Scalable Whitebox Attacks on Tree-based Models
Giuseppe Castiglione, Gavin Ding, Masoud Hashemi, Christopher Srinivasa, Ga Wu

TL;DR
This paper introduces a scalable whitebox attack method for tree ensemble models by smoothing them with sigmoid functions, enabling gradient-based attacks and revealing vulnerabilities efficiently.
Contribution
It presents a novel approach that adapts gradient-based adversarial testing to non-differentiable tree models, bridging a gap in robustness evaluation for industry-relevant models.
Findings
Successfully reveals vulnerabilities in tree ensembles
Scales to large testing tasks with manageable computational cost
Balances attack effectiveness and efficiency
Abstract
Adversarial robustness is one of the essential safety criteria for guaranteeing the reliability of machine learning models. While various adversarial robustness testing approaches were introduced in the last decade, we note that most of them are incompatible with non-differentiable models such as tree ensembles. Since tree ensembles are widely used in industry, this reveals a crucial gap between adversarial robustness research and practical applications. This paper proposes a novel whitebox adversarial robustness testing approach for tree ensemble models. Concretely, the proposed approach smooths the tree ensembles through temperature-controlled sigmoid functions, which enables gradient descent-based adversarial attacks. By leveraging sampling and the log-derivative trick, the proposed approach can scale up to testing tasks that were previously unmanageable. We compare the approach…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Explainable Artificial Intelligence (XAI)
