Certified defense methods against adversarial perturbations have been
recently investigated in the black-box setting with a zeroth-order (ZO)
perspective. However, these methods suffer from high model variance with low
performance on high-dimensional datasets due to the ineffective design of the
denoiser and are limited in their utilization of ZO techniques. To this end, we
propose a certified ZO preprocessing technique for removing adversarial
perturbations from the attacked image in the black-box setting using only model
queries. We propose a robust UNet denoiser (RDUNet) that ensures the robustness
of black-box models trained on high-dimensional datasets. We propose a novel
black-box denoised smoothing (DS) defense mechanism, ZO-RUDS, by prepending our
RDUNet to the black-box model, ensuring black-box defense. We further propose
ZO-AE-RUDS in which RDUNet followed by autoencoder (AE) is prepended to the
black-box model. We perform extensive experiments on four classification
datasets, CIFAR-10, CIFAR-10, Tiny Imagenet, STL-10, and the MNIST dataset for
image reconstruction tasks. Our proposed defense methods ZO-RUDS and ZO-AE-RUDS
beat SOTA with a huge margin of $35\%$ and $9\%$, for low dimensional
(CIFAR-10) and with a margin of $20.61\%$ and $23.51\%$ for high-dimensional
(STL-10) datasets, respectively.

本篇文章提出了一种证明 ZO 预处理技术，使用仅基于模型查询的黑盒模型，通过提前将 RDUNet 附加到黑盒模型中来确保黑盒模型对高维数据集进行训练时的鲁棒性，进而提出了 DS 和 AE-RUDS 两种新的黑盒防御机制，并在四个分类数据集上进行了广泛实验，结果表明我们的提出的方法 ZO-RUDS 和 ZO-AE-RUDS 大幅度击败了 SOTA。

通过鲁棒的 UNet 降噪器进行证明的零阶黑盒防御

Certified Zeroth-order Black-Box Defense with Robust UNet Denoiser

Recently, few certified defense methods have been developed to provably
guarantee the robustness of a text classifier to adversarial synonym
substitutions. However, all existing certified defense methods assume that the
defenders are informed of how the adversaries generate synonyms, which is not a
realistic scenario. In this paper, we propose a certifiably robust defense
method by randomly masking a certain proportion of the words in an input text,
in which the above unrealistic assumption is no longer necessary. The proposed
method can defend against not only word substitution-based attacks, but also
character-level perturbations. We can certify the classifications of over 50%
texts to be robust to any perturbation of 5 words on AGNEWS, and 2 words on
SST2 dataset. The experimental results show that our randomized smoothing
method significantly outperforms recently proposed defense methods across
multiple datasets.

本文提出了一种随机遮挡的可证明鲁棒防御方法，对于 AGNEWS 数据集上五个词，SST2 数据集上两个词的任意扰动分类可以获得超过 50% 的证明鲁棒性，并在多个数据集上明显优于最近提出的防御方法。