Abstract
Modern object detectors are vulnerable to adversarial examples, which may bring risks to real-world applications. The sparse attack is an important task which, compared with the popular adversarial perturbation on the whole image, needs to select the potential pixels, a selection that is generally regularized by an $\ell_0$-norm constraint, and simultaneously optimize the corresponding texture. The non-differentiability of the $\ell_0$ norm brings challenges, and many works on attacking object detection adopted manually-designed patterns to address them, which are meaningless and independent of objects, and therefore lead to relatively poor attack performance. In this paper, we propose Adversarial Semantic Contour (ASC), an MAP estimate of a Bayesian formulation of sparse attack with a deceived prior of object contour. The object contour prior effectively reduces the search space of pixel selection and improves the attack by introducing more semantic bias. Extensive experiments demonstrate that ASC can corrupt the prediction of 9 modern detectors with different architectures (e.g., one-stage, two-stage and Transformer) by modifying fewer than 5% of the pixels of the object area in COCO in the white-box scenario and around 10% of those in the black-box scenario. We further extend the attack to datasets for autonomous driving systems to verify the effectiveness. We conclude with cautions about contour being the common weakness of object detectors with various architectures and the care needed in applying them in safety-sensitive scenarios.
Abstract (translated)
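Modern object detectors are vulnerable to adversarial examples, which may pose risks to real-world applications. The sparse attack is an important task which, compared with adversarial perturbation of the whole image, requires selecting the candidate pixels, usually regularized by an $\ell_0$ constraint, while simultaneously optimizing the corresponding texture. The discontinuity of the $\ell_0$ regularization brings challenges, and many works attacking object detection adopt manually designed patterns to address them; these patterns are meaningless and independent of the objects, and therefore lead to relatively poor attack performance. In this paper, we propose Adversarial Semantic Contour (ASC), a MAP estimate of the sparse attack within a Bayesian framework. The object contour prior effectively reduces the pixel-selection search space and improves the attack by introducing more semantic bias. Extensive experiments show that ASC can corrupt the predictions of modern object detectors with different architectures (e.g., one-stage, two-stage and Transformer). We also extend the attack to datasets for autonomous driving systems to verify its effectiveness. We conclude that contour is a common weakness of object detectors of various architectures, and that caution is needed when applying them in safety-sensitive scenarios.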
URL
https://arxiv.org/abs/2303.00284