Constrained Adaptive Attack: Effective Adversarial Attack Against Deep Neural Networks for Tabular Data

Thank you for your review. We appreciate that you acknowledge the importance of the problem and the quality and persuasiveness of our analysis. We will address below your doubts about the originality and significance of our work.

W1 - Existing differentiable function:

We acknowledge that integrating the constraints as a differentiable penalty function is not novel in this work and was proposed by CPGD [33]. Nevertheless, the results in [33] (confirmed in Table 2 of our paper) indicate that leveraging the constraints penalty function is not sufficient to achieve high effectiveness with gradient-based attacks. An attack that only uses a differentiable penalty such as CPGD remains ineffective in the challenging datasets we address. Thus, the need for the novel mechanisms we introduce in CAPGD and CAA.

W2 - CAPGD novelty:

We understand your concern regarding the similarities between CPGD and CAPGD, being both gradient attacks where the constraints are included as penalty functions. However, we respectfully disagree for the following reasons:

(1) Compared to the previous attack, CPGD, our new attack CAPGD introduces 4 novel mechanisms to increase the effectiveness of the attack: the repair operator, the adaptive step, the momentum, and multiple initialization. We demonstrate the effectiveness and complementarity of each component. For instance, removing the constraints repair operator, a novelty of this paper, reduces the effectiveness of the attack by up to 24.1 robust accuracy points. CAPGD significantly increases the effectiveness of gradient-based attacks on 3/4 datasets, while preserving the efficiency advantage of gradient-based attacks w.r.t. search attacks.

(2) Designing CAPGD is not intuitive. The literature on adversarial attacks proposed many mechanisms to improve their effectiveness, including random sampling, reinitialization, adaptive steps, and revert to best, and the first challenge was to identify which mechanisms are relevant to our use case, namely which mechanisms are compatible and beneficial to the constraints satisfaction objective. In particular, we found out that combining all the mechanisms in the literature was not optimal, and we achieved the best performances without reverting to the example with the higher loss when the step size changes. We provided in Appendix B.1 a study of the components of CAPGD and their complementarity.

We hope this clarifies our argument on why CAPGD is not a straightforward improvement of CPGD. We are open to further discussion and would be happy to elaborate on any points if needed.

W3 - Applying a combination of attacks:

We appreciate your concern regarding the design of our meta-attack CAA. Nevertheless, we respectfully believe that its design represents a significant contribution for two reasons:

(1) By applying a combination of complementary and strong attacks, we aim to become the standard for evaluating the robustness of models to adversarial attacks in Tabular Machine Learning.

Identifying both "complementary" and "strong" attacks for a meta-attack is not straightforward. We presented in Table 1 of our manuscript 10 attacks proposed for Tabular Machine Learning. Some are gradient-based and others are search-based. We first identified which attacks natively support all the constraints, and which could eventually be extended. We ended with 2 gradient attacks CPGD (native support) and LowProFool (extension needed), and two search attacks BF* and MOEVA. Next, we demonstrated that our new attack CAPGD subsumes CPGD and LowProfool and that MOEVA subsumes BF*. Then we needed to validate the complementarity of CAPGD and MOEVA (Figure 2 of our manuscript). Finally, we confirmed with an extensive evaluation (Table 3 of our manuscript) that our new CAA attack combining MOEVA and CAPGD still preserves the benefits of each (efficiency of CAPGD and effectiveness of MOEVA). Each step required formal analysis, extensive engineering, and exhaustive experiments.

(2) Meta-attacks, that combine existing attacks are an active line of research. In Computer Vision, AutoAttack by Croce et al.[12] is a meta attack combining existing attacks (APGD+FAB) to benefit from the complementarity of search and gradient attacks. The attack has revolutionized the research of robustness assessment in computer vision and led to a significant improvement of novel defense mechanisms.

We strongly believe that CAA will be as impactful for Tabular Machine Learning as AutoAttack, especially as it was carefully designed to achieve both efficiency for simple cases and effectiveness for challenging cases and has very limited hyper-parameters.

Thank you once again for your constructive feedback, we will update the final manuscript according to your feedback to better showcase the significance of our meta-attack.

W4 - Undifferentiable models:

We agree that tree-based models such as XGBoost are in many settings outperforming Deep Neural Network (DNN) architectures. DNN architectures are catching up, in particular for large datasets as demonstrated in [5], hence the need to evaluate their robustness.

However, we also argue that CAA is relevant to any model (including tree-based models) with two settings:

• in transferability, by generating adversarial examples on a surrogate model and evaluating their success rate on the target (tree-based) model,
• by applying CAA (through the search-based component MOEVA that is model agnostic).

In the common author response (C3), we provide an empirical study for both settings and show that CAA remains effective against random forest and XGBOOST models.

We will also update the appendix in the final version of the paper with a discussion on undifferentiable models.

Thank you for your support and your insightful feedback. We appreciate your comments towards improving the quality of the paper. We clarify and answer your concerns below.

W1/Q1 - Explaining the role of the repair operator. Is CAPGD guaranteed to generate an attack that satisfies the dataset and perturbation constraints at the end of execution?

The repair operator's role is to ensure equality constraints are satisfied during optimization. While equality constraints are included in the penalty function, optimization alone does not achieve exact equality of feature values. The repair operator addresses this by setting the value of the left-hand side of an equation to match the evaluation of the right-hand side in each iteration. It maintains other dataset constraints such as bounds, mutability, and feature types but does not ensure other relational constraints are met. The operator can violate maximum perturbation constraints, yet at each iteration, the perturbation is corrected back within the allowed maximum. This approach has been shown to improve the success rate of CAPGD, as demonstrated by our ablation study in Table 7.

W2/Q2 - Attacks fail to generate adversarial examples on CTU for 2/5 models. Is it the high number of constraints? Impact of different numbers and types of constraints ?

Thank you for raising this comment. Indeed, CTU dataset exhibits a large number of constraints compared to the other datasets, and some are particularly challenging. We show in the common answer (C1) that these constraints are harder to optimize.

W2/Q3 - CAA epsilon values - Why may CAA show a smaller success rate when considering higher epsilon values?

Thank you for pointing out the pattern in Fig5b. Indeed, CAA's performance can decrease with higher budgets. We provide below a complementary analysis of this behavior.

We investigated the case of augmenting the EPS budget of CAA on LCLD dataset with STG model. We found that when augmenting the EPS budget from 1 to 5, the success rate of CAPGD drops from 27.1% to 0.4% and is not entirely balanced by MOEVA's improvement from 4.3% to 12.4%.

The drop in CAPGD performance is caused in almost all cases by the violation of boundary constraint after the repair operator when the repair operator fixes the constraints of the type A = B / C.

Each of these features is defined in the dataset with their respective maximum and minimum values. Given Max(B) and Min(C), the repair operator will lead to Max(A) = Max(B) / Min( C), however in the definition of the dataset proposed by Simonetto et. al. [33], Max (A) is lower than Max(B) / Min( C). Hence our repair operator contradicts the boundary constraint definitions. This phenomenon appears only for large perturbations. This violation should be solved by fixing the dataset's definition of the boundary constraints to take into account the feature relationships.

We have included in the limitation section of our paper (in the final version, and in the author's response above C3) a discussion on the quality of the constrained datasets available and the coherence between their boundary constraints and their feature constraints.

W2/Q3 - MOEVA Iterations - Why may MOEVA show a smaller success rate with a higher number of generations?

MOEVA is a multi-objective genetic algorithm. An inherent problem of multi-objective optimization is the trade-off between the objectives. If all solutions in the population are on the Pareto front, the algorithm must decide which solutions to discard for the next iteration, potentially discarding a valid adversarial example in our case.

Figure 1 in the Author's response PDF shows the evolution of the success rate of MOEVA with the number of iterations in the same settings as in Figure 7b for TabTransformer. We find that the success rate reaches a maximum at 100 iterations. We argue that valid adversarial examples were discarded when the search continued to 1000 iterations. To confirm our hypothesis, we run the same experiment with a 10 times larger search population, such that more solutions are preserved at each iteration. We observe that in this setting, MOEVA converges slower (due to less selection pressure) but the success rate strictly increases with the number of generations. Increasing the population size also increases the execution time (by 3.4x in this case), due to the selection operator overhead.

Our approach CAA aims at minimizing the memory and computation overheads while maximizing the success rate, and CAA can be tuned to lead to lower robust accuracy with more iterations if the search space is expanded (for example with larger populations). We thank you for this remark and we have introduced a discussion on the impact of the population size in the appendix.

W3 - Limitation sections:

Thank you for this suggestion. We added a limitation section in the common author response (C4), and to the updated paper for the final version.

W4 - Typos:

Thank you for pointing this out, we have corrected them for the final version.

W5 - The proposed attacks are specific:

We agree that tree-based models are in many settings outperforming Deep Neural Network (DNN) architectures. DNN architectures are catching up, in particular for large datasets as demonstrated in [A], hence the need to evaluate their robustness.

However, we also argue that CAA is relevant to any model (including tree-based models) with two settings:

• in transferability, by generating adversarial examples on a surrogate model and evaluating their success rate on the target (tree-based) model,
• by applying CAA (through the search-based component MOEV, which is model agnostic).

In the common author response, we provide an empirical study for both settings and show that CAA remains effective against random forest and XGBOOST models.

[A] Borisov et al. "Deep neural networks and tabular data: A survey. 2021.

I sincerely thank the authors for their wide and deep response. Their points sound reasonable and clarify the open points that I raised in the review. I hope that the authors will discuss their new results in the next version of their paper.

I have only an observation about the results in Table 3 of the attached PDF. It seems to me that attacking STG is difficult independently of the considered constraints since its robust accuracy is always 95.3%. Understanding if the model is really robust or if a better attack is needed could be an interesting future work.

I will modify my review to acknowledge your response and improve my score, given the depth of your analysis and dedication you have shown in your response.

Thank you for your feedback. We appreciate the opportunity to clarify and address any misunderstandings. We will address each of your points one by one and welcome further discussion on these issues.

W1 - Lack of novelty and contribution. CAPGD is modified based on CPGD. CAA is a combination of CAPGD and MOEVA:

We agree that the core intuitions behind the improvements of CAPGD and CAA are elegant and not particularly complex, but we would like to point out that:

(1) the literature on adversarial attacks proposed many mechanisms to improve their effectiveness, including random sampling, reinitialization, adaptive steps, and revert to best, and the first challenge was to identify which mechanisms are relevant to our use case, namely which mechanisms are compatible and beneficial to the constraints satisfaction objective. In particular, we found out that combining all the mechanisms in the literature was not optimal, and we achieved the best performances without reverting to the example with the higher loss when the step size changes. We provided in Appendix B.1 a study of the components of CAPGD and their complementarity. In addition, we also proposed new iterative repair mechanisms that were not explored in previous work and demonstrated their effectiveness. Hence, CAPGD is not a straightforward improvement of CPGD.

(2) meta attacks, that combine existing attacks are also an active line of research. In Computer Vision, AutoAttack by Croce et al.[12] is a meta attack combining existing attacks (APGD+FAB) to benefit from the complementarity of search and gradient attacks. The attack has revolutionized the research of robustness assessment in computer vision and led to a significant improvement of novel defense mechanisms. We believe CAA will be as impactful for Tabular Machine Learning as AutoAttack, especially as it was carefully designed to achieve both efficiency for simple cases and effectiveness for challenging cases and has very limited hyper-parameters.

We strongly argue that both attacks required significant design, engineering, and experimentation to find the optimal mechanisms and attacks to combine, and we have demonstrated that our techniques represent a significant leap forward for the community.

W2 - The implementation of CAA might be complex and resource-intensive, which could limit its practical applicability in some settings:

Thank you for raising this critical aspect of robustness evaluation. The implementation of CAA brings marginal overhead in terms of implementation, given that the constraint evaluation runs on CPU and is parallelized.

In addition, we have carefully evaluated the impact of CAA in terms of runtime. Compared to the closest attack in terms of performance, MOEVA, CAA is significantly cheaper and faster to run. In Table 3, we showed that CAA is up to 5 times faster than MOEVA, and is always less expensive to run than MOEVA on 4 datasets. The only case where CAA is marginally more resource intensive is on CTU, but the overhead is between 7.76% and 13.74%, respectively for VIME and TabNet architectures.

Thank you for opening this discussion, we will incorporate it in the final manuscript within a limitation section (cf common authors's response, C4). We discuss there the cases where CAA could be more expensive, and will suggest good practices for practitioners to use CAPGD and CAA to their fullest potential.

W3 - Lack of evaluation against defense mechanisms: There have been many works proposed since Madry Adversarial Training. It is not fair to say that it is the only reliable defense against evasion attacks:

Thank you for raising this critical point. There may have been a misunderstanding as we do not claim that Madry's Adversarial Training (AT) is the only reliable one, but that AT with all its improvements is. Since then, the robustbench benchmark [A] has continuously updated its leaderboard with new defenses, but all the effective ones are based on adversarial training and some data augmentation mechanisms. Some have proposed AT + Cutmix [B], others AT + Generative models (for example with 20M synthetic data [C]). To validate the effectiveness of CAA on stronger defenses we have implemented 5 new synthetic data for Tabular ML in combination with Adversarial Training: AT + TVAE [D], AT + WGAN [E], AT + TableGAN [F], AT + CT-GAN [D] and AT + GOGGLE [G]. We evaluated CAA on these 5 defenses and report in Table 4 of the authors' response PDF the best robustness achieved by these defenses, compared to the robustness by the vanilla Madry AT on all our datasets and models. The results are the average over 5 seeds run to ensure reliable evaluation.

Our new extensive experiments show that these new defenses can significantly improve the robustness of the models to CAA, but that our new attack remains effective for URL and LCLD datasets across all architectures, and for WIDS on TabTransformer and STG architectures.

Thank you for suggesting this study, we will discuss these new results in the appendix of the final version of the manuscript.

[A] Croce et al. "Robustbench: a standardized adversarial robustness benchmark."(2020).

[B] Yun et al. "Cutmix: Regularization strategy to train strong classifiers with localizable features." ICCV, (2019).

[C] Wang et al. "Better diffusion models further improve adversarial training." ICML. PMLR, (2023).

[D] Xu et al. Modeling tabular data using conditional GAN. NeurIPS, (2019).

[E] Arjovsky et al. Wasserstein GAN. CoRR, abs/1701.07875, (2017)

[F] Park et. al. Data synthesis based on generative adversarial networks. VLDB Endowment, (2018)

[G] Liu et al. GOGGLE: Generative modelling for tabular data by learning relational structure. ICLR, (2022)

Thank you for your positive feedback and your praise for the extensiveness and significance of our work in advancing tabular adversarial machine learning. We appreciate your interest and would be happy to provide further explanations to address any questions you have.

W1 - Clarification of the penalty function:

The penalty function transforms each constraint formulation into a differentiable loss function to be minimized by gradient descent. Let's consider one complex constraint from the LCLD credit scoring use case: The term of the loan can only be 36 or 60 months and the number of open accounts is lower than the number of allowed accounts for this client.

Such a constraint can be formally written as (term ∈ {36, 60}) ∧ (open_acc ≤ total_acc). The AND operator ∧ is equivalent to a sum of loss, while the element of set operator c∈{a,b,...} is equivalent to multiple OR operators, that are described as min(|c-a|,|c-b|,...) in a loss function. Finally, the a≤b operator is equivalent to a min(0,a-b) in a loss function.

Hence, the complex constraint translates as the following penalty: min(|term − 36|,|term − 60|)+ max(0, open_acc − total_acc)

Thank you for requesting these clarifications. We will update the final version accordingly and provide a meaningful example for each use case.

W2 - Clarification of the Equations (1) and (2):

The grammar in equations (1) and (2) are inspired by the work of Simonetto et al. [33] where they demonstrate the completeness of this grammar and its ability to cover all linear constraints.

To elaborate on the two equations, equation (1) means that a constraint formula ω can either be an intersection (∧), or a union (∨) of two other constraint formulae ω1, ω2, or ω can be a comparison operator between two values ψ, or ω can be the feature $f$ equals a value of the set {ψ1 ... ψk}.

Then equation (2) details the numeric expressions that are supported by the grammar. A numeric expression ψ can be constant, an operation between two other numerical expressions ψ1 and ψ2, or a specific feature f, or the value for f of the clean sample $x_i$. The difference between $f_i$ and $x_i$ is that $f_i$ corresponds to the current value of the evaluated example and $x_i$ corresponds to its original value in the clean example. This seemingly simple grammar allows very large recursive combinations and covers all the relations found in the features of our datasets.

In this grammar, the symbol $\in$ represents a type of constraint, and not that $f$ is a value. The constraint $f \in \{ψ_1, ..., ψ_k\}$ is equivalent to $(f=ψ_1) \lor (...) \lor (f=ψ_k)$ Hence we can simplify the grammar as follows:

$\omega := \omega_1 \land \omega_2 \mid \omega_1 \lor \omega_2 \mid \psi_1 \succeq \psi_2$ (1)

$\psi := c \mid f \mid \psi_1 \oplus \psi_2 \mid x_i$ (2)

To improve the readability of these equations, we will include the above detailed explanation in the final manuscript, and we have prepared an exhaustive table, Table 1 of the Author Rebuttal PDF, with examples of each type of constraint of the grammar, with real-world examples, and how they are converted into a penalty function. We will also include this table in the updated manuscript.

Q1 - Are there any other constraints in tabular data besides categorical features, immutability, and feature relationship constraints?

To the best of our knowledge, the only constraints related to tabular features are the ones we handle: types (including discrete, categorical, and binary), immutability, boundaries (minimum and maximum possible values), and feature relationships. Other constraints could be considered, but they are related to the threat model and the capabilities of the attackers, and hence outside the scope of the study. For example, the constraints on the budget of the attacker and the cost of changing a feature (for example an attacker could not change the feature of his current balance, without having sufficient resources to actually update his real account balance, or to change its address without the cost of moving its real address).

Q2 - Why are gradient attacks ineffective on the CTU dataset?

Thank you for raising this comment. Indeed, CTU dataset exhibits a large number of constraints compared to the other datasets, and some are particularly challenging. We show in the common answer (C1) that these constraints hinder gradient attacks and are harder to optimize.

Q3- Why is feature engineering necessary for the datasets? Have all four datasets considered in the paper undergone feature engineering?

You are right, each dataset has been proposed by different research teams with their own pre-processing and feature engineering. We did not run any additional feature engineering.

However, some datasets rely heavily on raw measurements, for example, the Botnet CTU dataset with features related to a number of connections in ports and traffic load; or WIDS dataset where the features are numerical biological data (eg. albumin_apache about albumin concentration in g/L). Other datasets were designed by their authors with more feature engineering. In the LCLD credit scoring dataset, some features (grade, subgrade, fico_range_low) are scores computed by Lending Club to grade the customer and the loan, and are the result of feature processing and engineering of raw features. Therefore, the four use cases cover different levels of feature engineering, with datasets as you pointed out requiring little feature engineering (WIDS), and datasets built with more advanced feature engineering (LCLD).

Thank you for raising this point. We will update the appendix section related to the dataset and provide clarifications and relevant references to the feature engineering process of each dataset.