面向目标检测的对抗攻击与防御综述

doi:10.11959/j.issn.1000-436x.2023223

通信学报 ›› 2023, Vol. 44 ›› Issue (11): 260-277.doi: 10.11959/j.issn.1000-436x.2023223

• 综述 • 上一篇

面向目标检测的对抗攻击与防御综述

汪欣欣¹^,², 陈晶¹^,²^,³, 何琨¹^,², 张子君¹^,², 杜瑞颖¹^,²^,⁴, 李瞧¹^,², 佘计思¹^,²

¹ 武汉大学国家网络安全学院，湖北武汉 430072
² 武汉大学空天信息安全与可信计算教育部重点实验室，湖北武汉 430072
³ 武汉大学日照信息技术研究院，山东日照 276800
⁴ 地球空间信息技术协同创新中心，湖北武汉 430079

修回日期:2023-08-06 出版日期:2023-11-01 发布日期:2023-11-01
作者简介:汪欣欣（1995− ），女，湖北随州人，武汉大学博士生，主要研究方向为目标检测、对抗学习和后门学习等
陈晶（1981− ），男，湖北武汉人，博士，武汉大学教授、博士生导师，主要研究方向为网络安全、人工智能安全、分布式系统安全和区块链等
何琨（1986− ），男，湖北武汉人，博士，武汉大学副教授、博士生导师，主要研究方向为应用密码学、网络安全、云计算安全、人工智能安全和区块链安全等
张子君（1989− ），男，湖北武汉人，博士，武汉大学副教授，主要研究方向为神经网络优化算法、正则化、网络架构、表示学习和强化学习等
杜瑞颖（1964− ），女，河南新乡人，博士，武汉大学教授、博士生导师，主要研究方向为网络安全、隐私保护、云安全和移动安全等
李瞧（1995− ），女，辽宁辽阳人，武汉大学博士生，主要研究方向为人工智能安全、对抗学习和后门学习等
佘计思（1999− ），女，湖北随州人，武汉大学硕士生，主要研究方向为人工智能安全、目标检测
基金资助:
国家重点研发计划基金资助项目(2022YFB3102100);中央高校基本科研业务费专项资金资助项目(2042022kf1195);国家自然科学基金资助项目(62076187);国家自然科学基金资助项目(62172303);湖北省重点研发计划基金资助项目(2022BAA039);山东省重点研发计划基金资助项目(2022CXPT055)

Survey on adversarial attacks and defenses for object detection

Xinxin WANG¹^,², Jing CHEN¹^,²^,³, Kun HE¹^,², Zijun ZHANG¹^,², Ruiying DU¹^,²^,⁴, Qiao LI¹^,², Jisi SHE¹^,²

¹ School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
² Key Laboratory of Aerospace Information Security and Trusted Computing Ministry of Education, Wuhan University, Wuhan 430072, China
³ Rizhao Institute of Information Technology, Wuhan University, Rizhao 276800, China
⁴ Collaborative Innovation Center of Geospatial Technology, Wuhan 430079, China

Revised:2023-08-06 Online:2023-11-01 Published:2023-11-01
Supported by:
The National Key Research and Development Program of China(2022YFB3102100);The Fundamental Research Funds for the Central Universities(2042022kf1195);The National Natural Science Foundation of China(62076187);The National Natural Science Foundation of China(62172303);The Key Research and Development Program of Hubei Province(2022BAA039);The Key Research and Development Program of Shandong Province(2022CXPT055)

摘要/Abstract

摘要：

针对近年来目标检测对抗攻防领域的研究发展，首先介绍了目标检测及对抗学习的相关术语和概念。其次，按照方法的演进过程，全面回顾并梳理了目标检测中对抗攻击和防御方法的研究成果，特别地，根据攻击者知识及深度学习生命周期，对攻击方法和防御策略进行了分类，并对不同方法之间的特点和联系进行了深入分析和讨论。最后，鉴于现有研究的优势和不足，总结了目标检测中对抗攻防研究面临的挑战和有待进一步探索的方向。

关键词: 目标检测, 对抗攻击, 对抗防御, 鲁棒性, 可转移性

Abstract:

In response to recent developments in adversarial attacks and defenses for object detection, relevant terms and concepts associated with object detection and adversarial learning were first introduced.Subsequently, according to the evolution process of the methods, a comprehensive retrospective analysis was conducted on the research achievements in the realm of adversarial attacks and defense methods for object detection.Particularly, attack methods and defense strategies were categorized based on the attacker knowledge and the deep learning lifecycle.Furthermore, an in-depth analysis and discussion of the characteristics and relationships among different approaches were provided.Lastly, considering the strengths and limitations of existing research, the imminent challenges and directions were summarized for further exploration in adversarial attack and defense of object detection.

Key words: object detection, adversarial attacks, adversarial defenses, robustness, transferability

中图分类号:

TP181

汪欣欣, 陈晶, 何琨, 张子君, 杜瑞颖, 李瞧, 佘计思. 面向目标检测的对抗攻击与防御综述[J]. 通信学报, 2023, 44(11): 260-277.

Xinxin WANG, Jing CHEN, Kun HE, Zijun ZHANG, Ruiying DU, Qiao LI, Jisi SHE. Survey on adversarial attacks and defenses for object detection[J]. Journal on Communications, 2023, 44(11): 260-277.

图/表 11

图1

图2

表1

表2

面向目标检测的对抗攻击方法"

攻击能力	具体分类	攻击方法	攻击目标	攻击场景	噪声类型	被攻击模型	数据集
白盒	基于优化迭	DAG^[10]	T	数字世界	G	Faster R-CNN、R-FCN	VOC07、VOC12
攻击	代的攻击	RP₂-based^[11]	UT	物理世界	L	YOlOv2、Faster R-CNN	自制数据集
	方法	UAP^[12]	UT	物理世界	G	YOLOv5、YOLOv2、Faster R-CNN	LISA、MTSD、BDD
		AA-HA^[56]	T、UT	物理世界	L	Faster R-CNN、YOLOv3、SSD、R-FCN、Mask R-CNN	自制数据集
		MeshAdv^[57]	T、UT	数字世界	L	YOLOv3	COCO
		DTA^[58]	UT	数字世界	L	EfficientDet、YOLOv4、SSD、Faster R-CNN、Mask R-CNN	自制数据集
		DAS^[59]	UT	物理世界	L	YOLOv5、SSD、Faster R-CNN、Mask R-CNN	自制数据集
		UPC^[60]	T、UT	物理世界	L	faster R-CNN、R-FCN、SSD、YOLOv2、YOLOv3、RetinaNet	自制数据集
		CAC^[61]	T	物理世界	L	Faster R-CNN、YOLOv3、YOLOv5	自制数据集
		FCA^[62]	UT	数字世界	L	YOLOv3、YOLOv5、 SSD、Faster R-CNN、Mask R-CNN	自制数据集
		LAP^[63]	UT	物理世界	L	YOLOv2	Inria
	基于生成器	UEA^[64]	UT	数字世界	G	Faster R-CNN、SSD	VOC07、ImageNet
	生成的攻击	NPA^[65]	UT	物理世界	L	YOLOv2、YOLOv3、YOLOv4、Faster R-CNN	Inria、MPII、Mix
	方法	TC-EGA^[66]	UT	物理世界	L	YOLOv2、YOLOv3、Faster R-CNN、Mask R-CNN	Inria
黑盒	基于可转移	CAMOU^[67]	UT	物理世界	L	Mask R-CNN、YOLOv3-SPP	自制数据集
攻击	性的攻击	CAA^[68]	T	数字世界	G	Faster R-CNN 、YOLOv3、FoveaBox、DETR、Libra R-CNN、FreeAnchor、D-DETR、RetinaNet	VOC07、COCO
		T-SEA^[69]	UT	物理世界	L	YOLOv2、YOLOv3、Faster R-CNN、YOLOv3tiny、YOLOv4、YOLOv4tiny 、YOLOv5、SSD	Inria、COCO、CCTV
		ZQA^[70]	T	数字世界	G	Faster R-CNN、RetinaNet、Libra R-CNN、FoveaBox	VOC07、COCO
	基于查询的	PRFA^[71]	UT	数字世界	G	Faster R-CNN、YOLOv3、FCOS、ATSS	COCO
	攻击方法

表2

图3

图4

图5

表3

面向目标检测的对抗防御方法"

防御角度	具体分类	防御方法	防御目标	防御主动性	噪声类型	防御机制
基于模型训练的防御方法	对抗训练	MTD^[99]	经验防御	主动防御	G	根据单任务生成的对抗样本集合筛选出使整体任务损失最大的对抗样本集合进行对抗训练，以此提高模型的鲁棒性
		CWAT^[101]	经验防御	主动防御	G	利用相应类的对象数量对每个类损失进行归一化，保证无差别地攻击图像中的所有类别，提高模型对所有目标类的鲁棒性
	其他方法	文献[102]	经验防御	主动防御	L	限制上下文信息使用，如限制感受野范围或创建上下文无关的训练集，避免成为攻击者的攻击手段
		RobustDet^[104]	经验防御	主动防御	G	利用多个不同的卷积核学习对抗样本和干净样本的鲁棒性特征，构建鲁棒性的目标检测器
基于模型推理的防御方法	降噪	文献[96]	认证防御	主动防御	G	利用随机中值平滑完成鲁棒性认证，保证目标检测器在大小范围内的认证鲁棒性
		ROSA^[107]	经验防御	主动防御	G	利用超像素方法和随机排列消除全局噪声的影响，同时引入上下文感知尽可能恢复原图像分布
		文献[108]	经验防御	主动防御	L	根据对抗样本和干净样本的分布差异，利用基于熵和基于梯度的方法感知高频信息，去除对抗噪声
		APM^[97]	经验防御	主动防御	L	学习一个数据预处理网络来确定对抗噪声位置，利用掩模去除对抗噪声
		文献[51]	经验防御	主动防御	L	利用分割模型确定对抗补丁位置，利用补丁完善方法微调补丁形状，利用掩模去除对抗噪声
	对抗噪声检测	Detector Guard^[95]	认证防御	被动防御	L	利用鲁棒的小感受野图像分类器来判断目标是否存在
		文献[109]	经验防御	被动防御	L	以基础目标检测器和BERT语言模型计算上下文一致性来检测对抗噪声

表3

图6

图7

图8

参考文献 72

[73]	LI J , SCHMIDT F R , KOLTER J Z . Adversarial camera stickers:a physical camera-based attack on deep learning systems[J]. arXiv Preprint,arXiv:1904.00759. 2019.
[74]	EYKHOLT K , EVTIMOV I , FERNANDES E ,et al. Robust physical-world attacks on deep learning visual classification[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2018: 1625-1634.
[75]	ZENG X H , LIU C X , WANG Y S ,et al. Adversarial attacks beyond the image space[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2020: 4297-4306.
[76]	KO N . Directional statistics BRDF model[C]// Proceedings of IEEE 12th International Conference on Computer Vision. Piscataway:IEEE Press, 2010: 476-483.
[77]	ATHALYE A , ENGSTROM L , ILYAS A ,et al. Synthesizing robust adversarial examples[J]. arXiv Preprint,arXiv:1707.07397, 2017.
[78]	XU K D , ZHANG G Y , LIU S J ,et al. Adversarial T-shirt! evading person detectors in a physical world[C]// Proceedings of European Conference on Computer Vision. Berlin:Springer, 2020: 665-681.
[79]	THYS S , RANST W V , GOEDEMé T . Fooling automated surveillance cameras:adversarial patches to attack person detection[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops (CVPRW). Piscataway:IEEE Press, 2020: 49-55.
[80]	WU Z X , LIM S N , DAVIS L S ,et al. Making an invisibility cloak:real world adversarial attacks on object detectors[C]// Proceedings of European Conference on Computer Vision. Berlin:Springer, 2020: 1-17.
[81]	SHARIF M , BHAGAVATULA S , BAUER L ,et al. Accessorize to a crime:real and stealthy attacks on state-of-the-art face recognition[C]// Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2016: 1528-1540.
[82]	GOODFELLOW I , POUGET-ABADIE J , MIRZA M ,et al. Generative adversarial networks[J]. Communications of the ACM, 2020,63(11): 139-144.
[83]	POURSAEED O , KATSMAN I , GAO B C ,et al. Generative adversarial perturbations[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2018: 4422-4431.
[1]	CHEN D J , HSIEH H Y , LIU T L . Adaptive image transformer for one-shot object detection[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2021: 12242-12251.
[2]	WANG Y , LV H , KUANG X ,et al. Towards a physical-world adversarial patch for blinding object detection models[J]. Information Sciences, 2021,556: 459-471.
[3]	CHAUDHURI B , VESDAPUNT N , WANG B Y . Joint face detection and facial motion retargeting for multiple faces[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2020: 9711-9720.
[4]	ZHENG L Y , TANG M , CHEN Y Y ,et al. Improving multiple object tracking with single object tracking[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2021: 2453-2462.
[5]	SHEKAR A K , GOU L , REN L ,et al. Label-free robustness estimation of object detection CNNs for autonomous driving applications[J]. International Journal of Computer Vision, 2021,129(4): 1185-1201.
[6]	LOEY M , MANOGARAN G , TAHA M H N ,et al. Fighting against COVID-19:a novel deep learning model based on YOLO-v2 with ResNet-50 for medical face mask detection[J]. Sustainable Cities and Society, 2021,65:102600.
[7]	ZENG Y L , ZHANG L H , ZHAO J H ,et al. JRL-YOLO:a novel jump-join repetitious learning structure for real-time dangerous object detection[J]. Computational Intelligence and Neuroscience, 2021,2021: 1-16.
[8]	BI H B , ZHANG C , WANG K ,et al. Rethinking camouflaged object detection:models and datasets[J]. IEEE Transactions on Circuits and Systems for Video Technology, 2022,32(9): 5708-5724.
[9]	SZEGEDY C , ZAREMBA W , SUTSKEVER I ,et al. Intriguing properties of neural networks[J]. arXiv Preprint,arXiv:1312.6199, 2013.
[10]	XIE C H , WANG J Y , ZHANG Z S ,et al. Adversarial examples for semantic segmentation and object detection[C]// Proceedings of IEEE International Conference on Computer Vision (ICCV). Piscataway:IEEE Press, 2017: 1378-1387.
[11]	EYKHOLT K , EVTIMOV I , FERNANDES E ,et al. Physical adversarial examples for object detectors[J]. arXiv Preprint,arXiv:1807.07769, 2018.
[12]	ZOLFI A , KRAVCHIK M , ELOVICI Y ,et al. The translucent patch:a physical and universal attack on object detectors[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2021: 15227-15236.
[84]	BROCK A , DONAHUE J , SIMONYAN K . Large scale GAN training for high fidelity natural image synthesis[J]. arXiv Preprint,arXiv:1809.11096, 2018.
[85]	KARRAS T , LAINE S , AILA T M . A style-based generator architecture for generative adversarial networks[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2021,43(12): 4217-4228.
[86]	HJELM R D , FEDOROV A , LAVOIE-MARCHILDON S , ,et al. Learning deep representations by mutual information estimation and maximization[J]. arXiv Preprint,arXiv:1808.06670, 2018.
[87]	LONG J , SHELHAMER E , DARRELL T . Fully convolutional networks for semantic segmentation[C]// Proceedings of IEEE Transactions on Pattern Analysis and Machine Intelligence. Piscataway:IEEE Press, 2016: 640-651.
[88]	HUANG G , SUN Y , LIU Z ,et al. Deep networks with stochastic depth[C]// Proceedings of European Conference on Computer Vision. Berlin:Springer, 2016: 646-661.
[89]	HE K M , GKIOXARI G , DOLLáR P ,et al. Mask R-CNN[C]// Proceedings of IEEE International Conference on Computer Vision (ICCV). Piscataway:IEEE Press, 2017: 2980-2988.
[90]	YANG Z , LIU S H , HU H ,et al. RepPoints:point set representation for object detection[C]// Proceedings of IEEE/CVF International Conference on Computer Vision (ICCV). Piscataway:IEEE Press, 2020: 9656-9665.
[91]	ANDRIUSHCHENKO M , CROCE F , FLAMMARION N ,et al. Square attack:a query-efficient black-box adversarial attack via random search[C]// Proceedings of European Conference on Computer Vision. Berlin:Springer, 2020: 484-501.
[92]	CHEN W L , ZHANG Z X , HU X L ,et al. Boosting decision-based black-box adversarial attacks with random sign flip[C]// Proceedings of European Conference on Computer Vision. Berlin:Springer, 2020: 276-293.
[93]	李明慧, 江沛佩, 王骞 ,等. 针对深度学习模型的对抗性攻击与防御[J]. 计算机研究与发展, 2021,58(5): 909-926.
	LI M H , JIANG P P , WANG Q ,et al. Adversarial attacks and defenses for deep learning models[J]. Journal of Computer Research and Development. 2021,58(5): 909-926.
[13]	袁珑, 李秀梅, 潘振雄 ,等. 面向目标检测的对抗样本综述[J]. 中国图象图形学报, 2022(10): 2873-2896.
	YUAN L , LI X M , PAN Z X ,et al. Review of adversarial examples for object detection[J]. Journal of Image and Graphics, 2022(10): 2873-2896.
[14]	ZHANG C N , BENZ P , KARJAUV A ,et al. Investigating top-k white-box and transferable black-box attack[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2022: 15064-15073.
[15]	REZATOFIGHI H , TSOI N , GWAK J ,et al. Generalized intersection over union:a metric and a loss for bounding box regression[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2020: 658-666.
[16]	NEUBECK A , VAN GOOL L . Efficient non-maximum suppression[C]// Proceedings of 18th International Conference on Pattern Recognition. Piscataway:IEEE Press, 2006: 850-855.
[17]	ZOU Z , CHEN K , SHI Z ,et al. Object detection in 20 years:a survey[J]. Proceedings of the IEEE, 2023,111(3): 257-276.
[18]	ZHANG S F , CHI C , YAO Y Q ,et al. Bridging the gap between anchor-based and anchor-free detection via adaptive training sample selection[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2020: 9756-9765.
[19]	陈梦轩, 张振永, 纪守领 ,等. 图像对抗样本研究综述[J]. 计算机科学, 2022,49(2): 92-106.
	CHEN M X , ZHANG Z Y , JI S L ,et al. Survey of research progress on adversarial examples in images[J]. Computer Science, 2022,49(2): 92-106.
[20]	LI Y W , BAI S , ZHOU Y Y ,et al. Learning transferable adversarial examples via ghost networks[J]. Proceedings of the AAAI Conference on Artificial Intelligence, 2020,34(7): 11458-11465.
[21]	LIU Y , CHEN X , LIU C ,et al. Delving into transferable adversarial examples and black-box attacks[J]. arXiv Preprint,arXiv:1611.02770, 2016.
[94]	JIN G , YI X , HUANG W ,et al. Enhancing adversarial training with second-order statistics of weights[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2022: 1-15.
[95]	XIANG C , MITTAL P . DetectorGuard:provably securing object detectors against localized patch hiding attacks[J]. arXiv Preprint,arXiv:2012.02956, 2021.
[96]	CHIANG P Y , CURRY M J , ABDELKADER A ,et al. Detection as regression:certified object detection by Median smoothing[J]. arXiv Preprint,arXiv:2007.03730, 2020.
[97]	CHIANG P H , CHAN C S , WU S H . Adversarial pixel masking:a defense against physical attacks for pre-trained object detectors[C]// Proceedings of the 29th ACM International Conference on Multimedia. New York:ACM Press, 2021: 1856-1865.
[98]	GOODFELLOW I J , SHLENS J , SZEGEDY C . Explaining and harnessing adversarial examples[J]. arXiv Preprint,arXiv:1412.6572, 2014.
[99]	ZHANG H C , WANG J Y . Towards adversarially robust object detection[C]// Proceedings of IEEE/CVF International Conference on Computer Vision (ICCV). Piscataway:IEEE Press, 2020: 421-430.
[100]	CHEN S T , CORNELIUS C , MARTIN J ,et al. ShapeShifter:robust physical adversarial attack on faster R-CNN object detector[C]// Proceedings of European Conference on Machine Learning and Knowledge Discovery in Databases. Berlin:Springer, 2019: 52-68.
[101]	CHEN P C , KUNG B H , CHEN J C . Class-aware robust adversarial training for object detection[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2021: 10415-10424.
[102]	SAHA A , SUBRAMANYA A , PATIL K ,et al. Role of spatial context in adversarial robustness for object detection[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops (CVPRW). Piscataway:IEEE Press, 2020: 3403-3412.
[103]	BARNEA E , BEN-SHAHAR O . Exploring the bounds of the utility of context for object detection[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2020: 7404-7412.
[104]	DONG Z Y , WEI P X , LIN L . Adversarially-aware robust object detector[M]. Berlin: Springer, 2022.
[22]	ZAIDI S S A , ANSARI M S , ASLAM A ,et al. A survey of modern deep learning based object detection models[J]. Digital Signal Processing, 2022,126:103514.
[23]	CARRANZA-GARCíA M , TORRES-MATEO J , LARA-BENíTEZ P ,et al. On the performance of one-stage and two-stage object detectors in autonomous vehicles using camera data[J]. Remote Sensing, 2020,13(1): 89.
[24]	REDMON J , DIVVALA S , GIRSHICK R ,et al. You only look once:unified,real-time object detection[C]// Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2016: 779-788.
[25]	REDMON J , FARHADI A . YOLO9000:better,faster,stronger[C]// Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2017: 6517-6525.
[26]	REDMON J , FARHADI A . YOLOv3:an incremental improvement[J]. arXiv Preprint,arXiv:1804.02767, 2018.
[27]	BOCHKOVSKIY A , WANG C Y , LIAO H Y M . YOLOv4:optimal speed and accuracy of object detection[J]. arXiv Preprint,arXiv:2004.10934, 2020.
[28]	LIU W , ANGUELOV D , ERHAN D ,et al. SSD:single shot multibox detector[C]// Proceedings of European Conference on Computer Vision. Berlin:Springer, 2016: 21-37.
[29]	LIN T Y , GOYAL P , GIRSHICK R ,et al. Focal loss for dense object detection[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2020,42(2): 318-327.
[30]	LAW H , DENG J . CornerNet:detecting objects as paired keypoints[J]. International Journal of Computer Vision, 2020,128(3): 642-656.
[31]	DUAN K W , BAI S , XIE L X ,et al. CenterNet:keypoint triplets for object detection[C]// Proceedings of IEEE/CVF International Conference on Computer Vision (ICCV). Piscataway:IEEE Press, 2020: 6568-6577.
[32]	ZHOU X , WANG D , KR?HENBüHL P . Objects as points[J]. arXiv Preprint,arXiv:1904.07850, 2019.
[105]	CHEN Y P , DAI X Y , LIU M C ,et al. Dynamic convolution:attention over convolution kernels[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2020: 11027-11036.
[106]	KINGMA D P , WELLING M . Auto-encoding variational Bayes[J]. arXiv Preprint,arXiv:1312.6114, 2013.
[107]	COHEN J M , ROSENFELD E , KOLTER J Z . Certified adversarial robustness via randomized smoothing[J]. arXiv Preprint,arXiv:1902.02918, 2019.
[108]	LECUYER M , ATLIDAKIS V , GEAMBASU R ,et al. Certified robustness to adversarial examples with differential privacy[C]// Proceedings of IEEE Symposium on Security and Privacy (SP). Piscataway:IEEE Press, 2019: 656-672.
[109]	SALMAN H , YANG G , LI J ,et al. Provably robust deep learning via adversarially trained smoothed classifiers[J]. arXiv Preprint,arXiv:1906.04584, 2019.
[110]	ZUO W M , ZHANG K , ZHANG L . Convolutional neural networks for image denoising and restoration[M]. Berlin: Springer, 2018.
[111]	LI H F , LI G B , YU Y Z . ROSA:robust salient object detection against adversarial attacks[J]. IEEE Transactions on Cybernetics, 2020,50(11): 4835-4847.
[112]	ZHOU G Z , GAO H C , CHEN P ,et al. Information distribution based defense against physical attacks on object detection[C]// Proceedings of IEEE International Conference on Multimedia ＆ Expo Workshops (ICMEW). Piscataway:IEEE Press, 2020: 1-6.
[113]	XIANG C , BHAGOJI A N , SEHWAG V ,et al. PatchGuard:a provably robust defense against adversarial patches via small receptive fields and masking[J]. arXiv Preprint,arXiv:2005.10884, 2020.
[114]	YIN M J , LI S S , CAI Z K ,et al. Exploiting multi-object relationships for detecting adversarial attacks in complex scenes[C]// Proceedings of IEEE/CVF International Conference on Computer Vision (ICCV). Piscataway:IEEE Press, 2022: 7838-7847.
[115]	LIU Y , OTT M , GOYAL N ,et al. RoBERTa:a robustly optimized bert pretraining approach[J]. arXiv Preprint,arXiv:1907.11692, 2019.
[33]	TAN M X , PANG R M , LE Q V . EfficientDet:scalable and efficient object detection[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2020: 10778-10787.
[34]	GIRSHICK R , DONAHUE J , DARRELL T ,et al. Rich feature hierarchies for accurate object detection and semantic segmentation[C]// Proceedings of IEEE Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2014: 580-587.
[35]	GIRSHICK R . Fast R-CNN[C]// Proceedings of IEEE International Conference on Computer Vision (ICCV). Piscataway:IEEE Press, 2016: 1440-1448.
[36]	REN S Q , HE K M , GIRSHICK R ,et al. Faster R-CNN:towards real-time object detection with region proposal networks[C]// Proceedings of IEEE Transactions on Pattern Analysis and Machine Intelligence. Piscataway:IEEE Press, 2016: 1137-1149.
[37]	DAI J , LI Y , HE K ,et al. R-FCN:object detection via region-based fully convolutional networks[J]. arXiv Preprint,arXiv:1605.06409, 2016.
[38]	ZHANG X S , WAN F , LIU C ,et al. Learning to match anchors for visual object detection[C]// Proceedings of IEEE Transactions on Pattern Analysis and Machine Intelligence. Piscataway:IEEE Press, 2021: 3096-3109.
[39]	LAW H , TENG Y , RUSSAKOVSKY O ,et al. CornerNet-Lite:efficient keypoint based object detection[J]. arXiv Preprint,arXiv:1904.08900, 2019.
[40]	WANG J Q , CHEN K , YANG S ,et al. Region proposal by guided anchoring[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2020: 2960-2969.
[41]	ZHU C C , HE Y H , SAVVIDES M . Feature selective anchor-free module for single-shot object detection[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2020: 840-849.
[42]	TIAN Z , SHEN C H , CHEN H ,et al. FCOS:fully convolutional one-stage object detection[C]// Proceedings of IEEE/CVF International Conference on Computer Vision (ICCV). Piscataway:IEEE Press, 2020: 9626-9635.
[43]	LIU W , LIAO S C , REN W Q ,et al. High-level semantic feature detection:a new perspective for pedestrian detection[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2020: 5182-5191.
[44]	KONG T , SUN F C , LIU H P ,et al. FoveaBox:beyound anchor-based object detection[J]. IEEE Transactions on Image Processing, 2020,29: 7389-7398.
[45]	EVERINGHAM M . The pascal visual object classes challenge results[R]. 2007.
[46]	EVERINGHAM M , GOOL L V , WILLIAMS C K ,et al. The pascal visual object classes challenge 2012 results[R]. 2012.
[47]	LIN T Y , MAIRE M , BELONGIE S ,et al. Microsoft COCO:common objects in context[C]// Proceedings of European Conference on Computer Vision. Berlin:Springer, 2014: 740-755.
[48]	DALAL N , TRIGGS B . Histograms of oriented gradients for human detection[C]// Proceedings of IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2005: 886-893.
[49]	RUSSAKOVSKY O , DENG J , SU H ,et al. ImageNet large scale visual recognition challenge[J]. International Journal of Computer Vision, 2015,115(3): 211-252.
[50]	BRAUNEGG A , CHAKRABORTY A , KRUMDICK M ,et al. APRICOT:a dataset of physical adversarial attacks on object detection[J]. arXiv Preprint,arXiv:1912.08166, 2019.
[51]	LIU J , LEVINE A , LAU C P ,et al. Segment and complete:defending object detectors against adversarial patch attacks with robust patch detection[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2022: 14953-14962.
[52]	YU F , CHEN H F , WANG X ,et al. BDD100K:a diverse driving dataset for heterogeneous multitask learning[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2020: 2633-2642.
[53]	ERTLER C , MISLEJ J , OLLMANN T ,et al. The mapillary traffic sign dataset for detection and classification on a global scale[C]// Proceedings of European Conference on Computer Vision. Berlin:Springer, 2020: 68-84.
[54]	ANDRILUKA M , PISHCHULIN L , GEHLER P ,et al. 2D human pose estimation:new benchmark and state of the art analysis[C]// Proceedings of IEEE Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2014: 3686-3693.
[55]	HOU C C . The application of human detection based on YOLOv5[J]. Highlights in Science,Engineering and Technology, 2023,34: 203-208.
[56]	ZHAO Y , ZHU H , LIANG R G ,et al. Seeing isn’t believing:towards more robust adversarial attack against real world object detectors[C]// Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2019: 1989-2004.
[57]	XIAO C W , YANG D W , LI B ,et al. MeshAdv:adversarial meshes for visual recognition[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2020: 6891-6900.
[58]	SURYANTO N , KIM Y , KANG H ,et al. DTA:physical camouflage attacks using differentiable transformation network[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2022: 15284-15293.
[59]	WANG J K , LIU A S , YIN Z X ,et al. Dual attention suppression attack:generate adversarial camouflage in physical world[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2021: 8561-8570.
[60]	HUANG L F , GAO C Y , ZHOU Y Y ,et al. Universal physical camouflage attacks on object detectors[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2020: 717-726.
[61]	DUAN Y X , CHEN J L , ZHOU X Y ,et al. DPA:learning coated adversarial camouflages for object detectors[C]// Proceedings of the Thirty-First International Joint Conference on Artificial Intelligence. California:International Joint Conferences on Artificial Intelligence Organization, 2022: 1-14.
[62]	WANG D H , JIANG T S , SUN J L ,et al. FCA:learning a 3D full-coverage vehicle camouflage for multi-view physical adversarial attack[J]. Proceedings of the AAAI Conference on Artificial Intelligence, 2022,36(2): 2414-2422.
[63]	TAN J , JI N , XIE H D ,et al. Legitimate adversarial patches:evading human eyes and detection models in the physical world[C]// Proceedings of the 29th ACM International Conference on Multimedia. New York:ACM Press, 2021: 5307-5315.
[64]	WEI X X , LIANG S Y , CHEN N ,et al. Transferable adversarial attacks for image and video object detection[C]// Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence. California:International Joint Conferences on Artificial Intelligence Organization, 2019: 954-960.
[65]	HU Y C T , CHEN J C , KUNG B H ,et al. Naturalistic physical adversarial patch for object detectors[C]// Proceedings of IEEE/CVF International Conference on Computer Vision (ICCV). Piscataway:IEEE Press, 2022: 7828-7837.
[66]	HU Z H , HUANG S Y , ZHU X P ,et al. Adversarial texture for fooling person detectors in the physical world[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2022: 13297-13306.
[67]	ZHANG Y , FOROOSH H , DAVID P ,et al. CAMOU:learning physical vehicle camouflages to adversarially attack detectors in the wild[C]// Proceedings of International Conference on Learning Representations. Vancouver:ICLR, 2019: 1-20.
[68]	CAI Z K , XIE X X , LI S S ,et al. Context-aware transfer attacks for object detection[J]. Proceedings of the AAAI Conference on Artificial Intelligence, 2022,36(1): 149-157.
[69]	HUANG H , CHEN Z Y , CHEN H R ,et al. T-SEA:transfer-based self-ensemble attack on object detection[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2023: 20514-20523.
[70]	CAI Z K , RANE S , BRITO A E ,et al. Zero-query transfer attacks on context-aware object detectors[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2022: 15004-15014.
[71]	LIANG S Y , WU B Y , FAN Y B ,et al. Parallel rectangle flip attack:a query-based black-box attack against object detection[C]// Proceedings of IEEE/CVF International Conference on Computer Vision (ICCV). Piscataway:IEEE Press, 2022: 7677-7687.
[72]	LI Y , BIAN X , CHANG M C ,et al. Exploring the vulnerability of single shot module in object detectors via imperceptible background patches[J]. arXiv Preprint,arXiv:1809.0596612, 2018.

数据集	图像数量	实例数量	类别数量	年份	特点
VOC07^[45]	9 963	24 640	20	2007年	目标检测数据集，初步建立成一个完善的目标检测数据集
VOC12^[46]	11 530	27 450	20	2012年	目标检测数据集，与 VOC07 数据集互斥，测试数据集中只有图像，没有标签，可与VOC07结合使用
COCO^[47]	330 000	1 500 000	80	2014年	目标检测数据集，每一类图像多，检测难度大
Inria^[48]	2 573	1 826	1	2005年	行人检测数据集，标记的站立或行走的人的图像，部分标注不准确
ImageNet^[49]	5 354	—	30	2015年	视频目标检测数据集，每一类图像多，每个视频包括56～458帧图像
APRICOT^[50]	1 011	—	60	2020年	对抗补丁数据集，为每个补丁提供边界框注释，数据集包括室内和室外场景，不同时间、位置、比例、旋转和视角的补丁
APRICOT-Mask^[51]	1 011	—	60	2022年	对抗补丁掩模数据集，为APRICOT数据集中的每个补丁提供像素级注释
BDD^[52]	100 000	1 841 435	10	2018年	自动驾驶数据集，具有大规模、多样化、在街上采集的特点
MTSD^[53]	100 000	325 172	313	2019年	交通标志数据集，覆盖全球多个地区的街景
MPII^[54]	25 000	40 000	1	2014年	人体姿势数据集，图像涵盖了410个人类活动，从YouTube视频中提取
CCTV^[55]	921	559	1	2022年	此数据集来源于CCTV摄像头，只包含人类正例样本和负例样本
自制数据集	—	—	—	—	现实场景拍摄或虚拟场景截取图片等制作数据集，满足特殊场景要求

面向目标检测的对抗攻击与防御综述

Survey on adversarial attacks and defenses for object detection

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献 72

相关文章 15

Metrics

推荐阅读 0

[1]	陈晓霖, 昝道广, 吴炳潮, 关贝, 王永吉. 面向纵向联邦学习的对抗样本生成算法[J]. 通信学报, 2023, 44(8): 1-13.
[2]	陈晋音, 熊海洋, 马浩男, 郑雅羽. 基于对比学习的图神经网络后门攻击防御方法[J]. 通信学报, 2023, 44(4): 154-166.
[3]	鲁斌, 孙洋, 杨振宇. 基于原始点云网格自注意力机制的三维目标检测方法[J]. 通信学报, 2023, 44(10): 72-84.
[4]	廖育荣, 王海宁, 林存宝, 李阳, 方宇强, 倪淑燕. 基于深度学习的光学遥感图像目标检测研究进展[J]. 通信学报, 2022, 43(5): 190-203.
[5]	吴翼腾, 刘伟, 于洪涛. 图神经网络的标签翻转对抗攻击[J]. 通信学报, 2021, 42(9): 65-74.
[6]	陈九九, 冯春燕, 郭彩丽, 杨洋, 孙启政, 朱美逸. 车联网中视频语义驱动的资源分配算法[J]. 通信学报, 2021, 42(7): 1-11.
[7]	程旭, 王莹莹, 张年杰, 付章杰, 陈北京, 赵国英. 基于空间感知的多级损失目标跟踪对抗攻击方法[J]. 通信学报, 2021, 42(11): 242-254.
[8]	刘奇旭, 王君楠, 尹捷, 陈艳辉, 刘嘉熹. 对抗机器学习在网络入侵检测领域的应用[J]. 通信学报, 2021, 42(11): 1-12.
[9]	郭璠, 张泳祥, 唐琎, 李伟清. YOLOv3-A：基于注意力机制的交通标志检测网络[J]. 通信学报, 2021, 42(1): 87-99.
[10]	陈临强,杨全鑫,袁理锋,姚晔,张祯,吴国华. 视频对象移除篡改的时空域定位被动取证[J]. 通信学报, 2020, 41(7): 110-120.
[11]	赵羽,杨洁,刘淼,孙金龙,桂冠. 面向视频监控基于联邦学习的智能边缘计算技术[J]. 通信学报, 2020, 41(10): 109-115.
[12]	熊金波,毕仁万,陈前昕,刘西蒙. 边缘协作的轻量级安全区域建议网络[J]. 通信学报, 2020, 41(10): 188-201.
[13]	于晓涵,陈小龙,关键,黄勇. 雷达海上机动目标高分辨稀疏分数阶模糊函数检测方法[J]. 通信学报, 2019, 40(8): 72-84.
[14]	周鑫,何晓新,郑昌文. 基于图像深度学习的无线电信号识别[J]. 通信学报, 2019, 40(7): 114-125.
[15]	解文华，易本顺，肖进胜，甘良才. 基于像素与子块的背景建模级联算法[J]. 通信学报, 2013, 34(4): 24-200.