Recently, the evolution of deep learning has promoted the application of machine learning (ML) to a wide range of systems. However, some ML systems, such as autonomous vehicles, cause critical damage when they misclassify. At the same time, there are ML-specific attacks, called adversarial attacks, that exploit the characteristics of ML systems. For example, one type of adversarial attack is the evasion attack, which uses minute perturbations called "adversarial examples" to cause a classifier to misclassify intentionally. It is therefore necessary to analyze the risk of ML-specific attacks when introducing ML-based systems. In this study, we propose a quantitative evaluation method for analyzing the risk of evasion attacks using attack trees. The proposed method consists of an extension of the conventional attack tree for analyzing evasion attacks and a systematic method for constructing the extended tree. In the extension of the conventional attack tree, we introduce ML attack nodes and conventional attack nodes to represent the various characteristics of evasion attacks. In the systematic construction process, we propose a procedure for constructing the attack tree. The procedure consists of three steps: (1) organizing information about attack methods from the literature into a matrix, (2) identifying evasion attack scenarios from the methods in the matrix, and (3) constructing the attack tree from the identified scenarios using a pattern. Finally, we conducted experiments on three ML image recognition systems to demonstrate the versatility and effectiveness of the proposed method.
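As an added illustration (not code from the paper) of how an attack tree extended with ML and conventional attack nodes can be evaluated quantitatively: the tree below, its node names and all probability values are constructed for this example, and the aggregation rule (AND = product of child probabilities, OR = 1 minus the product of child failure probabilities) is an assumption rather than the paper's own metric.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Node kinds: "and"/"or" are internal gates; "ml" and "conv" are leaves
# typed as ML-specific or conventional attack steps (the paper's extension).
@dataclass
class Node:
    name: str
    kind: str = "or"
    prob: Optional[float] = None      # leaf success probability (assumed)
    children: List["Node"] = field(default_factory=list)

def success_prob(n: Node) -> float:
    """Assumed aggregation: AND = product, OR = 1 - prod(1 - p)."""
    if n.kind in ("ml", "conv"):
        return n.prob
    ps = [success_prob(c) for c in n.children]
    acc = 1.0
    if n.kind == "and":
        for p in ps:
            acc *= p
        return acc
    for p in ps:
        acc *= (1.0 - p)
    return 1.0 - acc

def ml_leaves(n: Node) -> List[str]:
    """Names of ML attack nodes under n; these mark where ML-specific
    mitigations (e.g. robust training, input filtering) would apply."""
    if n.kind == "ml":
        return [n.name]
    return [x for c in n.children for x in ml_leaves(c)]

def mitigation_candidates(root: Node) -> List[str]:
    """ML nodes on the most likely scenario under an OR root: the first
    place a defender would prioritise countermeasures."""
    top = max(root.children, key=success_prob)
    return ml_leaves(top)

# Constructed sample tree for a hypothetical sign-recognition system.
TREE = Node("classifier misclassifies stop sign", "or", children=[
    Node("white-box scenario", "and", children=[
        Node("obtain model parameters", "conv", 0.2),
        Node("craft white-box adversarial example", "ml", 0.9),
        Node("apply perturbation to physical sign", "conv", 0.7),
    ]),
    Node("black-box scenario", "and", children=[
        Node("query prediction API", "conv", 0.8),
        Node("craft black-box adversarial example", "ml", 0.5),
        Node("apply perturbation to physical sign", "conv", 0.7),
    ]),
])
```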