Adversarial Examples (Paper Reading 10): Evading Real-Time Person Detectors by Adversarial T-shirt

Evading Real-Time Person Detectors by Adversarial T-shirt

Kaidi Xu1 Gaoyuan Zhang2 Sijia Liu2 Quanfu Fan2 Mengshu Sun1 Hongge Chen3 Pin-Yu Chen2 Yanzhi Wang1 Xue Lin1

1Northeastern University, USA 2MIT-IBM Watson AI Lab, IBM Research, USA 3Massachusetts Institute of Technology, USA

Paper released on October 25, 2019

Abstract

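Most existing physical adversarial attacks focus on static objects, such as eyeglass frames, stop signs, and images attached to cardboard. Here we propose the adversarial T-shirt, a robust physical adversarial example for evading person detectors that stays highly robust even when the T-shirt deforms as the person's pose changes. We first model the effect of deformation in order to design physical adversarial examples for non-rigid objects such as T-shirts. Further, using min-max optimization, it can attack YOLOv2 and Faster R-CNN at the same time.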

1 Introduction
Early works studied adversarial examples in the digital space only. Recently, some works showed that it is possible to create adversarial perturbations on physical objects … However, most of the studied physical adversarial attacks encounter two limitations: a) they usually consider static images, and b) they ignore the deformation caused by a moving target. In this paper, we propose a new type of physical adversarial attack, adversarial T-shirt, to evade (lead-in)

Most of the existing physical adversarial attacks were generated against image classifiers and object detectors. Examples: face recognition, stop signs, stickers on the camera lens; EOT: rotation, translation, contrast, illumination, random noise, etc. Compared to attacking image classifiers, generating physical adversarial attacks against object detectors is more challenging since the adversary is required to mislead both bounding box detector and object classifier.

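The most relevant work to ours is [14], in which … However, … and we show its adversarial effect when made into a T-shirt in the fourth row of Figure 1. We propose a transformation model based on thin plate spline (TPS) to simulate the deformation of non-rigid objects, and an ensemble physical attack method that fools the object detectors YOLOv2 and Faster R-CNN at the same time.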

Contribution. We summarize our contributions as follows.
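1) We develop a TPS-based transformer to model the T-shirt deformation caused by the pose changes of a moving person.
2) We propose a general optimization framework that can attack one-stage and two-stage detectors at the same time.
3) Effective experimental results are obtained.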


2 Modeling Deformation of A Moving Object by Thin Plate Spline Mapping (modeling deformation with TPS)

In this section, we begin by reviewing some existing transformations … We then elaborate on Thin Plate Spline (TPS) … (section overview)

Existing transformations. Scaling, rotation and translation, illumination, Gaussian noise, perspective, smoothing, saturation, etc.

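TPS transformation for cloth deformation. To handle the T-shirt deformation caused by body movement, we use the TPS mapping [25], which consists of an affine component and a non-linear interpolation component. Studies show that the non-linear interpolation part of TPS provides an effective way to model cloth deformation when learning adversarial patterns for non-rigid objects.
TPS learns a parametric deformation mapping from an original image x to a target image z through a set of control points at given positions.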

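Let p := (φ, ψ) denote the 2D location of an image pixel. The transformation from x to z is expressed as a displacement of each pixel, where φ and ψ are the two directions of that displacement. The parametric model of the pixel displacement is as follows: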
where U(r) = r^2 log(r), θ = [c; a] are the TPS parameters, and ∆(p(x); θ) is the pixel displacement.

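Solving for the parameters is cast as a regression problem: given the positions of the points, minimize the distance. The regression problem can be solved through the following linear system: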

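The difficulty here is how to determine the control points and obtain their positions in images x and z. Spurred by [29], we print a checkerboard on the T-shirt and use it to collect the control points and their positions between two video frames. In practice, we choose one frame as the anchor frame x and then generate TPS from the other frames. Figure 2 shows the T-shirt with the checkerboard pattern, where each intersection between two checkerboard squares is chosen as a control point. We note that the considered control points can be detected accurately with the Matlab vision toolbox [30], and that the videos used to generate the TPS transformations are independent of the test data used to evaluate the proposed adversarial T-shirt.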
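The TPS fit described above, as an added example (not code from the paper or from the original post): it solves the standard TPS linear system [[K, P], [P^T, 0]] θ = [v; 0] for θ = [c; a], one column per displacement direction, using only the Python standard library. The standard form of the system, the function names and the 3x3 grid of control points are assumptions; the sample points are constructed.

```python
import math

def U(r):
    # TPS radial basis from the text: U(r) = r^2 log(r), with U(0) = 0 by continuity
    return r * r * math.log(r) if r > 0 else 0.0

def solve(A, B):
    # Gauss-Jordan elimination with partial pivoting; B holds one column per axis
    n = len(A)
    M = [list(a) + list(b) for a, b in zip(A, B)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        if abs(M[piv][col]) < 1e-12:
            raise ValueError("singular system: control points repeated or collinear")
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [[v / M[i][i] for v in M[i][n:]] for i in range(n)]

def fit_tps(src, dst):
    """Solve [[K, P], [P^T, 0]] theta = [dst - src; 0] for theta = [c; a]."""
    n = len(src)
    P = [[1.0, p[0], p[1]] for p in src]
    A = [[U(math.dist(p, q)) for q in src] + P[i] for i, p in enumerate(src)]
    A += [[P[i][k] for i in range(n)] + [0.0, 0.0, 0.0] for k in range(3)]
    B = [[d[0] - s[0], d[1] - s[1]] for s, d in zip(src, dst)] + [[0.0, 0.0]] * 3
    return solve(A, B)

def displacement(p, src, theta):
    """Delta(p; theta): non-linear part sum_i c_i U(|p - p_i|) plus affine part a."""
    basis = [U(math.dist(p, q)) for q in src] + [1.0, p[0], p[1]]
    return tuple(sum(w * t[k] for w, t in zip(basis, theta)) for k in range(2))

# Constructed sample: a 3x3 grid of checkerboard intersections in anchor frame x,
# and the same points in frame z after the cloth bulges around the centre point.
SRC = [(float(i), float(j)) for j in range(3) for i in range(3)]
DST = [(1.2, 1.1) if p == (1.0, 1.0) else p for p in SRC]

if __name__ == "__main__":
    theta = fit_tps(SRC, DST)
    for q in [(1.0, 1.0), (0.5, 0.5), (2.0, 2.0)]:
        print(q, "->", displacement(q, SRC, theta))
```

The fitted displacement field reproduces the measured shift exactly at every control point and interpolates smoothly between them, which is what makes it usable for replaying cloth deformation when testing how a detector responds to non-rigid distortion.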

3 Generation of Adversarial T-shirt: An Optimization Perspective

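In this section, we begin by defining the problem and explaining the notation. We then propose a general adversarial T-shirt for attacking a single-stage detector. We lastly propose a min-max (robust) optimization network for attacking two-stage detectors.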

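Fooling a single object detector. We generalize Expectation over Transformation (EoT) by combining the perspective transformation on the T-shirt bounding box with the TPS transformation on the perturbed cloth region.
Let us begin by considering the perspective transformation, which gives the bounding boxes of the person M_{p,i} and of the patch M_{c,i} in each frame x_i after movement; the bounding boxes in the first frame x_0, M_{p,0} and M_{c,0}, are known. The perturbed image is expressed as follows: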
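A denotes the background region excluding the person, B the person region, C the patch region, and D the adversarial patch. Simplified, it becomes the conventional adversarial example formulation: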

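We next consider two categories of physical transformations: a) TPS transformation …, and b) conventional physical transformation … We then consider the two kinds of transformation together; they model the non-rigid deformation and the external physical transformations respectively: scaling, rotation, translation, brightness, contrast, perturbation, etc.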
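Here T denotes the physical transformation, T_TPS denotes the TPS transformation, and t_env and t_person denote applying the corresponding transformations.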

The final loss function uses the EoT form:
Here g controls the overall variation of the perturbation so that it is as smooth as possible, and C controls its printability.

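Min-max optimization for fooling multiple object detectors. To increase transferability, that is, the attack performance against different detectors, we consider an adversarial ensemble attack. It can be implemented through min-max optimization, and its worst-case attack success rate is much higher than that of an averaging strategy over multiple models.
N object detectors correspond to N attack loss functions {f_i}; the ensemble attack is as follows: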
w is the weight of each detector, and [symbol image] is the first term of the equation above: [equation image]

4 Experimental Results

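In this section, we demonstrate the effectiveness of our approach compared with two baseline attack methods: the "fooling cameras" attack and a variant of our method, namely the case without the TPS transformation.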

4.1 Experimental Setup
Data collection. We collect two datasets for learning and testing our proposed attack algorithm in both digital and physical worlds. (Lead-in.) The training dataset … The second dataset … The 10 test videos are then collected from …

Object detectors. We use two state-of-the-art object detectors:

Algorithmic parameter setting. The hyperparameter values here are simply stated; there is no need to explain them, and they may not be explainable anyway.

4.2 Adversarial T-shirt in digital world
Convergence performance of the proposed attack algorithm. Loss values over the training iterations:
ASR of adversarial T-shirt in various attack settings. The attack success rates in the digital space under different settings are given in the table below:
4.3 Adversarial T-shirt in physical world
Next, we evaluate our method in the physical world setting. The figure below shows our attack results under different settings:

5 Conclusion