# On Lp-norm Robustness of Ensemble Decision Stumps and Trees

ICML 2020.

Abstract:

Recent papers have demonstrated that ensemble stumps and trees could be vulnerable to small input perturbations, so robustness verification and defense for those models have become an important research problem. However, due to the structure of decision trees, where each node makes its decision based purely on one feature value, all the previ...

Introduction

- It has been observed that small human-imperceptible perturbations can mislead a well-trained deep neural network (Goodfellow et al, 2015; Szegedy et al, 2013), which leads to extensive studies on robustness of deep neural network models.
- Cheng et al (2019a); Chen et al (2019a); Kantchelian et al (2016) showed that adversarial examples exist in ensemble trees, and several recent works considered the problem of robustness verification (Chen et al, 2019b; Ranzato & Zanella, 2019; 2020; Törnblom & Nadjm-Tehrani, 2019) and adversarial defense (Chen et al, 2019a; Andriushchenko & Hein, 2019; Chen et al, 2019e; Calzavara et al, 2019; 2020; Chen et al, 2019d) for ensemble trees and stumps.
- Adversarial attacks can only find adversarial examples, so they do not provide a sound safety guarantee: even if an attack fails to find an adversarial example, that does not imply no adversarial example exists.

Highlights

- For a single decision tree, similar to the ℓ∞ norm case, we show that complete verification of ℓp norm robustness can be done in linear time.
- For ensemble stumps, we prove that ℓ0 norm robustness evaluation can be done in linear time, while for the ℓp norm case with p ∈ (0, ∞) the robustness verification problem is NP-complete.
- Incomplete verification for ℓp robustness: although it is impossible to solve ℓp verification for decision stumps exactly in polynomial time, we show that sound (incomplete) verification can be done in polynomial time by dynamic programming, inspired by the pseudo-polynomial time algorithm for Knapsack.
- For the ℓ1 norm robustness verification problem, we have shown that complete verification is NP-complete.
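The highlights above describe the result but not the mechanics. The following Python sketch is an added illustration written for this page; it is not the authors' released code and only follows the page's description: for an ensemble of stumps the ℓp constraint decomposes per feature (each feature pays |δ|^p to move into another threshold interval), so the worst-case margin is a multiple-choice knapsack that is NP-complete to solve exactly but admits a pseudo-polynomial DP once the budget ε^p is cut into bins. Rounding every cost down to whole bins is the choice that keeps the bound sound, and a brute-force enumerator and the linear-time ℓ0 case are included for comparison. The stump format, the toy ensemble, the input point and the label are all constructed.

```python
"""Sound lp-norm verification of an ensemble of decision stumps by a knapsack-style
dynamic program, plus exact l0 verification. Added illustration; constructed data."""
import itertools
import math
from bisect import bisect_left
from collections import defaultdict

# A stump is (feature, threshold, value_if_x_le_threshold, value_if_x_gt_threshold).
# The ensemble predicts sign(sum of stump values); with label y in {-1, +1} the
# prediction is correct iff margin(x) = y * sum > 0.
STUMPS = [                      # constructed toy ensemble
    (0, 0.375, -1.0, 1.0),
    (0, 0.750, 0.5, -0.5),
    (1, 0.375, -1.0, 1.0),
    (2, 0.875, 1.0, -1.0),
]
X, Y = [0.25, 0.5, 1.0], -1     # constructed test point; margin(X) = 0.5


def margin(stumps, x, y):
    return y * sum(lo if x[f] <= t else hi for f, t, lo, hi in stumps)


def feature_options(stumps, x, y, p):
    """Per feature: (cost, margin_contribution) for every interval between that
    feature's thresholds. cost = |delta|^p, so the lp ball becomes the constraint
    sum(cost) <= eps^p with exactly one interval chosen per feature. Crossing a
    threshold is charged its infimum distance, which can only lower the computed
    minimum, so the resulting bound is still sound."""
    by_feature = defaultdict(list)
    for s in stumps:
        by_feature[s[0]].append(s)
    options = {}
    for f, group in by_feature.items():
        ts = sorted({t for _, t, _, _ in group})
        cur = bisect_left(ts, x[f])            # interval index with ts[cur-1] < x[f] <= ts[cur]
        opts = []
        for idx in range(len(ts) + 1):
            v = ts[idx] if idx < len(ts) else ts[-1] + 1.0   # representative point of interval idx
            contrib = y * sum(lo if v <= t else hi for _, t, lo, hi in group)
            if idx == cur:
                cost = 0.0
            elif idx < cur:
                cost = (x[f] - ts[idx]) ** p     # move left to x' = ts[idx]
            else:
                cost = (ts[idx - 1] - x[f]) ** p # move right to x' just above ts[idx-1]
            opts.append((cost, contrib))
        options[f] = opts
    return options


def min_margin_lp(stumps, x, y, eps, p, bins=1000):
    """Sound lower bound on min margin(x') over ||x' - x||_p <= eps.
    Costs are rounded DOWN to whole bins, so every truly feasible perturbation
    stays feasible in the discretised problem and the result is <= the exact
    minimum. More bins tighten the bound at O(bins) work per option."""
    if eps <= 0:
        return margin(stumps, x, y)
    width = eps ** p / bins
    dp = [0.0] * (bins + 1)     # dp[b]: min margin of processed features using <= b bins
    for opts in feature_options(stumps, x, y, p).values():
        nxt = [math.inf] * (bins + 1)
        for b in range(bins + 1):
            for cost, contrib in opts:
                k = math.floor(cost / width)
                if k <= b:
                    nxt[b] = min(nxt[b], dp[b - k] + contrib)
        dp = nxt
    return dp[bins]


def verified_lp(stumps, x, y, eps, p, bins=1000):
    """True when the DP certifies that no lp perturbation of size eps flips the prediction."""
    return min_margin_lp(stumps, x, y, eps, p, bins) > 0


def brute_force_min_margin(stumps, x, y, eps, p):
    """Complete verification by enumerating one interval per feature: exponential in
    the number of features, used here only as the reference the DP is compared to."""
    budget = eps ** p
    best = math.inf
    for choice in itertools.product(*feature_options(stumps, x, y, p).values()):
        if sum(c for c, _ in choice) <= budget:
            best = min(best, sum(g for _, g in choice))
    return best


def min_margin_l0(stumps, x, y, k):
    """Exact worst-case margin when at most k features may change arbitrarily: each
    feature has an independent best drop, and the k most negative drops are taken
    (a linear-time selection suffices; a sort is used here for brevity)."""
    drops = []
    for f, opts in feature_options(stumps, x, y, 1).items():
        current = y * sum(lo if x[f] <= t else hi for ff, t, lo, hi in stumps if ff == f)
        drops.append(min(g for _, g in opts) - current)
    drops.sort()
    return margin(stumps, x, y) + sum(d for d in drops[:k] if d < 0)


if __name__ == "__main__":
    for eps in (0.1, 0.125, 0.25):
        print(eps, min_margin_lp(STUMPS, X, Y, eps, 1), brute_force_min_margin(STUMPS, X, Y, eps, 1))
```

With the constructed ensemble, every threshold crossing costs 0.125 in ℓ1, so the point is certified at ε = 0.1 and falsified at ε = 0.125. Running the DP with a single bin on ε = 0.24 shows the price of discretisation: the bound is still below the exact minimum (sound) but looser than with 1000 bins, which is what the precision column of Table 2 measures.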

Results

- The authors empirically test the proposed algorithms for ℓp robustness verification and training.
- The authors' code is publicly available at https://github.com/YihanWang617/On-ell_p-Robustnessof-Ensemble-Stumps-and-Trees.
- In Table 2, the proposed DP algorithm gives almost exactly the same bound as MILP while being 50–100 times faster.
- This speedup makes it practical for further application in certified robust training.

Conclusion

- The authors first develop methods to efficiently verify general ℓp norm robustness for tree-based ensemble models.
- Based on these efficient verification algorithms, the authors further derive the first ℓp norm certified robust training algorithms for ensemble stumps and trees.

Tables

- Table 1: Summary of the algorithms and their complexity for robustness verification of ensemble trees and stumps. Blue cells are the contribution of this paper.
- Table 2: General ℓp-norm ensemble stump verification. This table reports the verified test error (verified err.) and the average per-sample verification time (avg. time) of each method. For the proposed DP-based verification, precision is also reported. For ℓ0 verification, verified errors are reported for a budget of 1 (changing 1 pixel). For the ℓ0 norm, r∗ is also reported: the average number of features that can be perturbed while the prediction stays the same.
- Table 3: General ℓp-norm tree ensemble verification. Verified test error (verified err.) and average per-example verification time (avg. time) are reported for each method. K: size of cliques; L: number of levels in multi-level verification (defined similarly as in Chen et al, 2019b). The ℓp incomplete verification obtains results very close to complete verification (MILP), with huge speedups.

Funding

- This work is partially supported by NSF IIS-1719097, Intel, Google Cloud and Facebook.
- Huan Zhang is supported by the IBM fellowship.

References

- Andriushchenko, M. and Hein, M. Provably robust boosted decision stumps and trees against adversarial attacks. In NeurIPS, 2019.
- Athalye, A., Carlini, N., and Wagner, D. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv preprint arXiv:1802.00420, 2018.
- Bastani, O., Pu, Y., and Solar-Lezama, A. Verifiable reinforcement learning via policy extraction. In Advances in Neural Information Processing Systems, pp. 2494–2504, 2018.
- Brendel, W., Rauber, J., and Bethge, M. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. In ICLR, 2018.
- Calzavara, S., Lucchese, C., Tolomei, G., Abebe, S. A., and Orlando, S. Treant: Training evasion-aware decision trees. arXiv preprint arXiv:1907.01197, 2019.
- Calzavara, S., Lucchese, C., Marcuzzi, F., and Orlando, S. Feature partitioning for robust tree ensembles and their certification in adversarial scenarios. arXiv preprint arXiv:2004.03295, 2020.
- Carlini, N. and Wagner, D. Towards evaluating the robustness of neural networks. In Security and Privacy (SP), 2017 IEEE Symposium on, pp. 39–57. IEEE, 2017.
- Chen, H., Zhang, H., Chen, P.-Y., Yi, J., and Hsieh, C.-J. Attacking visual language grounding with adversarial examples: A case study on neural image captioning. In Proceedings of the 56th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), pp. 2587–2597, 2018.
- Chen, H., Zhang, H., Boning, D., and Hsieh, C.-J. Robust decision trees against adversarial examples. In ICML, 2019a.
- Chen, H., Zhang, H., Si, S., Li, Y., Boning, D., and Hsieh, C.-J. Robustness verification of tree-based models. In NeurIPS, 2019b.
- Chen, J., Jordan, M. I., and Wainwright, M. J. Hopskipjumpattack: A query-efficient decision-based adversarial attack. arXiv preprint arXiv:1904.02144, 2019c.
- Chen, P.-Y., Zhang, H., Sharma, Y., Yi, J., and Hsieh, C.-J. Zoo: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, pp. 15–26. ACM, 2017.
- Chen, Y., Wang, S., Jiang, W., Cidon, A., and Jana, S. Training robust tree ensembles for security. arXiv preprint arXiv:1912.01149, 2019d.
- Chen, Y., Wang, S., Jiang, W., Cidon, A., and Jana, S. Cost-aware robust tree ensembles for security applications. arXiv preprint arXiv:1912.01149, 2019e.
- Cheng, M., Le, T., Chen, P.-Y., Yi, J., Zhang, H., and Hsieh, C.-J. Query-efficient hard-label black-box attack: An optimization-based approach. In ICLR, 2019a.
- Cheng, M., Le, T., Chen, P.-Y., Zhang, H., Yi, J., and Hsieh, C.-J. Query-efficient hard-label black-box attack: An optimization-based approach. In International Conference on Learning Representations, 2019b. URL https://openreview.net/forum?id=rJlk6iRqKX.
- Cheng, M., Singh, S., Chen, P., Chen, P.-Y., Liu, S., and Hsieh, C.-J. Sign-opt: A query-efficient hard-label adversarial attack. In ICLR, 2020.
- Friedman, J. H. Greedy function approximation: a gradient boosting machine. Annals of statistics, pp. 1189–1232, 2001.
- Gehr, T., Mirman, M., Drachsler-Cohen, D., Tsankov, P., Chaudhuri, S., and Vechev, M. Ai2: Safety and robustness certification of neural networks with abstract interpretation. In 2018 IEEE Symposium on Security and Privacy (SP), pp. 3–18. IEEE, 2018.
- Goodfellow, I. J., Shlens, J., and Szegedy, C. Explaining and harnessing adversarial examples. In ICLR, 2015.
- Ilyas, A., Engstrom, L., Athalye, A., and Lin, J. Query-efficient black-box adversarial examples. In ICLR, 2018.
- Kantchelian, A., Tygar, J., and Joseph, A. Evasion and hardening of tree ensemble classifiers. In ICML, 2016.
- Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A. Towards deep learning models resistant to adversarial attacks. In ICLR, 2018.
- Mirman, M., Gehr, T., and Vechev, M. Differentiable abstract interpretation for provably robust neural networks. In International Conference on Machine Learning, pp. 3578–3586, 2018.
- Ranzato, F. and Zanella, M. Robustness verification of decision tree ensembles. OVERLAY@AI*IA, 2509:59–64, 2019.
- Ranzato, F. and Zanella, M. Abstract interpretation of decision tree ensemble classifiers. In AAAI, pp. 5478–5486, 2020.
- Salman, H., Yang, G., Zhang, H., Hsieh, C.-J., and Zhang, P. A convex relaxation barrier to tight robustness verification of neural networks. arXiv preprint arXiv:1902.08722, 2019.
- Schott, L., Rauber, J., Bethge, M., and Brendel, W. Towards the first adversarially robust neural network model on mnist. arXiv preprint arXiv:1805.09190, 2018.
- Singh, G., Gehr, T., Mirman, M., Püschel, M., and Vechev, M. Fast and effective robustness certification. In NIPS, 2018.
- Singh, G., Gehr, T., Püschel, M., and Vechev, M. An abstract domain for certifying neural networks. Proceedings of the ACM on Programming Languages, 3(POPL):41, 2019.
- Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. Intriguing properties of neural networks. In ICLR, 2013.
- Wong, E., Schmidt, F., Metzen, J. H., and Kolter, J. Z. Scaling provable adversarial defenses. In NIPS, 2018.
- Xu, K., Chen, H., Liu, S., Chen, P.-Y., Weng, T.-W., Hong, M., and Lin, X. Topology attack and defense for graph neural networks: an optimization perspective. In Proceedings of the 28th International Joint Conference on Artificial Intelligence, pp. 3961–3967. AAAI Press, 2019.
- Zhang, H., Weng, T.-W., Chen, P.-Y., Hsieh, C.-J., and Daniel, L. Efficient neural network robustness certification with general activation functions. In NIPS, 2018.
- Zhang, H., Chen, H., Song, Z., Boning, D., Dhillon, I. S., and Hsieh, C.-J. The limitations of adversarial training and the blind-spot attack. In ICLR, 2019a.
- Zhang, H., Chen, H., Xiao, C., Li, B., Boning, D., and Hsieh, C.-J. Towards stable and efficient training of verifiably robust neural networks. arXiv preprint arXiv:1906.06316, 2019b.
- Zhang, H., Yu, Y., Jiao, J., Xing, E. P., Ghaoui, L. E., and Jordan, M. I. Theoretically principled trade-off between robustness and accuracy. arXiv preprint arXiv:1901.08573, 2019c.
- Zhang, H., Zhang, P., and Hsieh, C.-J. Recurjac: An efficient recursive algorithm for bounding jacobian matrix of neural networks and its applications. In AAAI, 2019d.
- Tramèr, F. and Boneh, D. Adversarial training and robustness for multiple perturbations. In Advances in Neural Information Processing Systems, pp. 5866–5876, 2019.
- Tramer, F., Carlini, N., Brendel, W., and Madry, A. On adaptive attacks to adversarial example defenses. arXiv preprint arXiv:2002.08347, 2020.
- Wang, S., Chen, Y., Abdou, A., and Jana, S. Mixtrain: Scalable training of formally robust neural networks. arXiv preprint arXiv:1811.02625, 2018a.
- Wang, S., Pei, K., Whitehouse, J., Yang, J., and Jana, S. Efficient formal safety analysis of neural networks. In NIPS, 2018b.
- Weng, T.-W., Zhang, H., Chen, H., Song, Z., Hsieh, C.-J., Boning, D., Dhillon, I. S., and Daniel, L. Towards fast computation of certified robustness for relu networks. In ICML, 2018.
- Wong, E. and Kolter, J. Z. Provable defenses against adversarial examples via the convex outer adversarial polytope. In ICML, 2018.
