PatchGuard: A Provably Robust Defense against Adversarial Patches via
Small Receptive Fields and Masking
- URL: http://arxiv.org/abs/2005.10884v5
- Date: Wed, 31 Mar 2021 14:20:39 GMT
- Title: PatchGuard: A Provably Robust Defense against Adversarial Patches via
Small Receptive Fields and Masking
- Authors: Chong Xiang, Arjun Nitin Bhagoji, Vikash Sehwag, Prateek Mittal
- Abstract summary: Localized adversarial patches aim to induce misclassification in machine learning models by arbitrarily modifying pixels within a restricted region of an image.
We propose a general defense framework called PatchGuard that can achieve high provable robustness while maintaining high clean accuracy against localized adversarial patches.
- Score: 46.03749650789915
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Localized adversarial patches aim to induce misclassification in machine
learning models by arbitrarily modifying pixels within a restricted region of
an image. Such attacks can be realized in the physical world by attaching the
adversarial patch to the object to be misclassified, and defending against such
attacks is an open problem. In this paper, we propose a general
defense framework called PatchGuard that can achieve high provable robustness
while maintaining high clean accuracy against localized adversarial patches.
The cornerstone of PatchGuard involves the use of CNNs with small receptive
fields to impose a bound on the number of features corrupted by an adversarial
patch. Given a bounded number of corrupted features, the problem of designing
an adversarial patch defense reduces to that of designing a secure feature
aggregation mechanism. Towards this end, we present our robust masking defense
that robustly detects and masks corrupted features to recover the correct
prediction. Notably, we can prove the robustness of our defense against any
adversary within our threat model. Our extensive evaluation on ImageNet,
ImageNette (a 10-class subset of ImageNet), and CIFAR-10 datasets demonstrates
that our defense achieves state-of-the-art performance in terms of both
provable robust accuracy and clean accuracy.
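To make the framework concrete, here is a minimal NumPy sketch (illustrative, not the authors' released code) of the two ingredients the abstract describes: a receptive-field bound on how many features a patch can corrupt, and a simplified robust-masking aggregation that, for each class, discards the highest-evidence window of that size before summing. Function names and the toy geometry are assumptions, and the paper's full algorithm additionally uses a detection threshold to decide whether to mask at all.
```python
import numpy as np

def feature_window_size(patch_size, receptive_field, stride):
    # Per-axis upper bound on how many features a patch of `patch_size`
    # pixels can corrupt, given the backbone's receptive field and stride.
    return int(np.ceil((patch_size + receptive_field - 1) / stride))

def robust_masking(class_evidence, window):
    # class_evidence: (num_classes, H, W) local class evidence from a CNN
    # with small receptive fields; window: (wh, ww) feature-space footprint
    # a single patch could corrupt. For each class, the highest-evidence
    # window is treated as suspicious and discarded before aggregation.
    num_classes, H, W = class_evidence.shape
    wh, ww = window
    scores = np.empty(num_classes)
    for c in range(num_classes):
        ev = np.clip(class_evidence[c], 0.0, None)  # evidence is non-negative
        best_window = max(
            ev[i:i + wh, j:j + ww].sum()
            for i in range(H - wh + 1)
            for j in range(W - ww + 1)
        )
        scores[c] = ev.sum() - best_window  # mask the suspicious window
    return int(np.argmax(scores))

# Toy usage: a BagNet-like backbone (receptive field 33, stride 8) on a
# 224x224 image; a 32x32 patch then corrupts at most an 8x8 feature window.
w = feature_window_size(patch_size=32, receptive_field=33, stride=8)
evidence = np.random.rand(10, 24, 24)  # hypothetical 10-class evidence map
print(robust_masking(evidence, (w, w)))
```
Because the patch's feature-space footprint is bounded, masking the single worst window per class removes everything the adversary could have touched, which is what makes the aggregation certifiable.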
Related papers
- Task-agnostic Defense against Adversarial Patch Attacks [25.15948648034204]
Adversarial patch attacks mislead neural networks by injecting adversarial pixels within a designated local region.
We present PatchZero, a task-agnostic defense against white-box adversarial patches.
Our method achieves SOTA robust accuracy without any degradation in benign performance.
arXiv Detail & Related papers (2022-07-05T03:49:08Z)
- Defending Against Person Hiding Adversarial Patch Attack with a Universal White Frame [28.128458352103543]
High-performance object detection networks are vulnerable to adversarial patch attacks.
Person-hiding attacks are emerging as a serious problem in many safety-critical applications.
We propose a novel defense strategy that mitigates a person-hiding attack by optimizing defense patterns.
arXiv Detail & Related papers (2022-04-27T15:18:08Z)
- ObjectSeeker: Certifiably Robust Object Detection against Patch Hiding Attacks via Patch-agnostic Masking [95.6347501381882]
Object detectors are found to be vulnerable to physical-world patch hiding attacks.
We propose ObjectSeeker as a framework for building certifiably robust object detectors.
arXiv Detail & Related papers (2022-02-03T19:34:25Z)
- Segment and Complete: Defending Object Detectors against Adversarial Patch Attacks with Robust Patch Detection [142.24869736769432]
Adversarial patch attacks pose a serious threat to state-of-the-art object detectors.
We propose Segment and Complete defense (SAC), a framework for defending object detectors against patch attacks.
We show SAC can significantly reduce the targeted attack success rate of physical patch attacks.
arXiv Detail & Related papers (2021-12-08T19:18:48Z)
- PatchCleanser: Certifiably Robust Defense against Adversarial Patches for Any Image Classifier [30.559585856170216]
An adversarial patch attack against image classification models aims to inject adversarially crafted pixels within a localized, restricted image region (i.e., a patch).
We propose PatchCleanser as a robust defense against adversarial patches that is compatible with any image classification model.
We extensively evaluate our defense on the ImageNet, ImageNette, CIFAR-10, CIFAR-100, SVHN, and Flowers-102 datasets.
arXiv Detail & Related papers (2021-08-20T12:09:33Z)
- PatchGuard++: Efficient Provable Attack Detection against Adversarial Patches [28.94435153159868]
An adversarial patch can arbitrarily manipulate image pixels within a restricted region to induce model misclassification.
Recent provably robust defenses generally follow the PatchGuard framework by using CNNs with small receptive fields.
We extend PatchGuard to PatchGuard++, which provably detects adversarial patch attacks and boosts both provable robust accuracy and clean accuracy (see the sketch after this entry).
arXiv Detail & Related papers (2021-04-26T14:22:33Z)
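As a rough illustration of the detection variant (an assumption-laden sketch based on the summary above, not the paper's implementation): mask every candidate patch window in feature space and raise an alert whenever the masked predictions disagree.
```python
import numpy as np

def patchguard_pp_detect(class_evidence, window):
    # Mask every candidate patch window in feature space; if all masked
    # predictions agree, return that label, otherwise raise an attack alert.
    # Names and the (num_classes, H, W) layout are illustrative assumptions.
    class_evidence = np.clip(class_evidence, 0.0, None)
    num_classes, H, W = class_evidence.shape
    wh, ww = window
    preds = set()
    for i in range(H - wh + 1):
        for j in range(W - ww + 1):
            masked = class_evidence.copy()
            masked[:, i:i + wh, j:j + ww] = 0.0  # occlude one candidate window
            preds.add(int(masked.sum(axis=(1, 2)).argmax()))
    if len(preds) == 1:
        return preds.pop(), False  # unanimous prediction, no alert
    return None, True              # disagreement -> possible patch attack
```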
- A Self-supervised Approach for Adversarial Robustness [105.88250594033053]
Adversarial examples can cause catastrophic mistakes in Deep Neural Network (DNN) based vision systems.
This paper proposes a self-supervised adversarial training mechanism in the input space.
It provides significant robustness against unseen adversarial attacks.
arXiv Detail & Related papers (2020-06-08T20:42:39Z)
- Certified Defenses for Adversarial Patches [72.65524549598126]
Adversarial patch attacks are among the most practical threat models against real-world computer vision systems.
This paper studies certified and empirical defenses against patch attacks.
arXiv Detail & Related papers (2020-03-14T19:57:31Z)
- (De)Randomized Smoothing for Certifiable Defense against Patch Attacks [136.79415677706612]
We introduce a certifiable defense against patch attacks that guarantees robustness for a given image and patch attack size (see the sketch after this list).
Our method is related to the broad class of randomized smoothing robustness schemes.
Our results effectively establish a new state-of-the-art of certifiable defense against patch attacks on CIFAR-10 and ImageNet.
arXiv Detail & Related papers (2020-02-25T08:39:46Z)
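The sketch referenced above illustrates column-style (de)randomized smoothing under stated assumptions: classify_band is a hypothetical base classifier that sees only a narrow vertical band of the image, and the certificate follows from the fact that a patch of width p can intersect at most p + band_width - 1 band positions. Details from the actual paper, such as tie-breaking and band wrap-around, are omitted.
```python
import numpy as np

def smoothed_predict(image, classify_band, band_width, patch_width, num_classes):
    # classify_band(image, start, width) -> class id is a hypothetical base
    # classifier trained to predict from a single vertical pixel band.
    H, W = image.shape[:2]
    votes = np.zeros(num_classes, dtype=int)
    for start in range(W - band_width + 1):  # enumerate bands deterministically
        votes[classify_band(image, start, band_width)] += 1
    order = np.argsort(votes)
    top, runner_up = int(order[-1]), int(order[-2])
    # A patch of width p overlaps at most p + band_width - 1 bands, so the
    # prediction is certified when the vote margin exceeds twice that count.
    affected = patch_width + band_width - 1
    certified = votes[top] - votes[runner_up] > 2 * affected
    return top, certified
```
Enumerating every band (rather than sampling them randomly) is what makes the certificate exact, hence the "(de)randomized" in the paper's title.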
This list is automatically generated from the titles and abstracts of the papers on this site.