We present Timber, the first white-box poisoning attack targeting decision trees. Timber is based on a greedy attack strategy that leverages sub-tree retraining to efficiently estimate the damage caused by poisoning a given training instance. The attack relies on a tree annotation procedure, which enables the sorting of training instances so that they are processed in increasing order of the computational cost of sub-tree retraining. This sorting yields a variant of Timber that supports an early stopping criterion, designed to make poisoning attacks more efficient and feasible on larger datasets. We also discuss an extension of Timber to traditional random forest models, which is valuable since decision trees are typically combined into ensembles to improve their predictive power. Our experimental evaluation on public datasets demonstrates that our attacks outperform existing baselines in terms of effectiveness, efficiency, or both. Moreover, we show that two representative defenses can mitigate the effect of our attacks, but fail to effectively thwart them.

翻译：本文提出了Timber，这是首个针对决策树的白盒投毒攻击方法。Timber基于一种贪婪攻击策略，该策略利用子树重训练来高效评估污染特定训练实例所造成的损害。该攻击依赖于一种树标注流程，该流程能够对训练实例进行排序，使其按照子树重训练计算成本递增的顺序被处理。这种排序产生了一个支持早期停止准则的Timber变体，旨在使投毒攻击在更大数据集上更高效且可行。我们还讨论了Timber向传统随机森林模型的扩展，这一扩展具有重要价值，因为决策树通常被组合成集成模型以提升其预测能力。在公开数据集上的实验评估表明，我们的攻击在有效性、效率或两者兼具方面均优于现有基线方法。此外，我们证明两种代表性防御机制虽能缓解攻击效果，但无法有效阻止我们的攻击。