CrossCert: A Cross-Checking Detection Approach to Patch Robustness Certification for Deep Learning Models
Qilin Zhou, Zhengyuan Wei, Haipeng Wang, Bo Jiang, W.K. Chan

TL;DR
CrossCert introduces a novel certified defense method that cross-checks two recovery defenders to provide unwavering label certification and systematic warning protection against adversarial patch attacks in deep learning models.
Contribution
It is the first certified detection technique to guarantee unwavering certification and systematic warnings simultaneously against patch attacks.
Findings
Certifies a significant proportion of samples with unwavering guarantees.
Achieves detection certification performance comparable to PatchCensor.
Slightly lower overall performance than ViP in certification tasks.
Abstract
Patch robustness certification is an emerging kind of defense technique against adversarial patch attacks with provable guarantees. There are two research lines: certified recovery and certified detection. They aim to label malicious samples with provable guarantees correctly and issue warnings for malicious samples predicted to non-benign labels with provable guarantees, respectively. However, existing certified detection defenders suffer from protecting labels subject to manipulation, and existing certified recovery defenders cannot systematically warn samples about their labels. A certified defense that simultaneously offers robust labels and systematic warning protection against patch attacks is desirable. This paper proposes a novel certified defense technique called CrossCert. CrossCert formulates a novel approach by cross-checking two certified recovery defenders to provide…
Taxonomy
Topics: Adversarial Robustness in Machine Learning
