Certified Robustness against Sparse Adversarial Perturbations via Data Localization
Ambar Pal, René Vidal, Jeremias Sulam

TL;DR
This paper extends the theory of data localization for adversarial robustness from $\ell_2$-bounded to $\ell_0$-bounded perturbations, introducing a simple, effective classifier called Box-NN that improves certified robustness against sparse attacks.
Contribution
It provides necessary and sufficient conditions for $\ell_0$-robust classifiers and proposes Box-NN, a simple classifier that enhances certified robustness against sparse adversarial attacks.
Findings
Box-NN outperforms existing methods on MNIST and Fashion-MNIST.
Theoretical conditions for $\ell_0$-robustness are established.
Improved certified robustness against sparse attacks.
Abstract
Recent work in adversarial robustness suggests that natural data distributions are localized, i.e., they place high probability in small-volume regions of the input space, and that this property can be utilized for designing classifiers with improved robustness guarantees for $\ell_2$-bounded perturbations. Yet, it is still unclear if this observation holds true for more general metrics. In this work, we extend this theory to $\ell_0$-bounded adversarial perturbations, where the attacker can modify a few pixels of the image but is unrestricted in the magnitude of the perturbation, and we show necessary and sufficient conditions for the existence of $\ell_0$-robust classifiers. Theoretical certification approaches in this regime essentially employ voting over a large ensemble of classifiers. Such procedures are combinatorial and expensive, or require complicated certification techniques. In…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Fault Detection and Control Systems · Anomaly Detection Techniques and Applications
