{"id":"https://openalex.org/W4362721716","doi":"https://doi.org/10.1145/3591870","title":"PatchCensor: Patch Robustness Certification for Transformers via Exhaustive Testing","display_name":"PatchCensor: Patch Robustness Certification for Transformers via Exhaustive Testing","publication_year":2023,"publication_date":"2023-04-08","ids":{"openalex":"https://openalex.org/W4362721716","doi":"https://doi.org/10.1145/3591870"},"language":"en","primary_location":{"id":"doi:10.1145/3591870","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3591870","pdf_url":null,"source":{"id":"https://openalex.org/S142627899","display_name":"ACM Transactions on Software Engineering and Methodology","issn_l":"1049-331X","issn":["1049-331X","1557-7392"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Software Engineering and Methodology","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5101684275","display_name":"Yuheng Huang","orcid":"https://orcid.org/0000-0003-3666-4020"},"institutions":[{"id":"https://openalex.org/I154425047","display_name":"University of Alberta","ror":"https://ror.org/0160cpw27","country_code":"CA","type":"education","lineage":["https://openalex.org/I154425047"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Yuheng Huang","raw_affiliation_strings":["University of Alberta, Canada"],"raw_orcid":"https://orcid.org/0000-0003-3666-4020","affiliations":[{"raw_affiliation_string":"University of Alberta, Canada","institution_ids":["https://openalex.org/I154425047"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101468661","display_name":"Lei Ma","orcid":"https://orcid.org/0000-0002-8621-2420"},"institutions":[{"id":"https://openalex.org/I154425047","display_name":"University of Alberta","ror":"https://ror.org/0160cpw27","country_code":"CA","type":"education","lineage":["https://openalex.org/I154425047"]},{"id":"https://openalex.org/I74801974","display_name":"The University of Tokyo","ror":"https://ror.org/057zh3y96","country_code":"JP","type":"education","lineage":["https://openalex.org/I74801974"]}],"countries":["CA","JP"],"is_corresponding":false,"raw_author_name":"Lei Ma","raw_affiliation_strings":["University of Alberta, Canada and The University of Tokyo, Japan"],"raw_orcid":"https://orcid.org/0000-0002-8621-2420","affiliations":[{"raw_affiliation_string":"University of Alberta, Canada and The University of Tokyo, Japan","institution_ids":["https://openalex.org/I74801974","https://openalex.org/I154425047"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5100628298","display_name":"Yuanchun Li","orcid":"https://orcid.org/0000-0002-1591-2526"},"institutions":[{"id":"https://openalex.org/I99065089","display_name":"Tsinghua University","ror":"https://ror.org/03cve4549","country_code":"CN","type":"education","lineage":["https://openalex.org/I99065089"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yuanchun Li","raw_affiliation_strings":["Institute for AI Industry Research (AIR), Tsinghua University, China"],"raw_orcid":"https://orcid.org/0000-0002-1591-2526","affiliations":[{"raw_affiliation_string":"Institute for AI Industry Research (AIR), Tsinghua University, China","institution_ids":["https://openalex.org/I99065089"]}]}],"institutions":[],"countries_distinct_count":3,"institutions_distinct_count":3,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":1.9579,"has_fulltext":false,"cited_by_count":12,"citation_normalized_percentile":{"value":0.88631036,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":"32","issue":"6","first_page":"1","last_page":"34"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9860000014305115,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T14117","display_name":"Integrated Circuits and Semiconductor Failure Analysis","score":0.9817000031471252,"subfield":{"id":"https://openalex.org/subfields/2208","display_name":"Electrical and Electronic Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7868938446044922},{"id":"https://openalex.org/keywords/robustness","display_name":"Robustness (evolution)","score":0.6676555275917053},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.5126323103904724},{"id":"https://openalex.org/keywords/transformer","display_name":"Transformer","score":0.5113479495048523},{"id":"https://openalex.org/keywords/convolutional-neural-network","display_name":"Convolutional neural network","score":0.5011112689971924},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4904138743877411},{"id":"https://openalex.org/keywords/software-deployment","display_name":"Software deployment","score":0.43509548902511597},{"id":"https://openalex.org/keywords/computer-engineering","display_name":"Computer engineering","score":0.39797472953796387},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.3807564675807953},{"id":"https://openalex.org/keywords/real-time-computing","display_name":"Real-time computing","score":0.3687286376953125},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.17149177193641663},{"id":"https://openalex.org/keywords/electrical-engineering","display_name":"Electrical engineering","score":0.11767783761024475}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7868938446044922},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.6676555275917053},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5126323103904724},{"id":"https://openalex.org/C66322947","wikidata":"https://www.wikidata.org/wiki/Q11658","display_name":"Transformer","level":3,"score":0.5113479495048523},{"id":"https://openalex.org/C81363708","wikidata":"https://www.wikidata.org/wiki/Q17084460","display_name":"Convolutional neural network","level":2,"score":0.5011112689971924},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4904138743877411},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.43509548902511597},{"id":"https://openalex.org/C113775141","wikidata":"https://www.wikidata.org/wiki/Q428691","display_name":"Computer engineering","level":1,"score":0.39797472953796387},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.3807564675807953},{"id":"https://openalex.org/C79403827","wikidata":"https://www.wikidata.org/wiki/Q3988","display_name":"Real-time computing","level":1,"score":0.3687286376953125},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.17149177193641663},{"id":"https://openalex.org/C119599485","wikidata":"https://www.wikidata.org/wiki/Q43035","display_name":"Electrical engineering","level":1,"score":0.11767783761024475},{"id":"https://openalex.org/C104317684","wikidata":"https://www.wikidata.org/wiki/Q7187","display_name":"Gene","level":2,"score":0.0},{"id":"https://openalex.org/C185592680","wikidata":"https://www.wikidata.org/wiki/Q2329","display_name":"Chemistry","level":0,"score":0.0},{"id":"https://openalex.org/C165801399","wikidata":"https://www.wikidata.org/wiki/Q25428","display_name":"Voltage","level":2,"score":0.0},{"id":"https://openalex.org/C55493867","wikidata":"https://www.wikidata.org/wiki/Q7094","display_name":"Biochemistry","level":1,"score":0.0},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3591870","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3591870","pdf_url":null,"source":{"id":"https://openalex.org/S142627899","display_name":"ACM Transactions on Software Engineering and Methodology","issn_l":"1049-331X","issn":["1049-331X","1557-7392"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Software Engineering and Methodology","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.8199999928474426,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[{"id":"https://openalex.org/G1527383148","display_name":null,"funder_award_id":"2022YFF0604501","funder_id":"https://openalex.org/F4320335777","funder_display_name":"National Key Research and Development Program of China"},{"id":"https://openalex.org/G1716091338","display_name":null,"funder_award_id":"JPMJMI20B8","funder_id":"https://openalex.org/F4320338243","funder_display_name":"JST-Mirai Program"},{"id":"https://openalex.org/G194510352","display_name":null,"funder_award_id":"62272261, RGPIN-2021-02549, RGPAS-2021-00034, and DGECR-2021-00019","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320309949","display_name":"Canadian Institute for Advanced Research","ror":"https://ror.org/01sdtdd95"},{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320334593","display_name":"Natural Sciences and Engineering Research Council of Canada","ror":"https://ror.org/01h531d29"},{"id":"https://openalex.org/F4320334764","display_name":"Japan Society for the Promotion of Science","ror":"https://ror.org/00hhkn466"},{"id":"https://openalex.org/F4320335777","display_name":"National Key Research and Development Program of China","ror":null},{"id":"https://openalex.org/F4320338243","display_name":"JST-Mirai Program","ror":null}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":86,"referenced_works":["https://openalex.org/W12634471","https://openalex.org/W2043100293","https://openalex.org/W2097117768","https://openalex.org/W2117876524","https://openalex.org/W2189774688","https://openalex.org/W2560674852","https://openalex.org/W2572504188","https://openalex.org/W2607219512","https://openalex.org/W2616028256","https://openalex.org/W2618043096","https://openalex.org/W2734506812","https://openalex.org/W2779003141","https://openalex.org/W2787496614","https://openalex.org/W2796249144","https://openalex.org/W2798302089","https://openalex.org/W2799640043","https://openalex.org/W2804337238","https://openalex.org/W2809376420","https://openalex.org/W2888307014","https://openalex.org/W2922015121","https://openalex.org/W2937358712","https://openalex.org/W2954629067","https://openalex.org/W2957905354","https://openalex.org/W2963302614","https://openalex.org/W2963327228","https://openalex.org/W2963564844","https://openalex.org/W2963716183","https://openalex.org/W2963726920","https://openalex.org/W2963952467","https://openalex.org/W2964164993","https://openalex.org/W2964197269","https://openalex.org/W2968940383","https://openalex.org/W2969664989","https://openalex.org/W2977524784","https://openalex.org/W2998600476","https://openalex.org/W3035524670","https://openalex.org/W3089346405","https://openalex.org/W3089756992","https://openalex.org/W3090119274","https://openalex.org/W3090608524","https://openalex.org/W3091388282","https://openalex.org/W3091441586","https://openalex.org/W3097269597","https://openalex.org/W3099169439","https://openalex.org/W3099610985","https://openalex.org/W3102720581","https://openalex.org/W3113588330","https://openalex.org/W3114686421","https://openalex.org/W3118608800","https://openalex.org/W3119118477","https://openalex.org/W3120991880","https://openalex.org/W3124118940","https://openalex.org/W3128390792","https://openalex.org/W3138516171","https://openalex.org/W3143373604","https://openalex.org/W3145185940","https://openalex.org/W3159243264","https://openalex.org/W3164024107","https://openalex.org/W3172091474","https://openalex.org/W3178469298","https://openalex.org/W3178517081","https://openalex.org/W3178864044","https://openalex.org/W3189865072","https://openalex.org/W3200467243","https://openalex.org/W3202320739","https://openalex.org/W3205945722","https://openalex.org/W3209343599","https://openalex.org/W3212899624","https://openalex.org/W3214243459","https://openalex.org/W3217157240","https://openalex.org/W3217804443","https://openalex.org/W4214755140","https://openalex.org/W4221157467","https://openalex.org/W4230674625","https://openalex.org/W4297336597","https://openalex.org/W4297573953","https://openalex.org/W4321151009","https://openalex.org/W4381325153","https://openalex.org/W6733645847","https://openalex.org/W6736640963","https://openalex.org/W6766511095","https://openalex.org/W6795276571","https://openalex.org/W6803813760","https://openalex.org/W6803960875","https://openalex.org/W6804514161","https://openalex.org/W6931259419"],"related_works":["https://openalex.org/W96612179","https://openalex.org/W2770234245","https://openalex.org/W2566006169","https://openalex.org/W2987774938","https://openalex.org/W632915154","https://openalex.org/W4229499248","https://openalex.org/W4378874356","https://openalex.org/W2055733372","https://openalex.org/W2369811061","https://openalex.org/W4210772589"],"abstract_inverted_index":{"In":[0,277],"the":[1,74,79,90,123,138,159,165,169,184,286,304,351,361,367,370,422,441,481,503],"past":[2],"few":[3],"years,":[4],"Transformer":[5,21],"has":[6,225],"been":[7,226],"widely":[8],"adopted":[9],"in":[10,41,78,84,122,158,164,168],"many":[11],"domains":[12],"and":[13,25,34,56,64,265,350,383],"applications":[14],"because":[15],"of":[16,76,92,107,137,186,199,205,233,289,353,369,378],"its":[17,38,240,267],"impressive":[18],"performance.":[19],"Vision":[20],"(ViT),":[22],"a":[23,71,115,119,147,175,187,196,274,299,325,380,435],"successful":[24],"well-known":[26],"variant,":[27],"attracts":[28],"considerable":[29],"attention":[30,411],"from":[31],"both":[32,62],"industry":[33],"academia":[35],"thanks":[36],"to":[37,73,88,101,182,216,263,270,272,284,297,365,386,420,452,494],"record-breaking":[39],"performance":[40,355],"various":[42],"vision":[43],"tasks.":[44],"However,":[45,334],"ViT":[46,77,93,242,250,290,485],"is":[47,94,111,126,207,214,251,261,401,418,450,480],"also":[48,145,208,490],"highly":[49],"nonlinear":[50],"like":[51],"other":[52],"classical":[53],"neural":[54],"networks":[55],"could":[57,69,130,144,173,433],"be":[58,102,131,146,174,217,317,427],"easily":[59],"fooled":[60],"by":[61,191,291,302,373,403,500],"natural":[63,132],"adversarial":[65,177,313,463,497],"perturbations.":[66],"This":[67,203,425],"limitation":[68],"pose":[70],"threat":[72],"deployment":[75],"real":[80,219],"industrial":[81],"environment,":[82],"especially":[83],"safety-critical":[85],"scenarios.":[86,308],"How":[87],"improve":[89,266,366],"robustness":[91,110,231,288,336,368],"thus":[95],"an":[96,152,200,246],"urgent":[97],"issue":[98],"that":[99,154,180,315,448],"needs":[100],"addressed.":[103],"Among":[104],"all":[105],"kinds":[106],"robustness,":[108,268],"patch":[109,121,178,230,287,306,498],"defined":[112],"as":[113,135,151,212,249,429,483],"giving":[114],"reliable":[116,388],"output":[117],"when":[118],"random":[120],"input":[124,201,400],"domain":[125],"perturbed.":[127],"The":[128,477],"perturbation":[129],"corruption,":[133],"such":[134,150],"part":[136],"camera":[139],"lens":[140],"being":[141],"blurred.":[142],"It":[143,260],"distribution":[148],"shift,":[149],"object":[153],"does":[155],"not":[156,269],"exist":[157],"training":[160,348,379],"data":[161],"suddenly":[162],"appearing":[163],"camera.":[166],"And":[167],"worst":[170,305],"case,":[171],"there":[172,224],"malicious":[176],"attack":[179,206,307],"aims":[181],"fool":[183],"prediction":[185],"machine":[188],"learning":[189],"model":[190,354,382],"arbitrarily":[192],"modifying":[193],"pixels":[194],"within":[195],"restricted":[197],"region":[198],"image.":[202],"kind":[204],"called":[209],"physical":[210],"attack,":[211],"it":[213,385],"believed":[215],"more":[218,254,258],"than":[220],"digital":[221],"attack.":[222],"Although":[223],"some":[227],"work":[228],"on":[229,239,341,356,438,459,475],"improvement":[232],"Convolutional":[234],"Neural":[235],"Network,":[236],"related":[237],"studies":[238],"counterpart":[241],"are":[243,338],"still":[244],"at":[245,414,440],"early":[247],"stage":[248],"usually":[252],"much":[253],"complex":[255],"with":[256,408],"far":[257],"parameters.":[259],"harder":[262],"assess":[264],"mention":[271],"provide":[273,298,324,434],"provable":[275,300],"guarantee.":[276],"this":[278],"work,":[279],"we":[280],"propose":[281],"PatchCensor,":[282],"aiming":[283],"certify":[285],"applying":[292],"exhaustive":[293],"testing.":[294],"We":[295],"try":[296],"guarantee":[301,437],"considering":[303],"Unlike":[309],"empirical":[310],"defenses":[311],"against":[312,328],"patches":[314],"may":[316,394],"adaptively":[318],"breached,":[319],"certified":[320,326,455],"robust":[321,342,381],"approaches":[322],"can":[323,426],"accuracy":[327,456,473,479],"arbitrary":[329],"attacks":[330],"under":[331],"certain":[332],"conditions.":[333],"existing":[335],"certifications":[337],"mostly":[339],"based":[340],"training,":[343],"which":[344,393,432],"often":[345],"requires":[346],"substantial":[347],"efforts":[349],"sacrifice":[352],"normal":[357],"samples.":[358],"To":[359],"bridge":[360],"gap,":[362],"PatchCensor":[363,449],"seeks":[364],"whole":[371],"system":[372],"detecting":[374],"abnormal":[375,423],"inputs":[376],"instead":[377],"asking":[384],"give":[387],"results":[389],"for":[390,461],"every":[391],"input,":[392],"inevitably":[395],"compromise":[396],"accuracy.":[397],"Specifically,":[398],"each":[399],"tested":[402],"voting":[404],"over":[405],"multiple":[406],"inferences":[407],"different":[409,496],"mutated":[410],"masks,":[412],"where":[413],"least":[415],"one":[416],"inference":[417,439],"guaranteed":[419],"exclude":[421],"patch.":[424],"seen":[428],"complete-coverage":[430],"testing,":[431],"statistical":[436],"test":[442],"time.":[443],"Our":[444],"comprehensive":[445],"evaluation":[446],"demonstrates":[447],"able":[451],"achieve":[453],"high":[454],"(e.g.,":[457],"67.1%":[458],"ImageNet":[460],"2%-pixel":[462],"patches),":[464],"significantly":[465],"outperforming":[466],"state-of-the-art":[467],"techniques":[468],"while":[469],"achieving":[470],"similar":[471],"clean":[472,478],"(81.8%":[474],"ImageNet).":[476],"same":[482],"vanilla":[484],"models.":[486],"Meanwhile,":[487],"our":[488],"technique":[489],"supports":[491],"flexible":[492],"configurations":[493],"handle":[495],"sizes":[499],"simply":[501],"changing":[502],"masking":[504],"strategy.":[505]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":5},{"year":2024,"cited_by_count":4},{"year":2023,"cited_by_count":1}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}