Provably robust boosted decision stumps and trees against adversarial attacks
Authors: Maksym Andriushchenko, Matthias Hein
NeurIPS 2019
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We show in this paper that for boosted decision stumps the exact min-max robust loss and test error for an l∞-attack can be computed in O(T log T) time per input... For boosted trees we show how to efficiently calculate and optimize an upper bound on the robust loss, which leads to state-of-the-art robust test error for boosted trees on MNIST (12.5% for ε∞ = 0.3), FMNIST (23.2% for ε∞ = 0.1), and CIFAR-10 (74.7% for ε∞ = 8/255). (See the stump sketch below the table.) |
| Researcher Affiliation | Academia | Maksym Andriushchenko University of Tübingen maksym.andriushchenko@uni-tuebingen.de Matthias Hein University of Tübingen matthias.hein@uni-tuebingen.de |
| Pseudocode | Yes | The detailed algorithm can be found in Appendix B. |
| Open Source Code | Yes | The code of all our experiments is available at http://github.com/max-andr/provably-robust-boosting. |
| Open Datasets | Yes | For evaluation we use 11 datasets: breast-cancer, diabetes, cod-rna, MNIST 1-5 (digit 1 vs digit 5), MNIST 2-6 (digit 2 vs digit 6, following [32] and [9]), FMNIST shoes (sandals vs sneakers), GTS 100-rw (speed 100 vs roadworks), GTS 30-70 (speed 30 vs speed 70), MNIST, FMNIST, and CIFAR-10. More details about the datasets are given in Appendix F. |
| Dataset Splits | Yes | We perform model selection of our models and models from Chen et al. [9] based on the validation set of 20% randomly selected points from the original training set, and we train on the rest of the training set. |
| Hardware Specification | No | The paper does not provide specific hardware details such as GPU/CPU models, memory specifications, or cloud computing instance types used for the experiments. |
| Software Dependencies | No | The paper mentions implementing models (e.g., XGBoost, LightGBM) but does not provide specific version numbers for any software dependencies or libraries. |
| Experiment Setup | Yes | Both for stumps and trees, we perform l∞ adversarial training following [32], i.e. every iteration we train on clean training points and adversarial examples (equal proportion). We generate adversarial examples via the cube attack, a simple attack inspired by random search [50], described in Appendix D (we use 10 iterations and p = 0.5)... All models are trained with the exponential loss... We fit our robust trees with depth of up to 30 for MNIST and FMNIST, and with depth of up to 4 for CIFAR-10. Note that we restrict the minimum number of examples in a leaf to 100. (See the cube-attack sketch below the table.) |
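
The "Research Type" row quotes the paper's central claim that the exact min-max robust loss of boosted stumps under an l∞-attack is computable in O(T log T) time per input. The sketch below only illustrates why this is tractable: every stump reads a single coordinate, so the worst-case margin decomposes over coordinates, and each per-coordinate minimum is attained at one of finitely many candidate values. The `Stump` dataclass, the `robust_margin` function, the assumption that labels y are in {-1, +1}, and the naive candidate scan are illustrative choices made here, not the authors' implementation; the paper's algorithm reaches O(T log T) by sorting thresholds and using cumulative sums.

```python
import numpy as np
from dataclasses import dataclass


@dataclass
class Stump:
    coord: int       # feature index the stump splits on
    threshold: float
    w_left: float    # ensemble contribution if x[coord] <= threshold
    w_right: float   # ensemble contribution if x[coord] >  threshold


def robust_margin(stumps, x, y, eps):
    """Exact min of y * F(x') over ||x' - x||_inf <= eps for a stump ensemble F."""
    margin = 0.0
    for j in {s.coord for s in stumps}:
        group = [s for s in stumps if s.coord == j]
        lo, hi = x[j] - eps, x[j] + eps
        # The per-coordinate sum is piecewise constant and can only change at
        # thresholds inside [lo, hi], so those points (plus the interval's
        # endpoints) are the only values the adversary needs to try.
        candidates = [lo, hi]
        for s in group:
            if lo <= s.threshold <= hi:
                candidates.append(s.threshold)
                just_above = np.nextafter(s.threshold, np.inf)
                if just_above <= hi:
                    candidates.append(just_above)

        def partial_sum(v):
            return sum(s.w_left if v <= s.threshold else s.w_right for s in group)

        margin += min(y * partial_sum(v) for v in candidates)
    return margin
```

Under the exponential loss the paper trains with, a monotone decreasing function of the margin, the worst-case loss of a point is then simply exp(-robust_margin(...)), and a point counts as robustly misclassified when its worst-case margin is non-positive.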
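
The "Experiment Setup" row describes generating adversarial examples with the cube attack, a random-search attack run for 10 iterations with p = 0.5. The sketch below is a minimal interpretation of that description, not the authors' implementation: the name `cube_attack`, the `predict` callable (returning the ensemble output F(x) for a single input), labels y in {-1, +1}, and the clipping to a [0, 1] input box are assumptions made for illustration.

```python
import numpy as np


def cube_attack(predict, x, y, eps, n_iter=10, p=0.5, rng=None):
    """Random-search l_inf attack: greedily keeps proposals that lower y * F(x')."""
    rng = np.random.default_rng() if rng is None else rng
    x_best = x.copy()
    best_margin = y * predict(x_best)
    for _ in range(n_iter):
        # Propose pushing a random subset of coordinates to the +/- eps corners
        # of the l_inf ball, leaving the other coordinates as they currently are.
        mask = rng.random(x.shape) < p
        corner = x + eps * rng.choice([-1.0, 1.0], size=x.shape)
        x_new = np.clip(np.where(mask, corner, x_best), 0.0, 1.0)
        margin = y * predict(x_new)
        if margin < best_margin:   # keep only proposals that hurt the model
            x_best, best_margin = x_new, margin
    return x_best
```

Per the setup row, each boosting iteration would then train on an equal mix of clean points and the adversarial points returned by such an attack.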