Deep learning image classification is widely used yet is vulnerable to adversarial attacks, which can change the model's classification without changing how humans classify the image. This is possible even if the attacker changes only a small patch of the image. We propose a defense against patch attacks based on partially occluding the image around each candidate patch location, so that a few occlusions each completely hide the patch. We demonstrate on CIFAR-10, Fashion MNIST, and MNIST that our defense provides certified security against patch attacks of a certain size. For CIFAR-10 and a 5 × 5 patch, we can certify the accuracy of 43.8% of images, at a cost of only 1.6% in clean-image accuracy compared to the architecture we defend (or 0.1% compared to our training of that architecture), and a 0.1% false positive rate.
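The occlusion idea above can be sketched in a few lines: slide an occlusion window over the image, classify each partially occluded copy, and certify the prediction when the votes agree. This is a minimal illustration, not the paper's implementation; `classify` is a placeholder for any image classifier, and the unanimity rule here is a conservative simplification of the paper's voting scheme, which tolerates a localized minority of disagreeing votes.

```python
import numpy as np

def occlusion_grid(image, classify, occ_size, stride):
    # Slide a square occlusion over the image; each position yields one
    # prediction on a partially occluded copy. The occlusion is sized so
    # that any patch of the threat-model size is fully hidden by at
    # least one occlusion position.
    h, w = image.shape[:2]
    rows = list(range(0, h - occ_size + 1, stride))
    cols = list(range(0, w - occ_size + 1, stride))
    votes = np.empty((len(rows), len(cols)), dtype=int)
    for i, r in enumerate(rows):
        for j, c in enumerate(cols):
            occluded = image.copy()
            occluded[r:r + occ_size, c:c + occ_size] = 0.0  # blank out region
            votes[i, j] = classify(occluded)
    return votes

def predict_with_certificate(votes):
    # Majority label over all occlusion positions; certify only when the
    # vote grid is unanimous (simplified from the paper's rule).
    labels, counts = np.unique(votes, return_counts=True)
    label = int(labels[np.argmax(counts)])
    return label, bool(np.all(votes == label))
```

For example, with a constant classifier every occluded copy receives the same label, so `predict_with_certificate` returns that label with `certified=True`; a classifier whose output depends on an occluded region produces a split vote grid and no certificate.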
CITATION STYLE
McCoyd, M., Park, W., Chen, S., Shah, N., Roggenkemper, R., Hwang, M., … Wagner, D. (2020). Minority reports defense: Defending against adversarial patches. In Lecture Notes in Computer Science, vol. 12418, pp. 564–582. Springer. https://doi.org/10.1007/978-3-030-61638-0_31