Journal article
ScaleCert: Scalable Certified Defense against Adversarial Patches with Sparse Superficial Layers
26 Oct 2021
Abstract
Adversarial patch attacks that craft the pixels in a confined region of the
input images show powerful attack effectiveness in physical environments
even with noise or deformations. Existing certified defenses towards
adversarial patch attacks work well on small images like MNIST and CIFAR-10
datasets, but achieve very poor certified accuracy on higher-resolution images
like ImageNet. It is urgent to design both robust and effective defenses
against such a practical and harmful attack in industry-level larger images. In
this work, we propose a certified defense methodology that achieves high
provable robustness for high-resolution images and largely improves the
practicality for real adoption of the certified defense. The basic insight of
our work is that the adversarial patch intends to leverage localized
superficial important neurons (SIN) to manipulate the prediction results.
Hence, we leverage the SIN-based DNN compression techniques to significantly
improve the certified accuracy, by reducing the adversarial region searching
overhead and filtering the prediction noise. Our experimental results show
that the certified accuracy is increased from 36.3% (the state-of-the-art
certified detection) to 60.4% on the ImageNet dataset, largely pushing the
certified defenses for practical use.
Details
- Title: ScaleCert: Scalable Certified Defense against Adversarial Patches with Sparse Superficial Layers
- Creators: Husheng Han, Kaidi Xu, Xing Hu, Xiaobing Chen, Ling Liang, Zidong Du, Qi Guo, Yanzhi Wang, Yunji Chen
- Resource Type: Journal article
- Language: English
- Academic Unit: Computer Science (Computing)
- Identifiers: 991019173583604721