On Physical Adversarial Patches for Object Detection
MarkLee1 J.ZicoKolter1
1Computer Science Department, Carnegie Mellon University, Pittsburgh, PA 15213, USA. Correspondence to: Mark Lee [email protected].
发表于:ICML 2019 Workshop on Security and Privacy of Machine Learning
不同于以前的物理攻击,必须将对抗块覆盖于目标上(overlap with the objects ),
我们设计的对抗块可以位于图像当中的任意位置,且可以攻击目标检测器(YOLOv3)误检测图像当中的所有目标,即使目标远离对抗块( we can place the patch anywhere in the image, causing all existing objects in the image to be missed entirely by the detector, even those far away from thepatchitself. )。
1 Introduction
However, in the object detection setting, these attacks have required a user to manipulate the object being attacked itself, i.e.(即,表示解释), by placing the patch over the object.
2.Related Work
2.1.Adversarial Patch for Classification
The goal is to produce localized, robust, and universal perturbations that are applied to an image by masking instead of adding pixels.
However, because classification systems only classify each image as a single class, to some extent this attack relies on the fact that it can simply place a high-confidence “deep net toaster” into an image (even if it does not look like a toaster to humans) and override other classes in the image.
2.2.Adversarial Patches for Image Segmentation
The work that bears the most similarity to our own is the DPatch method (Liu et al., 2018), the DPatch method was only tested on digital images, and contains a substantial flaw that makes it unsuitable for real experiments: the patches produced in the DPatch work are never clipped to the allowable image range (i.e., clipping colors to the [0,1] range) and thus do not correspond to actual perturbed images.
Furthermore, it is not trivial to use the DPatch loss to obtain valid adversarial images: we compare this approach to our own and show that we are able to generate substantially stronger attacks.
YOLO is a “one-shot” object detector with state-of-the-art performance on certain metrics running up to 3×faster than other models
3. Methodology
3.1 Notation
J(hθ(x),y) 损失函数
3.2. Attack Formulation方式
Here we present our methodology for creating adversarial patches for object detection.
We consider the following mathematical formulation of finding an adversarial patch:
我们采用了一种更简单的方法,简单地从表面值( face value )来考虑优化问题,并直接针对原始目标样本求损失最大化。这本质上就是标准的无目标PGD方法,我们的更新方法如下:
3.3.Experimental Setup
We evaluate on YOLOv3 pretrained for COCO 2014 (Lin et al., 2014) (416 × 416 pixels). The implementation of YOLOv3 achieves around 55.4% mAP-50(mAP at 0.5 IOU metric) using an object-confidence threshold of 0.001 for non-max suppression.
We define a“step”as 1,000 iterations. The following experiments were run for 300 steps with an initial learning rate of 0.1 and momentum of 0.9, which were chosen heuristically. Learning rate was decayed by 0.95 every 5 steps,很详细。
3.4.Unclipped Attack
For the unclipped attack, our method performs the update in Equation 2, except without clipping. The purpose is to benchmark against DPatch which uses Equation 1. 与DPatch攻击作对比。
Figure 1 shows that our method achieves approximately 0 mAP after only 5 steps, whereas DPatch converges to roughly 3 mAP after 50 steps.
Table 1 shows the overall mAP as well as smallest and largest per-class APs for various confidence thresholds.
To verify that our patch attacks at the bounding box proposal level, we plot the pre-non-max suppression bounding box confidence scores for a random image, shown in Figure 2.
3.5.Clipped Attack
For the clipped attack, our method performs
Figure 3 shows the loss and mAP plots for a clipped patch with all transforms as described in subsection 3.3.
3.6.Physical Attack
Figure 6 shows a printed version of our patch attacking YOLOv3 running real-time with a standard webcam. The patch was printed on regular printer paper and recorded under natural lighting.
我们怀疑DPatch的挣扎是因为它把所有的ground truth boxes都集中在了patch周围——它最终驻留在一个单独的单元中,这意味着损失主要是由对该单元负责的提议造成的.只要这个补丁被识别出来,这个模型就不会因为预测所有其他对象而受到什么惩罚,也许会因为客观度得分而受到惩罚,但不会因为边界框或类标签而受到惩罚。即使模型的行为变化不大,损失也可以减少。而在实际应用中,该补丁通常能够在不抑制其他检测的情况下,实现高置信度的检测。在我们的方法中,每个网格单元都被一个ground truth box覆盖,这就造成了损失,当模型不能预测任何ground truth box时,损失增加最多。