The adversarial patch attack aims to fool image classifiers within a bounded, contiguous region of arbitrary changes, posing a real threat to computer vision systems (e.g., autonomous driving, content moderation, biometric authentication, medical imaging) in the physical world. To address this problem in a trustworthy way, proposals have been made for certified patch defenses that ensure the robustness of classification models and prevent future patch attacks from breaching the defense. State-of-the-art certified defenses can be compatible with any model architecture, as well as achieve high clean and certified accuracy. Although the methods are adaptive to arbitrary patch positions, they inevitably need to access the size of the adversarial patch, which is unreasonable and impractical in real-world attack scenarios. To improve the feasibility of the architecture-agnostic certified defense in a black-box setting (i.e., position and size of the patch are both unknown), we propose a novel two-stage Iterative Black-box Certified Defense method, termed IBCD.In the first stage, it estimates the patch size in a search-based manner by evaluating the size relationship between the patch and mask with pixel masking. In the second stage, the accuracy results are calculated by the existing white-box certified defense methods with the estimated patch size. The experiments conducted on two popular model architectures and two datasets verify the effectiveness and efficiency of IBCD.

翻译：摘要：对抗补丁攻击旨在通过一个边界连续、可任意修改的区域内欺骗图像分类器，对物理世界中的计算机视觉系统（如自动驾驶、内容审核、生物特征认证、医学影像）构成实际威胁。为了以可信方式解决该问题，研究者提出了认证补丁防御方案，以确保分类模型的鲁棒性，并防止未来的补丁攻击突破防御。现有最先进的认证防御方法可兼容任意模型架构，同时实现高清洁准确率与认证准确率。尽管这些方法能适应任意补丁位置，但它们不可避免地需要获知对抗补丁的尺寸，这在实际攻击场景中既不合理也不可行。为提升黑盒设置下（即补丁位置与尺寸均未知）架构无关认证防御的可行性，我们提出了一种新颖的两阶段迭代式黑盒认证防御方法，记为IBCD。第一阶段通过基于搜索的方式，利用像素掩码评估补丁与掩码的尺寸关系来估计补丁尺寸；第二阶段利用现有白盒认证防御方法与估计的补丁尺寸计算准确率结果。在两个通用模型架构及两个数据集上进行的实验验证了IBCD的有效性与高效性。