Certified Defenses for Adversarial Patches
Ping-Yeh Chiang, Renkun Ni, Ahmed Abdelkader, Chen Zhu, Christoph Studer, Tom Goldstein

TL;DR
This paper introduces the first certified defense against adversarial patch attacks in computer vision, demonstrating improved robustness and faster training methods, with promising transferability across different patch shapes.
Contribution
The paper presents the first certified defense for patch attacks and introduces faster training methods, along with insights on robustness transfer across patch shapes.
Findings
Existing defenses are easily broken by white-box adversaries.
The proposed certified defense improves robustness against patch attacks.
Robustness transfers surprisingly well across different patch shapes.
Abstract
Adversarial patch attacks are among the most practical threat models against real-world computer vision systems. This paper studies certified and empirical defenses against patch attacks. We begin with a set of experiments showing that most existing defenses, which work by pre-processing input images to mitigate adversarial patches, are easily broken by simple white-box adversaries. Motivated by this finding, we propose the first certified defense against patch attacks, and propose faster methods for its training. Furthermore, we experiment with different patch shapes for testing, obtaining surprisingly good robustness transfer across shapes, and present preliminary results on certified defense against sparse attacks. Our complete implementation can be found at: https://github.com/Ping-C/certifiedpatchdefense.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques
