ScaleCert: Scalable Certified Defense against Adversarial Patches with Sparse Superficial Layers

Husheng Han; Kaidi Xu; Xing Hu; Xiaobing Chen; Ling Liang; Zidong Du; Qi Guo; Yanzhi Wang; Yunji Chen

ScaleCert: Scalable Certified Defense against Adversarial Patches with Sparse Superficial Layers

Husheng Han (Co-first Author), Kaidi Xu (Co-first Author), Xing Hu^*, Xiaobing Chen, Ling Liang, Zidong Du, Qi Guo, Yanzhi Wang, Yunji Chen

^*Corresponding author for this work

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

17 Citations (Scopus)

Abstract

Adversarial patch attacks that craft the pixels in a confined region of the input images show their powerful attack effectiveness in physical environments even with noises or deformations. Existing certified defenses towards adversarial patch attacks work well on small images like MNIST and CIFAR-10 datasets, but achieve very poor certified accuracy on higher-resolution images like ImageNet. It is urgent to design both robust and effective defenses against such a practical and harmful attack in industry-level larger images. In this work, we propose the certified defense methodology that achieves high provable robustness for high-resolution images and largely improves the practicality for real adoption of the certified defense. The basic insight of our work is that the adversarial patch intends to leverage localized superficial important neurons (SIN) to manipulate the prediction results. Hence, we leverage the SIN-based DNN compression techniques to significantly improve the certified accuracy, by reducing the adversarial region searching overhead and filtering the prediction noises. Our experimental results show that the certified accuracy is increased from 36.3% (the state-of-the-art certified detection) to 60.4% on the ImageNet dataset, largely pushing the certified defenses for practical use. © 2021 Neural information processing systems foundation. All rights reserved.

Original language	English
Title of host publication	NIPS '21: Proceedings of the 35th International Conference on Neural Information Processing Systems
Publisher	Curran Associates Inc.
Pages	28169-28181
ISBN (Print)	9781713845393
Publication status	Published - Dec 2021
Externally published	Yes
Event	35th Conference on Neural Information Processing Systems (NeurIPS 2021) - Virtual, Los Angeles, United States Duration: 6 Dec 2021 → 14 Dec 2021 https://nips.cc/virtual/2021/index.html https://papers.nips.cc/paper/2021 https://media.neurips.cc/Conferences/NeurIPS2021/NeurIPS_2021_poster.pdf https://www.proceedings.com/63069.html

Publication series

Name	Advances in Neural Information Processing Systems
Volume	34
ISSN (Print)	1049-5258

Conference

Conference	35th Conference on Neural Information Processing Systems (NeurIPS 2021)
Place	United States
City	Los Angeles
Period	6/12/21 → 14/12/21
Internet address	https://nips.cc/virtual/2021/index.html https://papers.nips.cc/paper/2021 https://media.neurips.cc/Conferences/NeurIPS2021/NeurIPS_2021_poster.pdf https://www.proceedings.com/63069.html

Funding

This work is partially supported by the Beĳing Natural Science Foundation (JQ18013), the NSF of China(under Grants 61925208, 62002338, U19B2019), Beĳing Academy of Artificial Intelligence (BAAI) and Beĳing Nova Program of Science and Technology (Z191100001119093) , CAS Project for Young Scientists in Basic Research (YSBR-029), Youth Innovation Promotion Association CAS and Xplore Prize.

Access Output

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

Han, H., Xu, K., Hu, X., Chen, X., Liang, L., Du, Z., Guo, Q., Wang, Y., & Chen, Y. (2021). ScaleCert: Scalable Certified Defense against Adversarial Patches with Sparse Superficial Layers. In NIPS '21: Proceedings of the 35th International Conference on Neural Information Processing Systems (pp. 28169-28181). (Advances in Neural Information Processing Systems; Vol. 34). Curran Associates Inc.. https://dl.acm.org/doi/10.5555/3540261.3542419

@inproceedings{8c580aeb8e574798ad9e8dce5d11aa47,

title = "ScaleCert: Scalable Certified Defense against Adversarial Patches with Sparse Superficial Layers",

abstract = "Adversarial patch attacks that craft the pixels in a confined region of the input images show their powerful attack effectiveness in physical environments even with noises or deformations. Existing certified defenses towards adversarial patch attacks work well on small images like MNIST and CIFAR-10 datasets, but achieve very poor certified accuracy on higher-resolution images like ImageNet. It is urgent to design both robust and effective defenses against such a practical and harmful attack in industry-level larger images. In this work, we propose the certified defense methodology that achieves high provable robustness for high-resolution images and largely improves the practicality for real adoption of the certified defense. The basic insight of our work is that the adversarial patch intends to leverage localized superficial important neurons (SIN) to manipulate the prediction results. Hence, we leverage the SIN-based DNN compression techniques to significantly improve the certified accuracy, by reducing the adversarial region searching overhead and filtering the prediction noises. Our experimental results show that the certified accuracy is increased from 36.3% (the state-of-the-art certified detection) to 60.4% on the ImageNet dataset, largely pushing the certified defenses for practical use. {\textcopyright} 2021 Neural information processing systems foundation. All rights reserved.",

author = "Husheng Han and Kaidi Xu and Xing Hu and Xiaobing Chen and Ling Liang and Zidong Du and Qi Guo and Yanzhi Wang and Yunji Chen",

year = "2021",

month = dec,

language = "English",

isbn = "9781713845393",

series = "Advances in Neural Information Processing Systems",

publisher = "Curran Associates Inc.",

pages = "28169--28181",

booktitle = "NIPS '21: Proceedings of the 35th International Conference on Neural Information Processing Systems",

address = "United States",

note = "35th Conference on Neural Information Processing Systems (NeurIPS 2021) ; Conference date: 06-12-2021 Through 14-12-2021",

url = "https://nips.cc/virtual/2021/index.html, https://papers.nips.cc/paper/2021, https://media.neurips.cc/Conferences/NeurIPS2021/NeurIPS_2021_poster.pdf, https://www.proceedings.com/63069.html",

}

Han, H, Xu, K, Hu, X, Chen, X, Liang, L, Du, Z, Guo, Q, Wang, Y & Chen, Y 2021, ScaleCert: Scalable Certified Defense against Adversarial Patches with Sparse Superficial Layers. in NIPS '21: Proceedings of the 35th International Conference on Neural Information Processing Systems. Advances in Neural Information Processing Systems, vol. 34, Curran Associates Inc., pp. 28169-28181, 35th Conference on Neural Information Processing Systems (NeurIPS 2021), Los Angeles, United States, 6/12/21. <https://dl.acm.org/doi/10.5555/3540261.3542419>

ScaleCert: Scalable Certified Defense against Adversarial Patches with Sparse Superficial Layers. / Han, Husheng (Co-first Author); Xu, Kaidi (Co-first Author); Hu, Xing et al.
NIPS '21: Proceedings of the 35th International Conference on Neural Information Processing Systems. Curran Associates Inc., 2021. p. 28169-28181 (Advances in Neural Information Processing Systems; Vol. 34).

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - ScaleCert

T2 - 35th Conference on Neural Information Processing Systems (NeurIPS 2021)

AU - Han, Husheng

AU - Xu, Kaidi

AU - Hu, Xing

AU - Chen, Xiaobing

AU - Liang, Ling

AU - Du, Zidong

AU - Guo, Qi

AU - Wang, Yanzhi

AU - Chen, Yunji

PY - 2021/12

Y1 - 2021/12

N2 - Adversarial patch attacks that craft the pixels in a confined region of the input images show their powerful attack effectiveness in physical environments even with noises or deformations. Existing certified defenses towards adversarial patch attacks work well on small images like MNIST and CIFAR-10 datasets, but achieve very poor certified accuracy on higher-resolution images like ImageNet. It is urgent to design both robust and effective defenses against such a practical and harmful attack in industry-level larger images. In this work, we propose the certified defense methodology that achieves high provable robustness for high-resolution images and largely improves the practicality for real adoption of the certified defense. The basic insight of our work is that the adversarial patch intends to leverage localized superficial important neurons (SIN) to manipulate the prediction results. Hence, we leverage the SIN-based DNN compression techniques to significantly improve the certified accuracy, by reducing the adversarial region searching overhead and filtering the prediction noises. Our experimental results show that the certified accuracy is increased from 36.3% (the state-of-the-art certified detection) to 60.4% on the ImageNet dataset, largely pushing the certified defenses for practical use. © 2021 Neural information processing systems foundation. All rights reserved.

AB - Adversarial patch attacks that craft the pixels in a confined region of the input images show their powerful attack effectiveness in physical environments even with noises or deformations. Existing certified defenses towards adversarial patch attacks work well on small images like MNIST and CIFAR-10 datasets, but achieve very poor certified accuracy on higher-resolution images like ImageNet. It is urgent to design both robust and effective defenses against such a practical and harmful attack in industry-level larger images. In this work, we propose the certified defense methodology that achieves high provable robustness for high-resolution images and largely improves the practicality for real adoption of the certified defense. The basic insight of our work is that the adversarial patch intends to leverage localized superficial important neurons (SIN) to manipulate the prediction results. Hence, we leverage the SIN-based DNN compression techniques to significantly improve the certified accuracy, by reducing the adversarial region searching overhead and filtering the prediction noises. Our experimental results show that the certified accuracy is increased from 36.3% (the state-of-the-art certified detection) to 60.4% on the ImageNet dataset, largely pushing the certified defenses for practical use. © 2021 Neural information processing systems foundation. All rights reserved.

UR - http://www.scopus.com/inward/record.url?scp=85130138869&partnerID=8YFLogxK

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85130138869&origin=recordpage

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 9781713845393

T3 - Advances in Neural Information Processing Systems

SP - 28169

EP - 28181

BT - NIPS '21: Proceedings of the 35th International Conference on Neural Information Processing Systems

PB - Curran Associates Inc.

Y2 - 6 December 2021 through 14 December 2021

ER -

ScaleCert: Scalable Certified Defense against Adversarial Patches with Sparse Superficial Layers

Abstract

Publication series

Conference

Funding

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this