There are various costs for attackers to manipulate the features of security classifiers. The costs are asymmetric across features and to the directions of changes, which cannot be precisely captured by existing cost models based on $L_p$-norm robustness. In this paper, we utilize such domain knowledge to increase the attack cost of evading classifiers, specifically, tree ensemble models that are widely used by security tasks. We propose a new cost modeling method to capture the feature manipulation cost as constraint, and then we integrate the cost-driven constraint into the node construction process to train robust tree ensembles. During the training process, we use the constraint to find data points that are likely to be perturbed given the feature manipulation cost, and we use a new robust training algorithm to optimize the quality of the trees. Our cost-aware training method can be applied to different types of tree ensembles, including gradient boosted decision trees and random forest models. Using Twitter spam detection as the case study, our evaluation results show that we can increase the attack cost by 10.6X compared to the baseline. Moreover, our robust training method using cost-driven constraint can achieve higher accuracy, lower false positive rate, and stronger cost-aware robustness than the state-of-the-art training method using $L_\infty$-norm cost model. Our code is available at https://github.com/surrealyz/growtrees.

翻译：攻击者可以使用各种成本来操纵安全分类器的特性。 成本在特性和变化方向上是不对称的, 这些成本无法精确地用基于 $_ p$- 诺姆 稳健性的现有成本模型来获取。 在本文中, 我们利用这些域知识来提高逃避分类器的进攻成本, 特别是安全任务广泛使用的树集合模型。 我们提出了一个新的成本模型方法来捕捉特性操纵成本作为制约, 然后我们将成本驱动的限制纳入节点建设过程, 以训练强大的树群。 在培训过程中, 我们使用限制来寻找在功能操纵成本基础上有可能被渗透的数据点。 我们使用一种新的强大的培训算法来优化树的质量。 我们的成本认知培训方法可以适用于不同类型的树团, 包括梯度增强决策树和随机森林模型。 我们用Twitter垃圾存储模型作为案例研究, 我们的评估结果显示, 与基线相比,我们可以增加攻击成本10.6X 。 此外,我们使用成本驱动力强的州/ 州级培训方法,我们使用更强的成本 。