On Lp-norm Robustness of Ensemble Decision Stumps and Trees

Yihan Wang
Hongge Chen

ICML 2020, 2020.

Keywords: adversarial example, ensemble stump, decision tree, decision stump, norm perturbation

Abstract:

Recent papers have demonstrated that ensemble stumps and trees could be vulnerable to small input perturbations, so robustness verification and defense for those models have become an important research problem. However, due to the structure of decision trees, where each node makes decision purely based on one feature value, all the previ...

Introduction
Highlights
  • It has been observed that small human-imperceptible perturbations can mislead a well-trained deep neural network (Goodfellow et al, 2015; Szegedy et al, 2013), which has led to extensive studies on the robustness of deep neural network models.
  • Cheng et al (2019a); Chen et al (2019a); Kantchelian et al (2016) showed that adversarial examples exist in ensemble trees, and several recent works considered the problem of robustness verification (Chen et al, 2019b; Ranzato & Zanella, 2019; 2020; Törnblom & Nadjm-Tehrani, 2019) and adversarial defense (Chen et al, 2019a; Andriushchenko & Hein, 2019; Chen et al, 2019e; Calzavara et al, 2019; 2020; Chen et al, 2019d) for ensemble trees and stumps.
  • For a single decision tree, similar to the ℓ∞ norm case, we show that complete verification of ℓp norm robustness can be done in linear time.
  • We prove that ℓ0 norm robustness evaluation can be done in linear time, while for the ℓp norm case with p ∈ (0, ∞), the robustness verification problem is NP-complete.
  • Incomplete verification for ℓp robustness: although it is impossible to solve ℓp verification for decision stumps in polynomial time, we show that sound (incomplete) verification can be done in polynomial time by dynamic programming, inspired by the pseudo-polynomial time algorithm for Knapsack.
  • For the ℓ1 norm robustness verification problem, we have shown that it is NP-complete to conduct complete verification.
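As an added illustration of the Knapsack-style dynamic program described in the highlights above (this is not the paper's code or its exact algorithm, and the four-stump ensemble, the point x, and the bucket count are all constructed for the demo), the sketch below groups stumps by feature, turns each feature's threshold segments into (cost, margin contribution) choices, rounds costs down into a fixed number of buckets so the resulting bound is sound, and certifies ℓp robustness when the minimized margin stays positive:

```python
import math
from collections import defaultdict

# Constructed toy ensemble: (feature, threshold, value if x[f] <= t, value otherwise).
STUMPS = [(0, 0.5, -1.0, 1.0), (0, 0.8, -0.5, 0.5),
          (1, 0.3, 1.0, -1.0), (2, 0.6, -0.2, 0.2)]

def predict_margin(stumps, x):
    """Sum of stump outputs; its sign is the predicted class."""
    return sum(a if x[f] <= t else b for f, t, a, b in stumps)

def feature_choices(stumps, x):
    """Per feature: (distance, margin contribution) for every segment between
    consecutive thresholds; the attacker picks one segment per feature. Distance
    to a neighbouring segment is measured to its boundary threshold, which
    under-estimates the true cost and therefore errs on the sound side."""
    per_feat = defaultdict(list)
    for f, t, a, b in stumps:
        per_feat[f].append((t, a, b))
    choices = {}
    for f, sts in per_feat.items():
        ts = sorted({t for t, _, _ in sts})
        segs = []
        for k in range(len(ts) + 1):
            lo = -math.inf if k == 0 else ts[k - 1]
            hi = math.inf if k == len(ts) else ts[k]
            val = sum(a if hi <= t else b for t, a, b in sts)  # x[f] in (lo, hi]
            dist = 0.0 if lo < x[f] <= hi else (lo - x[f] if x[f] <= lo else x[f] - hi)
            segs.append((dist, val))
        choices[f] = segs
    return choices

def dp_min_margin(stumps, x, eps, p, buckets=100):
    """Sound lower bound on the smallest margin reachable with ||delta||_p <= eps.
    Each segment's cost dist**p is rounded DOWN to whole buckets of eps**p/buckets,
    so the DP only under-counts cost: a positive result certifies robustness."""
    unit = eps ** p / buckets
    best = [0.0] * (buckets + 1)          # best[b]: min margin using <= b buckets
    for segs in feature_choices(stumps, x).values():
        nxt = [math.inf] * (buckets + 1)
        for dist, val in segs:
            c = math.floor(dist ** p / unit)
            for b in range(min(c, buckets + 1), buckets + 1):
                nxt[b] = min(nxt[b], best[b - c] + val)
        best = nxt
    return best[buckets]

def verify(stumps, x, eps, p, buckets=100):
    """True iff the prediction at x is certified unchanged under the ell_p budget."""
    if predict_margin(stumps, x) < 0:     # flip signs so 'robust' always means margin > 0
        stumps = [(f, t, -a, -b) for f, t, a, b in stumps]
    return dp_min_margin(stumps, x, eps, p, buckets) > 0
```

Running time is O(buckets × total number of segments), polynomial in the model size for a fixed bucket count; a finer bucket count tightens the bound at linear extra cost.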
Results
  • The authors empirically test the proposed algorithms for ℓp robustness verification and training.
  • The authors' code is publicly available at https://github.com/YihanWang617/On-ell_p-Robustnessof-Ensemble-Stumps-and-Trees.
  • In Table 2, the authors find that the proposed DP algorithm gives almost exactly the same bound as MILP, while being 50–100 times faster.
  • This speedup makes it practical for certified robust training.
Conclusion
  • The authors first develop methods to efficiently verify general ℓp norm robustness for tree-based ensemble models.
  • Based on these efficient verification algorithms, the authors further derive the first ℓp norm certified robust training algorithms for ensemble stumps and trees.
Summary
  • Adversarial attacks can only find adversarial examples, which does not provide a sound safety guarantee: even if an attack fails to find an adversarial example, it does not imply that no adversarial example exists.
Tables
  • Table 1: Summary of the algorithms and their complexity for robustness verification of ensemble trees and stumps. Blue cells are the contribution of this paper.
  • Table 2: General ℓp-norm ensemble stump verification. This table reports verified test error (verified err.) and average per-sample verification time (avg. time) of each method. For our proposed DP-based verification, precision is also reported. For ℓ0 verification, we report verified errors with an ℓ0 budget of 1 (changing 1 pixel). For the ℓ0 norm, we also report r∗, the average number of features that can be perturbed at most while the prediction stays the same.
  • Table 3: General ℓp-norm tree ensemble verification. We report verified test error (verified err.) and average per-example verification time (avg. time) of each method. K: size of cliques; L: number of levels in multi-level verification (defined similarly as in Chen et al, 2019b). Our ℓp incomplete verification obtains results very close to complete verification (MILP), with huge speedups.
Funding
  • This work is partially supported by NSF IIS-1719097, Intel, Google cloud and Facebook
  • Huan Zhang is supported by the IBM fellowship
References
  • Andriushchenko, M. and Hein, M. Provably robust boosted decision stumps and trees against adversarial attacks. In NeurIPS, 2019.
  • Athalye, A., Carlini, N., and Wagner, D. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv preprint arXiv:1802.00420, 2018.
  • Bastani, O., Pu, Y., and Solar-Lezama, A. Verifiable reinforcement learning via policy extraction. In Advances in Neural Information Processing Systems, pp. 2494–2504, 2018.
  • Brendel, W., Rauber, J., and Bethge, M. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. In ICLR, 2018.
  • Calzavara, S., Lucchese, C., Tolomei, G., Abebe, S. A., and Orlando, S. Treant: Training evasion-aware decision trees. arXiv preprint arXiv:1907.01197, 2019.
  • Calzavara, S., Lucchese, C., Marcuzzi, F., and Orlando, S. Feature partitioning for robust tree ensembles and their certification in adversarial scenarios. arXiv preprint arXiv:2004.03295, 2020.
  • Carlini, N. and Wagner, D. Towards evaluating the robustness of neural networks. In 2017 IEEE Symposium on Security and Privacy (SP), pp. 39–57. IEEE, 2017.
  • Chen, H., Zhang, H., Chen, P.-Y., Yi, J., and Hsieh, C.-J. Attacking visual language grounding with adversarial examples: A case study on neural image captioning. In Proceedings of the 56th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), pp. 2587–2597, 2018.
  • Chen, H., Zhang, H., Boning, D., and Hsieh, C.-J. Robust decision trees against adversarial examples. In ICML, 2019a.
  • Chen, H., Zhang, H., Si, S., Li, Y., Boning, D., and Hsieh, C.-J. Robustness verification of tree-based models. In NeurIPS, 2019b.
  • Chen, J., Jordan, M. I., and Wainwright, M. J. HopSkipJumpAttack: A query-efficient decision-based adversarial attack. arXiv preprint arXiv:1904.02144, 2019c.
  • Chen, P.-Y., Zhang, H., Sharma, Y., Yi, J., and Hsieh, C.-J. ZOO: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, pp. 15–26. ACM, 2017.
  • Chen, Y., Wang, S., Jiang, W., Cidon, A., and Jana, S. Training robust tree ensembles for security. arXiv preprint arXiv:1912.01149, 2019d.
  • Chen, Y., Wang, S., Jiang, W., Cidon, A., and Jana, S. Cost-aware robust tree ensembles for security applications. arXiv preprint arXiv:1912.01149, 2019e.
  • Cheng, M., Le, T., Chen, P.-Y., Yi, J., Zhang, H., and Hsieh, C.-J. Query-efficient hard-label black-box attack: An optimization-based approach. In ICLR, 2019a.
  • Cheng, M., Le, T., Chen, P.-Y., Zhang, H., Yi, J., and Hsieh, C.-J. Query-efficient hard-label black-box attack: An optimization-based approach. In International Conference on Learning Representations, 2019b. URL https://openreview.net/forum?id=rJlk6iRqKX.
  • Cheng, M., Singh, S., Chen, P., Chen, P.-Y., Liu, S., and Hsieh, C.-J. Sign-OPT: A query-efficient hard-label adversarial attack. In ICLR, 2020.
  • Friedman, J. H. Greedy function approximation: A gradient boosting machine. Annals of Statistics, pp. 1189–1232, 2001.
  • Gehr, T., Mirman, M., Drachsler-Cohen, D., Tsankov, P., Chaudhuri, S., and Vechev, M. AI2: Safety and robustness certification of neural networks with abstract interpretation. In 2018 IEEE Symposium on Security and Privacy (SP), pp. 3–18. IEEE, 2018.
  • Goodfellow, I. J., Shlens, J., and Szegedy, C. Explaining and harnessing adversarial examples. In ICLR, 2015.
  • Ilyas, A., Engstrom, L., Athalye, A., and Lin, J. Query-efficient black-box adversarial examples. In ICLR, 2018.
  • Kantchelian, A., Tygar, J., and Joseph, A. Evasion and hardening of tree ensemble classifiers. In ICML, 2016.
  • Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A. Towards deep learning models resistant to adversarial attacks. In ICLR, 2018.
  • Mirman, M., Gehr, T., and Vechev, M. Differentiable abstract interpretation for provably robust neural networks. In International Conference on Machine Learning, pp. 3578–3586, 2018.
  • Ranzato, F. and Zanella, M. Robustness verification of decision tree ensembles. OVERLAY@AI*IA, 2509:59–64, 2019.
  • Ranzato, F. and Zanella, M. Abstract interpretation of decision tree ensemble classifiers. In AAAI, pp. 5478–5486, 2020.
  • Salman, H., Yang, G., Zhang, H., Hsieh, C.-J., and Zhang, P. A convex relaxation barrier to tight robustness verification of neural networks. arXiv preprint arXiv:1902.08722, 2019.
  • Schott, L., Rauber, J., Bethge, M., and Brendel, W. Towards the first adversarially robust neural network model on MNIST. arXiv preprint arXiv:1805.09190, 2018.
  • Singh, G., Gehr, T., Mirman, M., Püschel, M., and Vechev, M. Fast and effective robustness certification. In NIPS, 2018.
  • Singh, G., Gehr, T., Püschel, M., and Vechev, M. An abstract domain for certifying neural networks. Proceedings of the ACM on Programming Languages, 3(POPL):41, 2019.
  • Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. Intriguing properties of neural networks. In ICLR, 2013.
  • Wong, E., Schmidt, F., Metzen, J. H., and Kolter, J. Z. Scaling provable adversarial defenses. In NIPS, 2018.
  • Xu, K., Chen, H., Liu, S., Chen, P.-Y., Weng, T.-W., Hong, M., and Lin, X. Topology attack and defense for graph neural networks: An optimization perspective. In Proceedings of the 28th International Joint Conference on Artificial Intelligence, pp. 3961–3967. AAAI Press, 2019.
  • Zhang, H., Weng, T.-W., Chen, P.-Y., Hsieh, C.-J., and Daniel, L. Efficient neural network robustness certification with general activation functions. In NIPS, 2018.
  • Zhang, H., Chen, H., Song, Z., Boning, D., Dhillon, I. S., and Hsieh, C.-J. The limitations of adversarial training and the blind-spot attack. In ICLR, 2019a.
  • Zhang, H., Chen, H., Xiao, C., Li, B., Boning, D., and Hsieh, C.-J. Towards stable and efficient training of verifiably robust neural networks. arXiv preprint arXiv:1906.06316, 2019b.
  • Zhang, H., Yu, Y., Jiao, J., Xing, E. P., Ghaoui, L. E., and Jordan, M. I. Theoretically principled trade-off between robustness and accuracy. arXiv preprint arXiv:1901.08573, 2019c.
  • Zhang, H., Zhang, P., and Hsieh, C.-J. RecurJac: An efficient recursive algorithm for bounding Jacobian matrix of neural networks and its applications. In AAAI, 2019d.
  • Tramèr, F. and Boneh, D. Adversarial training and robustness for multiple perturbations. In Advances in Neural Information Processing Systems, pp. 5866–5876, 2019.
  • Tramer, F., Carlini, N., Brendel, W., and Madry, A. On adaptive attacks to adversarial example defenses. arXiv preprint arXiv:2002.08347, 2020.
  • Wang, S., Chen, Y., Abdou, A., and Jana, S. MixTrain: Scalable training of formally robust neural networks. arXiv preprint arXiv:1811.02625, 2018a.
  • Wang, S., Pei, K., Whitehouse, J., Yang, J., and Jana, S. Efficient formal safety analysis of neural networks. In NIPS, 2018b.
  • Weng, T.-W., Zhang, H., Chen, H., Song, Z., Hsieh, C.-J., Boning, D., Dhillon, I. S., and Daniel, L. Towards fast computation of certified robustness for ReLU networks. In ICML, 2018.
  • Wong, E. and Kolter, J. Z. Provable defenses against adversarial examples via the convex outer adversarial polytope. In ICML, 2018.