| 两阶段目标类指引的行人检测对抗补丁生成算法 |
| |
| 引用本文: | 杨弋鋆,邵文泽,邓海松,葛琦,李海波.两阶段目标类指引的行人检测对抗补丁生成算法[J].重庆邮电大学学报(自然科学版),2022,34(4):565-575. |
| |
| 作者姓名: | 杨弋鋆 邵文泽 邓海松 葛琦 李海波 |
| |
| 作者单位: | 南京邮电大学 通信与信息工程学院, 南京 210003;南京邮电大学 通信与信息工程学院, 南京 210003;南京理工大学 高维信息智能感知与系统教育部重点实验室, 南京 210094;南京审计大学 统计与数据科学学院, 南京 211815 |
| |
| 基金项目: | 国家自然科学基金(61771250, 11901299);中央高校基本科研业务费专项资金(30918014108) |
| |
| 摘 要: | 针对缘于深度学习模型脆弱性的对抗样本攻击这一国内外热门研究课题,以无人驾驶等实际应用为背景,探讨了针对Yolo-v2行人检测系统的对抗攻击方法;基于Yolo-v2对行人目标的预测置信度和分类概率,提出基于两阶段目标类指引的行人检测对抗补丁生成算法。创新性地提出了目标类指引的攻击策略,通过先后实施目标类指引的对抗补丁生成和对抗补丁增强,有效引导了对抗补丁在训练生成过程中的收敛方向,以此逐步提升对抗补丁攻击行人检测系统的能力;在Inria数据集上实现了79个目标类指引的对抗补丁生成训练与测试。结果表明,算法以“teddy bear”为目标类生成了攻击效果最佳的对抗补丁,行人检测交并比(IOU)指标可达0.043 5,显著优于对照算法的0.244 8。
|
| 关 键 词: | 深度学习 对抗样本 对抗补丁 物体检测 |
| 收稿时间: | 2020/12/24 0:00:00 |
| 修稿时间: | 2022/5/31 0:00:00 |
Target-guided adversarial patch generation for two-stage pedestrian detection attack |
| |
| YANG Yijun,SHAO Wenze,DENG Haisong,GE Qi,LI Haibo.Target-guided adversarial patch generation for two-stage pedestrian detection attack[J].Journal of Chongqing University of Posts and Telecommunications,2022,34(4):565-575. |
| |
| Authors: | YANG Yijun SHAO Wenze DENG Haisong GE Qi LI Haibo |
| |
| Institution: | College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing 210003, P. R. China;College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing 210003, P. R. China;Key Laboratory of Intelligent Perception and Systems for High-Dimensional Information of Ministry of Education, Nanjing University of Science and Technology, Nanjing 210094, P. R. China;School of Statistics and Mathematics, Nanjing Audit University, Nanjing 211815, P. R. China |
| |
| Abstract: | Owing to the vulnerability of deep learning models, attack with adversarial examples has become a pretty hot topic in the past several years at home and abroad. This paper mainly discusses the vulnerability of Yolo-v2, which is a well-known candidate pedestrian detection model for driverless cars. In short, a target-guided two-stage approach is proposed for generating adversarial patches so as to fool Yolo-v2. Specifically speaking, the approach puts forward a new target-guided attack strategy, which enables adversarial patches converge to a definite direction, and successively conducts two stages of adversarial training, which gradually enhances the ability of adversarial patches attacking Yolo-v2. Using Inria as the training set and guided by 79 target classes, it is empirically found that the class "teddy bear" helps the proposed method achieve the best attacking performance. The pedestrian detection IOU of the attacked Yolo-v2 is 0.043 5, which is significantly lower than reference algorithm. |
| |
| Keywords: | deep learning adversarial examples adversarial patch object detection |
|
| 点击此处可从《重庆邮电大学学报(自然科学版)》浏览原始摘要信息 |
| 点击此处可从《重庆邮电大学学报(自然科学版)》下载免费的PDF全文 |
|
