Faster Repeated Evasion Attacks in Tree Ensembles
This work addresses a computational bottleneck for security researchers and practitioners using tree ensembles, offering an incremental improvement over existing methods.
The paper tackles the problem of efficiently generating adversarial examples for tree ensembles by exploiting the consistency of perturbed features across multiple attacks, resulting in faster repeated evasion attacks.
Tree ensembles are one of the most widely used model classes. However, these models are susceptible to adversarial examples, i.e., slightly perturbed examples that elicit a misprediction. There has been significant research on designing approaches to construct such examples for tree ensembles. But this is a computationally challenging problem that often must be solved a large number of times (e.g., for all examples in a training set). This is compounded by the fact that current approaches attempt to find such examples from scratch. In contrast, we exploit the fact that multiple similar problems are being solved. Specifically, our approach exploits the insight that adversarial examples for tree ensembles tend to perturb a consistent but relatively small set of features. We show that we can quickly identify this set of features and use this knowledge to speedup constructing adversarial examples.