Feb 22, 2023

Provable Robustness Against a Union of $\ell_0$ Adversarial Attacks

arXiv:2302.11628

The paper addresses the need for an efficient certified defense that covers several types of sparse attacks at once, particularly on heterogeneous (tabular) data, where existing $\ell_0$ certificates cover evasion only.

The paper tackles the problem of defending against a union of sparse adversarial attacks (evasion, backdoor, and poisoning) by proposing feature partition aggregation (FPA), which provides certified robustness guarantees and is up to 3,000× faster than state-of-the-art methods while offering larger median robustness certificates across datasets.

Sparse or $\ell_0$ adversarial attacks arbitrarily perturb an unknown subset of the features. $\ell_0$ robustness analysis is particularly well-suited for heterogeneous (tabular) data where features have different types or scales. State-of-the-art $\ell_0$ certified defenses are based on randomized smoothing and apply to evasion attacks only. This paper proposes feature partition aggregation (FPA) -- a certified defense against the union of $\ell_0$ evasion, backdoor, and poisoning attacks. FPA generates its stronger robustness guarantees via an ensemble whose submodels are trained on disjoint feature sets. Compared to state-of-the-art $\ell_0$ defenses, FPA is up to 3,000${\times}$ faster and provides larger median robustness guarantees (e.g., median certificates of 13 pixels over 10 for CIFAR10, 12 pixels over 10 for MNIST, 4 features over 1 for Weather, and 3 features over 1 for Ames), meaning FPA provides the additional dimensions of robustness essentially for free.
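The mechanism the abstract describes, as an added, self-contained example that is not the paper's code and does not claim to reproduce FPA's exact certificate: features are split into disjoint blocks, one submodel is trained per block, the ensemble predicts by plurality vote, and the certificate follows from counting votes. Because every feature lies in exactly one block, perturbing r features (at test time, or in training rows for a poisoning/backdoor attacker) can corrupt at most r submodel votes, so the number of votes the plurality can absorb is also an $\ell_0$ radius in features. The counting bound used here is the standard partition-aggregation argument (ties broken towards the smaller label index); the nearest-centroid submodel, the round-robin partition and the toy dataset are assumptions made for illustration, and a brute-force search over vote flips checks that the bound is exact at the vote level.

```python
"""Feature partition aggregation in miniature: disjoint feature blocks, one
submodel per block, plurality vote, and a counting certificate for l0 attacks.
Added example, not the paper's code; submodel type, partition and data are
constructed for illustration."""
import itertools
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Row = Sequence[float]


def partition_features(n_features: int, n_blocks: int) -> List[List[int]]:
    """Round-robin split of feature indices into disjoint blocks (assumption:
    any fixed disjoint partition would do; round-robin is simply easy to read)."""
    return [list(range(i, n_features, n_blocks)) for i in range(n_blocks)]


class CentroidSubmodel:
    """Nearest-centroid classifier that only ever reads its own feature block."""

    def __init__(self, block: List[int]) -> None:
        self.block = block
        self.centroids: Dict[int, List[float]] = {}

    def fit(self, X: Sequence[Row], y: Sequence[int]) -> "CentroidSubmodel":
        for label in sorted(set(y)):
            rows = [[x[j] for j in self.block] for x, lab in zip(X, y) if lab == label]
            self.centroids[label] = [sum(col) / len(col) for col in zip(*rows)]
        return self

    def predict(self, x: Row) -> int:
        sub = [x[j] for j in self.block]

        def dist(lab: int) -> float:
            return sum((a - b) ** 2 for a, b in zip(sub, self.centroids[lab]))

        # distance ties go to the smaller label, matching the ensemble's rule
        return min(self.centroids, key=lambda lab: (dist(lab), lab))


def plurality(votes: Counter, labels: Sequence[int]) -> int:
    """Winner = most votes; ties broken towards the smaller label index."""
    return min(labels, key=lambda lab: (-votes[lab], lab))


def certified_radius(votes: Counter, labels: Sequence[int]) -> int:
    """Largest r such that overwriting any r votes cannot change the winner a.
    The attacker's best move is to shift r votes from a to some b; a still wins
    iff n_a - r > n_b + r, or n_a - r == n_b + r with a < b, so
        r = min over b != a of floor((n_a - n_b - [b < a]) / 2).
    Each perturbed feature touches exactly one block, hence at most one vote,
    so r is also the certified l0 radius in features. Assumes >= 2 labels."""
    a = plurality(votes, labels)
    return min((votes[a] - votes[b] - (1 if b < a else 0)) // 2 for b in labels if b != a)


class FeaturePartitionEnsemble:
    def __init__(self, n_blocks: int) -> None:
        self.n_blocks = n_blocks
        self.labels: List[int] = []
        self.submodels: List[CentroidSubmodel] = []

    def fit(self, X: Sequence[Row], y: Sequence[int]) -> "FeaturePartitionEnsemble":
        self.labels = sorted(set(y))
        blocks = partition_features(len(X[0]), self.n_blocks)
        self.submodels = [CentroidSubmodel(b).fit(X, y) for b in blocks]
        return self

    def votes(self, x: Row) -> Counter:
        return Counter(m.predict(x) for m in self.submodels)

    def predict(self, x: Row) -> int:
        return plurality(self.votes(x), self.labels)

    def certify(self, x: Row) -> Tuple[int, int]:
        """(predicted label, certified number of arbitrarily perturbed features)."""
        v = self.votes(x)
        return plurality(v, self.labels), certified_radius(v, self.labels)

    def min_vote_flips_to_change(self, x: Row) -> int:
        """Brute force over submodel votes: fewest votes an attacker must
        overwrite (with any labels) to change the winner. Checks the bound."""
        base = [m.predict(x) for m in self.submodels]
        winner = plurality(Counter(base), self.labels)
        for m in range(1, len(base) + 1):
            for idx in itertools.combinations(range(len(base)), m):
                for new in itertools.product(self.labels, repeat=m):
                    flipped = list(base)
                    for i, lab in zip(idx, new):
                        flipped[i] = lab
                    if plurality(Counter(flipped), self.labels) != winner:
                        return m
        return len(base) + 1


# Constructed toy training set: 8 features, 2 classes, per-block centroids -1 / +1.
TRAIN_X = [
    [-2, -1, -1, -1, -2, -1, -1, -1],
    [0, -1, -1, -1, 0, -1, -1, -1],
    [2, 1, 1, 1, 2, 1, 1, 1],
    [0, 1, 1, 1, 0, 1, 1, 1],
]
TRAIN_Y = [0, 0, 1, 1]

# Constructed test points; with 4 blocks the last block (features 3 and 7)
# dissents in the first two, giving a 3-1 vote either way.
X_CLASS1_3_TO_1 = [1, 1, 1, -1, 1, 1, 1, -1]
X_CLASS0_3_TO_1 = [-1, -1, -1, 1, -1, -1, -1, 1]
X_UNANIMOUS = [1, 1, 1, 1, 1, 1, 1, 1]


def build_ensemble() -> FeaturePartitionEnsemble:
    return FeaturePartitionEnsemble(n_blocks=4).fit(TRAIN_X, TRAIN_Y)


def demo() -> Dict[str, Tuple[int, int, int]]:
    """Per test point: (predicted label, certified radius, brute-force min flips)."""
    ens = build_ensemble()
    cases = [("3-1 for class 1", X_CLASS1_3_TO_1),
             ("3-1 for class 0", X_CLASS0_3_TO_1),
             ("4-0 for class 1", X_UNANIMOUS)]
    out = {}
    for name, x in cases:
        label, r = ens.certify(x)
        out[name] = (label, r, ens.min_vote_flips_to_change(x))
    return out


if __name__ == "__main__":
    for name, (label, r, flips) in demo().items():
        print(f"{name}: predict {label}, certified radius {r} feature(s), "
              f"min vote flips to change {flips}")
```

The two 3-1 cases show why the tie-break term matters: a 3-1 win for class 0 certifies one feature (a single corrupted vote only produces a 2-2 tie, which class 0 wins), while a 3-1 win for class 1 certifies nothing, since the same tie goes to class 0. The brute-force search returns exactly radius + 1 in every case, which is what the counting argument predicts.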
