CertMask: Certifiable Defense Against Adversarial Patches via Theoretically Optimal Mask Coverage
DOI:
https://doi.org/10.1609/aaai.v40i10.37716Abstract
Adversarial patch attacks inject localized perturbations into images to mislead deep vision models. These attacks can be physically deployed, posing serious risks to real-world applications. In this paper, we propose CertMask, a certifiably robust defense that constructs a provably sufficient set of binary masks to neutralize patch effects with strong theoretical guarantees. While the state-of-the-art approach (PatchCleanser) requires two rounds of masking and incurs O(n^2) inference cost, CertMask performs only a single round of masking with O(n) time complexity, where n is the cardinality of the mask set to cover an input image. Our proposed mask set is computed using a mathematically rigorous coverage strategy that ensures each possible patch location is covered at least k times, providing both efficiency and robustness. We offer a theoretical analysis of the coverage condition and prove its sufficiency for certification. Experiments on ImageNet, ImageNette, and CIFAR-10 show that CertMask improves certified robust accuracy by up to +13.4% over PatchCleanser, while maintaining clean accuracy nearly identical to the vanilla model.
Downloads
Published
2026-03-14
How to Cite
Lyu, X., Lin, C.-C., Arafat, A. A., von der Brüggen, G., Chen, J.-J., & Guo, Z. (2026). CertMask: Certifiable Defense Against Adversarial Patches via Theoretically Optimal Mask Coverage. Proceedings of the AAAI Conference on Artificial Intelligence, 40(10), 7735–7743. https://doi.org/10.1609/aaai.v40i10.37716
Issue
Section
AAAI Technical Track on Computer Vision VII
