Trained Random Forests Completely Reveal your Dataset
This reveals a critical vulnerability in widely used ensemble methods, impacting privacy and security in machine learning applications.
The paper tackles the problem of dataset reconstruction from trained random forests, demonstrating that an optimization-based attack can completely or near-completely reconstruct the training dataset using information from common libraries like scikit-learn, with results showing susceptibility even with small numbers of trees and partial reconstruction with bootstrap aggregation.
We introduce an optimization-based reconstruction attack capable of completely or near-completely reconstructing a dataset utilized for training a random forest. Notably, our approach relies solely on information readily available in commonly used libraries such as scikit-learn. To achieve this, we formulate the reconstruction problem as a combinatorial problem under a maximum likelihood objective. We demonstrate that this problem is NP-hard, though solvable at scale using constraint programming -- an approach rooted in constraint propagation and solution-domain reduction. Through an extensive computational investigation, we demonstrate that random forests trained without bootstrap aggregation but with feature randomization are susceptible to a complete reconstruction. This holds true even with a small number of trees. Even with bootstrap aggregation, the majority of the data can also be reconstructed. These findings underscore a critical vulnerability inherent in widely adopted ensemble methods, warranting attention and mitigation. Although the potential for such reconstruction attacks has been discussed in privacy research, our study provides clear empirical evidence of their practicability.