CertMask: Certifiable Defense Against Adversarial Patches via Theoretically Optimal Mask Coverage

Xuntao Lyu, Ching-Chi Lin, Abdullah Al Arafat, Georg von der Brüggen, Jian-Jia Chen, Zhishan Guo

TL;DR

CertMask introduces a provably robust, single-pass masking framework for defending against adversarial patches. By reducing patch coverage to a geometric, 1-D/2-D dot-coverage problem, it constructs a provably sufficient set of binary masks that guarantee $k$-fold patch coverage with $O(n)$ inference, outperforming prior $O(n^2)$ approaches like PatchCleanser. The approach provides rigorous theorems on coverage and tight lower bounds, and demonstrates superior clean and certified robust accuracy across ImageNet, ImageNette, and CIFAR-10, with strong cross-architecture generality. Practically, CertMask enables scalable, certifiable patch robustness with reduced computation and without retraining, offering a strong, deployable defense for real-world vision systems.

Abstract

Adversarial patch attacks inject localized perturbations into images to mislead deep vision models. These attacks can be physically deployed, posing serious risks to real-world applications. In this paper, we propose CertMask, a certifiably robust defense that constructs a provably sufficient set of binary masks to neutralize patch effects with strong theoretical guarantees. While the state-of-the-art approach (PatchCleanser) requires two rounds of masking and incurs $O(n^2)$ inference cost, CertMask performs only a single round of masking with $O(n)$ time complexity, where $n$ is the cardinality of the mask set to cover an input image. Our proposed mask set is computed using a mathematically rigorous coverage strategy that ensures each possible patch location is covered at least $k$ times, providing both efficiency and robustness. We offer a theoretical analysis of the coverage condition and prove its sufficiency for certification. Experiments on ImageNet, ImageNette, and CIFAR-10 show that CertMask improves certified robust accuracy by up to +13.4\% over PatchCleanser, while maintaining clean accuracy nearly identical to the vanilla model.

Paper Structure

This paper contains 53 sections, 16 equations, 8 figures, 4 tables.

Figures (8)

  • Figure 1: Overview of the CertMask inference pipeline. Given an input image of size $L_x \times L_y$, we deterministically construct a set of $N_{\textit{masks,k}}$ binary masks, where each mask has spatial support $M_x \times M_y$ and is positioned such that every patch of size at most $2r_x \times 2r_y$ is guaranteed to be covered by exactly $k$ different masks. Each masked image is evaluated by the classifier, yielding a prediction. For aggregation, if all predictions agree, we output the unanimous result. If disagreement occurs and one class appears exactly $k$ times, that class is returned as the certified prediction. Otherwise, the majority class is selected to account for potential benign misclassifications.
  • Figure 2: 1-D Effective Coverage Interval. For a mask (size $M$) and adversarial patch (radius $r$), the effective coverage interval (shaded) has a size of $M-2r$, representing the range where full patch coverage is guaranteed.
  • Figure 3: 2-D Effective Coverage Area. The shaded region illustrates the effective coverage area for a mask of size $M_x \times M_y$. For an adversarial patch with radii $r_x$ and $r_y$, this area has dimensions $(M_x-2r_x)\times(M_y-2r_y)$.
  • Figure 4: Pavement strategy for 1-D domain. This figure illustrates the mask placement strategy where effective coverage intervals are arranged contiguously, ensuring complete and gap-free coverage of the domain.
  • Figure 5: Pavement strategy for 2-D domain. This figure illustrates the mask placement strategy where effective coverage areas are arranged contiguously, ensuring complete and gap-free coverage of the 2-D domain.
  • ...and 3 more figures
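
An added example (not code from the paper or its authors) that works through the captions of Figures 1, 2 and 4 in Python: it places 1-D masks so their effective coverage intervals of size $M-2r$ pave the domain, checks by exhaustion how many masks fully hide a patch at every offset, and applies the Figure 1 aggregation rule. The function names, the integer pixel grid, the sample sizes and the handling of ties are assumptions, and only the $k=1$ pavement is built because this page does not give the $k$-fold construction.

```python
from collections import Counter

def pavement_starts(L, M, r):
    """1-D mask start offsets whose effective coverage intervals pave [0, L)."""
    stride = M - 2 * r                  # effective coverage interval size (Figure 2)
    if stride <= 0 or M > L:
        raise ValueError("need 2r < M <= L")
    starts, s = [], 0
    while True:
        starts.append(min(s, L - M))    # assumption: shift the last mask inside the image
        if s + M >= L:
            return starts
        s += stride                     # next interval starts where this one ends (Figure 4)

def min_coverage(L, M, r, starts):
    """Fewest masks that fully hide a patch of width 2r, over every patch offset."""
    p = 2 * r
    return min(
        sum(s <= t and t + p <= s + M for s in starts)
        for t in range(L - p + 1)
    )

def aggregate(preds, k):
    """Figure 1 rule: unanimous label, else the class seen exactly k times, else majority."""
    counts = Counter(preds)
    if len(counts) == 1:
        return preds[0]
    exactly_k = [label for label, n in counts.items() if n == k]
    if len(exactly_k) == 1:             # assumption: several classes at count k -> majority
        return exactly_k[0]
    return counts.most_common(1)[0][0]

if __name__ == "__main__":
    L, M, r = 32, 12, 2                 # constructed sizes, not taken from the paper
    starts = pavement_starts(L, M, r)
    print("mask starts:", starts)
    print("minimum coverage:", min_coverage(L, M, r, starts))
    # Constructed votes: three masks miss the patch and are fooled, one hides it.
    print("aggregate:", aggregate(["dog", "dog", "dog", "cat"], k=1))
```

`min_coverage` works on any list of mask offsets, so it can also confirm the $k$ that a different mask set achieves before relying on the exactly-$k$ branch of `aggregate`.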