Yajie Wang,Haoran Lv,Xiaohui Kuang,Gang Zhao,Yu-an Tan,Quanxin Zhang,Jingjing Hu

DOI: https://doi.org/10.1016/j.ins.2020.08.087

IF: 8.1

2020-01-01

Information Sciences

Abstract:As one of the core components of the computer vision, the object detection model plays a vital role in various security-sensitive systems. However, it has been proved that the object detection model is vulnerable to the adversarial attack. In this paper, we propose a novel adversarial patch attack against object detection models. Our attack can make the object of a specific class invisible to object detection models. We design the detection score to measure the detection model's output and generate the adversarial patch by minimizing the detection score. We successfully suppress the model's inference and fool several state-of-the-art object detection models. We triumphantly achieve a minimum recall of 11.02% and a maximum fooling rate of 81.00% and demonstrates the high transferability of adversarial patch between different architecture and datasets. Finally, we successfully fool a real-time object detection system in the physical world, demonstrating the feasibility of transferring the digital adversarial patch to the physical world. Our work illustrates the vulnerability of the object detection model against the adversarial patch attack in both the digital and physical world. (C) 2020 Elsevier Inc. All rights reserved.

Zijian Zhu,Hang Su,Chang Liu,Wenzhao Xiang,Shibao Zheng

DOI: https://doi.org/10.48550/arXiv.2109.15177

2021-09-30

Computer Vision and Pattern Recognition

Abstract:Blind spots or outright deceit can bedevil and deceive machine learning models. Unidentified objects such as digital "stickers," also known as adversarial patches, can fool facial recognition systems, surveillance systems and self-driving cars. Fortunately, most existing adversarial patches can be outwitted, disabled and rejected by a simple classification network called an adversarial patch detector, which distinguishes adversarial patches from original images. An object detector classifies and predicts the types of objects within an image, such as by distinguishing a motorcyclist from the motorcycle, while also localizing each object's placement within the image by "drawing" so-called bounding boxes around each object, once again separating the motorcyclist from the motorcycle. To train detectors even better, however, we need to keep subjecting them to confusing or deceitful adversarial patches as we probe for the models' blind spots. For such probes, we came up with a novel approach, a Low-Detectable Adversarial Patch, which attacks an object detector with small and texture-consistent adversarial patches, making these adversaries less likely to be recognized. Concretely, we use several geometric primitives to model the shapes and positions of the patches. To enhance our attack performance, we also assign different weights to the bounding boxes in terms of loss function. Our experiments on the common detection dataset COCO as well as the driving-video dataset D2-City show that LDAP is an effective attack method, and can resist the adversarial patch detector.

Yexin Duan,Jialin Chen,Xingyu Zhou,Junhua Zou,Zhengyun He,Jin Zhang,Wu Zhang,Zhisong Pan

DOI: https://doi.org/10.48550/arXiv.2109.00124

2022-05-14

Abstract:An adversary can fool deep neural network object detectors by generating adversarial noises. Most of the existing works focus on learning local visible noises in an adversarial "patch" fashion. However, the 2D patch attached to a 3D object tends to suffer from an inevitable reduction in attack performance as the viewpoint changes. To remedy this issue, this work proposes the Coated Adversarial Camouflage (CAC) to attack the detectors in arbitrary viewpoints. Unlike the patch trained in the 2D space, our camouflage generated by a conceptually different training framework consists of 3D rendering and dense proposals attack. Specifically, we make the camouflage perform 3D spatial transformations according to the pose changes of the object. Based on the multi-view rendering results, the top-n proposals of the region proposal network are fixed, and all the classifications in the fixed dense proposals are attacked simultaneously to output errors. In addition, we build a virtual 3D scene to fairly and reproducibly evaluate different attacks. Extensive experiments demonstrate the superiority of CAC over the existing attacks, and it shows impressive performance both in the virtual scene and the real world. This poses a potential threat to the security-critical computer vision systems.

Computer Vision and Pattern Recognition

Jeonghun Kim,Hunmin Yang,Se-Yoon Oh

DOI: https://doi.org/10.9766/kimst.2023.26.1.044

2023-02-05

Journal of the Korea Institute of Military Science and Technology

Abstract:Adversarial attacks have received great attentions for their capacity to distract state-of-the-art neural networks by modifying objects in physical domain. Patch-based attack especially have got much attention for its optimization effectiveness and feasible adaptation to any objects to attack neural network-based object detectors. However, despite their strong attack performance, generated patches are strongly perceptible for humans, violating the fundamental assumption of adversarial examples. In this paper, we propose a camouflaged adversarial patch optimization method using military camouflage assessment metrics for naturalistic patch attacks. We also investigate camouflaged attack loss functions, applications of various camouflaged patches on army tank images, and validate the proposed approach with extensive experiments attacking Yolov5 detection model. Our methods produce more natural and realistic looking camouflaged patches while achieving competitive performance.

Fengyi Liu,Zhichao Lian

DOI: https://doi.org/10.1109/dasc/picom/cbdcom/cy59711.2023.10361358

2023-01-01

Abstract:Although image recognition and classification methods based on deep neural networks (DNNs) have accomplished remarkable achievements in the domain of computer vision, more and more research in recent years has shown that these models may have vulnerabilities that can be easily exploited by attackers, leading to incorrect output results. Especially in the realm of object detection, the incorporation of meticulously crafted patches onto images can potentially deceive DNN-based detectors, resulting in erroneous output outcomes. These patches can be carefully designed to greatly interfere with and mislead the output results of deep neural networks. These misleading output results may lead to serious security issues and losses, so it is becoming increasingly important to study and strengthen the robustness and security of DNNs based target detectors. However, previous methods did not consider the interpretability of the model, and this paper proposes a new mothed to adversarial patch attacks. First, we employ the model interpretable algorithm Grad-CAM to obtain the patch's location within the model's region of interest for the target. Subsequently, we calculate the precise patch placement and apply it accordingly. Following that, we utilize a loss function to optimize patch, ensuring its effectiveness. The experimental results obtained from the DOTA dataset indicate that our proposed method effectively degrades the performance of the target detection model. Secondly, we conducted experiments to improve the transferability of adversarial patches across different models, and verified that using patches to cover the regions of interest in the model improves the transferability of patches.

Yusheng Zhao,Huanqian Yan,Xingxing Wei

2020-01-01

Abstract: Deep neural networks have been widely used in many computer vision tasks. However, it is proved that they are susceptible to small, imperceptible perturbations added to the input. Inputs with elaborately designed perturbations that can fool deep learning models are called adversarial examples, and they have drawn great concerns about the safety of deep neural networks. Object detection algorithms are designed to locate and classify objects in images or videos and they are the core of many computer vision tasks, which have great research value and wide applications. In this paper, we focus on adversarial attack on some state-of-the-art object detection models. As a practical alternative, we use adversarial patches for the attack. Two adversarial patch generation algorithms have been proposed: the heatmap-based algorithm and the consensus-based algorithm. The experiment results have shown that the proposed methods are highly effective, transferable and generic. Additionally, we have applied the proposed methods to competition "Adversarial Challenge on Object Detection" that is organized by Alibaba on the Tianchi platform and won top 7 in 1701 teams. Code is available at: https://github.com/FenHua/DetDak

Jakob Shack,Katarina Petrovic,Olga Saukh

2024-10-23

Abstract:Adversarial attacks pose a significant threat to the robustness and reliability of machine learning systems, particularly in computer vision applications. This study investigates the performance of adversarial patches for the YOLO object detection network in the physical world. Two attacks were tested: a patch designed to be placed anywhere within the scene - global patch, and another patch intended to partially overlap with specific object targeted for removal from detection - local patch. Various factors such as patch size, position, rotation, brightness, and hue were analyzed to understand their impact on the effectiveness of the adversarial patches. The results reveal a notable dependency on these parameters, highlighting the challenges in maintaining attack efficacy in real-world conditions. Learning to align digitally applied transformation parameters with those measured in the real world still results in up to a 64\% discrepancy in patch performance. These findings underscore the importance of understanding environmental influences on adversarial attacks, which can inform the development of more robust defenses for practical machine learning applications.

Computer Vision and Pattern Recognition,Machine Learning

Yatie Xiao,Chi-Man Pun,Bo Liu

DOI: https://doi.org/10.1016/j.patcog.2021.107903

IF: 8

2021-07-01

Pattern Recognition

Abstract:Deep learning has shown superiority in dealing with complicated and professional tasks (e.g., computer vision, audio, and language processing). However, research works have confirmed that Deep Neural Networks (DNNs) are vulnerable to carefully crafted adversarial perturbations, which cause DNNs confusion on specific tasks. In object detection domain, the background has little contributions to object classification, and the crafted adversarial perturbations added to the background do not improve the adversary effect in fooling deep neural detection models yet induce substantial distortions in generated examples. Based on such situation, we introduce an adversarial attack algorithm named Adaptive Object-oriented Adversarial Method (AO 2 AM). It aims to fool deep neural object detection networks with the adversarial examples by applying the adaptive cumulation of object-based gradients and adding the adaptive object-based adversarial perturbations merely onto objects rather than the whole frame of input images. AO 2 AM can effectively make the representations of generated adversarial samples close to the decision boundary in the latent space, and force deep neural detection networks to yield inaccurate locations and false classification in the process of object detection. Compared with existing adversarial attack methods which generate adversarial perturbations acting on the global scale of the original inputs, the adversarial examples produced by AO 2 AM can effectively fool deep neural object detection networks and maintain a high structural similarity with corresponding clean inputs. Performing adversarial attacks on Faster R-CNN, AO 2 AM gains attack success rate (ASR) over 98.00% on pre-processed Pascal VOC 2007&2012 (Val), and reaches SSIM over 0.870. In Fooling SSD, AO 2 AM receives SSIM exceeding 0.980 on L 2 norm constraint. On SSIM and Mean Attack Ratio, AO 2 AM outperforms adversarial attack methods based on global scale perturbations.

computer science, artificial intelligence,engineering, electrical & electronic

Wanghan Jiang,Yue Zhou,Xue Jiang

DOI: https://doi.org/10.1109/igarss52108.2023.10281657

2023-01-01

Abstract:Object detection in remote sensing images is an essential application of deep learning. However, due to the vulnerability of deep learning models, they are susceptible to adversarial attacks, which can undermine their reliability and accuracy. While significant progress has been made in the field of adversarial attacks, most of the work has focused on image classification tasks due to the complexity of object detection. In this paper, we propose a target camouflage method based on adversarial attacks that can mislead detectors and hide targets with minimal pixel perturbations. Experiments on the DIOR dataset demonstrate the effectiveness of our approach. Our method generates adversarial examples that can successfully fool Faster R-CNN into failing to detect objects with minimal perturbations.

Yier Wei,Haichang Gao,Xingyi Quan,Guotu Luo

DOI: https://doi.org/10.1109/ijcnn60899.2024.10651486

2024-01-01

Abstract:Deep neural networks are widely used in tasks such as autonomous driving and computer vision. Previous studies have shown that it is susceptible to adversarial attacks, resulting in erroneous outputs. However, adversarial attacks against object detection networks are difficult to implement due to the high complexity of the object detection algorithm itself. We propose a transferable adversarial attack method for object detection networks, and collect a large number of real car images for model training and testing. We design a classification probability loss function based on inter-class probability distribution and an IoU loss function based on the predicted bounding box to train the generation of adversarial perturbations. The perturbation is covered on the hood of the car so that the vehicle can successfully escape the object detection model. At the same time, we place the printed adversarial patch on real-world cars and use methods such as perspective transformation and affine transformation to enhance the robustness of adversarial attacks in various complex physical environments. The experimental results in indoor and outdoor scenes show that the adversarial perturbation jointly trained by the above two loss functions can successfully attack the YOLOv3 detector, reducing the number of cars detected by the detector by 91.2% and 90.7% respectively. The proposed attack method performs well in both the digital and physical domains and can be transferred between different detection models.

Ka-Ho Chow,Ling Liu,Mehmet Emre Gursoy,Stacey Truex,Wenqi Wei,Yanzhao Wu

DOI: https://doi.org/10.48550/arXiv.2007.05828

2020-07-12

Abstract:Deep neural networks based object detection models have revolutionized computer vision and fueled the development of a wide range of visual recognition applications. However, recent studies have revealed that deep object detectors can be compromised under adversarial attacks, causing a victim detector to detect no object, fake objects, or mislabeled objects. With object detection being used pervasively in many security-critical applications, such as autonomous vehicles and smart cities, we argue that a holistic approach for an in-depth understanding of adversarial attacks and vulnerabilities of deep object detection systems is of utmost importance for the research community to develop robust defense mechanisms. This paper presents a framework for analyzing and evaluating vulnerabilities of the state-of-the-art object detectors under an adversarial lens, aiming to analyze and demystify the attack strategies, adverse effects, and costs, as well as the cross-model and cross-resolution transferability of attacks. Using a set of quantitative metrics, extensive experiments are performed on six representative deep object detectors from three popular families (YOLOv3, SSD, and Faster R-CNN) with two benchmark datasets (PASCAL VOC and MS COCO). We demonstrate that the proposed framework can serve as a methodical benchmark for analyzing adversarial behaviors and risks in real-time object detection systems. We conjecture that this framework can also serve as a tool to assess the security risks and the adversarial robustness of deep object detectors to be deployed in real-world applications.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Hua Ma,Yinshan Li,Yansong Gao,Zhi Zhang,Alsharif Abuadbba,Anmin Fu,Said F. Al-Sarawi,Nepal Surya,Derek Abbott

2023-09-02

Abstract:Object detection is the foundation of various critical computer-vision tasks such as segmentation, object tracking, and event detection. To train an object detector with satisfactory accuracy, a large amount of data is required. However, due to the intensive workforce involved with annotating large datasets, such a data curation task is often outsourced to a third party or relied on volunteers. This work reveals severe vulnerabilities of such data curation pipeline. We propose MACAB that crafts clean-annotated images to stealthily implant the backdoor into the object detectors trained on them even when the data curator can manually audit the images. We observe that the backdoor effect of both misclassification and the cloaking are robustly achieved in the wild when the backdoor is activated with inconspicuously natural physical triggers. Backdooring non-classification object detection with clean-annotation is challenging compared to backdooring existing image classification tasks with clean-label, owing to the complexity of having multiple objects within each frame, including victim and non-victim objects. The efficacy of the MACAB is ensured by constructively i abusing the image-scaling function used by the deep learning framework, ii incorporating the proposed adversarial clean image replica technique, and iii combining poison data selection criteria given constrained attacking budget. Extensive experiments demonstrate that MACAB exhibits more than 90% attack success rate under various real-world scenes. This includes both cloaking and misclassification backdoor effect even restricted with a small attack budget. The poisoned samples cannot be effectively identified by state-of-the-art detection techniques.The comprehensive video demo is at <a class="link-external link-https" href="https://youtu.be/MA7L_LpXkp4" rel="external noopener nofollow">this https URL</a>, which is based on a poison rate of 0.14% for YOLOv4 cloaking backdoor and Faster R-CNN misclassification backdoor.

Computer Vision and Pattern Recognition,Cryptography and Security

Pham Phuc,Son Vuong,Khang Nguyen,Tuan Dang

2024-12-25

Abstract:Deep learning-based object detection has become ubiquitous in the last decade due to its high accuracy in many real-world applications. With this growing trend, these models are interested in being attacked by adversaries, with most of the results being on classifiers, which do not match the context of practical object detection. In this work, we propose a novel method to fool object detectors, expose the vulnerability of state-of-the-art detectors, and promote later works to build more robust detectors to adversarial examples. Our method aims to generate adversarial images by perturbing object confidence scores during training, which is crucial in predicting confidence for each class in the testing phase. Herein, we provide a more intuitive technique to embed additive noises based on detected objects' masks and the training loss with distortion control over the original image by leveraging the gradient of iterative images. To verify the proposed method, we perform adversarial attacks against different object detectors, including the most recent state-of-the-art models like YOLOv8, Faster R-CNN, RetinaNet, and Swin Transformer. We also evaluate our technique on MS COCO 2017 and PASCAL VOC 2012 datasets and analyze the trade-off between success attack rate and image distortion. Our experiments show that the achievable success attack rate is up to $100$\% and up to $98$\% when performing white-box and black-box attacks, respectively. The source code and relevant documentation for this work are available at the following link: <a class="link-external link-https" href="https://github.com/anonymous20210106/attack_detector" rel="external noopener nofollow">this https URL</a>

Computer Vision and Pattern Recognition

Guijian Tang,Tingsong Jiang,Weien Zhou,Chao Li,Wen Yao,Yong Zhao

DOI: https://doi.org/10.1016/j.neucom.2023.03.050

IF: 6

2023-04-05

Neurocomputing

Abstract:Although Deep Neural Networks (DNNs)-based object detectors are widely used in various fields, especially on aerial imagery object detections, it has been observed that a small elaborately designed patch attached to the images can mislead the DNNs-based detectors into producing erroneous output. However, the target detectors being attacked are quite simple, and the attack efficiency is relatively low in previous works, making it not practicable in real scenarios. To address these limitations, a new adversarial patch attack algorithm is proposed in this paper. Firstly, we designed a novel loss function using the intermediate outputs of the models rather than the model's final outputs interpreted by the detection head to optimize adversarial patches. The experiments conducted on the DOTA, RSOD, and NWPU VHR-10 datasets demonstrate that our method can significantly degrade the performance of the detectors. Secondly, we conducted intensive experiments to investigate the impact of different outputs of the detection model on generating adversarial patches, demonstrating the class score is not as effective as the objectness score. Thirdly, we comprehensively analyzed the attack transferability across different aerial imagery datasets, verifying that the patches generated on one dataset are also effective in attacking another. Moreover, we proposed ensemble training to boost the attack's transferability across models. Our work alarms the application of DNNs-based object detectors in aerial imagery.

computer science, artificial intelligence

Tao Bai,Jinqi Luo,Jun Zhao

DOI: https://doi.org/10.48550/arXiv.2106.15202

2021-06-29

Computer Vision and Pattern Recognition

Abstract:Deep learning based image recognition systems have been widely deployed on mobile devices in today's world. In recent studies, however, deep learning models are shown vulnerable to adversarial examples. One variant of adversarial examples, called adversarial patch, draws researchers' attention due to its strong attack abilities. Though adversarial patches achieve high attack success rates, they are easily being detected because of the visual inconsistency between the patches and the original images. Besides, it usually requires a large amount of data for adversarial patch generation in the literature, which is computationally expensive and time-consuming. To tackle these challenges, we propose an approach to generate inconspicuous adversarial patches with one single image. In our approach, we first decide the patch locations basing on the perceptual sensitivity of victim models, then produce adversarial patches in a coarse-to-fine way by utilizing multiple-scale generators and discriminators. The patches are encouraged to be consistent with the background images with adversarial training while preserving strong attack abilities. Our approach shows the strong attack abilities in white-box settings and the excellent transferability in black-box settings through extensive experiments on various models with different architectures and training methods. Compared to other adversarial patches, our adversarial patches hold the most negligible risks to be detected and can evade human observations, which is supported by the illustrations of saliency maps and results of user evaluations. Lastly, we show that our adversarial patches can be applied in the physical world.

Kai Xu,Xiao Cheng,Ji Qiao,Jia-Teng Li,Kai-Xuan Ji,Jia-Yong Zhong,Peng Tian,Jian-Xun Mi

DOI: https://doi.org/10.1109/access.2024.3508760

IF: 3.9

2024-12-07

IEEE Access

Abstract:Adversarial attack has gradually become an important branch in the field of artificial intelligence security, where the potential threat brought by adversarial example attack is more not to be ignored. This paper proposes a new attack mode for the task of object detection. We find that by attacking the localization task in object detection, a kind of adversarial attack on target bounding boxes can be realized. We discover that, for a certain target in the input image, the areas concerned by the classification and localization of the object detection model are determined but different. Therefore, we propose a local perturbation based adversarial attack method for object detection localization, which identifies key areas affecting target localization and adds adversarial perturbations to these areas to achieve bounding box attacks on target bounding box localization while ensuring high stealthiness. Experimental results on MS COCO dataset and self-built dataset show that our method generates adversarial examples that can make the object detector locate abnormally. More importantly, studying adversarial example attack is beneficial to understanding deep networks and developing robust models.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yue Xu,Chuanming Wang,Xiaolong Zheng,Yi Huang,Peilun Du,Zeyuan Zhou,Liang Liu,Huadong Ma

DOI: https://doi.org/10.3233/faia240670

2024-01-01

Abstract:Remarkable advancements have been made in the field of object detection, and given its widespread application, it is of paramount importance to investigate the robustness of detection models. However, previous methods have primarily focused on models based on Convolutional Neural Networks (CNNs), seriously neglecting the Transformer-based models that develop rapidly but exhibit obvious differences in terms of information processing. Therefore, this paper aims to address this gap by exploring potential attacks arising from the self-attention mechanism inhered in Transformer. Specifically, we propose a novel adversarial attack scenario targeting Transformer-based object detection models, where only objects of specific class fail to be detected, while irrelevant objects remain undisturbed. Therefore, human perception is hard to find errors even with the detector fail. To achieve this goal, we introduce an adversarial patch generation method, termed Class-Specific Adversarial (CSAdv) patches, which simultaneously leverages class probability to attack specific objects and utilizes the output from Transformer decoder structures, Query Output, to protect irrelevant objects. Due to the long-range interactions of Transformer, the adversarial patch does not need to directly cover or closely surround the specific objects. Instead, it achieves remote targeted attacks simply by being placed in the corner of image, which greatly enhances the concealment of patches. Extensive experiments are conducted on various benchmark datasets and Transformer-based baselines, and the experimental results show that CSAdv can effectively mask certain class while keeping other classes as unaffected as far as possible.

Guijian Tang,Wen Yao,Tingsong Jiang,Yong Zhao,Jialiang Sun

DOI: https://doi.org/10.1016/j.neucom.2024.127431

IF: 6

2024-02-22

Neurocomputing

Abstract:Although adversarial attacks have revealed weaknesses in Deep Neural Networks (DNNs)-based aerial detectors, they present a new paradigm for concealing vulnerable assets from autonomous detection systems onboard satellites. Among them, adversarial patches were widely applied due to their physical realizability. Nonetheless, most existing adversarial patch-based attack methods are developed to hide objects from detectors to achieve a vanishing attack. This paper proposes a novel Adversarial Patch False Positive Creation Attack (APFP-CA) framework that enables aerial detectors to recognize non-existent objects, thereby realizing a creation attack. Concretely, the APFP-CA models the creation attack as a two-stage optimization problem. The first stage uses a well-designed efficient loss function to increase the objectness score of patches placed anywhere in the scene to achieve untargeted attacks. The second stage involves elaborating two category-dependent loss functions for fulfilling targeted attacks. Experiments conducted on diverse datasets and detectors demonstrate the effectiveness and universality of our method. Transfer attacks across different datasets and models validate the generalizability of the optimized adversarial patches. Finally, we perform several proportionally scaled experiments physically to illustrate that the optimized adversarial patches can successfully deceive aerial detectors in the physical world. The proposed approach offers a novel contribution to adversarial attacks against aerial imagery objectors and holds potential for practical applications in high-security systems.

computer science, artificial intelligence

Yingxin Qin,Kejia Zhang,Haiwei Pan

DOI: https://doi.org/10.1016/j.cose.2023.103460

IF: 5.105

2023-01-01

Computers & Security

Abstract:In recent years, deep learning security has become a hot research topic, and attackers often use well-designed adversarial examples as input to trick the deep learning model, especially in object detection. Recently, the adversarial patch has been widely used in the attack of the object detector by adding a continuous region of noise to the image. However, current research on the adversarial patch for object detectors has certain limitations. The adversarial attack performance tends to degrade when certain regions of the adversarial patch are accidentally obscured. So the two-stage method based on Generative Adversarial Network (TS-GAN) is proposed to address this issue. To train the generator, the TS-GAN uses the occlusion rule to simulate various situations where patches are occluded in physical scenes. Then the generator's parameters are fixed, and the optimization method is adopted to select the latent variables to generate the most effective adversarial patches. The results of extensive experiments in the digital world and physical environments show that our method achieves stable attack performance under complex conditions which are different occlusion.

Chao Zhou,Yuan-Gen Wang,Guopu Zhu

DOI: https://doi.org/10.48550/arXiv.2210.08472

2022-10-16

Abstract:Deep neural networks are facing severe threats from adversarial attacks. Most existing black-box attacks fool target model by generating either global perturbations or local patches. However, both global perturbations and local patches easily cause annoying visual artifacts in adversarial example. Compared with some smooth regions of an image, the object region generally has more edges and a more complex texture. Thus small perturbations on it will be more imperceptible. On the other hand, the object region is undoubtfully the decisive part of an image to classification tasks. Motivated by these two facts, we propose an object-attentional adversarial attack method for untargeted attack. Specifically, we first generate an object region by intersecting the object detection region from YOLOv4 with the salient object detection (SOD) region from HVPNet. Furthermore, we design an activation strategy to avoid the reaction caused by the incomplete SOD. Then, we perform an adversarial attack only on the detected object region by leveraging Simple Black-box Adversarial Attack (SimBA). To verify the proposed method, we create a unique dataset by extracting all the images containing the object defined by COCO from ImageNet-1K, named COCO-Reduced-ImageNet in this paper. Experimental results on ImageNet-1K and COCO-Reduced-ImageNet show that under various system settings, our method yields the adversarial example with better perceptual quality meanwhile saving the query budget up to 24.16\% compared to the state-of-the-art approaches including SimBA.

Computer Vision and Pattern Recognition