Constrained Adaptive Attack: Effective Adversarial Attack Against Deep Neural Networks for Tabular Data
Thibault Simonetto, Salah Ghamizi, Maxime Cordy
TL;DR
This work tackles adversarial robustness for deep neural networks operating on tabular data, where feature constraints defeat conventional attacks. It introduces CAPGD, a parameter-free gradient attack with momentum and adaptive step sizes, together with a repair mechanism that enforces constraint satisfaction; CAPGD is shown to outperform and subsume prior gradient attacks. Building on CAPGD, the authors propose CAA, a hybrid attack that applies CAPGD and then MOEVA sequentially to maximize effectiveness while reducing computational cost, achieving the strongest results across four datasets and five architectures, with substantial accuracy drops and speedups over the baselines. The findings establish CAPGD and CAA as essential components of a robust evaluation protocol for tabular ML, with implications for defense design and adversarial training strategies, particularly under realistic feature constraints expressed by Ω.
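As an added illustration (not the paper's CAPGD code, and run against a constructed toy model), the sketch below shows the ingredients the TL;DR names: momentum sign-gradient steps, a step size that shrinks when the loss stalls, and a repair step that restores immutability, integrality, bounds and a feature relationship after every iterate, so that the robustness check only ever scores valid tabular rows. The weights, feature names, budget and constraint are assumptions.

```python
import math

# Toy logistic-regression scorer over normalised tabular features (constructed weights, not a
# trained model). Features: [age, income, n_accounts, exposure]; exposure = income + 0.1 * n_accounts.
W, B = [0.5, -6.0, 1.0, 2.0], 0.4
BUDGET = [None, 0.25, 1.0, None]      # max |delta| per feature; None = not directly perturbable
BOUNDS = [(0.0, 1.0), (0.0, 1.0), (0, 5), (0.0, 2.0)]
INTEGER = [False, False, True, False]
X0 = [0.6, 0.3, 2.0, 0.5]             # constructed sample, currently scored as class 1

def logit(x):
    return sum(wi * xi for wi, xi in zip(W, x)) + B

def predict(x):
    return 1 if logit(x) > 0 else 0

def loss_and_grad(x, y):
    """Binary cross-entropy for label y and its gradient with respect to the input features."""
    p = 1.0 / (1.0 + math.exp(-logit(x)))
    loss = -math.log(p if y == 1 else 1.0 - p)
    return loss, [(p - y) * wi for wi in W]

def repair(x_adv, x0):
    """Project a perturbed point back onto the budget, the bounds and the feature constraints."""
    out = []
    for i, v in enumerate(x_adv):
        if BUDGET[i] is None:
            v = x0[i]                                   # immutable (age) or derived (exposure)
        else:
            v = min(max(v, x0[i] - BUDGET[i]), x0[i] + BUDGET[i])
        lo, hi = BOUNDS[i]
        v = min(max(v, lo), hi)
        out.append(float(round(v)) if INTEGER[i] else v)
    out[3] = out[1] + 0.1 * out[2]                      # re-derive exposure from its parents
    return out

def sign(v):
    return (v > 0) - (v < 0)

def constrained_attack(x0, y, iters=10, momentum=0.75):
    """Momentum sign-gradient steps, each followed by repair; the step shrinks when the loss stalls."""
    x, m, step = list(x0), [0.0] * len(x0), 1.0
    best_loss, best_x = loss_and_grad(x, y)[0], list(x)
    for _ in range(iters):
        _, g = loss_and_grad(x, y)
        m = [momentum * mi + gi for mi, gi in zip(m, g)]
        x = [xi + step * (BUDGET[i] or 0.0) * sign(mi) for i, (xi, mi) in enumerate(zip(x, m))]
        x = repair(x, x0)                               # every iterate is a valid tabular row
        loss, _ = loss_and_grad(x, y)
        if loss > best_loss:
            best_loss, best_x = loss, list(x)
        else:
            step *= 0.5                                 # adaptive step size, no tuning required
    return best_x
```

On this toy model the constrained search flips the sample's score while age stays fixed, n_accounts stays an integer in range and exposure still equals income + 0.1 * n_accounts; the same repair would be needed to make any gradient attack produce admissible rows.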
Abstract
State-of-the-art deep learning models for tabular data have recently achieved performance sufficient for deployment in industrial settings. However, the robustness of these models remains scarcely explored. Unlike in computer vision, there are no effective attacks with which to properly evaluate the adversarial robustness of deep tabular models, because of intrinsic properties of tabular data such as categorical features, immutability, and feature relationship constraints. To fill this gap, we first propose CAPGD, a gradient attack that overcomes the failures of existing gradient attacks through adaptive mechanisms. This new attack requires no parameter tuning and further degrades accuracy, by up to 81 percentage points compared to previous gradient attacks. Second, we design CAA, an efficient evasion attack that combines our CAPGD attack with MOEVA, the best search-based attack. We demonstrate the effectiveness of our attacks on five architectures and four critical use cases. Our empirical study shows that CAA outperforms all existing attacks in 17 of the 20 settings and reduces accuracy by up to 96.1 percentage points and 21.9 percentage points compared to CAPGD and MOEVA respectively, while being up to five times faster than MOEVA. Given the effectiveness and efficiency of our new attacks, we argue that they should become the minimal test for any new defense or robust architecture in tabular machine learning.
