Certified Defences Against Adversarial Patch Attacks on Semantic Segmentation

• URL: http://arxiv.org/abs/2209.05980v1
• Date: Tue, 13 Sep 2022 13:24:22 GMT
• Title: Certified Defences Against Adversarial Patch Attacks on Semantic Segmentation
• Authors: Maksym Yatsura, Kaspar Sakmann, N. Grace Hua, Matthias Hein and Jan Hendrik Metzen
• Abstract summary: We present Demasked Smoothing, the first approach to certify the robustness of semantic segmentation models against patch attacks. Using different masking strategies, Demasked Smoothing can be applied both for certified detection and certified recovery. In extensive experiments we show that Demasked Smoothing can on average certify 64% of the pixel predictions for a 1% patch in the detection task and 48% against a 0.5% patch for the recovery task on the ADE20K dataset.
• Score: 44.13336566131961
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Adversarial patch attacks are an emerging security threat for real world deep learning applications. We present Demasked Smoothing, the first approach (up to our knowledge) to certify the robustness of semantic segmentation models against this threat model. Previous work on certifiably defending against patch attacks has mostly focused on image classification task and often required changes in the model architecture and additional training which is undesirable and computationally expensive. In Demasked Smoothing, any segmentation model can be applied without particular training, fine-tuning, or restriction of the architecture. Using different masking strategies, Demasked Smoothing can be applied both for certified detection and certified recovery. In extensive experiments we show that Demasked Smoothing can on average certify 64% of the pixel predictions for a 1% patch in the detection task and 48% against a 0.5% patch for the recovery task on the ADE20K dataset.

Related papers

• Anomaly Unveiled: Securing Image Classification against Adversarial Patch Attacks [3.6275442368775512]
  Adversarial patch attacks pose a significant threat to the practical deployment of deep learning systems. In this paper, we investigate the behavior of adversarial patches as anomalies within the distribution of image information. Our proposed defense mechanism utilizes a clustering-based technique called DBSCAN to isolate anomalous image segments.
  arXiv  Detail & Related papers  (2024-02-09T08:52:47Z)
• Can We Trust the Unlabeled Target Data? Towards Backdoor Attack and Defense on Model Adaptation [120.42853706967188]
  We explore the potential backdoor attacks on model adaptation launched by well-designed poisoning target data. We propose a plug-and-play method named MixAdapt, combining it with existing adaptation algorithms.
  arXiv  Detail & Related papers  (2024-01-11T16:42:10Z)
• Task-agnostic Defense against Adversarial Patch Attacks [25.15948648034204]
  Adversarial patch attacks mislead neural networks by injecting adversarial pixels within a designated local region. We present PatchZero, a task-agnostic defense against white-box adversarial patches. Our method achieves SOTA robust accuracy without any degradation in the benign performance.
  arXiv  Detail & Related papers  (2022-07-05T03:49:08Z)
• Towards Practical Certifiable Patch Defense with Vision Transformer [34.00374565048962]
  We introduce Vision Transformer (ViT) into the framework of Derandomized Smoothing (DS) For efficient inference and deployment in the real world, we innovatively reconstruct the global self-attention structure of the original ViT into isolated band unit self-attention.
  arXiv  Detail & Related papers  (2022-03-16T10:39:18Z)
• ObjectSeeker: Certifiably Robust Object Detection against Patch Hiding Attacks via Patch-agnostic Masking [95.6347501381882]
  Object detectors are found to be vulnerable to physical-world patch hiding attacks. We propose ObjectSeeker as a framework for building certifiably robust object detectors.
  arXiv  Detail & Related papers  (2022-02-03T19:34:25Z)
• Segment and Complete: Defending Object Detectors against Adversarial Patch Attacks with Robust Patch Detection [142.24869736769432]
  Adversarial patch attacks pose a serious threat to state-of-the-art object detectors. We propose Segment and Complete defense (SAC), a framework for defending object detectors against patch attacks. We show SAC can significantly reduce the targeted attack success rate of physical patch attacks.
  arXiv  Detail & Related papers  (2021-12-08T19:18:48Z)
• PatchCensor: Patch Robustness Certification for Transformers via Exhaustive Testing [7.88628640954152]
  Vision Transformer (ViT) is known to be highly nonlinear like other classical neural networks and could be easily fooled by both natural and adversarial patch perturbations. This limitation could pose a threat to the deployment of ViT in the real industrial environment, especially in safety-critical scenarios. We propose PatchCensor, aiming to certify the patch robustness of ViT by applying exhaustive testing.
  arXiv  Detail & Related papers  (2021-11-19T23:45:23Z)
• PatchCleanser: Certifiably Robust Defense against Adversarial Patches for Any Image Classifier [30.559585856170216]
  adversarial patch attack against image classification models aims to inject adversarially crafted pixels within a localized restricted image region (i.e., a patch) We propose PatchCleanser as a robust defense against adversarial patches that is compatible with any image classification model. We extensively evaluate our defense on the ImageNet, ImageNette, CIFAR-10, CIFAR-100, SVHN, and Flowers-102 datasets.
  arXiv  Detail & Related papers  (2021-08-20T12:09:33Z)
• Hidden Backdoor Attack against Semantic Segmentation Models [60.0327238844584]
  The emphbackdoor attack intends to embed hidden backdoors in deep neural networks (DNNs) by poisoning training data. We propose a novel attack paradigm, the emphfine-grained attack, where we treat the target label from the object-level instead of the image-level. Experiments show that the proposed methods can successfully attack semantic segmentation models by poisoning only a small proportion of training data.
  arXiv  Detail & Related papers  (2021-03-06T05:50:29Z)
• (De)Randomized Smoothing for Certifiable Defense against Patch Attacks [136.79415677706612]
  We introduce a certifiable defense against patch attacks that guarantees for a given image and patch attack size. Our method is related to the broad class of randomized smoothing robustness schemes. Our results effectively establish a new state-of-the-art of certifiable defense against patch attacks on CIFAR-10 and ImageNet.
  arXiv  Detail & Related papers  (2020-02-25T08:39:46Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.