Decision-based evasion attacks on tree ensemble classifiers

Published: 01 September 2020

Abstract

Learning-based classifiers are known to be susceptible to adversarial examples. Recent studies have suggested that ensemble classifiers tend to be more robust than single classifiers against evasion attacks. In this paper, we argue that this is not necessarily the case. In particular, we show that a discrete-valued random forest classifier can be easily evaded by adversarial inputs manipulated using only the model's decision outputs. The proposed evasion algorithm is gradient-free and can be implemented efficiently. Our evaluation results demonstrate that random forests can be even more vulnerable than SVMs, either single or ensemble, to evasion attacks under both white-box and the more realistic black-box settings.



Published In

World Wide Web, Volume 23, Issue 5
Sep 2020
321 pages

Publisher

Kluwer Academic Publishers
United States

Publication History

Published: 01 September 2020
Accepted: 30 March 2020
Revision received: 07 February 2020
Received: 26 March 2019

Author Tags

1. Adversarial machine learning
2. Tree ensemble classifiers
3. Evasion attacks

Qualifiers

• Research-article
