Scalable and Precise Patch Robustness Certification for Deep Learning Models with Top-k Predictions
Qilin Zhou, Haipeng Wang, Zhengyuan Wei, W.K. Chan

TL;DR
This paper introduces CostCert, a scalable and precise certification method for deep learning models' top-k predictions, effectively defending against adversarial patches without combinatorial complexity.
Contribution
CostCert provides a novel, scalable approach to certify the true label within top-k predictions without pairwise comparisons or combinatorial explosion, improving robustness verification.
Findings
CostCert outperforms PatchGuard in certified accuracy, retaining up to 57.3% at patch size 96.
CostCert is scalable and precise, avoiding combinatorial explosion in certification.
Experiments demonstrate significant robustness improvements over existing methods.
Abstract
Patch robustness certification is an emerging verification approach for defending against adversarial patch attacks with provable guarantees for deep learning systems. Certified recovery techniques guarantee the prediction of the sole true label of a certified sample. However, existing techniques, if applicable to top-k predictions, commonly conduct pairwise comparisons of the votes between labels and fail to precisely certify the sole true label within the top-k prediction labels, because of the inflation in the number of votes controlled by the attacker (i.e., the attack budget); yet enumerating all combinations of vote allocation suffers from the combinatorial explosion problem. We propose CostCert, a novel, scalable, and precise voting-based certified recovery defender. CostCert verifies the true label of a sample within the top-k predictions without pairwise comparisons and combinatorial…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Fault Detection and Control Systems
