Vision Transformer (ViT) is known to be highly nonlinear like other classical neural networks and could be easily fooled by both natural and adversarial patch perturbations. This limitation could pose a threat to the deployment of ViT in the real industrial environment, especially in safety-critical scenarios. In this work, we propose PatchCensor, aiming to certify the patch robustness of ViT by applying exhaustive testing. We try to provide a provable guarantee by considering the worst patch attack scenarios. Unlike empirical defenses against adversarial patches that may be adaptively breached, certified robust approaches can provide a certified accuracy against arbitrary attacks under certain conditions. However, existing robustness certifications are mostly based on robust training, which often requires substantial training efforts and the sacrifice of model performance on normal samples. To bridge the gap, PatchCensor seeks to improve the robustness of the whole system by detecting abnormal inputs instead of training a robust model and asking it to give reliable results for every input, which may inevitably compromise accuracy. Specifically, each input is tested by voting over multiple inferences with different mutated attention masks, where at least one inference is guaranteed to exclude the abnormal patch. This can be seen as complete-coverage testing, which could provide a statistical guarantee on inference at the test time. Our comprehensive evaluation demonstrates that PatchCensor is able to achieve high certified accuracy (e.g. 67.1% on ImageNet for 2%-pixel adversarial patches), significantly outperforming state-of-the-art techniques while achieving similar clean accuracy (81.8% on ImageNet). Meanwhile, our technique also supports flexible configurations to handle different adversarial patch sizes (up to 25%) by simply changing the masking strategy.

翻译：视觉Transformer（Vision Transformer, ViT）具有与经典神经网络类似的高度非线性，且易受自然及对抗性补丁扰动的影响。这一局限性可能对ViT在真实工业环境中的部署构成威胁，尤其在高安全性场景中。本文提出PatchCensor方法，旨在通过穷尽测试认证ViT的补丁鲁棒性。我们通过考虑最坏情况下的补丁攻击场景，尝试提供可证明的保证。与可能被自适应攻破的对抗性补丁经验防御不同，认证鲁棒方法可在特定条件下针对任意攻击提供认证精度。然而，现有鲁棒性认证大多基于鲁棒训练，这通常需要大量训练投入并牺牲模型对正常样本的性能。为弥补这一差距，PatchCensor通过检测异常输入而非训练鲁棒模型（要求模型对每个输入给出可靠结果，这不可避免地会损害精度）来提升整体系统鲁棒性。具体而言，每个输入通过使用不同变异注意力掩码的多次推理投票进行测试，其中至少一次推理保证排除异常补丁。这可视作全覆盖测试，可在测试阶段提供推理的统计保证。综合评估表明，PatchCensor能够实现高认证精度（如ImageNet上针对2%像素对抗性补丁达67.1%），显著优于现有技术，同时保持相近的干净精度（ImageNet上达81.8%）。此外，本技术支持灵活配置，仅通过改变掩码策略即可处理不同尺寸（最高25%）的对抗性补丁。