Saved in:
Bibliographic Details
Main Authors: Zhou, Qilin, Wei, Zhengyuan, Wang, Haipeng, Jiang, Bo, Chan, W. K.
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2405.07668
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914794086334464
author Zhou, Qilin
Wei, Zhengyuan
Wang, Haipeng
Jiang, Bo
Chan, W. K.
author_facet Zhou, Qilin
Wei, Zhengyuan
Wang, Haipeng
Jiang, Bo
Chan, W. K.
contents Patch robustness certification is an emerging kind of defense technique against adversarial patch attacks with provable guarantees. There are two research lines: certified recovery and certified detection. They aim to label malicious samples with provable guarantees correctly and issue warnings for malicious samples predicted to non-benign labels with provable guarantees, respectively. However, existing certified detection defenders suffer from protecting labels subject to manipulation, and existing certified recovery defenders cannot systematically warn samples about their labels. A certified defense that simultaneously offers robust labels and systematic warning protection against patch attacks is desirable. This paper proposes a novel certified defense technique called CrossCert. CrossCert formulates a novel approach by cross-checking two certified recovery defenders to provide unwavering certification and detection certification. Unwavering certification ensures that a certified sample, when subjected to a patched perturbation, will always be returned with a benign label without triggering any warnings with a provable guarantee. To our knowledge, CrossCert is the first certified detection technique to offer this guarantee. Our experiments show that, with a slightly lower performance than ViP and comparable performance with PatchCensor in terms of detection certification, CrossCert certifies a significant proportion of samples with the guarantee of unwavering certification.
format Preprint
id arxiv_https___arxiv_org_abs_2405_07668
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle CrossCert: A Cross-Checking Detection Approach to Patch Robustness Certification for Deep Learning Models
Zhou, Qilin
Wei, Zhengyuan
Wang, Haipeng
Jiang, Bo
Chan, W. K.
Software Engineering
Artificial Intelligence
Cryptography and Security
Patch robustness certification is an emerging kind of defense technique against adversarial patch attacks with provable guarantees. There are two research lines: certified recovery and certified detection. They aim to label malicious samples with provable guarantees correctly and issue warnings for malicious samples predicted to non-benign labels with provable guarantees, respectively. However, existing certified detection defenders suffer from protecting labels subject to manipulation, and existing certified recovery defenders cannot systematically warn samples about their labels. A certified defense that simultaneously offers robust labels and systematic warning protection against patch attacks is desirable. This paper proposes a novel certified defense technique called CrossCert. CrossCert formulates a novel approach by cross-checking two certified recovery defenders to provide unwavering certification and detection certification. Unwavering certification ensures that a certified sample, when subjected to a patched perturbation, will always be returned with a benign label without triggering any warnings with a provable guarantee. To our knowledge, CrossCert is the first certified detection technique to offer this guarantee. Our experiments show that, with a slightly lower performance than ViP and comparable performance with PatchCensor in terms of detection certification, CrossCert certifies a significant proportion of samples with the guarantee of unwavering certification.
title CrossCert: A Cross-Checking Detection Approach to Patch Robustness Certification for Deep Learning Models
topic Software Engineering
Artificial Intelligence
Cryptography and Security
url https://arxiv.org/abs/2405.07668