2. Realistic Adversarial Attacks for Tabular Data Using Generative Models
In our previous posts, we highlighted how adversarial attacks designed in controlled environments often fail to reflect real-world scenarios. So far, we have focused on images and text. In this post we will move to tabular data, allegedly one of the most widely used formats in practice, powering critical systems such as financial decision-making, medical diagnoses, and automated risk assessments. Tabular AI/ML applications are equally vulnerable to adversarial attacks. Here, we will explore how to construct adversarial attacks specifically for tabular data, with a focus on maintaining realism and practical relevance.
Consider a credit card fraud detection system that processes records like this:
| Age | Income | Transaction Amount | Account Type |
|---|---|---|---|
| 35 | 4000 | 500 | Premium |
This is a normal transaction that the system flags as suspicious. A naive attacker might think they can bypass the system simply by changing a single value. For example, they could inflate the transaction amount to an absurd number:
| Age | Income | Transaction Amount | Account Type |
|---|---|---|---|
| 35 | 4000 | 999,999,999 | Premium |
Technically, the database accepts it, and it might fool an AI/ML model. But in reality, such an extreme number would immediately raise red flags: auditors, internal checks, or sanity rules would catch it instantly. This simple example shows that adversarial attacks on tabular ML models must respect constraints that make them plausible in the real world. We can identify three such constraints:
-
Mutability Constraints
Certain features, such as blood type or date of birth, cannot be altered. -
Structural Constraints
Tabular features have predefined domains. For example, age is restricted to integers between 0–120, and categorical variables can only take on a fixed set of values. -
Inter-feature Dependencies
Features often have logical or statistical relationships. For instance, LoanAmount should not exceed a reasonable percentage of Income. These dependencies must be preserved.
Violating any of these constraints produces unrealistic or easily detected adversarial examples. Traditional adversarial attacks, which work well for images, often fail when applied in tabular settings because they do not account for mutability, structural limits, or inter-feature dependencies[1]. As a result, these methods frequently generate invalid or implausible records.
Therefore, we need new adversarial approaches that can bypass machine learning models and at the same time respecting the inherent constraints of real-world tabular data. By ensuring that adversarial examples remain plausible and stealthy, these methods can more accurately simulate attacks that might occur in practice.
We present below the main steps of our approach, and in the next two posts we will discuss them more in-depth.
Our Approach: Step by Step
Building realistic adversarial attacks for tabular data can be approached in multiple ways. One option, which is the most generalizable, is to adapt existing image-based methods (e.g gradient-based, gradient-free, or learning-based attacks) by incorporating the feasibility constraints discussed earlier. This process involves masking immutable features, keeping values within valid ranges through rounding, for example, and applying post-hoc repair operations to maintain inter-feature dependencies. The second option is to develop entirely new techniques tailored to a specific use case, such as fraud detection. While potentially more effective for a single domain, this approach is difficult to generalize to other applications without significant effort.
We opted for the first approach, combining generative models with feasibility constraints enforced through post-hoc repair. Generative models are particularly appealing because they are far more efficient than iterative optimization methods. Once trained, they can produce adversarial examples in a single step. Post-hoc repair ensures that all generated outputs satisfy the necessary constraints, providing guarantees that constraint-aware optimization alone may not offer.
There are two key steps that we followed to build an adversarial attack for tabular ML which generates feasible input that are closer to a real-world scenario.
- Step 1: Converting Deep Generative Models (DGMs) into Constrained DGMs (C-DGMs)
The first step is to ensure that generative models produce valid tabular data. To achieve this, we designed a differentiable constraint layer that performs post-hoc repair to correct outputs violating domain constraints, such as logical relationships between features (e.g., total_income = salary + bonus + other). This layer works as a filter that catches mistakes and fixes them. This results in a model capable of generating realistic tabular samples that conform to all feasibility requirements. This method is discussed in detail in our work How Realistic is Your Synthetic Data? Constraining Deep Generative Models for Tabular Data.
- Step 2: Converting C-DGMs into Adversarial C-DGMs (C-AdvDGMs)
Once the constrained generative model reliably produces valid samples, we adapt it to generate adversarial examples that can mislead machine learning models. This is achieved through the incorporation of an adversarial loss and architectural modifications. This approach is described further in Deep Generative Models as an Adversarial Attack Strategy for Tabular Machine Learning.
In the next posts, we will take a closer look at these two steps. First, in Step 1, we will show how deep generative models (DGMs) can be transformed into constrained generative models (C-DGMs) that produce valid, realistic tabular samples. We will explain the design of the differentiable constraint layer that ensures all domain constraints are satisfied.
Following that, in Step 2, we will demonstrate how (C-DGMs) can be extended to C-AdvDGMs to generate adversarial examples capable of bypassing machine learning models. We will explore the incorporation of adversarial loss and architectural modifications.
1. Ghamizi et al., “Search-based adversarial testing and improvement of constrained credit scoring systems.”, FSE 2020
Note: This blog series is based on research about the realism of current adversarial attacks from my time at the SerVal group, SnT (University of Luxembourg). It’s an easy-to-digest format for anyone interested in the topic, especially those who may not have time (or willingness) to read our full papers.
The work and results presented here are a team effort, including Asst. Prof. Dr. Maxime Cordy, Dr. Thibault Simonetto, Dr. Salah Ghamizi, (to be Dr.) Mohamed Djilani, (to be Dr.) Mihaela C. Stoian and Asst. Prof. Dr. Eleonora Giunchiglia.
If you want to dig deeper into the results or specific subtopics, check out the papers linked in each blog post.
Enjoy Reading This Article?
Here are some more articles you might like to read next: