Related papers: CrossCert: A Cross-Checking Detection Approach to Patch Robustness Certification for Deep Learning Models

CrossCert: A Cross-Checking Detection Approach to Patch Robustness Certification for Deep Learning Models

URL: http://arxiv.org/abs/2405.07668v1
Date: Mon, 13 May 2024 11:54:03 GMT
Title: CrossCert: A Cross-Checking Detection Approach to Patch Robustness Certification for Deep Learning Models
Authors: Qilin Zhou, Zhengyuan Wei, Haipeng Wang, Bo Jiang, W. K. Chan,
Abstract summary: Patch robustness certification is an emerging kind of defense technique against adversarial patch attacks with provable guarantees. This paper proposes a novel certified defense technique called CrossCert.
Score: 6.129515045488372
License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
Abstract: Patch robustness certification is an emerging kind of defense technique against adversarial patch attacks with provable guarantees. There are two research lines: certified recovery and certified detection. They aim to label malicious samples with provable guarantees correctly and issue warnings for malicious samples predicted to non-benign labels with provable guarantees, respectively. However, existing certified detection defenders suffer from protecting labels subject to manipulation, and existing certified recovery defenders cannot systematically warn samples about their labels. A certified defense that simultaneously offers robust labels and systematic warning protection against patch attacks is desirable. This paper proposes a novel certified defense technique called CrossCert. CrossCert formulates a novel approach by cross-checking two certified recovery defenders to provide unwavering certification and detection certification. Unwavering certification ensures that a certified sample, when subjected to a patched perturbation, will always be returned with a benign label without triggering any warnings with a provable guarantee. To our knowledge, CrossCert is the first certified detection technique to offer this guarantee. Our experiments show that, with a slightly lower performance than ViP and comparable performance with PatchCensor in terms of detection certification, CrossCert certifies a significant proportion of samples with the guarantee of unwavering certification.

Related papers

sec-certs: Examining the security certification practice for better vulnerability mitigation [0.2886273197127056]
Critical vulnerabilities get discovered in certified products with high assurance levels. Assessing which certified products are impacted by such vulnerabilities is complicated due to the large amount of unstructured certification-related data. We trained unsupervised models to learn which vulnerabilities from NIST's National Vulnerability Database impact existing certified products.
arXiv Detail & Related papers (2023-11-29T12:55:16Z)
It's Simplex! Disaggregating Measures to Improve Certified Robustness [32.63920797751968]
This work presents two approaches to improve the analysis of certification mechanisms. New certification approaches have the potential to more than double the achievable radius of certification. Empirical evaluation verifies that our new approach can certify $9%$ more samples at noise scale $sigma = 1$.
arXiv Detail & Related papers (2023-09-20T02:16:19Z)
PointCert: Point Cloud Classification with Deterministic Certified Robustness Guarantees [63.85677512968049]
Point cloud classification is an essential component in many security-critical applications such as autonomous driving and augmented reality. Existing certified defenses against adversarial point clouds suffer from a key limitation: their certified robustness guarantees are probabilistic. We propose a general framework, namely PointCert, that can transform an arbitrary point cloud classifier to be certifiably robust against adversarial point clouds.
arXiv Detail & Related papers (2023-03-03T14:32:48Z)
Et Tu Certifications: Robustness Certificates Yield Better Adversarial Examples [30.42301446202426]
Our new emphCertification Aware Attack exploits certifications to produce computationally efficient norm-minimising adversarial examples. While these attacks can be used to assess the tightness of certification bounds, they also highlight that releasing certifications can paradoxically reduce security.
arXiv Detail & Related papers (2023-02-09T00:10:05Z)
COPA: Certifying Robust Policies for Offline Reinforcement Learning against Poisoning Attacks [49.15885037760725]
We focus on certifying the robustness of offline reinforcement learning (RL) in the presence of poisoning attacks. We propose the first certification framework, COPA, to certify the number of poisoning trajectories that can be tolerated. We prove that some of the proposed certification methods are theoretically tight and some are NP-Complete problems.
arXiv Detail & Related papers (2022-03-16T05:02:47Z)
PatchCensor: Patch Robustness Certification for Transformers via Exhaustive Testing [7.88628640954152]
Vision Transformer (ViT) is known to be highly nonlinear like other classical neural networks and could be easily fooled by both natural and adversarial patch perturbations. This limitation could pose a threat to the deployment of ViT in the real industrial environment, especially in safety-critical scenarios. We propose PatchCensor, aiming to certify the patch robustness of ViT by applying exhaustive testing.
arXiv Detail & Related papers (2021-11-19T23:45:23Z)
Deep Partition Aggregation: Provable Defense against General Poisoning Attacks [136.79415677706612]
Adrial poisoning attacks distort training data in order to corrupt the test-time behavior of a classifier. We propose two novel provable defenses against poisoning attacks. DPA is a certified defense against a general poisoning threat model. SS-DPA is a certified defense against label-flipping attacks.
arXiv Detail & Related papers (2020-06-26T03:16:31Z)
Breaking certified defenses: Semantic adversarial examples with spoofed robustness certificates [57.52763961195292]
We present a new attack that exploits not only the labelling function of a classifier, but also the certificate generator. The proposed method applies large perturbations that place images far from a class boundary while maintaining the imperceptibility property of adversarial examples.
arXiv Detail & Related papers (2020-03-19T17:59:44Z)
Certified Defenses for Adversarial Patches [72.65524549598126]
Adversarial patch attacks are among the most practical threat models against real-world computer vision systems. This paper studies certified and empirical defenses against patch attacks.
arXiv Detail & Related papers (2020-03-14T19:57:31Z)
(De)Randomized Smoothing for Certifiable Defense against Patch Attacks [136.79415677706612]
We introduce a certifiable defense against patch attacks that guarantees for a given image and patch attack size. Our method is related to the broad class of randomized smoothing robustness schemes. Our results effectively establish a new state-of-the-art of certifiable defense against patch attacks on CIFAR-10 and ImageNet.
arXiv Detail & Related papers (2020-02-25T08:39:46Z)

This list is automatically generated from the titles and abstracts of the papers in this site.