| 摘要: |
| 搭载目标检测算法的可见光视觉识别系统正逐渐成为无人机领域重要的感知系统。然而, 目标检测算法容易受到对抗攻击的威胁, 特别是物理攻击通常以对抗补丁的形式嵌入现实场景中, 其威胁程度远超过数字攻击。现有的物理攻击方法主要针对目标检测的地面近距离应用场景, 并且生成的物理对抗补丁容易被人类所察觉, 从而暴露攻击意图。为此, 提出了一种针对无人机视觉识别系统的自然物理对抗攻击方法(Natural Physical Patch Attack, NPAP)。首先, 设计了针对多尺度、多目标攻击的优化函数, 提升对抗补丁的攻击能力。接着, 为生成自然的对抗补丁, 引入相似性度量对补丁的外观进行约束。最后, 基于期望转换的原理, 设计了补丁物理增强变换模块, 采用多种物理增强变换, 提升对抗补丁对环境和尺度变化的鲁棒性。在数字攻击实验中, 该方法对YOLOv3、YOLOv5、YOLOv7三个主流目标检测器的攻击成功率分别为72.6%、77.6%、75.0%。在物理攻击实验中, 将数字域中生成的对抗补丁打印到现实世界中进行测试, 该方法在20~100m高度范围内对三个目标检测器的平均攻击成功率分别为63.6%、58.3%、56.8%。实验结果表明, 与G/C、UPC、NAP三种主流的攻击方法相比, 该方法在不增加复杂度的情况下能够生成与自然图像相似的对抗补丁, 并且生成的对抗补丁表现出优越的攻击性能和鲁棒性。 |
| 关键词: 目标检测 对抗样本生成 无人机识别 对抗攻击 |
| DOI:10.19363/J.cnki.cn10-1380/tn.2025.09.06 |
| 投稿时间:2023-12-15修订日期:2024-03-18 |
| 基金项目:本课题得到国家自然科学基金项目(No. 12005030); 重庆市自然科学基金项目(No. cstc2021jcyj-bsh0252); 重庆邮电大学博士启动基金项目(No. A A2020-217 & A2020-216)资助。 |
|
| Natural Physical Adversarial Attack Method for UAV Visual Recognition System |
| ZHANG Heng,HUANG Nongsen,DING Jiasong,HANG Qin |
| School of Computer Science and Technology, Chongqing University of Posts and Telecommunications, Chongqing 400065, China;Hefei Institute of Physical Science, Chinese Academy of Sciences, Hefei 230031, China;Chongqing Key Laboratory of Computational Intelligence, Chongqing University of Posts and Telecommunications, Chongqing 400065, China;School of Computer Science and Technology, Chongqing University of Posts and Telecommunications, Chongqing 400065, China;Chongqing Key Laboratory of Computational Intelligence, Chongqing University of Posts and Telecommunications, Chongqing 400065, China |
| Abstract: |
| The visible light visual recognition system equipped with object detection algorithms is progressively emerging as a vital perception system in the domain of unmanned aerial vehicle. However, object detection algorithms are susceptible to adversarial attack. In particular, physical adversarial attacks often manifest in the form of adversarial patches embedded within real-world scenes, posing a more significant threat compared to digital attacks. Existing physical attack methods primarily target close-range ground-based applications of object detection, and the generated physical adversarial patches are easily perceptible by humans, thereby exposing malicious intent. To address this issue, a natural physical adversarial attack method (Natural Physical Patch Attack, NPAP) targeting unmanned aerial vehicle visual recognition systems is proposed. Firstly, an optimization function tailored for multi-scale and multi-target attacks is designed to enhance the attack capability of adversarial patches. Subsequently, to generate natural adversarial patches, a similarity metric is introduced to constrain the appearance of the patches. Finally, based on the principle of expectation over transformation, a patches physical enhancement transformation module is designed. Multiple physical augmentation transformations are employed to enhanced the robustness of adversarial patches against environmental and scale variations. In the digital attack experiment, this method achieved success rates of 72.6%, 77.6%, and 75.0% against three mainstream object detectors: YOLOv3, YOLOv5, and YOLOv7, respectively. In the physical attack experiment, the adversarial patches generated in the digital domain were printed and tested in the real world. this method achieved average attack success rates of 63.6%, 58.3%, and 56.8% against the three object detectors within the altitude range of 20 meters to 100 meters. The experimental results demonstrate that, compared to three mainstream adversarial attack methods, namely G/C, UPC, and NAP, the proposed approach is capable of generating adversarial patches that resemble natural images without augmenting complexity. Concurrently, the generated adversarial patches exhibit superior adversarial performance and robustness. |
| Key words: object detection adversarial sample generation unmanned aerial vehicle recognition adversarial attack |
