(De)Randomized Smoothing for Certifiable Defense against Patch Attacks

TL;DR

This paper introduces a new certifiable defense mechanism against patch adversarial attacks on images, providing deterministic robustness guarantees that outperform previous methods in speed and accuracy on CIFAR-10 and ImageNet.

Contribution

The authors develop a de-randomized smoothing-based certification method specifically for patch attacks, achieving faster training and higher certified accuracy than prior approaches.

Findings

Achieves up to 57.6% certified accuracy on CIFAR-10 for 5x5 patches.

Provides certificates at ImageNet scale.

Outperforms existing certification methods in speed and robustness.

Abstract

Patch adversarial attacks on images, in which the attacker can distort pixels within a region of bounded size, are an important threat model since they provide a quantitative model for physical adversarial attacks. In this paper, we introduce a certifiable defense against patch attacks that guarantees for a given image and patch attack size, no patch adversarial examples exist. Our method is related to the broad class of randomized smoothing robustness schemes which provide high-confidence probabilistic robustness certificates. By exploiting the fact that patch attacks are more constrained than general sparse attacks, we derive meaningfully large robustness certificates against them. Additionally, in contrast to smoothing-based defenses against L_p and sparse attacks, our defense method against patch attacks is de-randomized, yielding improved, deterministic certificates. Compared to the existing patch certification method proposed by Chiang et al. (2020), which relies on interval bound propagation, our method can be trained significantly faster, achieves high clean and certified robust accuracy on CIFAR-10, and provides certificates at ImageNet scale. For example, for a 5-by-5 patch attack on CIFAR-10, our method achieves up to around 57.6% certified accuracy (with a classifier with around 83.8% clean accuracy), compared to at most 30.3% certified accuracy for the existing method (with a classifier with around 47.8% clean accuracy). Our results effectively establish a new state-of-the-art of certifiable defense against patch attacks on CIFAR-10 and ImageNet. Code is available at https://github.com/alevine0/patchSmoothing.