Abstract (translated from the Chinese): |
Object detection algorithms perform very well and are already deployed widely in industry. Recent research shows, however, that they are vulnerable to adversarial attacks: adversarial examples can sharply degrade a model's performance. An attacker who pastes an adversarial patch onto an image in the digital domain, or who holds up a printed adversarial patch in the physical world, can make the object to be detected "disappear" from the detector. Physical-world patch attacks can be used against self-driving cars and to evade smart cameras, and so pose a serious security risk to deployed deep learning models. Adversarial patches that attack object detectors in the physical world have distinctive characteristics: they are brightly coloured and vary abruptly, and therefore contain a large amount of high-frequency information. Based on this property we propose a masking defense. We first split the image under test into pixel blocks, then use the fast Fourier transform and binarization to measure how much high-frequency information each block contains, mask the blocks with the most high-frequency content one after another, and finally verify with the object detector. The defense quickly locates the patch in the physical world and destroys its attack effect, so that the detector can again find the object the attacker tried to hide. The method is independent of the detection model and of the method used to generate the patch, and can defend generically against physical-world patch attacks. We evaluated it in the physical world on two widely used object detectors; on each of three datasets it achieves a defense success rate above 94%, 6% higher than the best of the compared methods, which demonstrates the effectiveness of our method. |
Keywords: deep learning; patch attack; physical attack; adversarial defense
DOI:10.19363/J.cnki.cn10-1380/tn.2023.03.11 |
Received: December 11, 2021; Revised: March 21, 2022
Funding: This work was supported by the National Natural Science Foundation of China (No. 61903334), the Zhejiang Provincial Key R&D "Pioneer" Program (No. 2022C01018), and the Zhejiang Provincial Natural Science Foundation (No. LY21F030016).
|
A general defense method for physical space patch adversarial attacks |
XIANG Yun,HAN Ruixin,CHEN Zuohui,LI Xiangyu,XU Dongwei |
Institute of Cyberspace Security, Zhejiang University of Technology, Hangzhou 310023, China; College of Information Engineering, Zhejiang University of Technology, Hangzhou 310023, China
Abstract: |
Deep learning based object detection algorithms are widely used in modern industry. However, recent research shows that they are quite vulnerable to adversarial attacks, which can greatly reduce the performance of deep learning models. Attaching an adversarial patch in the digital or physical space can make the attacked object "disappear" from the object detector. Patches generated by such attacks therefore pose major security risks to deployed deep learning models, e.g., in automated driving and for evading intelligent cameras. Fortunately, these adversarial patches typically have very distinct features, e.g., rich colors and drastic changes, and hence plenty of high-frequency information. In this work, by taking advantage of these features, we propose a mask-based defense against patch attacks that uses the fast Fourier transform to quickly locate the adversarial patch in the physical space. Specifically, we first divide the test image into multiple pixel blocks. Then we use the fast Fourier transform and binarization to extract and quantify the high-frequency information in each block. The blocks containing more high-frequency components are masked. Finally, the masked image is re-processed by the original detection algorithm. The patch is thereby located and neutralized, and the hidden object can be detected again. The defense is independent of the detection model and of the patch generation method, so it can be used as a general defense against all similar adversarial patches. In our experiments, we use two widely used object detection algorithms in the physical space to evaluate the technique. The results show a defense success rate of more than 94% on three commonly used datasets, which is 6% higher than the best of the compared methods. These results demonstrate the effectiveness of our technique in real-world scenarios. |
Key words: deep learning; patch attack; physical attack; adversarial defense
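The abstract describes the defense as a pipeline (split into blocks, FFT, binarize, rank by high-frequency content, mask, re-detect) without giving its parameters. The following is an added illustration of that pipeline, not the authors' code: the block size, the low-frequency radius, the binarization threshold, the mask value, the synthetic image and the stand-in "detector" are all assumptions chosen so the example runs offline without numpy or a real detector. The stand-in detector uses ground-truth patch coordinates that a real detector would not have; in a deployment it would be replaced by a wrapped YOLO or similar model returning whether the target object is found.

```python
"""Block-wise FFT high-frequency masking against adversarial patches.

Added example, not the authors' code. Block size, low-frequency radius,
binarization threshold, mask value and the stand-in detector are assumptions.
"""
import cmath
import math
from typing import Callable, Dict, List, Set, Tuple

Image = List[List[float]]   # grayscale, row-major, values 0..255
BlockId = Tuple[int, int]   # (block row, block column)
FILL = 128.0                # mid-grey used to mask a block


def dft2(block: Image) -> List[List[complex]]:
    """Direct 2-D DFT of a small square block (pure Python, no numpy)."""
    n = len(block)
    tw = [cmath.exp(-2j * math.pi * k / n) for k in range(n)]  # twiddle factors
    return [[sum(block[x][y] * tw[(u * x + v * y) % n]
                 for x in range(n) for y in range(n))
             for v in range(n)] for u in range(n)]


def high_freq_score(block: Image, radius: float, rel_threshold: float) -> int:
    """Binarize the spectrum and count bright coefficients outside a low-frequency disc.

    A coefficient is 'bright' when |F(u,v)| exceeds rel_threshold times the
    largest possible DC term (n*n*255), so the threshold is scale-independent.
    """
    n = len(block)
    c = n // 2
    cutoff = rel_threshold * n * n * 255.0
    spec = dft2(block)
    count = 0
    for u in range(n):
        for v in range(n):
            du = ((u + c) % n) - c          # centre the spectrum (fftshift)
            dv = ((v + c) % n) - c
            if math.hypot(du, dv) > radius and abs(spec[u][v]) > cutoff:
                count += 1
    return count


def score_blocks(img: Image, bs: int, radius: float = 2.0,
                 rel_threshold: float = 0.02) -> Dict[BlockId, int]:
    """Split the image into bs x bs blocks and score each block's high-frequency content."""
    scores: Dict[BlockId, int] = {}
    for bi in range(len(img) // bs):
        for bj in range(len(img[0]) // bs):
            block = [row[bj * bs:(bj + 1) * bs] for row in img[bi * bs:(bi + 1) * bs]]
            scores[(bi, bj)] = high_freq_score(block, radius, rel_threshold)
    return scores


def mask_block(img: Image, blk: BlockId, bs: int, fill: float = FILL) -> Image:
    """Return a copy of img with one block overwritten by a flat fill value."""
    bi, bj = blk
    out = [row[:] for row in img]
    for x in range(bi * bs, (bi + 1) * bs):
        for y in range(bj * bs, (bj + 1) * bs):
            out[x][y] = fill
    return out


def defend(img: Image, bs: int, detector: Callable[[Image], bool],
           min_score: int = 4) -> Tuple[Image, List[BlockId]]:
    """Mask blocks in descending high-frequency order until the detector sees the object.

    `detector` is any object detector wrapped to return True when the target is
    found. Blocks scoring below min_score are never masked, which bounds the
    damage done to clean images (assumed stopping rule, not from the paper).
    """
    scores = score_blocks(img, bs)
    masked: List[BlockId] = []
    cur = img
    for blk in sorted(scores, key=lambda b: scores[b], reverse=True):
        if detector(cur) or scores[blk] < min_score:
            break
        cur = mask_block(cur, blk, bs)
        masked.append(blk)
    return cur, masked


# --- constructed sample input (not real data) ---------------------------------

PATCH_BLOCKS: Set[BlockId] = {(1, 2), (1, 3), (2, 2), (2, 3)}


def make_sample(size: int = 32, bs: int = 8, seed: int = 7, with_patch: bool = True) -> Image:
    """Smooth ramp background; PATCH_BLOCKS is filled with LCG noise as a
    stand-in for a colourful, rapidly varying adversarial patch."""
    img = [[60.0 + 2.0 * x + 1.0 * y for y in range(size)] for x in range(size)]
    state = seed
    if with_patch:
        for bi, bj in PATCH_BLOCKS:
            for x in range(bi * bs, (bi + 1) * bs):
                for y in range(bj * bs, (bj + 1) * bs):
                    state = (1103515245 * state + 12345) % 2 ** 31
                    img[x][y] = float((state >> 16) % 256)   # high bits: less structured
    return img


def stand_in_detector(img: Image, bs: int = 8) -> bool:
    """Constructed stand-in for a real detector: the hidden object 'reappears'
    once every block of the known patch region has been masked."""
    return all(img[x][y] == FILL
               for bi, bj in PATCH_BLOCKS
               for x in range(bi * bs, (bi + 1) * bs)
               for y in range(bj * bs, (bj + 1) * bs))


if __name__ == "__main__":
    sample = make_sample()
    cleaned, removed = defend(sample, 8, stand_in_detector)
    print("masked blocks:", sorted(removed))
```

Two properties worth checking when tuning this on real images: a smooth background block must score zero or near zero (here the linear ramp produces only a few weak coefficients, all below the binarization cutoff), and the stopping rule must prevent the loop from masking the whole image when the detector never recovers the object, since an attacker could otherwise turn the defense into a denial of service by wearing a patch the detector cannot see past.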