Robust Representation Learning
Representative papers are highlighted with a red border
PatchZero: Defending against Adversarial Patch Attacks by Detecting and Zeroing the Patch
Ke Xu*, Yao Xiao*, Zhaoheng Zheng, Kaijie Cai, Ram Nevatia.
IEEE/CVF Winter Conference on Applications of Computer Vision (WACV), 2023.
We propose PatchZero, a task-agnostic defense that is compatible with multiple downstream models. Specifically, our defense detects the adversarial pixels and “zeros out” the patch region by repainting with mean pixel values. We formulate the patch detection problem as a semantic segmentation task such that our model can generalize to patches of any size and shape. We further design a two-stage adversarial training scheme to defend against the stronger adaptive attacks. Our method achieves state-of-the-art robust accuracy without any degradation in the benign performance.
@article{xu2022patchzero,
  title={PatchZero: Defending against Adversarial Patch Attacks by Detecting and Zeroing the Patch},
  author={Xu, Ke and Xiao, Yao and Zheng, Zhaoheng and Cai, Kaijie and Nevatia, Ram},
  journal={arXiv preprint arXiv:2207.01795},
  year={2022}
}