基于特征图关注区域的目标检测对抗攻击方法

doi:10.3778/j.issn.1002-8331.2206-0184

摘要/Abstract

摘要： 目标检测在无人驾驶、监控安防等领域应用广泛，但研究发现目标检测系统易受对抗样本影响导致性能下降，对其应用安全造成了巨大危险。当前的目标检测对抗攻击方法大多针对某一类目标检测模型进行攻击，普遍存在迁移能力弱的问题。为解决上述问题，基于生成对抗网络提出了一种目标检测对抗攻击方法，该方法针对检测模型中常用的非极大值抑制机制和检测模型的特征图关注区域设计了位置回归攻击损失，通过该损失优化攻击，能够使模型的非极大值抑制机制失效，引导生成的候选框偏离预测的关注区域，导致模型预测失败。在VOC数据集上进行实验，该方法能够有效攻击Faster-RCNN、SSD300、SSD512、Retinanet、YOLOv5、One-Net等多种类型的目标检测模型，有效提升了目标检测攻击方法的迁移能力。

关键词: 目标检测, 对抗攻击, 生成对抗网络, 迁移性, 非极大值抑制, 关注区域

Abstract: Object detection is widely used in the fields of unmanned driving, monitoring and security. However, it is found that the object detection system is vulnerable to the impact of adversarial examples, resulting in performance degradation, which poses a great danger to its application safety. Most of the adversarial examples for object detection are only designed for a certain type of object detection model, and their transferability is weakly. In order to solve the above problem, based on the generative adversarial networks, an adversarial examples method for object detection is proposed. In this method, a position regression attack loss is designed for the non-maximum suppression mechanism, which is commonly used in the detection model and the key regions predicted by the detection model. Through this loss, the non-maximum suppression mechanism of the model is invalid, and the generated region proposals are guided to deviate from the predicted key regions, resulting in the failure of the model prediction. The experimental results on VOC dataset show that the proposed method can effectively attack object detection models, such as Faster-RCNN, SSD300, SSD512, RetinaNet, YOLOv5, One-Net, etc., which improve the transferability of the adversarial examples for object detection.

Key words: object detection, adversarial attack, generative adversarial network（GAN）, transferability, non-maximum suppression, region of interest

王烨奎, 曹铁勇, 郑云飞, 方正, 王杨, 刘亚九, 付炳阳, 陈雷. 基于特征图关注区域的目标检测对抗攻击方法[J]. 计算机工程与应用, 2023, 59(2): 261-270.

WANG Yekui, CAO Tieyong, ZHENG Yunfei, FANG Zheng, WANG Yang , LIU Yajiu, FU Bingyang, CHEN Lei. Adversarial Attacks for Object Detection Based on Region of Interest of Feature Maps[J]. Computer Engineering and Applications, 2023, 59(2): 261-270.

参考文献

[1] GOODFELLOW I，SHLENS J，SZEGEDY C，et al.Explaining and harnessing adversarial examples[J].arXiv：1412.6572，2014.
[2] KURAKIN A，GOODFELLOW I，BENGIO S，et al.Adversarial machine learning at scale[J].arXiv：1611.01236，2016.
[3] DONG Yinpeng，LIAO Fangzhou，PANG Tianyu，et al.Boosting adversarial attacks with momentum[C]//Proceedings of the IEEE Conf on Computer Vision and Pattern Recognition.Piscataway，NJ：IEEE，2018：9185-9193.
[4] LIU Yanpei，CHEN Xinyun，LIU Chang，et al.Delving into transferable adversarial examples and black-box attacks[J].arXiv：1611.02770，2016.
[5] MADRY A，MAKELOV A，SCHMIDT L，et al.Towards deep learning models resistant to adversarial attacks[J].arXiv：1706.06083v4，2017.
[6] PAPERNOT N，MCDANIEL P，GOODFELLOW I，et al.Practical black-box attacks against deep learning systems using adversarial examples[J].arXiv：1602.02697v3，2016.
[7] CHEN Pinyu，ZHANG Huan，SHARMA Y，et al.ZOO：zeroth order optimization based black-box attacks to deep neural networks without training substitute models[C]//Proceedings of the 10th ACM Workshop.NewYork：ACM，2017：15-26.
[8] WIELAND B，JONAS R，MATTHIAS B.Decision-based adversarial attacks：reliable attacks against black-box machine learning models[J].arXiv：1712.04248，2017.
[9] REN S，HE K，GIRSHICK R，et al.Faster R-CNN：towards real-time object detection with region proposal networks[J].IEEE Transactions on Pattern Analysis and Machine Intelligence，2017，39（6）：1137-1149.
[10] XIE Cihang，WANG Jianyu，ZHANG Zhishuai，et al.Adversarial examples for semantic segmentation and object detection[C]//Proceedings of International Conference on Computer Vision.Piscataway，NJ：IEEE，2017：1369-1378.
[11] LI Y，TIAN D，CHANG M C，et al.Robust adversarial perturbation on deep proposal-based models[J].arXiv：1809.
05962，2018.
[12] REDMON J，DIVVALA S，GIRSHICK R，et al.You only look once：unified，real-time object detection[C]//Proceedings of Conference on Computer Vision and Pattern Recognition.Piscataway，NJ：IEEE，2016：779-788.
[13] WANG Derui，LI Chaoran，WEN Sheng，et al.Daedalus：breaking nonmaximum suppression in object detection via adversarial examples[J].IEEE Transactions on Cybernetics，2021，51（1）：1-14.
[14] WEI Xingxing，LIANG Siyuan，CHEN Ning，et al.Transferable adversarial attacks for image and video object detection[C]//Proceedings of the 28th International Joint Conference on Artificial Intelligence，2018：954-960.
[15] SELVARAJU R R，COGSWELL M，DAS A，et al.Grad-CAM：visual explanations from deep networks via gradient-based localization[C]//Proceedings of the International Conference on Computer Vision.Piscataway，NJ：IEEE，2017：618-626.
[16] LIU W，ANGUELOV D，ERHAN D，et al.SSD：single shot multibox detector[C]//Proceedings of European Conference on Computer Vision.Berlin：Springer，2016：21-37.
[17] LIN T Y，GOYAL P，GIRSHICK R，et al.Focal loss for dense object detection[C]//Proceedings of the International Conference on Computer Vision.Piscataway，NJ：IEEE，2017：2980-2988.
[18] SUN P，JIANG Y，XIE E，et al.What makes for end-to-end object detection[C]//Proceedings of the 38th International Conference on Machine Learning，2021：9934-9944.
[19] GIRSHICK R，DONAHUE J，DARRELL T，et al.Rich feature hierarchies for accurate object detection and semantic segmentation[C]//Proceedings of Conference on Computer Vision and Pattern Recognition，Columbus.Piscataway，NJ：IEEE，2014：580-587.
[20] CAI Z，VASCONCELOS N.Cascade R-CNN：delving into high quality object detection[C]//Proceedings of Conference on Computer Vision and Pattern Recognition.Piscataway，NJ：IEEE，2018：6154-6162.
[21] TIAN Z，SHEN C，CHEN H，et al.FCOS：fully convolutional one-stage object detection[C]//Proceedings of International Conference on Computer Vision.Piscataway，NJ：IEEE，2019：9626-9635.
[22] LAW H，DENG J.Cornernet：detecting objects as paired keypoints[C]//Proceedings of the European Conference on Computer Vision.Berlin：Springer，2018：734-750.
[23] PEIZE S，YI J，ENZE X，et al.OneNet：towards end-to-end one-stage object detection[J].arXiv：2012.05780v1，2020.
[24] DOSOVITSKIY A，BEYER L，KOLESNIKOV A，et al.An image is worth 16x16 words：transformers for image recognition at scale[J].arXiv：2010.11929，2020.
[25] LIU Ze，LIN Yutong，CAO Yue，et al.Swin transformer：hierarchical vision transformer using shifted windows[C]//Proceedings of the International Conference on Computer Vision.Piscataway，NJ：IEEE，2021：10012-10022.

[26] LIAO Q，WANG X，KONG B，et al.Category-wise attack：transferable adversarial examples for anchor free object detection[J].arXiv：2003.04367，2020.

[27] ULYANOV D，VEDALDI A，LEMPITSKY V.Improved texture networks：maximizing quality and diversity in feedforward stylization and texture synthesis[C]//Proceedings of the IEEE Conf on Computer Vision and Pattern Recognition.Piscataway，NJ：IEEE，2017：4105-4113.