SpringerLink
Log in

ViP: Unified Certified Detection and Recovery for Patch Attack with Vision Transformers

  • Conference paper
  • First Online:
Computer Vision – ECCV 2022 (ECCV 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13685))

Included in the following conference series:

Abstract

Patch attack, which introduces a perceptible but localized change to the input image, has gained significant momentum in recent years. In this paper, we present a unified framework to analyze certified patch defense tasks, including both certified detection and certified recovery, leveraging the recently emerged Vision Transformers (ViTs). In addition to the existing patch defense setting where only one patch is considered, we provide the very first study on develo** certified detection against the dual patch attack, in which the attacker is allowed to adversarially manipulate pixels in two different regions.

By building upon the latest progress in self-supervised ViTs with masked image modeling (i.e., masked autoencoder (MAE)), our method achieves state-of-the-art performance in both certified detection and certified recovery of adversarial patches. Regarding certified detection, we improve the performance by up to \(\sim 16\%\) on ImageNet without training on a single adversarial patch, and for the first time, can also tackle the more challenging dual patch setting. Our method largely closes the gap between detection-based certified robustness and clean image accuracy. Regarding certified recovery, our approach improves certified accuracy by \(\sim 2\%\) on ImageNet across all attack sizes, attaining the new state-of-the-art performance.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or Ebook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
EUR 29.95
Price includes VAT (Germany)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
EUR 42.79
Price includes VAT (Germany)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
EUR 53.49
Price includes VAT (Germany)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free ship** worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Bao, H., Dong, L., Wei, F.: Beit: BERT pre-training of image transformers. In: ICLR (2022)

    Google Scholar 

  2. Brown, T.B., Mané, D., Roy, A., Abadi, M., Gilmer, J.: Adversarial patch. ar**v preprint ar**v:1712.09665 (2017)

  3. Chiang, P.Y., Ni, R., Abdelkader, A., Zhu, C., Studer, C., Goldstein, T.: Certified defenses for adversarial patches. In: ICLR (2020)

    Google Scholar 

  4. Cisse, M.M., Adi, Y., Neverova, N., Keshet, J.: Houdini: fooling deep structured visual and speech recognition models with adversarial examples. In: NeurIPS (2017)

    Google Scholar 

  5. Cohen, J., Rosenfeld, E., Kolter, Z.: Certified adversarial robustness via randomized smoothing. In: ICML (2019)

    Google Scholar 

  6. Deng, J., Dong, W., Socher, R., Li, L.J., Li, K., Fei-Fei, L.: ImageNet: a large-scale hierarchical image database. In: CVPR (2009)

    Google Scholar 

  7. Dosovitskiy, A., et al.: An image is worth 16 \(\times \) 16 words: transformers for image recognition at scale. In: ICLR (2021)

    Google Scholar 

  8. Eykholt, K., et al.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018)

    Google Scholar 

  9. Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. In: ICLR (2015)

    Google Scholar 

  10. Han, H., X., et al.: ScaleCert: scalable certified defense against adversarial patches with sparse superficial layers. In: NeurIPS (2021)

    Google Scholar 

  11. Hayes, J.: On visible adversarial perturbations & digital watermarking. In: CVPR Workshops (2018)

    Google Scholar 

  12. He, K., Chen, X., **e, S., Li, Y., Dollár, P., Girshick, R.: Masked autoencoders are scalable vision learners. In: CVPR (2021)

    Google Scholar 

  13. Huang, L., et al.: Universal physical camouflage attacks on object detectors. In: CVPR (2020)

    Google Scholar 

  14. Huang, Y., Li, Y.: Zero-shot certified defense against adversarial patches with vision transformers. ar**v preprint ar**v:2111.10481 (2021)

  15. Levine, A., Feizi, S.: (De) Randomized smoothing for certifiable defense against patch attacks. In: NeurIPS (2020)

    Google Scholar 

  16. Levine, A., Feizi, S.: Robustness certificates for sparse adversarial attacks by randomized ablation. In: AAAI (2020)

    Google Scholar 

  17. McCoyd, M., et al.: Minority reports defense: defending against adversarial patches. In: ACNS (2020)

    Google Scholar 

  18. Metzen, J.H., Yatsura, M.: Efficient certified defenses against patch attacks on image classifiers. In: ICLR (2021)

    Google Scholar 

  19. Mirman, M., Gehr, T., Vechev, M.: Differentiable abstract interpretation for provably robust neural networks. In: ICML (2018)

    Google Scholar 

  20. Naseer, M., Khan, S., Porikli, F.: Local gradients smoothing: defense against localized adversarial attacks. In: WACV (2019)

    Google Scholar 

  21. Salman, H., Jain, S., Wong, E., Madry, A.: Certified patch robustness via smoothed vision transformers. In: CVPR (2022)

    Google Scholar 

  22. Szegedy, C., et al.: Intriguing properties of neural networks. In: ICLR (2014)

    Google Scholar 

  23. Touvron, H., Cord, M., Douze, M., Massa, F., Sablayrolles, A., Jégou, H.: Training data-efficient image transformers & distillation through attention. In: ICML (2021)

    Google Scholar 

  24. Wei, C., Fan, H., **e, S., Wu, C.Y., Yuille, A., Feichtenhofer, C.: Masked feature prediction for self-supervised visual pre-training. In: CVPR (2022)

    Google Scholar 

  25. Wu, Z., Lim, S.N., Davis, L.S., Goldstein, T.: Making an invisibility cloak: real world adversarial attacks on object detectors. In: ECCV (2020)

    Google Scholar 

  26. **ang, C., Bhagoji, A.N., Sehwag, V., Mittal, P.: PatchGuard: a provably robust defense against adversarial patches via small receptive fields and masking. In: USENIX Security Symposium (2021)

    Google Scholar 

  27. **ang, C., Mahloujifar, S., Mittal, P.: PatchCleanser: certifiably robust defense against adversarial patches for any image classifier. In: USENIX Security Symposium (2022)

    Google Scholar 

  28. **ang, C., Mittal, P.: Patchguard++: efficient provable attack detection against adversarial patches. ar**v preprint ar**v:2104.12609 (2021)

  29. **e, C., Wang, J., Zhang, Z., Zhou, Y., **e, L., Yuille, A.: Adversarial examples for semantic segmentation and object detection. In: ICCV (2017)

    Google Scholar 

  30. Yang, C., Kortylewski, A., **e, C., Cao, Y., Yuille, A.: PatchAttack: a black-box texture-based attack with reinforcement learning. In: ECCV (2020)

    Google Scholar 

  31. Zhou, J., et al.: IBOT: image BERT pre-training with online tokenizer. In: ICLR (2022)

    Google Scholar 

Download references

Acknowledgment

This work is supported by a gift from Open Philanthropy, TPU Research Cloud (TRC) program, and Google Cloud Research Credits program.

Author information

Authors and Affiliations

  1. University of California Santa Cruz, Santa Cruz, CA, USA

    Junbo Li & Cihang **e

  2. Carnegie Mellon University, Pittsburgh, PA, USA

    Huan Zhang

Authors
  1. Junbo Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Huan Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Cihang **e
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Cihang **e .

Editor information

Editors and Affiliations

  1. Tel Aviv University, Tel Aviv, Israel

    Shai Avidan

  2. University College London, London, UK

    Gabriel Brostow

  3. Google AI, Accra, Ghana

    Moustapha Cissé

  4. University of Catania, Catania, Italy

    Giovanni Maria Farinella

  5. Facebook (United States), Menlo Park, CA, USA

    Tal Hassner

1 Electronic supplementary material

Below is the link to the electronic supplementary material.

Supplementary material 1 (pdf 84 KB)

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Li, J., Zhang, H., **e, C. (2022). ViP: Unified Certified Detection and Recovery for Patch Attack with Vision Transformers. In: Avidan, S., Brostow, G., Cissé, M., Farinella, G.M., Hassner, T. (eds) Computer Vision – ECCV 2022. ECCV 2022. Lecture Notes in Computer Science, vol 13685. Springer, Cham. https://doi.org/10.1007/978-3-031-19806-9_33

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-19806-9_33

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-19805-2

  • Online ISBN: 978-3-031-19806-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation