TY - GEN
T1 - CaFA
T2 - 45th IEEE Symposium on Security and Privacy, SP 2024
AU - Ben-Tov, Matan
AU - Deutch, Daniel
AU - Frost, Nave
AU - Sharif, Mahmood
N1 - Publisher Copyright: © 2024 IEEE.
PY - 2024
Y1 - 2024
AB - This work presents CaFA, a system for Cost-aware Feasible Attacks for assessing the robustness of neural tabular classifiers against adversarial examples realizable in the problem space, while minimizing adversaries' effort. To this end, CaFA leverages TabPGD - an algorithm we set forth to generate adversarial perturbations suitable for tabular data - and incorporates integrity constraints automatically mined by state-of-the-art database methods. After producing adversarial examples in the feature space via TabPGD, CaFA projects them onto the mined constraints, leading, in turn, to better attack realizability. We tested CaFA with three datasets and two architectures and found, among other things, that the constraints we use are of higher quality (measured via soundness and completeness) than ones employed in prior work. Moreover, CaFA achieves higher feasible success rates - i.e., it generates adversarial examples that are often misclassified while satisfying constraints - than prior attacks, while simultaneously perturbing fewer features with lower magnitudes, thus saving effort and improving inconspicuousness. We open-source CaFA, hoping it will serve as a generic system enabling machine-learning engineers to assess their models' robustness against realizable attacks, thus advancing deployed models' trustworthiness.
KW - Adversarial machine learning
KW - Adversarial robustness
KW - Neural networks
KW - Tabular data
UR - http://www.scopus.com/inward/record.url?scp=85204101378&partnerID=8YFLogxK
U2 - 10.1109/SP54263.2024.00218
DO - 10.1109/SP54263.2024.00218
M3 - Conference contribution
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 1345
EP - 1364
BT - Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 20 May 2024 through 23 May 2024
ER -