MMCert: Provable Defense against Adversarial Attacks to Multi-modal Models (2403.19080v3)

Published 28 Mar 2024 in cs.CV and cs.CR

Abstract: Different from a unimodal model, whose input comes from a single modality, the input of a multi-modal model (called a multi-modal input) comes from multiple modalities such as images, 3D points, audio, and text. As with unimodal models, many existing studies show that a multi-modal model is also vulnerable to adversarial perturbation, where an attacker adds a small perturbation to every modality of a multi-modal input so that the model makes an incorrect prediction for it. Existing certified defenses are mostly designed for unimodal models and, as our experimental results show, achieve sub-optimal certified robustness guarantees when extended to multi-modal models. In this work we propose MMCert, the first certified defense against adversarial attacks on multi-modal models. We derive a lower bound on the performance of MMCert under arbitrary adversarial attacks with bounded perturbations to both modalities (e.g., in the context of autonomous driving, we bound the number of changed pixels in both the RGB image and the depth image). We evaluate MMCert on two benchmark datasets: one for multi-modal road segmentation and the other for multi-modal emotion recognition. We also compare MMCert with a state-of-the-art certified defense extended from unimodal models; our experimental results show that MMCert outperforms this baseline.
