Towards Practical Certifiable Patch Defense with Vision Transformer
- URL: http://arxiv.org/abs/2203.08519v1
- Date: Wed, 16 Mar 2022 10:39:18 GMT
- Title: Towards Practical Certifiable Patch Defense with Vision Transformer
- Authors: Zhaoyu Chen, Bo Li, Jianghe Xu, Shuang Wu, Shouhong Ding, Wenqiang Zhang
- Abstract summary: We introduce Vision Transformer (ViT) into the framework of Derandomized Smoothing (DS)
For efficient inference and deployment in the real world, we innovatively reconstruct the global self-attention structure of the original ViT into isolated band unit self-attention.
- Score: 34.00374565048962
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Patch attacks, among the most threatening forms of physical
adversarial attack, can cause networks to misclassify by arbitrarily modifying
pixels within a contiguous region. A certifiable patch defense guarantees
that the classifier's prediction is unaffected by patch attacks.
Existing certifiable patch defenses sacrifice the clean accuracy of classifiers
and only obtain a low certified accuracy on toy datasets. Furthermore, the
clean and certified accuracy of these methods is still significantly lower than
the accuracy of normal classification networks, which limits their application
in practice. To move towards a practical certifiable patch defense, we
introduce Vision Transformer (ViT) into the framework of Derandomized Smoothing
(DS). Specifically, we propose a progressive smoothed image modeling task to
train the Vision Transformer, which captures more discriminative local
context of an image while preserving its global semantic information. For
efficient inference and deployment in the real world, we innovatively
reconstruct the global self-attention structure of the original ViT into
isolated band unit self-attention. On ImageNet, under 2%-area patch attacks,
our method achieves 41.70% certified accuracy, nearly double that of the
previous best method (26.00%). Simultaneously, our method achieves 78.58%
clean accuracy, which is quite close to that of a standard ResNet-101.
Extensive experiments show that our method obtains state-of-the-art clean and
certified accuracy while inferring efficiently on CIFAR-10 and ImageNet.
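The Derandomized Smoothing framework the abstract builds on certifies a prediction by classifying narrow image bands and taking a majority vote: a patch of bounded size can only intersect, and thus flip, a bounded number of band votes. Below is a minimal sketch of that certification rule under stated assumptions; the function name `certify_band_smoothing` and the example parameter values are illustrative, not from the paper.

```python
import numpy as np

def certify_band_smoothing(band_preds, band_size, patch_size, num_classes):
    """Certification rule for column-band derandomized smoothing (a sketch).

    band_preds: the base classifier's predicted class for each vertical band.
    A patch of width `patch_size` can intersect at most
    patch_size + band_size - 1 bands, so an adversary can alter at most
    that many votes.
    """
    counts = np.bincount(band_preds, minlength=num_classes)
    top = int(counts.argmax())
    runner_up = np.partition(counts, -2)[-2]  # second-largest vote count
    max_affected = patch_size + band_size - 1
    # The prediction cannot change if the winning margin exceeds twice the
    # number of votes an adversary could move (conservative on ties).
    certified = counts[top] - runner_up > 2 * max_affected
    return top, bool(certified)
```

For example, if 100 of 110 bands vote for class 0 with `band_size=4` and `patch_size=5`, the margin of 90 exceeds 2 × 8 = 16 votes an adversary could flip, so the prediction is certified.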
Related papers
- Patch-Level Contrasting without Patch Correspondence for Accurate and
Dense Contrastive Representation Learning [79.43940012723539]
ADCLR is a self-supervised learning framework for learning accurate and dense vision representation.
Our approach achieves new state-of-the-art performance for contrastive methods.
arXiv Detail & Related papers (2023-06-23T07:38:09Z) - Improving the Accuracy-Robustness Trade-Off of Classifiers via Adaptive Smoothing [9.637143119088426]
We show that a robust base classifier's confidence difference for correct and incorrect examples is the key to this improvement.
We adapt an adversarial input detector into a mixing network that adaptively adjusts the mixture of the two base models.
The proposed flexible method, termed "adaptive smoothing", can work in conjunction with existing or even future methods that improve clean accuracy, robustness, or adversary detection.
arXiv Detail & Related papers (2023-01-29T22:05:28Z) - (Certified!!) Adversarial Robustness for Free! [116.6052628829344]
We certify 71% accuracy on ImageNet under adversarial perturbations with a 2-norm of at most 0.5.
We obtain these results using only pretrained diffusion models and image classifiers, without requiring any fine tuning or retraining of model parameters.
arXiv Detail & Related papers (2022-06-21T17:27:27Z) - PatchCensor: Patch Robustness Certification for Transformers via
Exhaustive Testing [7.88628640954152]
Vision Transformer (ViT) is known to be highly nonlinear like other classical neural networks and could be easily fooled by both natural and adversarial patch perturbations.
This limitation could pose a threat to the deployment of ViT in the real industrial environment, especially in safety-critical scenarios.
We propose PatchCensor, aiming to certify the patch robustness of ViT by applying exhaustive testing.
arXiv Detail & Related papers (2021-11-19T23:45:23Z) - ScaleCert: Scalable Certified Defense against Adversarial Patches with
Sparse Superficial Layers [29.658969173796645]
We propose a certified defense methodology that achieves high provable robustness for high-resolution images.
We leverage the SIN-based compression techniques to significantly improve the certified accuracy.
Our experimental results show that the certified accuracy is increased from 36.3% to 60.4% on the ImageNet dataset.
arXiv Detail & Related papers (2021-10-27T02:05:00Z) - Certified Patch Robustness via Smoothed Vision Transformers [77.30663719482924]
We show how using vision transformers enables significantly better certified patch robustness.
These improvements stem from the inherent ability of the vision transformer to gracefully handle largely masked images.
arXiv Detail & Related papers (2021-10-11T17:44:05Z) - PatchCleanser: Certifiably Robust Defense against Adversarial Patches
for Any Image Classifier [30.559585856170216]
An adversarial patch attack against image classification models aims to inject adversarially crafted pixels within a localized restricted image region (i.e., a patch).
We propose PatchCleanser as a robust defense against adversarial patches that is compatible with any image classification model.
We extensively evaluate our defense on the ImageNet, ImageNette, CIFAR-10, CIFAR-100, SVHN, and Flowers-102 datasets.
arXiv Detail & Related papers (2021-08-20T12:09:33Z) - How Robust are Randomized Smoothing based Defenses to Data Poisoning? [66.80663779176979]
We present a previously unrecognized threat to robust machine learning models that highlights the importance of training-data quality.
We propose a novel bilevel optimization-based data poisoning attack that degrades the robustness guarantees of certifiably robust classifiers.
Our attack is effective even when the victim trains the models from scratch using state-of-the-art robust training methods.
arXiv Detail & Related papers (2020-12-02T15:30:21Z) - (De)Randomized Smoothing for Certifiable Defense against Patch Attacks [136.79415677706612]
We introduce a certifiable defense against patch attacks that guarantees, for a given image and patch attack size, that no adversarial patch can alter the prediction.
Our method is related to the broad class of randomized smoothing robustness schemes.
Our results effectively establish a new state-of-the-art of certifiable defense against patch attacks on CIFAR-10 and ImageNet.
arXiv Detail & Related papers (2020-02-25T08:39:46Z)
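The (de)randomized smoothing scheme in the entry above evaluates the base classifier on many ablated copies of the image, each retaining only one narrow column band. A minimal sketch of that band ablation follows; the wrap-around layout and `band_size` parameter are illustrative assumptions, not an exact reproduction of the paper's implementation.

```python
import numpy as np

def column_band_ablations(image, band_size):
    """Generate all column-band ablations of an H x W x C image (a sketch).

    Each ablation keeps a `band_size`-wide vertical band (wrapping around
    the right edge) and zeroes out every other pixel; the base classifier
    then votes on each ablated copy.
    """
    h, w, c = image.shape
    ablations = []
    for start in range(w):
        keep = np.zeros_like(image)
        cols = [(start + i) % w for i in range(band_size)]
        keep[:, cols, :] = image[:, cols, :]
        ablations.append(keep)
    return ablations  # W ablated copies, one per band start position
```

For a width-W image this yields W forward passes per prediction, which is why the main paper above restructures the ViT's self-attention into isolated band units to make inference efficient.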
This list is automatically generated from the titles and abstracts of the papers on this site.
This site does not guarantee the quality of its content (including all information) and is not responsible for any consequences.