Certifiable (Multi)Robustness Against Patch Attacks Using ERM

Ahmadi, Saba, Blum, Avrim, Montasser, Omar, Stangl, Kevin

arXiv.org Artificial Intelligence 

Patch attacks [Brown et al., 2017, Karmon et al., 2018, Yang et al., 2020] are an important threat model in the general field of test-time evasion attacks [Goodfellow et al., 2014]. In a patch attack, the adversary replaces a contiguous block of pixels with an adversarially crafted pattern. Patch attacks can be realized as physical-world attacks on computer vision systems by printing a patch and attaching it to an object. To secure the performance of computer vision systems against patch attacks, an active line of research has aimed to provide certifiable robustness guarantees against them [see e.g., McCoyd et al., 2020, Xiang et al., 2020, Xiang and Mittal, 2021, Metzen and Yatsura, 2021, Zhang et al., 2020, Chiang et al., 2020]. Xiang et al. [2022] recently proposed a state-of-the-art algorithm called Patch-Cleanser that can provably defend against patch attacks. They use a double-masking approach based on zeroing out two different contiguous blocks of an input image, in the hope of removing the adversarial patch. For each one-masked image, if the prediction model outputs the same classification for all possible locations of the second mask, then the first mask removed the adversarial patch and the agreed-upon prediction is correct. Any disagreement among these predictions implies that the patch was not covered by the first mask.
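The double-masking check described above can be sketched as follows. This is an added illustration, not code from the paper or from Patch-Cleanser; the 6x6 image, the mask and patch sizes, the brightness-threshold classifier and all function names are assumptions chosen so the example runs on its own.

```python
from itertools import product

N, MASK, PATCH = 6, 3, 2   # constructed sizes: image, mask and patch side lengths
# Every top-left corner a mask can take. With stride 1 and MASK > PATCH,
# at least one mask fully covers any PATCH x PATCH block.
MASK_POSITIONS = list(product(range(N - MASK + 1), repeat=2))

def toy_classify(img):
    """Hypothetical stand-in model: label 1 when total brightness is high."""
    return 1 if sum(map(sum, img)) > 50 else 0

def apply_mask(img, pos):
    """Return a copy of img with the MASK x MASK block at pos zeroed out."""
    r0, c0 = pos
    out = [row[:] for row in img]
    for r in range(r0, r0 + MASK):
        for c in range(c0, c0 + MASK):
            out[r][c] = 0
    return out

def double_mask_predict(img, classify=toy_classify):
    """Return (label, first_mask_pos) for the first one-masked image whose
    predictions agree under every second mask, or (None, None) if none does."""
    for first in MASK_POSITIONS:
        one_masked = apply_mask(img, first)
        labels = {classify(apply_mask(one_masked, second))
                  for second in MASK_POSITIONS}
        if len(labels) == 1:       # unanimous: first mask removed the patch
            return labels.pop(), first
    return None, None

def make_image(patch_pos=None):
    """Constructed sample: dim image (true label 0), optionally with a bright patch."""
    img = [[1] * N for _ in range(N)]
    if patch_pos is not None:
        r0, c0 = patch_pos
        for r in range(r0, r0 + PATCH):
            for c in range(c0, c0 + PATCH):
                img[r][c] = 100
    return img

if __name__ == "__main__":
    attacked = make_image(patch_pos=(2, 3))
    print("undefended:", toy_classify(attacked))
    print("double-masked:", double_mask_predict(attacked))
```

A first mask that misses any patch pixel produces disagreement, because the second mask placed at the same location leaves the patch visible while a second mask over the patch removes it.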
