Black-box Transferable Attack Method for Object Detection Based on GAN

被引:0
|
作者
Lu Y.-X. [1 ]
Liu Z.-Y. [2 ]
Luo Y.-G. [3 ]
Deng S.-Y. [1 ]
Jiang T. [3 ]
Ma J.-Y. [3 ]
Dong Y.-P. [1 ,2 ]
机构
[1] Beijing RealAI Intelligent Technology Co. Ltd., Beijing
[2] Department of Computer Science and Technology, Tsinghua University, Beijing
[3] Chongqing Changan Automobile Software Technology Co. Ltd., Chongqing
来源
Ruan Jian Xue Bao/Journal of Software | 2024年 / 35卷 / 07期
关键词
adversarial attack; attention loss; black-box transferable attack; generative adversarial network (GAN); object detection;
D O I
10.13328/j.cnki.jos.006937
中图分类号
学科分类号
摘要
Object detection is widely used in various fields such as autonomous driving, industry, and medical care. Using the object detection algorithm to solve key tasks in different fields has gradually become the main method. However, the robustness of the object detection model based on deep learning is seriously insufficient under the attack of adversarial samples. It is easy to make the model prediction wrong by adding the adversarial samples constructed by small perturbations, which greatly limits the application of the object detection model in key security fields. In practical applications, the models are black-box models. Related research on black-box attacks against object detection models is relatively lacking, and there are many problems such as incomplete robustness evaluation, low attack success rate of black-box, and high resource consumption. To address the aforementioned issues, this study proposes a black-box object detection attack algorithm based on a generative adversarial network. The algorithm uses the generative network fused with an attention mechanism to output the adversarial perturbations and employs the alternative model loss and the category attention loss to optimize the generated network parameters, which can support two scenarios of target attack and vanish attack. A large number of experiments are conducted on the Pascal VOC and the MSCOCO datasets. The results demonstrate that the proposed method has a higher black-box transferable attack success rate and can perform transferable attacks between different datasets. © 2024 Chinese Academy of Sciences. All rights reserved.
引用
收藏
页码:3531 / 3550
页数:19
相关论文
共 62 条
  • [1] Li JZ, Su H, Zhu J, Wang SY, Zhang B., Textbook question answering under instructor guidance with memory networks, Proc. of the 2018 IEEE/CVF Conf. on Computer Vision and Pattern Recognition, pp. 3655-3663, (2018)
  • [2] Gong ZQ, Zhong P, Yu Y, Hu WD, Li ST., A CNN with multiscale convolution and diversified metric for hyperspectral image classification, IEEE Trans. on Geoscience and Remote Sensing, 57, 6, pp. 3599-3618, (2019)
  • [3] Gong ZQ, Zhong P, Hu WD., Statistical loss and analysis for deep learning in hyperspectral image classification, IEEE Trans. on Neural Networks and Learning Systems, 32, 1, pp. 322-333, (2021)
  • [4] Albert A, Kaur J, Gonzalez MC., Using convolutional networks and satellite imagery to identify patterns in urban environments at a large scale, Proc. of the 23rd ACM SIGKDD Int’l Conf. on Knowledge Discovery and Data Mining, pp. 1357-1366, (2017)
  • [5] Pritt M, Chern G., Satellite image classification with deep learning, Proc. of the 2017 IEEE Applied Imagery Pattern Recognition Workshop (AIPR), pp. 1-7, (2017)
  • [6] Zhao ZQ, Zheng P, Xu ST, Wu XD., Object detection with deep learning: A review, IEEE Trans. on Neural Networks and Learning Systems, 30, 11, pp. 3212-3232, (2019)
  • [7] Joseph KJ, Khan S, Khan FS, Balasubramanian VN., Towards open world object detection, Proc. of the 2021 IEEE/CVF Conf. on Computer Vision and Pattern Recognition, pp. 5826-5836, (2021)
  • [8] Ren SP, He KM, Girshick R, Sun J., Faster R-CNN: Towards real-time object detection with region proposal networks, IEEE Trans. on Pattern Analysis and Machine Intelligence, 39, 6, pp. 1137-1149, (2017)
  • [9] Liu W, Anguelov D, Erhan D, Szegedy C, Reed S, Fu CY, Berg AC., SSD: Single shot multibox detector, Proc. of the 14th European Conf. on Computer Vision, pp. 21-37, (2016)
  • [10] Redmon J, Farhadi A., YOLOv3: An incremental improvement, (2018)
1234567