested that ensemble classifiers tend to be more robust than single classifiers against evasion attacks. In this paper, we argue that this is not necessarily the case. In particular, we show that a discrete-valued random forest classifier can be easily evaded by adversarial inputs manipulated based only on the model decision outputs. The proposed evasion algorithm is gradient free and can be fast implemented. Our evaluation results demonstrate that random forests can be even more vulnerable than SVMs, either single or ensemble, to evasion attacks under both white-box and the more realistic black-box settings.
Similar content being viewed by others
References
Androutsopoulos, I., Paliouras, G., Michelakis, E: Learning to Filter Unsolicited Commercial E-mail. “DEMOKRITOS” National Center for Scientific Research (2004)
Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples. In: International Conference on Machine Learning, pp 274–283 (2018)
Biggio, B., Roli, F.: Wild patterns: Ten years after the rise of adversarial machine learning. Pattern Recogn. 84, 317–331 (2018)
Biggio, B., Fumera, G., Roli, F.: Multiple classifier systems for robust classifier design in adversarial environments. Int. J. Mach. Learn. Cybern. 1(1-4), 27–41 (2010)
Biggio, B., Corona, I., Maiorca, D., Nelson, B., ŠrndiĆ, N., Laskov, P., Giacinto, G., Roli, F.: Evasion attacks against machine learning at test time. In: Joint European Conference on Machine Learning and Knowledge Discovery in Databases, pp 387–402 (2013)
Brendel, W., Rauber, J., Bethge, M.: Decision-Based Adversarial Attacks: Reliable Attacks against Black-Box Machine Learning Models. In: International Conference on Learning Representations (2018)
Calzavara, S., Lucchese, C., Tolomei, G., Abebe, S.A., Orlando, S.: Treant:, Training evasion-aware decision trees. arXiv:1907.01197 (2019)
Carlini, N., Wagner, D.: Towards Evaluating the Robustness of Neural Networks. In: IEEE Symposium on Security and Privacy, pp 39–57 (2017)
Carlini, N., Athalye, A., Papernot, N., Brendel, W., Rauber, J., Tsipras, D., Goodfellow, I., Madry, A.: On evaluating adversarial robustness. arXiv:1902.06705 (2019)
Chang, C.C., Lin, C.J.: Libsvm: a library for support vector machines. ACM Trans. Intell. Syst. Technol. 2(3), 1–27 (2011)
Cheng, M., Le, T., Chen, P.Y., Zhang, H., Yi, J., Hsieh, C.J.: Query-efficient hard-label black-box attack: an optimization-based approach. In: International Conference on Learning Representation (2019)
Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. In: International Conference on Learning Representations (2015)
Ho, T.K.: The random subspace method for constructing decision forests. IEEE Trans. Pattern Anal. Mach. Intell. 20(8), 832–844 (1998)
Ho, T.K.: A data complexity analysis of comparative advantages of decision forest constructors. Pattern Analysis & Applications 5(2), 102–112 (2002)
Huang, L., Joseph, A.D., Nelson, B., Rubinstein, B.I., Tygar, J.: Adversarial machine learning. In: ACM Workshop on Security and Artificial Intelligence, pp 43–58 (2011)
Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-Box Adversarial Attacks with Limited Queries and Information. In: International Conference on Machine Learning, pp 2137–2146 (2018)
Kantchelian, A., Tygar, J., Joseph, A.: Evasion and hardening of tree ensemble classifiers. In: International Conference on Machine Learning, pp 2387–2396 (2016)
Kurakin, A., Goodfellow, I., Bengio, S.: Adversarial machine learning at scale. In: International Conference on Learning Representations (2017)
LeCun, Y., Bottou, L., Bengio, Y., Haffner, P.: Gradient-based learning applied to document recognition. Proc. IEEE 86(11), 2278–2324 (1998)
Moosavi-Dezfooli, S.M., Fawzi, A., Frossard, P.: Deepfool: a Simple and Accurate Method to Fool Deep Neural Networks. In: IEEE Conference on Computer Vision and Pattern Recognition, pp 2574–2582 (2016)
Mujtaba, G., Shuib, L., Raj, R.G., Majeed, N., Al-Garadi, M.A.: Email classification research trends: review and open issues. IEEE Access 5, 9044–9064 (2017)
Papernot, N., McDaniel, P., Sinha, A., Wellman, M.: Towards the science of security and privacy in machine learning. arXiv:1611.03814 (2016)
Smutz, C., Stavrou, A.: When a tree falls: using diversity in ensemble classifiers to identify evasion in malware detectors. In: Network and Distributed System Security Symposium (2016)
Šrndic, N., Laskov, P.: Practical evasion of a learning-based classifier: a case study. In: IEEE Symposium on Security and Privacy, pp 197–211 (2014)
Wu, L., Zhu, Z., Tai, C., et al.: Understanding and enhancing the transferability of adversarial examples. arXiv:1802.09707 (2018)
Zhang, F., Chan, P.P., Biggio, B., Yeung, D.S., Roli, F.: Adversarial feature selection against evasion attacks. IEEE Trans. Cybern. 46(3), 766–777 (2016)
Zhang, F.Y., Wang, Y., Wang, H.: Gradient Correlation: are ensemble classifiers more robust against evasion attacks in practical settings?. In: International Conference on Web Information Systems Engineering. pp. 96–110 (2018)
Zhou, Z.H.: Ensemble methods: foundations and algorithms. CRC Press, Boca Raton (2012)
Acknowledgements
This work was supported in part by National Natural Science Foundation of China (61876038) and in part by Dongguan University of Technology (KCYKYQD2017003).
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This article belongs to the Topical Collection: Special Issue on Web Information Systems Engineering 2018
Guest Editors: Hakim Hacid, Wojciech Cellary, Hua Wang and Yanchun Zhang
Rights and permissions
About this article
Cite this article
Zhang, F., Wang, Y., Liu, S. et al. Decision-based evasion attacks on tree ensemble classifiers. World Wide Web 23, 2957–2977 (2020). https://doi.org/10.1007/s11280-020-00813-y
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11280-020-00813-y