Symmetry Defense Against XGBoost Adversarial Perturbation Attacks

TL;DR

This paper explores how symmetry-based defenses can significantly improve the robustness of gradient-boosting decision trees (GBDTs) against adversarial attacks, achieving near-perfect accuracy in challenging scenarios.

Contribution

It demonstrates that GBDTs lack invariance to symmetries and introduces a symmetry defense method that substantially enhances adversarial robustness.

Findings

Up to 100% accuracy against zero-knowledge attacks.

Over 95% accuracy against perfect-knowledge attacks on F-MNIST.

First application of symmetry defense to GBDTs.

Abstract

We examine whether symmetry can be used to defend tree-based ensemble classifiers such as gradient-boosting decision trees (GBDTs) against adversarial perturbation attacks. The idea is based on a recent symmetry defense for convolutional neural network classifiers (CNNs) that utilizes CNNs' lack of invariance with respect to symmetries. CNNs lack invariance because they can classify a symmetric sample, such as a horizontally flipped image, differently from the original sample. CNNs' lack of invariance also means that CNNs can classify symmetric adversarial samples differently from the incorrect classification of adversarial samples. Using CNNs' lack of invariance, the recent CNN symmetry defense has shown that the classification of symmetric adversarial samples reverts to the correct sample classification. In order to apply the same symmetry defense to GBDTs, we examine GBDT invariance and are the first to show that GBDTs also lack invariance with respect to symmetries. We apply and evaluate the GBDT symmetry defense for nine datasets against six perturbation attacks with a threat model that ranges from zero-knowledge to perfect-knowledge adversaries. Using the feature inversion symmetry against zero-knowledge adversaries, we achieve up to 100% accuracy on adversarial samples even when default and robust classifiers have 0% accuracy. Using the feature inversion and horizontal flip symmetries against perfect-knowledge adversaries, we achieve up to over 95% accuracy on adversarial samples for the GBDT classifier of the F-MNIST dataset even when default and robust classifiers have 0% accuracy.