Salvato in:
Dettagli Bibliografici
Autori principali: Vo, Quoc Viet, Haq, Tashreque M., Montague, Paul, Abraham, Tamas, Abbasnejad, Ehsan, Ranasinghe, Damith C.
Natura: Preprint
Pubblicazione: 2025
Soggetti:
Accesso online:https://arxiv.org/abs/2511.14003
Tags: Aggiungi Tag
Nessun Tag, puoi essere il primo ad aggiungerne!!
_version_ 1866914161994235904
author Vo, Quoc Viet
Haq, Tashreque M.
Montague, Paul
Abraham, Tamas
Abbasnejad, Ehsan
Ranasinghe, Damith C.
author_facet Vo, Quoc Viet
Haq, Tashreque M.
Montague, Paul
Abraham, Tamas
Abbasnejad, Ehsan
Ranasinghe, Damith C.
contents Certified defenses promise provable robustness guarantees. We study the malicious exploitation of probabilistic certification frameworks to better understand the limits of guarantee provisions. Now, the objective is to not only mislead a classifier, but also manipulate the certification process to generate a robustness guarantee for an adversarial input certificate spoofing. A recent study in ICLR demonstrated that crafting large perturbations can shift inputs far into regions capable of generating a certificate for an incorrect class. Our study investigates if perturbations needed to cause a misclassification and yet coax a certified model into issuing a deceptive, large robustness radius for a target class can still be made small and imperceptible. We explore the idea of region-focused adversarial examples to craft imperceptible perturbations, spoof certificates and achieve certification radii larger than the source class ghost certificates. Extensive evaluations with the ImageNet demonstrate the ability to effectively bypass state-of-the-art certified defenses such as Densepure. Our work underscores the need to better understand the limits of robustness certification methods.
format Preprint
id arxiv_https___arxiv_org_abs_2511_14003
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Certified but Fooled! Breaking Certified Defences with Ghost Certificates
Vo, Quoc Viet
Haq, Tashreque M.
Montague, Paul
Abraham, Tamas
Abbasnejad, Ehsan
Ranasinghe, Damith C.
Machine Learning
Cryptography and Security
Computer Vision and Pattern Recognition
Certified defenses promise provable robustness guarantees. We study the malicious exploitation of probabilistic certification frameworks to better understand the limits of guarantee provisions. Now, the objective is to not only mislead a classifier, but also manipulate the certification process to generate a robustness guarantee for an adversarial input certificate spoofing. A recent study in ICLR demonstrated that crafting large perturbations can shift inputs far into regions capable of generating a certificate for an incorrect class. Our study investigates if perturbations needed to cause a misclassification and yet coax a certified model into issuing a deceptive, large robustness radius for a target class can still be made small and imperceptible. We explore the idea of region-focused adversarial examples to craft imperceptible perturbations, spoof certificates and achieve certification radii larger than the source class ghost certificates. Extensive evaluations with the ImageNet demonstrate the ability to effectively bypass state-of-the-art certified defenses such as Densepure. Our work underscores the need to better understand the limits of robustness certification methods.
title Certified but Fooled! Breaking Certified Defences with Ghost Certificates
topic Machine Learning
Cryptography and Security
Computer Vision and Pattern Recognition
url https://arxiv.org/abs/2511.14003