Abstract
Adversarial patch attacks present a significant threat to real-world object detectors due to their practical feasibility. Existing defense methods, which rely on attack data or prior knowledge, struggle to effectively address a wide range of adversarial patches. In this paper, we show two inherent characteristics of adversarial patches, semantic independence and spatial heterogeneity, independent of their appearance, shape, size, quantity, and location. Semantic independence indicates that adversarial patches operate autonomously within their semantic context, while spatial heterogeneity manifests as distinct image quality of the patch area that differs from the original clean image due to the independent generation process. Based on these observations, we propose PAD, a novel adversarial patch localization and removal method that does not require prior knowledge or additional training. PAD offers patch-agnostic defense against various adversarial patches and is compatible with any pre-trained object detector. Our comprehensive digital and physical experiments involving diverse patch types, such as localized noise, printable, and naturalistic patches, exhibit notable improvements over state-of-the-art works. Our code is available at this https URL.
Abstract (translated)
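Adversarial patch attacks pose a significant security threat to real-world object detectors because of their practical feasibility. Existing defense methods, which rely on attack data or prior knowledge, have difficulty coping effectively with a wide range of adversarial patches. In this paper, we show two inherent characteristics of adversarial patches, semantic independence and spatial heterogeneity, regardless of their shape, size, quantity, and location. Semantic independence indicates that adversarial patches act on their own within their semantic context, while spatial heterogeneity appears as a marked difference in image quality between the patch area and the original clean image, caused by the independent generation process. Based on these observations, we propose PAD, a novel adversarial patch localization and removal method that requires no prior knowledge or additional training. PAD can defend against various adversarial patches and is compatible with any pre-trained object detector. We carry out comprehensive digital and physical experiments on various patch types (such as localized noise, printable, and naturalistic patches), and the results show notable improvements over state-of-the-art works. Our code can be accessed here: https://www.thuatminh.com/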
URL
https://arxiv.org/abs/2404.16452