Sparse or $\ell_0$ adversarial attacks arbitrarily perturb an unknown subset of the features. $\ell_0$ robustness analysis is particularly well-suited for heterogeneous (tabular) data where features have different types or scales. State-of-the-art $\ell_0$ certified defenses are based on randomized smoothing and apply to evasion attacks only. This paper proposes feature partition aggregation (FPA) -- a certified defense against the union of $\ell_0$ evasion, backdoor, and poisoning attacks. FPA generates its stronger robustness guarantees via an ensemble whose submodels are trained on disjoint feature sets. Compared to state-of-the-art $\ell_0$ defenses, FPA is up to 3,000$\times$ faster and provides larger median robustness guarantees (e.g., median certificates of 13 pixels over 10 for CIFAR10, 12 pixels over 10 for MNIST, 4 features over 1 for Weather, and 3 features over 1 for Ames), meaning FPA provides the additional dimensions of robustness essentially for free.
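The abstract's key structural point is that, because the submodels see disjoint feature sets, an adversary who arbitrarily rewrites $r$ features can influence at most $r$ submodels, which is what turns a vote margin into an $\ell_0$ certificate. The following is an added example, not code from the paper or its authors, showing that reasoning end to end on constructed tabular data. It assumes (hypothetically, since the abstract does not specify the paper's aggregation or certification rule) plurality voting over the submodels, nearest-centroid submodels on each feature block, and ties broken toward the smaller class label; `partition_features`, `fpa_certificate`, `check_certificate` and `demo` are names chosen here. The certificate derivation generalises to any number of classes and blocks, not just the two-class toy data used.

```python
"""Feature-partition-aggregation-style ensemble with an l0 certificate.

Added illustration, not the paper's implementation. Hypothetical choices:
plurality vote, nearest-centroid submodels, ties go to the smaller label.
"""
from itertools import combinations
import random


def partition_features(num_features, num_blocks, seed=0):
    """Split feature indices into num_blocks disjoint blocks (shuffle, then round-robin)."""
    idx = list(range(num_features))
    random.Random(seed).shuffle(idx)
    return [idx[b::num_blocks] for b in range(num_blocks)]


def train_centroid_model(X, y, block):
    """Nearest-centroid classifier that only ever sees the features in `block`."""
    sums, counts = {}, {}
    for x, label in zip(X, y):
        acc = sums.setdefault(label, [0.0] * len(block))
        for j, f in enumerate(block):
            acc[j] += x[f]
        counts[label] = counts.get(label, 0) + 1
    centroids = {c: [v / counts[c] for v in sums[c]] for c in sums}
    return {"block": block, "centroids": centroids}


def submodel_predict(model, x):
    """Class whose centroid is closest on this block's features (smaller label wins ties)."""
    block = model["block"]
    best = None
    for c, cen in sorted(model["centroids"].items()):
        d = sum((x[f] - cen[j]) ** 2 for j, f in enumerate(block))
        if best is None or d < best[0]:
            best = (d, c)
    return best[1]


def fpa_predict(models, x, classes):
    """Plurality vote over submodels; returns (prediction, per-class vote counts)."""
    counts = {c: 0 for c in classes}
    for m in models:
        counts[submodel_predict(m, x)] += 1
    pred = min(classes, key=lambda c: (-counts[c], c))  # most votes, then smaller label
    return pred, counts


def fpa_certificate(counts, pred, num_models):
    """Largest r such that perturbing ANY r features cannot change `pred`.

    Blocks are disjoint, so r perturbed features reach at most r submodels. The
    worst case moves r votes from `pred` to a single rival class c. `pred` still
    wins if counts[pred] - r > counts[c] + r, or >= when c > pred (ties favour
    the smaller label). The certificate is the minimum over all rivals.
    """
    cert = None
    for c, n in counts.items():
        if c == pred:
            continue
        gap = counts[pred] - n
        r = gap // 2 if c > pred else (gap - 1) // 2
        cert = r if cert is None else min(cert, r)
    return num_models if cert is None else max(cert, 0)


def perturbation_flips(models, x, feature_idx, classes, pred, values=(-1e3, 1e3)):
    """Overwrite the chosen features with a few extreme values; True if any choice changes the vote."""
    for v in values:
        z = list(x)
        for f in feature_idx:
            z[f] = v
        if fpa_predict(models, z, classes)[0] != pred:
            return True
    return False


def check_certificate(models, x, classes):
    """Finite sanity check of the certificate (the proof is the margin argument above).

    Exhaustively tries every r-feature subset with r <= certificate; none may
    change the prediction under the sampled values.
    """
    pred, counts = fpa_predict(models, x, classes)
    cert = fpa_certificate(counts, pred, len(models))
    for r in range(1, cert + 1):
        for feats in combinations(range(len(x)), r):
            if perturbation_flips(models, x, feats, classes, pred):
                return False
    return True


def make_data(n_per_class=50, num_features=10, seed=1):
    """Constructed toy tabular data: class 0 centred at 0, class 1 at 1, Gaussian noise."""
    rng = random.Random(seed)
    X, y = [], []
    for c in (0, 1):
        for _ in range(n_per_class):
            X.append([c + rng.gauss(0, 0.3) for _ in range(num_features)])
            y.append(c)
    return X, y


def demo(num_blocks=5):
    X, y = make_data()
    classes = sorted(set(y))
    blocks = partition_features(len(X[0]), num_blocks)
    models = [train_centroid_model(X, y, b) for b in blocks]
    x = [1.0] * len(X[0])  # a clean class-1 point
    pred, counts = fpa_predict(models, x, classes)
    cert = fpa_certificate(counts, pred, len(models))
    # One feature in each of cert+1 distinct blocks is enough to flip cert+1 votes,
    # showing the bound is tight for this point.
    beyond = [blocks[b][0] for b in range(cert + 1)]
    return {"pred": pred, "votes": counts, "certificate": cert,
            "certificate_holds": check_certificate(models, x, classes),
            "flips_at_cert_plus_one": perturbation_flips(models, x, beyond, classes, pred)}


if __name__ == "__main__":
    print(demo())
```

With five blocks all voting for class 1, the rival class 0 wins ties, so the certificate is $\lfloor (5 - 0 - 1)/2 \rfloor = 2$ features; the brute-force check confirms no 1- or 2-feature rewrite changes the output, while rewriting one feature in each of three blocks does. Note that the exhaustive check only samples two extreme values per feature, so it can refute but never prove a certificate; the disjointness argument in `fpa_certificate` is what actually carries the guarantee.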