State-of-the-art deep learning models for tabular data have recently achieved
acceptable performance to be deployed in industrial settings. However, the
robustness of these models remains scarcely explored. Contrary to computer
vision, there are no effective attacks to properly evaluate the adversarial
robustness of deep tabular models due to intrinsic properties of tabular data,
such as categorical features, immutability, and feature relationship
constraints. To fill this gap, we first propose CAPGD, a gradient attack that
overcomes the failures of existing gradient attacks with adaptive mechanisms.
This new attack does not require parameter tuning and further degrades the
accuracy, up to 81% points compared to the previous gradient attacks. Second,
we design CAA, an efficient evasion attack that combines our CAPGD attack and
MOEVA, the best search-based attack. We demonstrate the effectiveness of our
attacks on five architectures and four critical use cases. Our empirical study
demonstrates that CAA outperforms all existing attacks in 17 over the 20
settings, and leads to a drop in the accuracy by up to 96.1% points and 21.9%
points compared to CAPGD and MOEVA respectively while being up to five times
faster than MOEVA. Given the effectiveness and efficiency of our new attacks,
we argue that they should become the minimal test for any new defense or robust
architectures in tabular machine learning.

我们提出了 CAPGD 和 CAA 两种新的攻击方法，证明它们在表格机器学习中的有效性和高效性，认为它们应成为任何新的防御或鲁棒性架构的最低测试标准。

约束性自适应攻击：针对表格数据深度神经网络的有效对抗性攻击

Constrained Adaptive Attack: Effective Adversarial Attack Against Deep  Neural Networks for Tabular Data

Adversarial examples, generated by carefully crafted perturbation, have
attracted considerable attention in research fields. Recent works have argued
that the existence of the robust and non-robust features is a primary cause of
the adversarial examples, and investigated their internal interactions in the
feature space. In this paper, we propose a way of explicitly distilling feature
representation into the robust and non-robust features, using Information
Bottleneck. Specifically, we inject noise variation to each feature unit and
evaluate the information flow in the feature representation to dichotomize
feature units either robust or non-robust, based on the noise variation
magnitude. Through comprehensive experiments, we demonstrate that the distilled
features are highly correlated with adversarial prediction, and they have
human-perceptible semantic information by themselves. Furthermore, we present
an attack mechanism intensifying the gradient of non-robust features that is
directly related to the model prediction, and validate its effectiveness of
breaking model robustness.

本文提出了一种通过 Information Bottleneck 明确地提炼出稳健特征和非稳健特征的方法，这些特征高度相关于对抗性预测并具有人类可感知的语义信息。此外，我们还提出了一种攻击机制来强化与模型预测直接相关的非稳健特征，并验证了其破坏模型鲁棒性的效果。