Localized adversarial patches aim to induce misclassification in machine learning models by arbitrarily modifying pixels within a restricted region of an image. Such attacks can be realized in the physical world by attaching the adversarial patch to the object to be misclassified. In this paper, we propose a general defense framework that can achieve both high clean accuracy and provable robustness against localized adversarial patches. The cornerstone of our defense framework is to use a convolutional network with small receptive fields that impose a bound on the number of features corrupted by an adversarial patch. We further present the robust masking defense that robustly detects and masks corrupted features for a secure feature aggregation. We evaluate our defense against the most powerful white-box untargeted adaptive attacker and achieve a 92.3% clean accuracy and an 85.2% provable robust accuracy on a 10-class subset of ImageNet against a 31x31 adversarial patch (2% pixels), a 57.4% clean accuracy and a 14.4% provable robust accuracy on 1000-class ImageNet against a 31x31 patch (2% pixels), and an 80.3% clean accuracy and a 61.3% provable accuracy on CIFAR-10 against a 5x5 patch (2.4% pixels). Notably, our provable defenses achieve state-of-the-art provable robust accuracy on ImageNet and CIFAR-10.

本文介绍了一种名为PatchGuard的通用防御框架，采用具有小感受野的CNNs对受攻击的特征数量进行限制，设计出抵御本地化对抗性补丁的安全特征聚合机制，使用稳健掩蔽防御方法有效检测和遮盖受损特征，并且在ImageNet、ImageNette和CIFAR-10数据集上达到了最先进的可证明鲁棒准确性和干净准确性的性能表现。

PatchGuard：通过小的感受野和掩蔽策略的可证明鲁棒性防御对抗性贴片攻击