Guanlin Li,Guowen Xu,Han Qiu,Ruan He,Jiwei Li,Tianwei Zhang

DOI: https://doi.org/10.1007/978-3-031-19772-7_39

2022-01-01

Abstract:3D point cloud classification models based on deep neural networks were proven to be vulnerable to adversarial examples, with a quantity of novel attack techniques proposed by researchers recently. It is of paramount importance to preserve the robustness of 3D models under adversarial environments, considering their broad application in safety- and security-critical tasks. Unfortunately, existing defenses are not general enough to satisfactorily mitigate all types of attacks. In this paper, we design two innovative methodologies to improve the adversarial robustness of 3D point cloud classification models. (1) We introduce CCN, a novel point cloud architecture which can smooth and disrupt the adversarial perturbations. (2) We propose AMS, a novel data augmentation strategy to adaptively balance the model usability and robustness. Extensive evaluations indicate the integration of the two techniques provides much more robustness than existing defense solutions for 3D classification models.

Xiang Li,Yuchen Jiang,Chenglin Liu,Shaochong Liu,Hao Luo,Shen Yin

DOI: https://doi.org/10.1109/tai.2021.3107807

2022-02-01

IEEE Transactions on Artificial Intelligence

Abstract:In the fields of deep learning and computer vision, the security of object detection models has received extensive attention. Revealing the security vulnerabilities resulting from adversarial attacks has become one of the most important research directions. Existing studies show that object detection models can also be threatened by adversarial examples, just like other deep-neural-network-based models, e.g., those for classification. In this article, we propose a bidirectional adversarial attack method. First, the added perturbation pushes the prediction results given by the object detectors far away from the ground-truth class while getting close to the background class. Second, a confidence loss function is designed for the region proposal network to reduce the foreground scores. Third, the adversarial examples are generated by a pretrained autoencoder, and the model is trained using an adversarial approach, which can enhance the similarity between the adversarial examples and the original image and speed up algorithm convergence. The proposed method was verified on the most popular two-stage detection framework (Faster R-CNN), and 55.1 drop in the mean average precision (mAP-drop) was obtained. In addition, the adversarial examples have superior transferability, migrating which to the common one-stage detection framework (YOLOv3) gets a 39.5 mAP-drop.

English Else

Ruikui Wang,Yuanfang Guo,Ruijie Yang,Yunhong Wang

DOI: https://doi.org/10.1016/j.neucom.2024.128620

IF: 6

2024-01-01

Neurocomputing

Abstract:The transferability and robustness of adversarial examples are two practical and important properties for black- box adversarial attacks. In this paper, we explore effective mechanisms to boost both of them across network hierarchy. In general, a typical network can be hierarchically divided into output stage, intermediate stage and input stage. Due to the over-specialization of the substitute model, we can hardly improve the transferability and robustness of the adversarial perturbations in the output stage. Therefore, we focus on manipulating the intermediate and input stages in this paper, and propose a Transferable and Robust Adversarial Perturbation generation (TRAP) method. Specifically, we propose the dynamically guided mechanism to continuously calculate accurate directional guidances for perturbation generation in the intermediate stage. In the input stage, instead of employing the single-form transformation augmentations adopted in the existing methods, we leverage multi-form affine transformation augmentations to enrich the input diversity and simultaneously boost the robustness and transferability of the adversarial perturbations. Extensive evaluations on ImageNet validation set demonstrate that our TRAP achieves superior transferability when attacking convolution neural networks (CNNs) and vision transformers (ViTs) compared to closely related state-of-the-art methods. For instance, based on the ResNet-101 model, we achieve an average attack success rate of 97.5% on black-box CNN models and 70.1% on ViT models, respectively. Moreover, TRAP exhibits robust performance against various physical-world interferences, such as Gaussian blurring, Gaussian noise, JPEG compression, color distortions, image erosion and image dilation. Additionally, we also show the potential application of our TRAP method for proactive defense against deepfake.

Ziang Yan,Yiwen Guo,Changshui Zhang

2018-01-01

Abstract:Despite the efficacy on a variety of computer vision tasks, deep neural networks (DNNs) are vulnerable to adversarial attacks, limiting their applications in security-critical systems. Recent works have shown the possibility of generating imperceptibly perturbed image inputs (a.k.a., adversarial examples) to fool well-trained DNN models into making arbitrary predictions. To address this problem, we propose a training recipe named DeepDefense. Our core idea is to integrate an adversarial perturbation-based regularizer into the classification objective, such that the obtained models learn to resist potential attacks, directly and precisely. The whole optimization problem is solved just like training a recursive network. Experimental results demonstrate that our method outperforms the state-of-the-arts by large margins on various datasets (including MNIST, CIFAR-10 and ImageNet) and different DNN architectures. Code and models for reproducing our results will be made publicly available.

Kevin Eykholt,Ivan Evtimov,Earlence Fernandes,Bo Li,Amir Rahmati,Chaowei Xiao,Atul Prakash,Tadayoshi Kohno,Dawn Song

DOI: https://doi.org/10.48550/arXiv.1707.08945

2018-04-11

Abstract:Recent studies show that the state-of-the-art deep neural networks (DNNs) are vulnerable to adversarial examples, resulting from small-magnitude perturbations added to the input. Given that that emerging physical systems are using DNNs in safety-critical situations, adversarial examples could mislead these systems and cause dangerous <a class="link-external link-http" href="http://situations.Therefore" rel="external noopener nofollow">this http URL</a>, understanding adversarial examples in the physical world is an important step towards developing resilient learning algorithms. We propose a general attack algorithm,Robust Physical Perturbations (RP2), to generate robust visual adversarial perturbations under different physical conditions. Using the real-world case of road sign classification, we show that adversarial examples generated using RP2 achieve high targeted misclassification rates against standard-architecture road sign classifiers in the physical world under various environmental conditions, including viewpoints. Due to the current lack of a standardized testing method, we propose a two-stage evaluation methodology for robust physical adversarial examples consisting of lab and field tests. Using this methodology, we evaluate the efficacy of physical adversarial manipulations on real objects. Witha perturbation in the form of only black and white stickers,we attack a real stop sign, causing targeted misclassification in 100% of the images obtained in lab settings, and in 84.8%of the captured video frames obtained on a moving vehicle(field test) for the target classifier.

Cryptography and Security,Machine Learning

Liang Tong,Minzhe Guo,Atul Prakash,Yevgeniy Vorobeychik

DOI: https://doi.org/10.48550/arXiv.2005.04272

2020-10-09

Abstract:Despite the remarkable success of deep neural networks, significant concerns have emerged about their robustness to adversarial perturbations to inputs. While most attacks aim to ensure that these are imperceptible, physical perturbation attacks typically aim for being unsuspicious, even if perceptible. However, there is no universal notion of what it means for adversarial examples to be unsuspicious. We propose an approach for modeling suspiciousness by leveraging cognitive salience. Specifically, we split an image into foreground (salient region) and background (the rest), and allow significantly larger adversarial perturbations in the background, while ensuring that cognitive salience of background remains low. We describe how to compute the resulting non-salience-preserving dual-perturbation attacks on classifiers. We then experimentally demonstrate that our attacks indeed do not significantly change perceptual salience of the background, but are highly effective against classifiers robust to conventional attacks. Furthermore, we show that adversarial training with dual-perturbation attacks yields classifiers that are more robust to these than state-of-the-art robust learning approaches, and comparable in terms of robustness to conventional attacks.

Machine Learning,Cryptography and Security

Changming Xu,Gagandeep Singh

2023-06-06

Abstract:Universal Adversarial Perturbations (UAPs) are imperceptible, image-agnostic vectors that cause deep neural networks (DNNs) to misclassify inputs with high probability. In practical attack scenarios, adversarial perturbations may undergo transformations such as changes in pixel intensity, scaling, etc. before being added to DNN inputs. Existing methods do not create UAPs robust to these real-world transformations, thereby limiting their applicability in practical attack scenarios. In this work, we introduce and formulate UAPs robust against real-world transformations. We build an iterative algorithm using probabilistic robustness bounds and construct such UAPs robust to transformations generated by composing arbitrary sub-differentiable transformation functions. We perform an extensive evaluation on the popular CIFAR-10 and ILSVRC 2012 datasets measuring our UAPs' robustness under a wide range common, real-world transformations such as rotation, contrast changes, etc. We further show that by using a set of primitive transformations our method can generalize well to unseen transformations such as fog, JPEG compression, etc. Our results show that our method can generate UAPs up to 23% more robust than state-of-the-art baselines.

Machine Learning,Cryptography and Security

Xiaoyi Dong,Jiangfan Han,Dongdong Chen,Jiayang Liu,Huanyu Bian,Zehua Ma,Hongsheng Li,Xiaogang Wang,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.1109/CVPR42600.2020.01291

2020-01-01

Abstract:Deep Neural Networks are vulnerable to adversarial samples, which can fool classifiers by adding small perturbations onto the original image. Since the pioneering optimization-based adversarial attack method, many following methods have been proposed in the past several years. However most of these methods add perturbations in a \"pixel-wise\" and \"global\" way. Firstly, because of the contradiction between the local smoothness of natural images and the noisy property of these adversarial perturbations, this \"pixel-wise\" way makes these methods not robust to image processing based defense methods and steganalysis based detection methods. Secondly, we find adding perturbations to the background is less useful than to the salient object, thus the \"global\" way is also not optimal. Based on these two considerations, we propose the first robust superpixel-guided attentional adversarial attack method. Specifically, the adversarial perturbations are only added to the salient regions and guaranteed to be same within each superpixel. Through extensive experiments, we demonstrate our method can preserve the attack ability even in this highly constrained modification space. More importantly, compared to existing methods, it is significantly more robust to image processing based defense and steganalysis based detection.

Jun Yan,Huilin Yin,Wancheng Ge,Li Liu

DOI: https://doi.org/10.1016/j.displa.2023.102479

IF: 3.074

2023-07-08

Displays

Abstract:The research on universal adversarial perturbations (UAPs) is significant to trustworthy deep learning. To disentangle the UAPs with the training data dependency and the target model dependency, the exploration of procedural noise functions is a feasible method. However, the current procedural adversarial noise attack method has several characteristics like visually significant anisotropy and gradient artifacts that may impact the stealthiness of adversarial examples. This study proposes a novel model-free and data-free UAP method based on the procedural noise functions with two variants: Simplex noise attack and Worley noise attack. The attack method can achieve deceit on the neural networks with a more aesthetic rendering effect. A detailed empirical study is provided to validate the effectiveness of the proposed attack method. The extensive experiments show that the UAPs generated by the proposed method achieve considerable attack performance on the ImageNet dataset and the CIFAR-10 dataset. Moreover, this study implements the performance evaluation and robustness analysis of existing defense methods against the proposed UAPs. It has the potential to enhance research on the robustness of neural networks in real applications. The code is available at https://github.com/momo1986/adversarial_example_simplex_worley .

engineering, electrical & electronic,instruments & instrumentation,optics,computer science, hardware & architecture

Yatie Xiao,Chi-Man Pun,Bo Liu

DOI: https://doi.org/10.1016/j.patcog.2021.107903

IF: 8

2021-07-01

Pattern Recognition

Abstract:Deep learning has shown superiority in dealing with complicated and professional tasks (e.g., computer vision, audio, and language processing). However, research works have confirmed that Deep Neural Networks (DNNs) are vulnerable to carefully crafted adversarial perturbations, which cause DNNs confusion on specific tasks. In object detection domain, the background has little contributions to object classification, and the crafted adversarial perturbations added to the background do not improve the adversary effect in fooling deep neural detection models yet induce substantial distortions in generated examples. Based on such situation, we introduce an adversarial attack algorithm named Adaptive Object-oriented Adversarial Method (AO 2 AM). It aims to fool deep neural object detection networks with the adversarial examples by applying the adaptive cumulation of object-based gradients and adding the adaptive object-based adversarial perturbations merely onto objects rather than the whole frame of input images. AO 2 AM can effectively make the representations of generated adversarial samples close to the decision boundary in the latent space, and force deep neural detection networks to yield inaccurate locations and false classification in the process of object detection. Compared with existing adversarial attack methods which generate adversarial perturbations acting on the global scale of the original inputs, the adversarial examples produced by AO 2 AM can effectively fool deep neural object detection networks and maintain a high structural similarity with corresponding clean inputs. Performing adversarial attacks on Faster R-CNN, AO 2 AM gains attack success rate (ASR) over 98.00% on pre-processed Pascal VOC 2007&amp;2012 (Val), and reaches SSIM over 0.870. In Fooling SSD, AO 2 AM receives SSIM exceeding 0.980 on L 2 norm constraint. On SSIM and Mean Attack Ratio, AO 2 AM outperforms adversarial attack methods based on global scale perturbations.

computer science, artificial intelligence,engineering, electrical & electronic

Ziang Yan,Yiwen Guo,Changshui Zhang

DOI: https://doi.org/10.48550/arXiv.1803.00404

2018-02-23

Computer Vision and Pattern Recognition

Abstract:Despite the efficacy on a variety of computer vision tasks, deep neural networks (DNNs) are vulnerable to adversarial attacks, limiting their applications in security-critical systems. Recent works have shown the possibility of generating imperceptibly perturbed image inputs (a.k.a., adversarial examples) to fool well-trained DNN classifiers into making arbitrary predictions. To address this problem, we propose a training recipe named "deep defense". Our core idea is to integrate an adversarial perturbation-based regularizer into the classification objective, such that the obtained models learn to resist potential attacks, directly and precisely. The whole optimization problem is solved just like training a recursive network. Experimental results demonstrate that our method outperforms training with adversarial/Parseval regularizations by large margins on various datasets (including MNIST, CIFAR-10 and ImageNet) and different DNN architectures. Code and models for reproducing our results are available at https://github.com/ZiangYan/deepdefense.pytorch

Guijian Tang,Tingsong Jiang,Weien Zhou,Chao Li,Wen Yao,Yong Zhao

DOI: https://doi.org/10.1016/j.neucom.2023.03.050

IF: 6

2023-04-05

Neurocomputing

Abstract:Although Deep Neural Networks (DNNs)-based object detectors are widely used in various fields, especially on aerial imagery object detections, it has been observed that a small elaborately designed patch attached to the images can mislead the DNNs-based detectors into producing erroneous output. However, the target detectors being attacked are quite simple, and the attack efficiency is relatively low in previous works, making it not practicable in real scenarios. To address these limitations, a new adversarial patch attack algorithm is proposed in this paper. Firstly, we designed a novel loss function using the intermediate outputs of the models rather than the model's final outputs interpreted by the detection head to optimize adversarial patches. The experiments conducted on the DOTA, RSOD, and NWPU VHR-10 datasets demonstrate that our method can significantly degrade the performance of the detectors. Secondly, we conducted intensive experiments to investigate the impact of different outputs of the detection model on generating adversarial patches, demonstrating the class score is not as effective as the objectness score. Thirdly, we comprehensively analyzed the attack transferability across different aerial imagery datasets, verifying that the patches generated on one dataset are also effective in attacking another. Moreover, we proposed ensemble training to boost the attack's transferability across models. Our work alarms the application of DNNs-based object detectors in aerial imagery.

computer science, artificial intelligence

Lu, Fang,Wang, Bin,Zhou, Boyang

DOI: https://doi.org/10.1007/s10489-023-05253-5

IF: 5.3

2024-01-14

Applied Intelligence

Abstract:Recent studies have shown that deep neural networks (DNNs) are vulnerable to adversarial examples (AEs). Denoising based on the input pre-processing is one of the defenses against adversarial attacks. However, it is hard to remove multiple adversarial perturbations, especially in the presence of evolving attacks. To address this challenge, we attempt to extract the commonality of adversarial perturbations. Due to the imperceptibility of adversarial perturbations in the input space, we conduct the extraction in the deep feature space where the perturbations become more apparent. Through the obtained common characteristics, we craft common adversarial examples (CAEs) to train the denoiser. Furthermore, to prevent image distortion while removing as much of the adversarial perturbation as possible, we propose a hybrid loss function that guides the training process at both the pixel level and the deep feature space. Our experiments show that our defense method can eliminate multiple adversarial perturbations, significantly enhancing adversarial robustness compared to previous state-of-the-art methods. Moreover, it can be plug-and-play for various classification models, which demonstrates the generalizability of our defense method.

computer science, artificial intelligence

Zhuo Leng,Zesen Cheng,Pengxu Wei,Jie Chen

DOI: https://doi.org/10.1007/978-981-99-8555-5_22

2024-01-01

Abstract:Deep neural networks have been demonstrated to be vulnerable to adversarial noise from attacks. Compared with white-box attacks, black-box attacks fool deep neural networks to yield erroneous predictions without knowing the model parameters. Black-box attacks include query-based attacks and transfer-based attacks; the former rely on querying the model while the latter just rely on the transferability of adversarial examples, thus challenging. Existing transfer-based black-box adversarial attack methods focus on the image classification task. Especially, we empirically verify that those methods struggle to balance the attack on objects with different classes and sizes, and thus they perform poorly in the attack on object detectors. In this work, we propose an Object-Aware mechanism to address this issue. It includes Object-Wise Gradient (OWG) calculation to balance the attack on multiple objects and a Domain-Division Map (DDM) to weigh the attack in size. Incorporating our method with seminal baselines (e.g., I-FGSM, MI-FGSM), we achieve superior attack performance on multiple object detectors (e.g., Faster R-CNN, DETR, SSD), which justifies the effectiveness and generality of our method.

Jiazhi Guan,Yi Zhao,Zhuoer Xu,Changhua Meng,Ke Xu,Youjian Zhao

DOI: https://doi.org/10.1609/aaai.v38i1.27762

2024-01-01

Abstract:The non-consensual exploitation of facial manipulation has emerged as a pressing societal concern. In tandem with the identification of such fake content, recent research endeavors have advocated countering manipulation techniques through proactive interventions, specifically the incorporation of adversarial noise to impede the manipulation in advance. Nevertheless, with insufficient consideration of robustness, we show that current methods falter in providing protection after simple perturbations, e.g., blur. In addition, traditional optimization-based methods face limitations in scalability as they struggle to accommodate the substantial expansion of data volume, a consequence of the time-intensive iterative pipeline. To solve these challenges, we propose a learning-based model, Adversarial Robust Safeguard (ARS), to generate desirable protection noise in a single forward process, concurrently exhibiting a heightened resistance against prevalent perturbations. Specifically, our method involves a two-way protection design, characterized by a basic protection component responsible for generating efficacious noise features, coupled with robust protection for further enhancement. In robust protection, we first fuse image features with spatially duplicated noise embedding, thereby accounting for inherent information redundancy. Subsequently, a combination comprising a differentiable perturbation module and an adversarial network is devised to simulate potential information degradation during the training process. To evaluate it, we conduct experiments on four manipulation methods and compare recent works comprehensively. The results of our method exhibit good visual effects with pronounced robustness against varied perturbations at different levels.

Lina Wang,Xingshu Chen,Yulong Wang,Yawei Yue,Yi Zhu,Xuemei Zeng,Wei Wang

DOI: https://doi.org/10.48550/arXiv.2106.09872

2021-06-18

Abstract:The vulnerability of deep neural networks to adversarial examples, which are crafted maliciously by modifying the inputs with imperceptible perturbations to misled the network produce incorrect outputs, reveals the lack of robustness and poses security concerns. Previous works study the adversarial robustness of image classifiers on image level and use all the pixel information in an image indiscriminately, lacking of exploration of regions with different semantic meanings in the pixel space of an image. In this work, we fill this gap and explore the pixel space of the adversarial image by proposing an algorithm to looking for possible perturbations pixel by pixel in different regions of the segmented image. The extensive experimental results on CIFAR-10 and ImageNet verify that searching for the modified pixel in only some pixels of an image can successfully launch the one-pixel adversarial attacks without requiring all the pixels of the entire image, and there exist multiple vulnerable points scattered in different regions of an image. We also demonstrate that the adversarial robustness of different regions on the image varies with the amount of semantic information contained.

Computer Vision and Pattern Recognition,Physics and Society

Jiale Duan,Linyao Qiu,Guangjun He,Ling Zhao,Zhenshi Zhang,Haifeng Li

DOI: https://doi.org/10.3390/rs16060997

IF: 5

2024-03-13

Remote Sensing

Abstract:In synthetic aperture radar (SAR) imaging, intelligent object detection methods are facing significant challenges in terms of model robustness and application security, which are posed by adversarial examples. The existing adversarial example generation methods for SAR object detection can be divided into two main types: global perturbation attacks and local perturbation attacks. Due to the dynamic changes and irregular spatial distribution of SAR coherent speckle backgrounds, the attack effectiveness of global perturbation attacks is significantly reduced by coherent speckle. In contrast, by focusing on the image objects, local perturbation attacks achieve targeted and effective advantages over global perturbations by minimizing interference from the SAR coherent speckle background. However, the adaptability of conventional local perturbations is limited because they employ a fixed size without considering the diverse sizes and shapes of SAR objects under various conditions. This paper presents a framework for region-adaptive local perturbations (RaLP) specifically designed for SAR object detection tasks. The framework consists of two modules. To address the issue of coherent speckle noise interference in SAR imagery, we develop a local perturbation generator (LPG) module. By filtering the original image, this module reduces the speckle features introduced during perturbation generation. It then superimposes adversarial perturbations in the form of local perturbations on areas of the object with weaker speckles, thereby reducing the mutual interference between coherent speckles and adversarial perturbation. To address the issue of insufficient adaptability in terms of the size variation in local adversarial perturbations, we propose an adaptive perturbation optimizer (APO) module. This optimizer adapts the size of the adversarial perturbations based on the size and shape of the object, effectively solving the problem of adaptive perturbation size and enhancing the universality of the attack. The experimental results show that RaLP reduces the detection accuracy of the YOLOv3 detector by 29.0%, 29.9%, and 32.3% on the SSDD, SAR-Ship, and AIR-SARShip datasets, respectively, and the model-to-model and dataset-to-dataset transferability of RaLP attacks are verified.

environmental sciences,imaging science & photographic technology,remote sensing,geosciences, multidisciplinary

Chao Zhou,Yuan-Gen Wang,Guopu Zhu

DOI: https://doi.org/10.48550/arXiv.2210.08472

2022-10-16

Abstract:Deep neural networks are facing severe threats from adversarial attacks. Most existing black-box attacks fool target model by generating either global perturbations or local patches. However, both global perturbations and local patches easily cause annoying visual artifacts in adversarial example. Compared with some smooth regions of an image, the object region generally has more edges and a more complex texture. Thus small perturbations on it will be more imperceptible. On the other hand, the object region is undoubtfully the decisive part of an image to classification tasks. Motivated by these two facts, we propose an object-attentional adversarial attack method for untargeted attack. Specifically, we first generate an object region by intersecting the object detection region from YOLOv4 with the salient object detection (SOD) region from HVPNet. Furthermore, we design an activation strategy to avoid the reaction caused by the incomplete SOD. Then, we perform an adversarial attack only on the detected object region by leveraging Simple Black-box Adversarial Attack (SimBA). To verify the proposed method, we create a unique dataset by extracting all the images containing the object defined by COCO from ImageNet-1K, named COCO-Reduced-ImageNet in this paper. Experimental results on ImageNet-1K and COCO-Reduced-ImageNet show that under various system settings, our method yields the adversarial example with better perceptual quality meanwhile saving the query budget up to 24.16\% compared to the state-of-the-art approaches including SimBA.

Computer Vision and Pattern Recognition

Ruijie Yang,Yunhong Wang,Yuanfang Guo

2021-01-01

Abstract: Most of the adversarial attack methods suffer from large perceptual distortions such as visible artifacts, when the attack strength is relatively high. These perceptual distortions contain a certain portion which contributes less to the attack success rate. This portion of distortions, which is induced by unnecessary modifications and lack of proper perceptual distortion constraint, is the target of the proposed framework. In this paper, we propose a perceptual distortion reduction framework to tackle this problem from two perspectives. We guide the perturbation addition process to reduce unnecessary modifications by proposing an activated region transfer attention mask, which intends to transfer the activated regions of the target model from the correct prediction to incorrect ones. Note that an ensemble model is adopted to predict the activated regions of the unseen models in the black-box setting of our framework. Besides, we propose a perceptual distortion constraint and add it into the objective function of adversarial attack to jointly optimize the perceptual distortions and attack success rate. Extensive experiments have verified the effectiveness of our framework on several baseline methods.

Quanxin Zhang,Yuhang Zhao,Yajie Wang,Thar Baker,Jian Zhang,Jingjing Hu

DOI: https://doi.org/10.1016/j.comnet.2020.107388

IF: 5.493

2020-10-01

Computer Networks

Abstract:<p>Deep neural network is the main research branch in artificial intelligence and suitable for many decision-making fields. Autonomous driving and unmanned vehicle often depend on deep neural networks for accurate and reliable detection, classification, and ranging of surrounding objects in real on-road environments, either locally or by swarm intelligence among distributed nodes via 5G channel. But, it has been demonstrated that deep neural networks are vulnerable to well-designed adversarial examples that are imperceptible to human eyes in computer vision tasks. It is valuable to study the vulnerability for enhancing the robustness of neural networks. However, existing adversarial examples against object detection models are image-dependent, so in this paper, we implement adversarial attacks against object detection models using universal perturbations. We find the cross-task, cross-model, and cross-dataset transferability of universal perturbations, we train universal perturbations generator firstly and then add the universal perturbations to the target images in two ways: resizing and pile-up, in order to solve the problem that universal perturbations cannot be directly applied to attack object detection models. We use the transferability of universal perturbations to attack black-box object detection models. In this way, the time cost of generating adversarial examples is reduced. A series of experiments are conducted on PASCAL VOC and MS COCO datasets demonstrating the feasibility of cross-task attacks and proving the effectiveness of our attack on two representative object detectors: regression-based models like YOLOv3 and proposal-based models like Faster R-CNN.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture