DPAttack: Diffused Patch Attacks against Universal Object Detection
Shudeng Wu, Tao Dai, and Shu-Tao Xia
Tsinghua Shenzhen International Graduate School, Tsinghua University, Shenzhen, China
PCL Research Center of Networks and Communications, Peng Cheng Laboratory, Shenzhen, China
[email protected], [email protected], [email protected]
Abstract
Recently, deep neural networks (DNNs) have been widely and successfully used in object detection, e.g. Faster RCNN, YOLO, and CenterNet. However, recent studies have shown that DNNs are vulnerable to adversarial attacks. Adversarial attacks against object detection can be divided into two categories: whole-pixel attacks and patch attacks. While these attacks add perturbations to a large number of pixels in images, we propose a diffused patch attack (DPAttack) that successfully fools object detectors with diffused patches of asteroid or grid shape, which change only a small number of pixels. Experiments show that our DPAttack successfully fools most object detectors with diffused patches, and we won second place in the Alibaba Tianchi competition: Alibaba-Tsinghua Adversarial Challenge on Object Detection. Our code can be obtained from https://github.com/Wu-Shudeng/DPAttack.

*Corresponding authors: Tao Dai and Shu-Tao Xia
Copyright © by the paper's authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).

Introduction

Object detection aims to locate objects (e.g. persons, dogs, flowers) in images. Recently, deep neural networks (DNNs) [14, 3, 5, 11, 1, 10] have been widely and successfully used in object detection; detectors can be categorized into two-stage and one-stage methods. Faster RCNN [14] and Cascade RCNN [3] are two-stage methods that first use a region proposal network (RPN) to obtain thousands of proposals and then classify these proposals into different classes. YOLO [1] and SSD [11] are one-stage methods that directly regress object bounding boxes and classify them.

One critical difference between two-stage and one-stage methods is the size of their feature maps. The feature map of Faster RCNN is down-sampled by 4x from the input image, while that of YOLOv4 is down-sampled by 32x. As a consequence, the features of Faster RCNN have a much smaller receptive field than those of YOLOv4. Meanwhile, two-stage methods like Faster RCNN contain an RoI pooling operation that attends to all features within a proposal region. These features have a smaller receptive field and contribute equally to proposal classification, which makes two-stage methods more robust to local perturbations. As our experiments show, two-stage detectors are harder to attack than one-stage detectors.

Adversarial attacks can fool models in many computer vision tasks, e.g. image classification [6, 4, 13], image segmentation [9, 7], face detection [17, 2], and object detection [16, 15, 8, 12]. Adversarial attacks against object detection can be divided into two categories: 1) whole-pixel attacks, which add perturbations to all pixels of an image under an L_p constraint (e.g. L_2, L_inf); 2) patch attacks, which add perturbations to local pixels in a quite small area of the image. However, both whole-pixel attacks and patch attacks require a large area of the image for their perturbations, which can be easily detected by human eyes or by detectors. We therefore aim to change as few pixels as possible and to keep the number of patches (connected domains of changed pixels) below 10.

Figure 1: Adversarial patches of asteroid shape (first row) and grid shape (second row).

To make our perturbation affect more features while changing as few pixels as possible, we design diffused patches of asteroid or grid shape (as shown in Figure 1). Specifically, we create asteroid-shaped or grid-shaped patches inside the bounding boxes of objects and use gradient-based methods (i.e. FGSM [6]) to update these patches iteratively. Meanwhile, both two-stage and one-stage detectors produce nearly thousands of proposals. To keep any proposal from escaping the attack, we design a loss that pays more attention to unsuccessfully attacked proposals and suppresses the introduction of false positive proposals. The main contributions of this paper are as follows:

• We design diffused patches of asteroid or grid shape, which affect more features in the feature map of detectors at the cost of changing only a small number of pixels.

• Our attacking loss pays more attention to unsuccessfully attacked proposals and suppresses the introduction of false positive proposals.

• Experiments show that our method successfully fools both two-stage and one-stage detectors while changing only a small number of pixels. We won second place in the Alibaba Tianchi competition: Alibaba-Tsinghua Adversarial Challenge on Object Detection.
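As a concrete illustration of how such diffused masks might be built, the sketch below constructs a grid-shaped mask inside one bounding box with numpy. The helper name, the `(x, y, width, height)` box format, and the `lines`/`thickness` parameters are our own illustrative choices, not code from the paper:

```python
import numpy as np

def grid_mask(h, w, bbox, lines=2, thickness=1):
    """Grid-shaped patch mask inside one bounding box.

    bbox = (x, y, bw, bh): top-left corner plus width/height.
    Draws `lines` horizontal and `lines` vertical strokes evenly
    spaced inside the box, i.e. a sketch of the grid-shaped patches
    in Figure 1.
    """
    x, y, bw, bh = bbox
    mask = np.zeros((h, w), dtype=np.uint8)
    for k in range(1, lines + 1):
        row = y + k * bh // (lines + 1)          # evenly spaced rows
        col = x + k * bw // (lines + 1)          # evenly spaced columns
        mask[row:row + thickness, x:x + bw] = 1  # horizontal stroke
        mask[y:y + bh, col:col + thickness] = 1  # vertical stroke
    return mask

# One grid patch in a 500x500 image stays far below the 2% pixel budget.
mask = grid_mask(500, 500, bbox=(100, 100, 200, 150), lines=2)
ratio = mask.sum() / mask.size  # changed-pixel ratio, well under 0.02
```

Thin strokes spanning the box are what makes the patch "diffused": they cross many receptive fields while touching few pixels.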
Approach

Two-stage object detectors use a region proposal network (RPN) to obtain thousands of proposals and then classify them. One-stage detectors directly regress the bounding boxes and scores of objects simultaneously, and we define the pair of a bounding box and a score as a proposal as well. To this end, we define P = {p_1, p_2, ..., p_N} as the proposals of both two-stage and one-stage detectors. Each element P_i = {x, y, h, w, s} in P contains five components: the left-top position, the height and width of the bounding box, and the scores of all predefined classes. Our attack only uses the scores of the predefined classes, and we write S = {s_1, ..., s_N | s_i ∈ R^C} for the scores corresponding to the proposals in P (C is the number of classes).

In order to affect more features in the feature map, we attach diffused patches to images. Besides, the patches must satisfy two conditions: 1) the number of patches is less than 10; 2) the total number of changed pixels is less than 2% of the total number of pixels in the image.

In this section, we introduce our proposed diffused patch attack in detail. Choosing the positions of the patches is the first problem of the diffused patch attack. Intuitively, attaching the patches inside the bounding boxes is the most effective way to fool detectors, and our visualization of gradients verifies this. To this end, we use the centers of the bounding boxes as the centers of the asteroid-shaped or grid-shaped patch masks (as shown in Figure 1).

The attacking loss aims to push the scores of all classes below a threshold and at the same time suppress the introduction of false positive proposals. We formulate the attacking loss as

L(x, M, δ) = Σ_{i=1}^{N} Σ_{c=1}^{C} max(0, f_i^c(x·(1−M) + δ·M) − t)   (1)

Here x ∈ R^{3×h×w}, M ∈ R^{3×h×w}, and δ ∈ R^{3×h×w} denote the input image, the patch mask, and the patch values, respectively. f_i^c(·) is the function that produces the score for class c of the i-th proposal, and t is the threshold score used to decide the category of an object (excluding background). Only positive proposals contribute to the loss, and false positive proposals are effectively suppressed. The details of the diffused patch attack are given in Algorithm 1.

Algorithm 1: Diffused Patch Attack
Input: model function f(·); an input image x; bounding boxes bboxes; maximum iterations T; score threshold t; step size α.
Output: the adversarial example x′.

  generate the mask M by taking the centers of bboxes as the centers of the masks
  δ ← 0, i ← 0, n ← +∞
  while i < T and n > 0 do
    l ← L(x, M, δ)
    δ ← δ − α · sign(∇_δ L(x, M, δ))
    δ ← max(0, min(δ, 255))
    n ← number of positive proposals
    i ← i + 1
  end while
  x′ ← x · (1 − M) + δ · M
  return x′

Experiments

The dataset is provided by the Alibaba Tianchi competition, Alibaba-Tsinghua Adversarial Challenge on Object Detection, and consists of 1000 images (500 × 500 in resolution) from the test data of MS COCO 2017.

We use multiple metrics to evaluate our proposed method. The first metric is the overall score (OS), which takes two aspects into account: the number of suppressed bounding boxes and the number of changed pixels.

OS(x, x′) = (2 − Σ_k R_k / 5000) · (1 − min(BB(x), BB(x′)) / BB(x))   (2)

Here R_k is the number of perturbed pixels in the k-th patch, and BB(·) is the number of object bounding boxes in an image. Perturbing fewer pixels (smaller R_k) and suppressing more bounding boxes in the adversarial example (smaller BB(x′)) make the overall score higher. Besides, we use the success rate (SR) to evaluate the performance of our attack; we deem an attack successful if it suppresses all bounding boxes in an image. The bounding box ratio (BBR) is the ratio between the number of bounding boxes of the adversarial examples and that of the original images.
APP is the average ratio between the number of perturbed pixels and the total number of pixels of the adversarial examples:

BBR = Σ_{i=1}^{N} BB(x′_i) / Σ_{i=1}^{N} BB(x_i),   APP = (1/N) Σ_{i=1}^{N} (Σ_k R_k) / (500 × 500)   (3)
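To make Eq. (1) and Algorithm 1 above concrete, here is a minimal numpy sketch. The detector is replaced by a stand-in scoring callback, since a real attack would backpropagate through the detector to get the gradient; the function names, the [0, 255] pixel range, and the callback interface are our own assumptions:

```python
import numpy as np

def attack_loss(scores, t):
    """Eq. (1): hinge loss over all proposal/class scores above threshold t.

    scores: (N, C) array of class scores f_i^c.  Proposals already below t
    contribute nothing, so the loss focuses on not-yet-suppressed proposals
    and gains nothing from pushing scores far below t (which would risk
    introducing false positives).
    """
    return np.maximum(0.0, scores - t).sum()

def dp_attack(x, mask, loss_and_grad, t=0.3, alpha=2.0, max_iter=50):
    """Algorithm 1 sketch: sign-gradient updates of the patch values delta.

    loss_and_grad(img) must return (loss, dL/d img) for the patched image;
    with a real detector this gradient would come from autograd.
    """
    delta = np.zeros_like(x)
    for _ in range(max_iter):
        patched = x * (1 - mask) + delta * mask
        loss, grad = loss_and_grad(patched)
        if loss == 0:                                  # all proposals suppressed
            break
        delta = delta - alpha * np.sign(grad) * mask   # update inside the mask only
        delta = np.clip(delta, 0.0, 255.0)             # keep a valid pixel range
    return x * (1 - mask) + delta * mask
```

With a toy "detector" whose single proposal score is the mean image brightness, the loop darkens the masked pixels and lowers the score while leaving every pixel outside the mask untouched.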
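A small numpy sketch of the three evaluation metrics above. The 5000-pixel normaliser in OS (2% of a 500 × 500 image) is our reading of the challenge's pixel budget, and the function names are illustrative:

```python
import numpy as np

def overall_score(R, bb_clean, bb_adv, budget=5000.0):
    """Eq. (2) for one image: fewer perturbed pixels (R, per patch) and
    fewer surviving boxes (bb_adv) both raise the score (maximum 2.0)."""
    pixel_term = 2.0 - sum(R) / budget
    box_term = 1.0 - min(bb_clean, bb_adv) / bb_clean
    return pixel_term * box_term

def bbr(bb_clean, bb_adv):
    """Eq. (3), left: surviving boxes over original boxes, over the dataset."""
    return sum(bb_adv) / sum(bb_clean)

def app(R_per_image, h=500, w=500):
    """Eq. (3), right: mean fraction of perturbed pixels per image."""
    return float(np.mean([sum(R) / (h * w) for R in R_per_image]))
```

For example, an image whose boxes are all suppressed with 1000 perturbed pixels scores (2 − 0.2) × 1 = 1.8, while an untouched detection result scores 0.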
Table 1: Results of the diffused patch attack with different shapes against YOLOv4 [1] and Faster RCNN [14]. The number s in asteroid-s means scaling the size of the patch's bounding box by s, e.g. 0.8. The number l in grid-l×l means that there are l horizontal and l vertical lines in the grid-shaped patches. Ensemble means that we choose the adversarial example with the highest overall score (OS) among all these kinds of patches.

              |          YOLOv4 [1]           |        Faster RCNN [14]
              | SR     OS    BBR     APP      | SR     OS    BBR     APP
asteroid-0.8  | 96.2%  1515  2.76%   0.89%    | 65.4%  1241  12.3%   1.05%
asteroid-1.0  | 100%   1401  0%      1.14%    | 78.8%  1203  7.6%    1.27%
grid-1x1      | 75%    1423  18.62%  0.45%    | 15.3%  906   39.5%   0.55%
grid-2x2      | 100%   1457  0%      0.87%    | 61.5%  1160  15.38%  1.10%
grid-3x3      | 100%   1305  0%      1.29%    | 86.5%  1076  8.6%    1.47%
grid-4x4      | 100%   1158  0%      1.54%    | 84.6%  1017  9.38%   1.63%
ensemble      | 98.3%  1563  1.82%   0.87%    | 76.5%  1436  12.1%   0.98%
The attack performance of the diffused patch attack is reported in Table 1. As per our aforementioned analysis, Faster RCNN [14] has features with a small receptive field, and its RoI pooling operation takes an ensemble of features into consideration, so it is more robust than YOLOv4 [1]. The success rates (SR) for YOLOv4 are nearly 100% for most kinds of patches, while below 85% in most cases for Faster RCNN. Similarly, the overall scores for YOLOv4 are higher than those for Faster RCNN, and the bounding box ratios (BBR) are lower. Besides, the predefined bounding boxes are not the ground-truth boxes but come from the outputs of YOLOv4 and Faster RCNN respectively, so the APPs of the two detectors differ. In fact, attacks against Faster RCNN perturb more pixels and obtain lower scores.
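The gradient maps in Figure 2 show the magnitude of the loss gradient over the image. As a toy illustration, such a map can be approximated without autograd by finite differences; this sketch and its stand-in loss are our own, and a real implementation would backpropagate through the detector instead:

```python
import numpy as np

def grad_magnitude_map(loss_fn, img, eps=1e-3):
    """Finite-difference |dL/dp| per pixel.

    One loss call per pixel, so this is only practical for toy inputs;
    it serves to show where the loss is sensitive to the image.
    """
    base = loss_fn(img)
    g = np.zeros_like(img)
    for idx in np.ndindex(img.shape):
        bumped = img.copy()
        bumped[idx] += eps               # perturb a single pixel
        g[idx] = abs(loss_fn(bumped) - base) / eps
    return g
```

With a stand-in loss that only reads a box-shaped region (mimicking scores driven by an object's bounding box), the map is non-zero exactly inside that region, mirroring how the gradients in Figure 2 concentrate inside the objects' bounding boxes.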
Visualization of Gradients

Intuitively, it is much more effective to attach the patches inside the bounding boxes of objects, and we visualize the gradients of the attacking loss with respect to the input image to verify this. The attacking loss is reformulated from equation (1) as follows:

p = x·(1−M) + δ·M
L(p) = Σ_{i=1}^{N} Σ_{c=1}^{C} max(0, f_i^c(p) − t)   (4)

We visualize the gradient magnitudes ||∇_p L(p)|| by overlaying their transparent heatmap on the original image. As shown in Figure 2, the gradients inside the bounding boxes of objects are higher than those outside the bounding boxes. So it is more effective to put the patches inside the bounding boxes.

Figure 2: Visualization of gradients for YOLOv4 (first row, at iterations t = 0, 30, 60, 90) and Faster RCNN (second row, at iterations t = 0, 40, 80, 120), where t denotes the iteration of the attack process.

Conclusion

In this paper, we proposed the diffused patch attack with asteroid-shaped or grid-shaped patches, which successfully fools both one-stage and two-stage detectors. Besides, our attacking loss pays more attention to positive proposals and suppresses the introduction of false positive proposals. Experiments show that our proposed method successfully fools detectors at the cost of perturbing a small number of pixels, and we won second place in the Alibaba Tianchi competition: Alibaba-Tsinghua Adversarial Challenge on Object Detection.
References

[1] A. Bochkovskiy, C.-Y. Wang, and H.-Y. M. Liao. Yolov4: Optimal speed and accuracy of object detection. arXiv preprint arXiv:2004.10934, 2020.
[2] A. J. Bose and P. Aarabi. Adversarial attacks on face detectors using neural net based constrained optimization. Pages 1–6. IEEE, 2018.
[3] Z. Cai and N. Vasconcelos. Cascade r-cnn: Delving into high quality object detection. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pages 6154–6162, 2018.
[4] N. Carlini and D. Wagner. Towards evaluating the robustness of neural networks. In 2017 IEEE Symposium on Security and Privacy (SP), pages 39–57. IEEE, 2017.
[5] K. Duan, S. Bai, L. Xie, H. Qi, Q. Huang, and Q. Tian. Centernet: Keypoint triplets for object detection. In Proceedings of the IEEE International Conference on Computer Vision, pages 6569–6578, 2019.
[6] I. J. Goodfellow, J. Shlens, and C. Szegedy. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.
[7] J. Hendrik Metzen, M. Chaithanya Kumar, T. Brox, and V. Fischer. Universal adversarial perturbations against semantic image segmentation. In Proceedings of the IEEE International Conference on Computer Vision, pages 2755–2764, 2017.
[8] M. Lee and Z. Kolter. On physical adversarial patches for object detection. arXiv preprint arXiv:1906.11897, 2019.
[9] Y. Li, D. Tian, M.-C. Chang, X. Bian, and S. Lyu. Robust adversarial perturbation on deep proposal-based models. arXiv preprint arXiv:1809.05962, 2018.
[10] T.-Y. Lin, P. Goyal, R. Girshick, K. He, and P. Dollár. Focal loss for dense object detection. In Proceedings of the IEEE International Conference on Computer Vision, pages 2980–2988, 2017.
[11] W. Liu, D. Anguelov, D. Erhan, C. Szegedy, S. Reed, C.-Y. Fu, and A. C. Berg. Ssd: Single shot multibox detector. In European Conference on Computer Vision, pages 21–37. Springer, 2016.
[12] X. Liu, H. Yang, Z. Liu, L. Song, H. Li, and Y. Chen. Dpatch: An adversarial patch attack on object detectors. arXiv preprint arXiv:1806.02299, 2018.
[13] S.-M. Moosavi-Dezfooli, A. Fawzi, and P. Frossard. Deepfool: A simple and accurate method to fool deep neural networks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pages 2574–2582, 2016.
[14] S. Ren, K. He, R. Girshick, and J. Sun. Faster r-cnn: Towards real-time object detection with region proposal networks. In Advances in Neural Information Processing Systems, pages 91–99, 2015.
[15] X. Wei, S. Liang, N. Chen, and X. Cao. Transferable adversarial attacks for image and video object detection. arXiv preprint arXiv:1811.12641, 2018.
[16] C. Xie, J. Wang, Z. Zhang, Y. Zhou, L. Xie, and A. Yuille. Adversarial examples for semantic segmentation and object detection. In Proceedings of the IEEE International Conference on Computer Vision, pages 1369–1378, 2017.
[17] X. Yang, F. Wei, H. Zhang, X. Ming, and J. Zhu. Design and interpretation of universal adversarial patches in face detection. arXiv preprint arXiv:1912.05021, 2019.