Treant: training evasion-aware decision trees
Data Mining and Knowledge Discovery (IF 4.8), Pub Date: 2020-06-21, DOI: 10.1007/s10618-020-00694-9
Stefano Calzavara, Claudio Lucchese, Gabriele Tolomei, Seyum Assefa Abebe, Salvatore Orlando

Despite its success and popularity, machine learning is now recognized as vulnerable to evasion attacks, i.e., carefully crafted perturbations of test inputs designed to force prediction errors. In this paper we focus on evasion attacks against decision tree ensembles, which are among the most successful predictive models for dealing with non-perceptual problems. Even though they are powerful and interpretable, decision tree ensembles have received only limited attention by the security and machine learning communities so far, leading to a sub-optimal state of the art for adversarial learning techniques. We thus propose Treant, a novel decision tree learning algorithm that, on the basis of a formal threat model, minimizes an evasion-aware loss function at each step of the tree construction. Treant is based on two key technical ingredients: robust splitting and attack invariance, which jointly guarantee the soundness of the learning process. Experimental results on publicly available datasets show that Treant is able to generate decision tree ensembles that are at the same time accurate and nearly insensitive to evasion attacks, outperforming state-of-the-art adversarial learning techniques.

Updated: 2020-06-21