A Majority Invariant Approach to Patch Robustness Certification for Deep Learning Models
Qilin Zhou, Zhengyuan Wei, Haipeng Wang, and W.K. Chan

TL;DR
This paper introduces MajorCert, a novel method for certifying the robustness of deep learning models against patch attacks by analyzing label set manipulations and majority invariance across classifiers.
Contribution
MajorCert is the first approach to certify samples by considering label set manipulations and majority invariance, overcoming limitations of existing strict certification methods.
Findings
Successfully certifies samples with complex patch manipulations
Outperforms existing robustness certification techniques
Provides a new perspective on patch robustness analysis
Abstract
Patch robustness certification ensures no patch within a given bound on a sample can manipulate a deep learning model to predict a different label. However, existing techniques cannot certify samples that cannot meet their strict bars at the classifier or patch region levels. This paper proposes MajorCert. MajorCert firstly finds all possible label sets manipulatable by the same patch region on the same sample across the underlying classifiers, then enumerates their combinations element-wise, and finally checks whether the majority invariant of all these combinations is intact to certify samples.
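The majority-invariant check described in the abstract can be sketched as follows. This is an added example, not code from the paper or its authors. It assumes the per-region label sets for each classifier have already been computed by some sound analysis (the page does not say how), and the names `majority`, `certify`, `CLEAN` and `REGIONS` are hypothetical.

```python
from collections import Counter
from itertools import product

def majority(votes):
    """Return the strict plurality label, or None when first place is tied."""
    ranked = Counter(votes).most_common(2)
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]

def certify(clean_votes, label_sets_by_region):
    """Check that the ensemble's majority label is invariant for every region.

    clean_votes: one label per classifier on the unpatched sample.
    label_sets_by_region: {region: [set of labels classifier i can be
        forced to output by any patch in that region, ...]} (assumed input).
    Returns (certified, counterexample), counterexample = (region, combo).
    """
    target = majority(clean_votes)
    if target is None:
        return False, None
    for region, label_sets in label_sets_by_region.items():
        # Enumerate one label per classifier: every joint outcome the
        # patch region could produce across the ensemble.
        for combo in product(*map(sorted, label_sets)):
            if majority(combo) != target:
                return False, (region, combo)
    return True, None

# Constructed sample: five classifiers, clean prediction "cat" from all.
CLEAN = ["cat"] * 5
REGIONS = {
    # Three classifiers are manipulable, but toward different labels, so no
    # combination outvotes "cat". Counting affected classifiers alone
    # (3 of 5) would not be enough to conclude this.
    "A": [{"cat", "dog"}, {"cat", "fox"}, {"cat", "bird"}, {"cat"}, {"cat"}],
    # Three classifiers can all be pushed to "dog": the majority breaks.
    "B": [{"cat", "dog"}, {"cat", "dog"}, {"cat", "dog"}, {"cat"}, {"cat"}],
}

if __name__ == "__main__":
    print(certify(CLEAN, {"A": REGIONS["A"]}))
    print(certify(CLEAN, REGIONS))
```

Enumeration cost grows with the product of the label-set sizes, so the check is only practical when each classifier's manipulable label set is small.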
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Machine Learning and Data Classification · Explainable Artificial Intelligence (XAI)
