Efficient Certified Defenses Against Patch Attacks on Image ClassifiersDownload PDF

Sep 28, 2020 (edited Mar 12, 2021)ICLR 2021 PosterReaders: Everyone
  • Keywords: robustness, certified defense, adversarial patch, aversarial examples
  • Abstract: Adversarial patches pose a realistic threat model for physical world attacks on autonomous systems via their perception component. Autonomous systems in safety-critical domains such as automated driving should thus contain a fail-safe fallback component that combines certifiable robustness against patches with efficient inference while maintaining high performance on clean inputs. We propose BagCert, a novel combination of model architecture and certification procedure that allows efficient certification. We derive a loss that enables end-to-end optimization of certified robustness against patches of different sizes and locations. On CIFAR10, BagCert certifies 10.000 examples in 43 seconds on a single GPU and obtains 86% clean and 60% certified accuracy against 5x5 patches.
  • One-sentence Summary: We propose a method for certifying robustness against adversarial patches that combines high certified accuracy with efficient inference while maintaining strong performance on clean data.
  • Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics
15 Replies