Certifying Decision Trees Against Evasion Attacks by Program Analysis
Stefano Calzavara, Pietro Ferrara, Claudio Lucchese

TL;DR
This paper introduces a method to verify the security of decision trees against evasion attacks by transforming them into imperative programs and applying program analysis techniques, ensuring sound security guarantees.
Contribution
It presents a novel approach that leverages program analysis and abstract interpretation to certify decision trees against adversarial evasion attacks.
Findings
Technique is precise with minimal false positives
Scales to complex models intractable for previous methods
Soundly verifies security guarantees of decision trees
Abstract
Machine learning has proved invaluable for a range of different tasks, yet it also proved vulnerable to evasion attacks, i.e., maliciously crafted perturbations of input data designed to force mispredictions. In this paper we propose a novel technique to verify the security of decision tree models against evasion attacks with respect to an expressive threat model, where the attacker can be represented by an arbitrary imperative program. Our approach exploits the interpretability property of decision trees to transform them into imperative programs, which are amenable to traditional program analysis techniques. By leveraging the abstract interpretation framework, we are able to soundly verify the security guarantees of decision tree models trained over publicly available datasets. Our experiments show that our technique is both precise and efficient, yielding only a minimal number of…
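The idea in the abstract, as an added example that is not code from the paper: a decision tree read as nested if/else statements and analysed over an interval abstract domain to soundly certify one prediction. It assumes an attacker limited to shifting each feature by at most eps, a much simpler threat model than the arbitrary imperative-program attacker the paper considers; the tree, `reachable_labels` and `certify` are hypothetical names and constructed data.

```python
# Added illustration: interval abstract interpretation of one decision tree.
# Assumption: the attacker may shift every feature by at most eps (L-infinity).
from dataclasses import dataclass
from typing import List, Set, Tuple, Union

@dataclass
class Leaf:
    label: int

@dataclass
class Node:
    feature: int
    threshold: float
    left: "Tree"    # taken when x[feature] <= threshold
    right: "Tree"   # taken when x[feature] >  threshold

Tree = Union[Leaf, Node]
Box = List[Tuple[float, float]]  # one closed interval per feature

def predict(tree: Tree, x: List[float]) -> int:
    """Concrete semantics: the tree read as nested if/else statements."""
    while isinstance(tree, Node):
        tree = tree.left if x[tree.feature] <= tree.threshold else tree.right
    return tree.label

def reachable_labels(tree: Tree, box: Box) -> Set[int]:
    """Abstract semantics: labels of every leaf some point in the box may reach."""
    if isinstance(tree, Leaf):
        return {tree.label}
    f, t = tree.feature, tree.threshold
    lo, hi = box[f]
    labels: Set[int] = set()
    if lo <= t:   # the "then" branch is feasible; refine the interval to x <= t
        labels |= reachable_labels(tree.left, box[:f] + [(lo, min(hi, t))] + box[f + 1:])
    if hi > t:    # the "else" branch is feasible; closed bound over-approximates x > t
        labels |= reachable_labels(tree.right, box[:f] + [(max(lo, t), hi)] + box[f + 1:])
    return labels

def certify(tree: Tree, x: List[float], eps: float) -> bool:
    """True only if no perturbation within eps can change the prediction (sound)."""
    box = [(v - eps, v + eps) for v in x]
    return reachable_labels(tree, box) == {predict(tree, x)}

# Constructed sample tree, not taken from the paper's datasets.
TREE = Node(0, 5.0, Node(1, 2.0, Leaf(0), Leaf(1)), Leaf(1))

if __name__ == "__main__":
    print(certify(TREE, [3.0, 1.0], 0.5))
    print(certify(TREE, [3.0, 1.0], 1.5))
```

A `False` result means the analysis could not rule out an evasion; because the domain over-approximates, it may occasionally be a false positive, but a `True` result is a guarantee under the stated attacker assumption.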
Taxonomy
Methods / Interpretability
