Tao Zhou,Qi Ye,Wenhan Luo,Kaihao Zhang,Zhiguo Shi,Jiming Chen

DOI: https://doi.org/10.1109/iccv51070.2023.00422

2023-01-01

Abstract:Multi-object tracking (MOT) aims to build moving trajectories for number-agnostic objects. Modern multi-object trackers commonly follow the tracking-by-detection strategy. Therefore, fooling detectors can be an effective solution but it usually requires attacks in multiple successive frames, resulting in low efficiency. Attacking association processes improves efficiency but may require model-specific design, leading to poor generalization. In this paper, we propose a novel False negative and False positive attack (F&F attack) mechanism: it perturbs the input image to erase original detections and to inject deceptive false alarms around original ones while integrating the association attack implicitly. The mechanism can produce effective identity switches against multi-object trackers by only fooling detectors in a few frames. To demonstrate the flexibility of the mechanism, we deploy it to three multi-object trackers (ByteTrack, SORT, and CenterTrack) which are enabled by two representative detectors (YOLOX and CenterNet). Comprehensive experiments on MOT17 and MOT20 datasets show that our method significantly outperforms existing attackers, revealing the vulnerability of the tracking-by-detection paradigm to detection attacks.

Yajie Wang,Yu-an Tan,Wenjiao Zhang,Yuhang Zhao,Xiaohui Kuang

DOI: https://doi.org/10.1016/j.jnca.2020.102634

IF: 7.574

2020-01-01

Journal of Network and Computer Applications

Abstract:Object detection models play an essential role in various IoT devices as one of the core components. Scientific experiments have proven that object detection models are vulnerable to adversarial examples. Heretofore, some attack methods against object detection models have been proposed, but the existing attack methods can only attack white-box models or a specific type of black-box models. In this paper, we propose a novel black-box attack method called Evaporate Attack, which can successfully attack both regression-based and region-based detection models. To perform an effective attack on different types of object detection models, we design an optimization algorithm, which can generate adversarial examples only utilizes the position and label information of the model's prediction. Evaporate Attack can hide objects from detection models without any interior information of the model. This scenario is much practical in real-world faced by the attacker. Our approach achieves an 84% fooling rate on regression-based YOLOv3 and a 48% fooling rate on region-based Faster R–CNN, under the premise that all objects are hidden.

Yatie Xiao,Chi-Man Pun,Bo Liu

DOI: https://doi.org/10.1016/j.patcog.2021.107903

IF: 8

2021-07-01

Pattern Recognition

Abstract:Deep learning has shown superiority in dealing with complicated and professional tasks (e.g., computer vision, audio, and language processing). However, research works have confirmed that Deep Neural Networks (DNNs) are vulnerable to carefully crafted adversarial perturbations, which cause DNNs confusion on specific tasks. In object detection domain, the background has little contributions to object classification, and the crafted adversarial perturbations added to the background do not improve the adversary effect in fooling deep neural detection models yet induce substantial distortions in generated examples. Based on such situation, we introduce an adversarial attack algorithm named Adaptive Object-oriented Adversarial Method (AO 2 AM). It aims to fool deep neural object detection networks with the adversarial examples by applying the adaptive cumulation of object-based gradients and adding the adaptive object-based adversarial perturbations merely onto objects rather than the whole frame of input images. AO 2 AM can effectively make the representations of generated adversarial samples close to the decision boundary in the latent space, and force deep neural detection networks to yield inaccurate locations and false classification in the process of object detection. Compared with existing adversarial attack methods which generate adversarial perturbations acting on the global scale of the original inputs, the adversarial examples produced by AO 2 AM can effectively fool deep neural object detection networks and maintain a high structural similarity with corresponding clean inputs. Performing adversarial attacks on Faster R-CNN, AO 2 AM gains attack success rate (ASR) over 98.00% on pre-processed Pascal VOC 2007&2012 (Val), and reaches SSIM over 0.870. In Fooling SSD, AO 2 AM receives SSIM exceeding 0.980 on L 2 norm constraint. On SSIM and Mean Attack Ratio, AO 2 AM outperforms adversarial attack methods based on global scale perturbations.

computer science, artificial intelligence,engineering, electrical & electronic

Zhuo Leng,Zesen Cheng,Pengxu Wei,Jie Chen

DOI: https://doi.org/10.1007/978-981-99-8555-5_22

2024-01-01

Abstract:Deep neural networks have been demonstrated to be vulnerable to adversarial noise from attacks. Compared with white-box attacks, black-box attacks fool deep neural networks to yield erroneous predictions without knowing the model parameters. Black-box attacks include query-based attacks and transfer-based attacks; the former rely on querying the model while the latter just rely on the transferability of adversarial examples, thus challenging. Existing transfer-based black-box adversarial attack methods focus on the image classification task. Especially, we empirically verify that those methods struggle to balance the attack on objects with different classes and sizes, and thus they perform poorly in the attack on object detectors. In this work, we propose an Object-Aware mechanism to address this issue. It includes Object-Wise Gradient (OWG) calculation to balance the attack on multiple objects and a Domain-Division Map (DDM) to weigh the attack in size. Incorporating our method with seminal baselines (e.g., I-FGSM, MI-FGSM), we achieve superior attack performance on multiple object detectors (e.g., Faster R-CNN, DETR, SSD), which justifies the effectiveness and generality of our method.

Xiang Li,Yuchen Jiang,Chenglin Liu,Shaochong Liu,Hao Luo,Shen Yin

DOI: https://doi.org/10.1109/tai.2021.3107807

2022-02-01

IEEE Transactions on Artificial Intelligence

Abstract:In the fields of deep learning and computer vision, the security of object detection models has received extensive attention. Revealing the security vulnerabilities resulting from adversarial attacks has become one of the most important research directions. Existing studies show that object detection models can also be threatened by adversarial examples, just like other deep-neural-network-based models, e.g., those for classification. In this article, we propose a bidirectional adversarial attack method. First, the added perturbation pushes the prediction results given by the object detectors far away from the ground-truth class while getting close to the background class. Second, a confidence loss function is designed for the region proposal network to reduce the foreground scores. Third, the adversarial examples are generated by a pretrained autoencoder, and the model is trained using an adversarial approach, which can enhance the similarity between the adversarial examples and the original image and speed up algorithm convergence. The proposed method was verified on the most popular two-stage detection framework (Faster R-CNN), and 55.1 drop in the mean average precision (mAP-drop) was obtained. In addition, the adversarial examples have superior transferability, migrating which to the common one-stage detection framework (YOLOv3) gets a 39.5 mAP-drop.

English Else

Abdollah Amirkhani,Mohammad Parsa Karimi

DOI: https://doi.org/10.1007/s00371-021-02256-6

IF: 2.835

2021-07-24

The Visual Computer

Abstract:Despite their many advantages and positive features, the deep neural networks are extremely vulnerable against adversarial attacks. This drawback has substantially reduced the adversarial accuracy of the visual object detectors. To make these object detectors robust to adversarial attacks, a new Gabor filter-based method has been proposed in this paper. This method has then been applied on the YOLOv3 with different backbones, the SSD with different input sizes and on the FRCNN; and thus, six robust object detector models have been presented. In order to evaluate the efficacy of the models, they have been subjected to adversarial training via three types of targeted attacks (TOG-fabrication, TOG-vanishing, and TOG-mislabeling) and three types of untargeted random attacks (DAG, RAP, and UEA). The best average accuracy (49.6%) was achieved by the YOLOv3-d model, and for the PASCAL VOC dataset. This is far superior to the best performance and accuracy and obtained in previous works (25.4%). Empirical results show that, while the presented approach improves the adversarial accuracy of the object detector models, it does not affect the performance of these models on clean data.

computer science, software engineering

Xiangyu Yin,Wenjie Ruan,Jonathan Fieldsend

DOI: https://doi.org/10.48550/arXiv.2207.08044

2022-07-17

Abstract:The adversarial attack can force a CNN-based model to produce an incorrect output by craftily manipulating human-imperceptible input. Exploring such perturbations can help us gain a deeper understanding of the vulnerability of neural networks, and provide robustness to deep learning against miscellaneous adversaries. Despite extensive studies focusing on the robustness of image, audio, and NLP, works on adversarial examples of visual object tracking -- especially in a black-box manner -- are quite lacking. In this paper, we propose a novel adversarial attack method to generate noises for single object tracking under black-box settings, where perturbations are merely added on initial frames of tracking sequences, which is difficult to be noticed from the perspective of a whole video clip. Specifically, we divide our algorithm into three components and exploit reinforcement learning for localizing important frame patches precisely while reducing unnecessary computational queries overhead. Compared to existing techniques, our method requires fewer queries on initialized frames of a video to manipulate competitive or even better attack performance. We test our algorithm in both long-term and short-term datasets, including OTB100, VOT2018, UAV123, and LaSOT. Extensive experiments demonstrate the effectiveness of our method on three mainstream types of trackers: discrimination, Siamese-based, and reinforcement learning-based trackers.

Computer Vision and Pattern Recognition

Han Wu,Syed Yunas,Sareh Rowlands,Wenjie Ruan,Johan Wahlstrom

DOI: https://doi.org/10.1109/IV55152.2023.10186608

2023-12-12

Abstract:Intelligent robots rely on object detection models to perceive the environment. Following advances in deep learning security it has been revealed that object detection models are vulnerable to adversarial attacks. However, prior research primarily focuses on attacking static images or offline videos. Therefore, it is still unclear if such attacks could jeopardize real-world robotic applications in dynamic environments. This paper bridges this gap by presenting the first real-time online attack against object detection models. We devise three attacks that fabricate bounding boxes for nonexistent objects at desired locations. The attacks achieve a success rate of about 90% within about 20 iterations. The demo video is available at <a class="link-external link-https" href="https://youtu.be/zJZ1aNlXsMU" rel="external noopener nofollow">this https URL</a>.

Artificial Intelligence,Computer Vision and Pattern Recognition,Robotics

Pham Phuc,Son Vuong,Khang Nguyen,Tuan Dang

2024-12-25

Abstract:Deep learning-based object detection has become ubiquitous in the last decade due to its high accuracy in many real-world applications. With this growing trend, these models are interested in being attacked by adversaries, with most of the results being on classifiers, which do not match the context of practical object detection. In this work, we propose a novel method to fool object detectors, expose the vulnerability of state-of-the-art detectors, and promote later works to build more robust detectors to adversarial examples. Our method aims to generate adversarial images by perturbing object confidence scores during training, which is crucial in predicting confidence for each class in the testing phase. Herein, we provide a more intuitive technique to embed additive noises based on detected objects' masks and the training loss with distortion control over the original image by leveraging the gradient of iterative images. To verify the proposed method, we perform adversarial attacks against different object detectors, including the most recent state-of-the-art models like YOLOv8, Faster R-CNN, RetinaNet, and Swin Transformer. We also evaluate our technique on MS COCO 2017 and PASCAL VOC 2012 datasets and analyze the trade-off between success attack rate and image distortion. Our experiments show that the achievable success attack rate is up to $100$\% and up to $98$\% when performing white-box and black-box attacks, respectively. The source code and relevant documentation for this work are available at the following link: <a class="link-external link-https" href="https://github.com/anonymous20210106/attack_detector" rel="external noopener nofollow">this https URL</a>

Computer Vision and Pattern Recognition

Haotian Zhang,Xu Ma

DOI: https://doi.org/10.1016/j.cose.2022.102876

2022-11-01

Abstract:Object detection is a hot topic in computer vision (CV), and it has many applications in various security fields. However, many works have demonstrated that neural network-based object detection is vulnerable to adversarial attacks. In this paper, we study adversarial attacks on object detectors in the real world and propose a new adversarial attack called Misleading Attention and Classification Attack (MACA), which can generate adversarial patches to mislead the object detectors. Specifically, we propose a new scheme to generate adversarial patches to fool the object detector. Our scheme restricts the noise of the adversarial patches and aims to ensure that the generated adversarial patches are visually similar to natural images. The attack simulates the complex external physical environment and the 3D transformations of non-rigid objects to increase the robustness of adversarial patches. We attack the up-to-date object detectors (e.g., Yolo-V5), and we prove that our technique has strong transferability among different detectors. Extensive experiments show that it is feasible to transfer the digital adversarial patches to the real world while maintaining the transferability of adversarial patches among different models and the success rate of adversarial attacks.

computer science, information systems

Ka-Ho Chow,Ling Liu,Mehmet Emre Gursoy,Stacey Truex,Wenqi Wei,Yanzhao Wu

DOI: https://doi.org/10.48550/arXiv.2007.05828

2020-07-12

Abstract:Deep neural networks based object detection models have revolutionized computer vision and fueled the development of a wide range of visual recognition applications. However, recent studies have revealed that deep object detectors can be compromised under adversarial attacks, causing a victim detector to detect no object, fake objects, or mislabeled objects. With object detection being used pervasively in many security-critical applications, such as autonomous vehicles and smart cities, we argue that a holistic approach for an in-depth understanding of adversarial attacks and vulnerabilities of deep object detection systems is of utmost importance for the research community to develop robust defense mechanisms. This paper presents a framework for analyzing and evaluating vulnerabilities of the state-of-the-art object detectors under an adversarial lens, aiming to analyze and demystify the attack strategies, adverse effects, and costs, as well as the cross-model and cross-resolution transferability of attacks. Using a set of quantitative metrics, extensive experiments are performed on six representative deep object detectors from three popular families (YOLOv3, SSD, and Faster R-CNN) with two benchmark datasets (PASCAL VOC and MS COCO). We demonstrate that the proposed framework can serve as a methodical benchmark for analyzing adversarial behaviors and risks in real-time object detection systems. We conjecture that this framework can also serve as a tool to assess the security risks and the adversarial robustness of deep object detectors to be deployed in real-world applications.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Chao Zhou,Yuan-Gen Wang,Guopu Zhu

DOI: https://doi.org/10.48550/arXiv.2210.08472

2022-10-16

Abstract:Deep neural networks are facing severe threats from adversarial attacks. Most existing black-box attacks fool target model by generating either global perturbations or local patches. However, both global perturbations and local patches easily cause annoying visual artifacts in adversarial example. Compared with some smooth regions of an image, the object region generally has more edges and a more complex texture. Thus small perturbations on it will be more imperceptible. On the other hand, the object region is undoubtfully the decisive part of an image to classification tasks. Motivated by these two facts, we propose an object-attentional adversarial attack method for untargeted attack. Specifically, we first generate an object region by intersecting the object detection region from YOLOv4 with the salient object detection (SOD) region from HVPNet. Furthermore, we design an activation strategy to avoid the reaction caused by the incomplete SOD. Then, we perform an adversarial attack only on the detected object region by leveraging Simple Black-box Adversarial Attack (SimBA). To verify the proposed method, we create a unique dataset by extracting all the images containing the object defined by COCO from ImageNet-1K, named COCO-Reduced-ImageNet in this paper. Experimental results on ImageNet-1K and COCO-Reduced-ImageNet show that under various system settings, our method yields the adversarial example with better perceptual quality meanwhile saving the query budget up to 24.16\% compared to the state-of-the-art approaches including SimBA.

Computer Vision and Pattern Recognition

Lyu Haoran,Tan Yu'an,Xue Yuan,Wang Yajie,Xue Jingfeng

DOI: https://doi.org/10.1049/cje.2021.03.003

IF: 1.019

2021-01-01

Chinese Journal of Electronics

Abstract:Object detection is one of the essential tasks of computer vision. Object detectors based on the deep neural network have been used more and more widely in safe-sensitive applications, like face recognition, video surveillance, autonomous driving, and other tasks. It has been proved that object detectors are vulnerable to adversarial attacks. We propose a novel black-box attack method, which can successfully attack regression-based and region-based object detectors. We introduce methods to reduce search dimensions, reduce the dimension of optimization problems and reduce the number of queries by using the Covariance matrix adaptation Evolution strategy（CMA-ES） as the primary method to generate adversarial examples. Our method only adds adversarial perturbations in the object box to achieve a precise attack.Our proposed attack can hide the specified object with an attack success rate of 86% and an average number of queries of 5, 124, and hide all objects with a success rate of74% and an average number of queries of 6, 154. Our work illustrates the effectiveness of the CMA-ES method to generate adversarial examples and proves the vulnerability of the object detectors against the adversarial attacks.

Derui Wang,Chaoran Li,Sheng Wen,Qing-Long Han,Surya Nepal,Xiangyu Zhang,Yang Xiang

DOI: https://doi.org/10.1109/TCYB.2020.3041481

2021-01-05

Abstract:This article demonstrates that nonmaximum suppression (NMS), which is commonly used in object detection (OD) tasks to filter redundant detection results, is no longer secure. Considering that NMS has been an integral part of OD systems, thwarting the functionality of NMS can result in unexpected or even lethal consequences for such systems. In this article, an adversarial example attack that triggers malfunctioning of NMS in OD models is proposed. The attack, namely, Daedalus, compresses the dimensions of detection boxes to evade NMS. As a result, the final detection output contains extremely dense false positives. This can be fatal for many OD applications, such as autonomous vehicles and surveillance systems. The attack can be generalized to different OD models, such that the attack cripples various OD applications. Furthermore, a way of crafting robust adversarial examples is developed by using an ensemble of popular detection models as the substitutes. Considering the pervasive nature of model reuse in real-world OD scenarios, Daedalus examples crafted based on an ensemble of substitutes can launch attacks without knowing the parameters of the victim models. The experimental results demonstrate that the attack effectively stops NMS from filtering redundant bounding boxes. As the evaluation results suggest, Daedalus increases the false positive rate in detection results to 99.9% and reduces the mean average precision scores to 0, while maintaining a low cost of distortion on the original inputs. It also demonstrates that the attack can be practically launched against real-world OD systems via printed posters.

Yunhan Jia,Yantao Lu,Junjie Shen,Qi Alfred Chen,Zhenyu Zhong,Tao Wei

DOI: https://doi.org/10.48550/arXiv.1905.11026

2019-05-30

Abstract:Recent work in adversarial machine learning started to focus on the visual perception in autonomous driving and studied Adversarial Examples (AEs) for object detection models. However, in such visual perception pipeline the detected objects must also be tracked, in a process called Multiple Object Tracking (MOT), to build the moving trajectories of surrounding obstacles. Since MOT is designed to be robust against errors in object detection, it poses a general challenge to existing attack techniques that blindly target objection detection: we find that a success rate of over 98% is needed for them to actually affect the tracking results, a requirement that no existing attack technique can satisfy. In this paper, we are the first to study adversarial machine learning attacks against the complete visual perception pipeline in autonomous driving, and discover a novel attack technique, tracker hijacking, that can effectively fool MOT using AEs on object detection. Using our technique, successful AEs on as few as one single frame can move an existing object in to or out of the headway of an autonomous vehicle to cause potential safety hazards. We perform evaluation using the Berkeley Deep Drive dataset and find that on average when 3 frames are attacked, our attack can have a nearly 100% success rate while attacks that blindly target object detection only have up to 25%.

Computer Vision and Pattern Recognition,Cryptography and Security

Xiaofei Wang,Shaohui Mei,Jiawei Lian,Yingjie Lu

DOI: https://doi.org/10.1109/tgrs.2024.3386533

IF: 8.2

2024-04-24

IEEE Transactions on Geoscience and Remote Sensing

Abstract:Recent developments in adversarial attack have witnessed the success of background attack against object detectors. However, most existing methods attack detectors by luring targets into background. Therefore, an innovative background attack framework via dual-adversarial-induced error identification (BADEI) is proposed to attack detectors by deceiving background as targets, as well as deceiving targets as background, where the attack performance can be greatly enhanced by these two kinds of induced error identification. Specifically, a mechanism that generates the adversarial background is proposed to result in dual error detection, where the background can conceal the specified targets and cause the misclassification of the adversarial pattern in the background as a specific category. Moreover, an unoccluded training strategy (UTS) that leverages the target mask of an image is introduced to strategically place adaptive adversarial background beneath the targets while optimizing and updating the pixel values of the background outside the target region, which can enhance attack effectiveness for adversarial background, significantly degrade the targets' average accuracy, and enhance the robustness of background. Finally, a dual deceptive loss function (D2LF) is carefully formulated to generate false negatives (FNs) and false positives (FPs) to achieve untargeted attacks for hiding objects as well as targeted attacks for erroneously recognizing objects. Extensive experiments and comparative analysis of various victim network models on two datasets (including the dataset for object detection in aerial images (DOTA) and RSOD dataset) confirm that the proposed framework exhibits superior performance over the state-of-the-art methods in both digital and physical scenarios.

imaging science & photographic technology,remote sensing,engineering, electrical & electronic,geochemistry & geophysics

Chengxiao Luo,Yiming Li,Yong Jiang,Shu-Tao Xia

DOI: https://doi.org/10.1109/ICASSP49357.2023.10095980

2023-01-01

Abstract: Recent studies revealed that deep neural networks (DNNs) are exposed to backdoor threats when training with third-party resources (such as training samples or backbones). The backdoored model has promising performance in predicting benign samples, whereas its predictions can be maliciously manipulated by adversaries based on activating its backdoors with pre-defined trigger patterns. Currently, most of the existing backdoor attacks were conducted on the image classification under the targeted manner. In this paper, we reveal that these threats could also happen in object detection, posing threatening risks to many mission-critical applications ($e.g.$, pedestrian detection and intelligent surveillance systems). Specifically, we design a simple yet effective poison-only backdoor attack in an untargeted manner, based on task characteristics. We show that, once the backdoor is embedded into the target model by our attack, it can trick the model to lose detection of any object stamped with our trigger patterns. We conduct extensive experiments on the benchmark dataset, showing its effectiveness in both digital and physical-world settings and its resistance to potential defenses.

Yier Wei,Haichang Gao,Xingyi Quan,Guotu Luo

DOI: https://doi.org/10.1109/ijcnn60899.2024.10651486

2024-01-01

Abstract:Deep neural networks are widely used in tasks such as autonomous driving and computer vision. Previous studies have shown that it is susceptible to adversarial attacks, resulting in erroneous outputs. However, adversarial attacks against object detection networks are difficult to implement due to the high complexity of the object detection algorithm itself. We propose a transferable adversarial attack method for object detection networks, and collect a large number of real car images for model training and testing. We design a classification probability loss function based on inter-class probability distribution and an IoU loss function based on the predicted bounding box to train the generation of adversarial perturbations. The perturbation is covered on the hood of the car so that the vehicle can successfully escape the object detection model. At the same time, we place the printed adversarial patch on real-world cars and use methods such as perspective transformation and affine transformation to enhance the robustness of adversarial attacks in various complex physical environments. The experimental results in indoor and outdoor scenes show that the adversarial perturbation jointly trained by the above two loss functions can successfully attack the YOLOv3 detector, reducing the number of cars detected by the detector by 91.2% and 90.7% respectively. The proposed attack method performs well in both the digital and physical domains and can be transferred between different detection models.

Shih-Han Chan,Yinpeng Dong,Jun Zhu,Xiaolu Zhang,Jun Zhou

DOI: https://doi.org/10.48550/arXiv.2205.14497

2022-05-28

Computer Vision and Pattern Recognition

Abstract:Deep learning models have been deployed in numerous real-world applications such as autonomous driving and surveillance. However, these models are vulnerable in adversarial environments. Backdoor attack is emerging as a severe security threat which injects a backdoor trigger into a small portion of training data such that the trained model behaves normally on benign inputs but gives incorrect predictions when the specific trigger appears. While most research in backdoor attacks focuses on image classification, backdoor attacks on object detection have not been explored but are of equal importance. Object detection has been adopted as an important module in various security-sensitive applications such as autonomous driving. Therefore, backdoor attacks on object detection could pose severe threats to human lives and properties. We propose four kinds of backdoor attacks for object detection task: 1) Object Generation Attack: a trigger can falsely generate an object of the target class; 2) Regional Misclassification Attack: a trigger can change the prediction of a surrounding object to the target class; 3) Global Misclassification Attack: a single trigger can change the predictions of all objects in an image to the target class; and 4) Object Disappearance Attack: a trigger can make the detector fail to detect the object of the target class. We develop appropriate metrics to evaluate the four backdoor attacks on object detection. We perform experiments using two typical object detection models -- Faster-RCNN and YOLOv3 on different datasets. More crucially, we demonstrate that even fine-tuning on another benign dataset cannot remove the backdoor hidden in the object detection model. To defend against these backdoor attacks, we propose Detector Cleanse, an entropy-based run-time detection framework to identify poisoned testing samples for any deployed object detector.