PatchDEMUX: A Certifiably Robust Framework for Multi-label Classifiers Against Adversarial Patches
- URL: http://arxiv.org/abs/2505.24703v1
- Date: Fri, 30 May 2025 15:25:51 GMT
- Title: PatchDEMUX: A Certifiably Robust Framework for Multi-label Classifiers Against Adversarial Patches
- Authors: Dennis Jacob, Chong Xiang, Prateek Mittal
- Abstract summary: We present PatchDEMUX, a certifiably robust framework for multi-label classification against adversarial patches. Our approach is a generalizable method which can extend any existing certifiable defense for single-label classification. We find that PatchDEMUX can achieve non-trivial robustness on the MS-COCO and PASCAL VOC datasets.
- Score: 37.33690151547147
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Deep learning techniques have enabled vast improvements in computer vision technologies. Nevertheless, these models are vulnerable to adversarial patch attacks, which catastrophically impair performance. The physically realizable nature of these attacks calls for certifiable defenses, which feature provable guarantees on robustness. While certifiable defenses have been successfully applied to single-label classification, limited work has been done for multi-label classification. In this work, we present PatchDEMUX, a certifiably robust framework for multi-label classifiers against adversarial patches. Our approach is a generalizable method which can extend any existing certifiable defense for single-label classification; this is done by treating the multi-label classification task as a series of isolated binary classification problems, each of which is certified independently, to provably guarantee robustness. Furthermore, in the scenario where an attacker is limited to a single patch, we propose an additional certification procedure that can provide tighter robustness bounds. Using the current state-of-the-art (SOTA) single-label certifiable defense PatchCleanser as a backbone, we find that PatchDEMUX can achieve non-trivial robustness on the MS-COCO and PASCAL VOC datasets while maintaining high clean performance.
Related papers
- CrossCert: A Cross-Checking Detection Approach to Patch Robustness Certification for Deep Learning Models [6.129515045488372]
  Patch robustness certification is an emerging kind of defense technique against adversarial patch attacks with provable guarantees.
  This paper proposes a novel certified defense technique called CrossCert.
  arXiv Detail & Related papers (2024-05-13T11:54:03Z)
- Architecture-agnostic Iterative Black-box Certified Defense against Adversarial Patches [18.61334396999853]
  Adversarial patch attacks pose a threat to computer vision systems.
  State-of-the-art certified defenses can be compatible with any model architecture.
  We propose a novel two-stage Iterative Black-box Certified Defense method, termed IBCD.
  arXiv Detail & Related papers (2023-05-18T12:43:04Z)
- PointCert: Point Cloud Classification with Deterministic Certified Robustness Guarantees [63.85677512968049]
  Point cloud classification is an essential component in many security-critical applications such as autonomous driving and augmented reality.
  Existing certified defenses against adversarial point clouds suffer from a key limitation: their certified robustness guarantees are probabilistic.
  We propose a general framework, namely PointCert, that can transform an arbitrary point cloud classifier to be certifiably robust against adversarial point clouds.
  arXiv Detail & Related papers (2023-03-03T14:32:48Z)
- MultiGuard: Provably Robust Multi-label Classification against Adversarial Examples [67.0982378001551]
  MultiGuard is the first provably robust defense against adversarial examples for multi-label classification.
  Our major theoretical contribution is that we show a certain number of ground truth labels of an input are provably in the set of labels predicted by our MultiGuard.
  arXiv Detail & Related papers (2022-10-03T17:50:57Z)
- Segment and Complete: Defending Object Detectors against Adversarial Patch Attacks with Robust Patch Detection [142.24869736769432]
  Adversarial patch attacks pose a serious threat to state-of-the-art object detectors.
  We propose Segment and Complete defense (SAC), a framework for defending object detectors against patch attacks.
  We show SAC can significantly reduce the targeted attack success rate of physical patch attacks.
  arXiv Detail & Related papers (2021-12-08T19:18:48Z)
- PatchCensor: Patch Robustness Certification for Transformers via Exhaustive Testing [7.88628640954152]
  Vision Transformer (ViT) is known to be highly nonlinear, like other classical neural networks, and could be easily fooled by both natural and adversarial patch perturbations.
  This limitation could pose a threat to the deployment of ViT in real industrial environments, especially in safety-critical scenarios.
  We propose PatchCensor, aiming to certify the patch robustness of ViT by applying exhaustive testing.
  arXiv Detail & Related papers (2021-11-19T23:45:23Z)
- Efficient Certified Defenses Against Patch Attacks on Image Classifiers [13.858624044986815]
  BagCert is a novel combination of model architecture and certification procedure that allows efficient certification.
  On CIFAR10, BagCert certifies examples in 43 seconds on a single GPU and obtains 86% clean and 60% certified accuracy against 5x5 patches.
  arXiv Detail & Related papers (2021-02-08T12:11:41Z)
- PatchGuard: A Provably Robust Defense against Adversarial Patches via Small Receptive Fields and Masking [46.03749650789915]
  Localized adversarial patches aim to induce misclassification in machine learning models by arbitrarily modifying pixels within a restricted region of an image.
  We propose a general defense framework called PatchGuard that can achieve high provable robustness while maintaining high clean accuracy against localized adversarial patches.
  arXiv Detail & Related papers (2020-05-17T03:38:34Z)
- (De)Randomized Smoothing for Certifiable Defense against Patch Attacks [136.79415677706612]
  We introduce a certifiable defense against patch attacks that provides guarantees for a given image and patch attack size.
  Our method is related to the broad class of randomized smoothing robustness schemes.
  Our results effectively establish a new state-of-the-art of certifiable defense against patch attacks on CIFAR-10 and ImageNet.
  arXiv Detail & Related papers (2020-02-25T08:39:46Z)
This list is automatically generated from the titles and abstracts of the papers in this site.