Patch robustness certification is an emerging kind of provable defense technique against adversarial patch attacks for deep learning systems. Certified detection ensures the detection of all patched harmful versions of certified samples, which mitigates the failures of empirical defense techniques that could (easily) be compromised. However, existing certified detection methods are ineffective in certifying samples that are misclassified or whose mutants are inconsistently pre icted to different labels. This paper proposes HiCert, a novel masking-based certified detection technique. By focusing on the problem of mutants predicted with a label different from the true label with our formal analysis, HiCert formulates a novel formal relation between harmful samples generated by identified loopholes and their benign counterparts. By checking the bound of the maximum confidence among these potentially harmful (i.e., inconsistent) mutants of each benign sample, HiCert ensures that each harmful sample either has the minimum confidence among mutants that are predicted the same as the harmful sample itself below this bound, or has at least one mutant predicted with a label different from the harmful sample itself, formulated after two novel insights. As such, HiCert systematically certifies those inconsistent samples and consistent samples to a large extent. To our knowledge, HiCert is the first work capable of providing such a comprehensive patch robustness certification for certified detection. Our experiments show the high effectiveness of HiCert with a new state-of the-art performance: It certifies significantly more benign samples, including those inconsistent and consistent, and achieves significantly higher accuracy on those samples without warnings and a significantly lower false silent ratio.

翻译：补丁鲁棒性认证是一种新兴的、针对深度学习系统对抗性补丁攻击的可证明防御技术。认证检测确保对所有经过认证样本的补丁化有害版本进行检测，从而缓解了经验性防御技术可能（轻易）被攻破的失效问题。然而，现有的认证检测方法在认证那些被误分类或其突变体被不一致地预测为不同标签的样本时效果有限。本文提出HiCert，一种新颖的基于掩码的认证检测技术。通过聚焦于突变体预测标签与真实标签不同的问题，并结合我们的形式化分析，HiCert在由已识别漏洞生成的有害样本与其良性对应样本之间建立了一种新颖的形式化关系。通过检查每个良性样本的潜在有害（即不一致）突变体中最大置信度的边界，HiCert确保每个有害样本要么具有与有害样本自身预测相同的突变体中的最小置信度低于此边界，要么至少有一个突变体被预测为与有害样本自身不同的标签，这一结论基于两项新颖的洞见形式化得出。因此，HiCert在很大程度上有系统地认证了这些不一致样本和一致样本。据我们所知，HiCert是首个能够为认证检测提供如此全面补丁鲁棒性认证的工作。我们的实验展示了HiCert的高效性，其性能达到了新的最先进水平：它认证了显著更多的良性样本（包括不一致和一致样本），并在无警告样本上实现了显著更高的准确率，同时具有显著更低的虚假静默比率。