Certified Defences Against Adversarial Patch Attacks on Semantic Segmentation
This addresses security threats for real-world deep learning applications in semantic segmentation, offering a novel certified defense without requiring model changes or retraining.
The paper tackles the problem of adversarial patch attacks on semantic segmentation models by introducing Demasked Smoothing, the first certified defense method for this task, which certifies an average of 64% of pixel predictions for a 1% patch in detection and 48% for a 0.5% patch in recovery on the ADE20K dataset.
Adversarial patch attacks are an emerging security threat for real world deep learning applications. We present Demasked Smoothing, the first approach (up to our knowledge) to certify the robustness of semantic segmentation models against this threat model. Previous work on certifiably defending against patch attacks has mostly focused on image classification task and often required changes in the model architecture and additional training which is undesirable and computationally expensive. In Demasked Smoothing, any segmentation model can be applied without particular training, fine-tuning, or restriction of the architecture. Using different masking strategies, Demasked Smoothing can be applied both for certified detection and certified recovery. In extensive experiments we show that Demasked Smoothing can on average certify 64% of the pixel predictions for a 1% patch in the detection task and 48% against a 0.5% patch for the recovery task on the ADE20K dataset.