Current browse context:
cs.CV
Change to browse by:
References & Citations
Computer Science > Computer Vision and Pattern Recognition
Title: PatchGuard: Provable Defense against Adversarial Patches Using Masks on Small Receptive Fields
(Submitted on 17 May 2020 (this version), latest version 31 Mar 2021 (v5))
Abstract: Localized adversarial patches aim to induce misclassification in machine learning models by arbitrarily modifying pixels within a restricted region of an image. Such attacks can be realized in the physical world by attaching the adversarial patch to the object to be misclassified. In this paper, we propose a general defense framework that can achieve both high clean accuracy and provable robustness against localized adversarial patches. The cornerstone of our defense framework is to use a convolutional network with small receptive fields that impose a bound on the number of features corrupted by an adversarial patch. We further present the robust masking defense that robustly detects and masks corrupted features for a secure feature aggregation. We evaluate our defense against the most powerful white-box untargeted adaptive attacker and achieve a 92.3% clean accuracy and an 85.2% provable robust accuracy on a 10-class subset of ImageNet against a 31x31 adversarial patch (2% pixels), a 57.4% clean accuracy and a 14.4% provable robust accuracy on 1000-class ImageNet against a 31x31 patch (2% pixels), and an 80.3% clean accuracy and a 61.3% provable accuracy on CIFAR-10 against a 5x5 patch (2.4% pixels). Notably, our provable defenses achieve state-of-the-art provable robust accuracy on ImageNet and CIFAR-10.
Submission history
From: Chong Xiang [view email][v1] Sun, 17 May 2020 03:38:34 GMT (1634kb,D)
[v2] Mon, 8 Jun 2020 14:51:03 GMT (688kb,D)
[v3] Sun, 2 Aug 2020 15:39:00 GMT (800kb,D)
[v4] Sun, 18 Oct 2020 18:12:03 GMT (1251kb,D)
[v5] Wed, 31 Mar 2021 14:20:39 GMT (1214kb,D)
Link back to: arXiv, form interface, contact.