PatchCleanser: Certifiably Robust Defense against Adversarial Patches for Any Image Classifier

Abstract: The adversarial patch attack against image classification models aims to inject adversarially crafted pixels within a localized restricted image region (i.e., a patch) for inducing model misclassification. This attack can be realized in the physical world by printing and attaching the patch to the victim object and thus imposes a real-world threat to computer vision systems. To counter this threat, we propose PatchCleanser as a certifiably robust defense against adversarial patches that is compatible with any … Show more

“…For a patch of any shape, size, and location, vertical/horizontal lines that do not intersect with the patch can generate masks that remove the entire patch. This patch-agnostic property is a huge improvement from all existing masking-based certifiably robust defenses (for image classification) against adversarial patches [38,66,67,69], whose robustness is completely undermined without a good prior estimation of the patch information.…”

“…3 One challenge of the pixel-masking defense is ensuring that some masks can remove the entire patch without knowing how attackers generate the patch. A naive solution to this challenge, which is adopted by a few certifiably robust image classification techniques [38,67], is to move a mask across all possible image locations and evaluate model predictions on every masked image. If the mask is large enough to cover the entire patch, at least one masked image (regardless of the patch location) has no adversarial pixels and enables safe model predictions.…”

“…Unfortunately, many of these defenses are found broken when there is an adaptive attacker who knows about the defense setup [10]. To provide a strong provable robustness guarantee for patch attacks, the research community has proposed a number of certifiably robust defenses [11,20,27,38,42,55,66,67,69,75] for image classification models. In this paper, ObjectSeeker focuses on securing a harder task of object detection.…”

“…Xiang et al [68] pointed out that the bottleneck for the defense performance is the imperfection of existing certifiably robust image classifies: the incorrect classification outputs from the robust image classifier resulted in a heavy trade-off between robustness and clean performance. Though the imperfection of robust image classifiers has been mitigated since DetectorGuard was published [55,67], we find these new classifiers too expensive to be used in the costly sliding window operation of DetectorGuard. In this paper, we design ObjectSeeker solely based on vanilla undefended object detectors and easily bypass the bottleneck of imperfect image classifiers.…”

“…To generate a set of masks that simultaneously mask out two regions (patches) of the input image, we adopt the mask set generation technique from PatchCleanser [67], state-ofthe-art certifiably robust image classification defense against adversarial patches. The high-level idea is to move large masks over the input images while using a larger stride to skip a number of mask locations to improve efficiency.…”

ObjectSeeker: Certifiably Robust Object Detection against Patch Hiding Attacks via Patch-agnostic Masking

“…For a patch of any shape, size, and location, vertical/horizontal lines that do not intersect with the patch can generate masks that remove the entire patch. This patch-agnostic property is a huge improvement from all existing masking-based certifiably robust defenses (for image classification) against adversarial patches [38,66,67,69], whose robustness is completely undermined without a good prior estimation of the patch information.…”

“…3 One challenge of the pixel-masking defense is ensuring that some masks can remove the entire patch without knowing how attackers generate the patch. A naive solution to this challenge, which is adopted by a few certifiably robust image classification techniques [38,67], is to move a mask across all possible image locations and evaluate model predictions on every masked image. If the mask is large enough to cover the entire patch, at least one masked image (regardless of the patch location) has no adversarial pixels and enables safe model predictions.…”

“…Unfortunately, many of these defenses are found broken when there is an adaptive attacker who knows about the defense setup [10]. To provide a strong provable robustness guarantee for patch attacks, the research community has proposed a number of certifiably robust defenses [11,20,27,38,42,55,66,67,69,75] for image classification models. In this paper, ObjectSeeker focuses on securing a harder task of object detection.…”

“…Xiang et al [68] pointed out that the bottleneck for the defense performance is the imperfection of existing certifiably robust image classifies: the incorrect classification outputs from the robust image classifier resulted in a heavy trade-off between robustness and clean performance. Though the imperfection of robust image classifiers has been mitigated since DetectorGuard was published [55,67], we find these new classifiers too expensive to be used in the costly sliding window operation of DetectorGuard. In this paper, we design ObjectSeeker solely based on vanilla undefended object detectors and easily bypass the bottleneck of imperfect image classifiers.…”

“…To generate a set of masks that simultaneously mask out two regions (patches) of the input image, we adopt the mask set generation technique from PatchCleanser [67], state-ofthe-art certifiably robust image classification defense against adversarial patches. The high-level idea is to move large masks over the input images while using a larger stride to skip a number of mask locations to improve efficiency.…”

ObjectSeeker: Certifiably Robust Object Detection against Patch Hiding Attacks via Patch-agnostic Masking

BEAGLE: Forensics of Deep Learning Backdoor Attack for Better Defense