CN113792806A - Anti-patch generation method - Google Patents
- Publication number: CN113792806A
- Authority: CN (China)
- Legal status: Granted (per Google Patents; the legal status is an assumption and is not a legal conclusion)
Abstract
The invention discloses a method for generating an adversarial patch, comprising the following steps: acquiring a picture containing a target to be camouflaged from the data set, and randomly initializing a patch; defining the target ground-truth box on which the patch is pasted and the other ground-truth boxes on which no patch is pasted; scaling the patch according to targets of different sizes; adding the patch to the target to be camouflaged through a mask (anchor frame) constructed from the target ground-truth box; and inputting the picture with the adversarial patch pasted on it into the detection network, calculating the loss, and iteratively updating the adversarial patch until the target to be camouflaged is no longer detected by the detection network. The invention camouflages important ground-object targets: the whole target goes undetected as long as the adversarial patch covers a small part of the targeted object. The adversarial patch is placed at the center of the targeted object and hides the decision features that the object detector uses for that object, so that the confidence of the detector's prediction box falls below the threshold, thereby misleading the detection result.
Description
Technical Field
The invention belongs to the technical field of machine learning, and particularly relates to an adversarial patch generation method.
Background
In recent years, deep-learning-based object detectors have played an important role in detecting targets in remote sensing images. Although these detectors perform well, they have been found to be sensitive to inputs carrying a small perturbation: such a perturbation easily interferes with them and causes wrong outputs. Samples with a specific perturbation added are called adversarial examples.
The existence of adversarial examples threatens the performance of object detectors, but it also offers a new way to camouflage important ground-object targets and escape detection: deceive the object detector and lead it to a wrong decision, so that the important ground-object targets are hidden.
In the field of natural images, there have been many studies of attacks on object detectors, and the attacks take various forms: some generate global perturbations invisible to human vision, and others generate adversarial patches visible to human vision.
Deep learning has been highly successful in computer vision. Driven by data, end-to-end convolutional neural networks play an important role in many computer vision tasks and have improved their results. In recent years, deep learning techniques for computer vision have been widely applied in remote sensing, for example to change detection, ground-object classification and target recognition in remote sensing images, greatly improving the ability to process such images. Among these techniques, the object detector is an important application in remote sensing: it is widely used for building detection, airplane detection, ship detection and so on, replacing traditional manual detection and improving detection performance. However, the basic building block of the object detector is the convolutional neural network, which, despite its high performance, has certain vulnerabilities and is easily attacked by adversarial examples, producing wrong outputs.
Adversarial-example attacks on object detectors expose the detectors' lack of model robustness and threaten their application in remote sensing. Nevertheless, although adversarial examples pose a threat, they also suggest a way to camouflage important ground-object targets: deceive the object detector and lead it to a wrong decision, so that the important ground-object targets are hidden.
The traditional way to camouflage an important ground-object target is to hide it under a camouflage net. This is effective for small targets, but large targets (such as airplanes and ships) need a large camouflage net, which is difficult to produce, so the camouflage net is unsuitable in such scenarios. Instead, one can start from the object detector itself and exploit its weaknesses to attack it, thereby camouflaging large targets. To camouflage an important target using the adversarial examples that exist for object detectors, the first problem to solve is how to attack the object detector effectively, so that the important target is camouflaged without a large camouflage net.
Many early adversarial attack methods focus on generating a global perturbation that is invisible to human vision and adding it to a normal sample to interfere with the prediction of a deep convolutional neural network. Such attacks can be strong, but they are difficult to transfer to the real world. Brown et al. therefore proposed the adversarial patch: instead of a global invisible perturbation, the method generates a local, visible patch that interferes with the model's decision. It attacks effectively in the digital space and also transfers well from the digital space to the real world. So that the attack on the object detector can later be applied in the real world, the invention studies attacking remote sensing image object detectors by generating an adversarial patch, and replaces the camouflage net with the adversarial patch to camouflage important targets.
Adversarial examples were first discovered in image classification. Among current adversarial attack methods, the most direct is to add to the image a tiny global perturbation that humans cannot perceive, deceiving the deep neural network into a wrong prediction.
Attack methods that add a global perturbation achieve a good attack effect in the digital space, but they are unlikely to work in the physical world, because the generated global adversarial perturbation cannot be added to a physical-world scene; to deploy an adversarial example in the real world, the adversarial example generated in the digital space can only be printed in order to deceive a deep neural network model deployed there. To deploy adversarial attacks flexibly in the physical world, researchers have therefore explored attacks that generate a local adversarial patch that is relatively small and visible to humans. Such a patch changes only some pixels of the image, can be placed at any position in the image, and is robust. Early adversarial-example research mainly targeted image classifiers in the digital domain; object detectors are harder to attack than classifiers. The recognition process of an object detector is more complex: it can draw on image information around the target, it usually applies multi-scale operations such as pooling or feature mapping, and it is not limited to a single prediction, so it resists interference better. An attack on an object detector must mislead not only the label prediction but also the prediction of whether a target is present. For adversarial patch attacks on object detection, Liu et al. designed the DPatch attack specifically for object detectors. The method adds a patch to the picture so that all real detection boxes in the picture are shifted to the position of the patch; the detector is thereby attacked and cannot detect the real targets.
The adversarial patch generated by DPatch can effectively attack the YOLO and fast-RCNN detectors. However, DPatch does not constrain the pixel values of the generated patch, so they may fall outside the valid pixel range of the image. Thys et al. applied the adversarial patch attack to the person class in object detection, designed a new loss function, and proposed an adversarial patch generation method for attacking the person class. The method uses the maximum confidence among the detector's bounding boxes as the loss function and drives it down until the confidence of the person class falls below the threshold, which achieves the attack on the person class. Unlike DPatch, the patch is not placed in the upper left corner but pasted directly on the subject.
Disclosure of Invention
To make adversarial examples practically applicable in the physical world, the invention studies generating an adversarial patch to attack the object detector so that it cannot detect a specific target, thereby attacking object detectors in the remote sensing field. Unlike the YOLOv2 patch method above, which selects the maximum confidence as the objective function when generating the patch, the present invention optimizes all confidences of the targets of the category to be attacked and uses cross entropy as the objective function, which ensures that patch_noobj attacks targets of a specific category without affecting the detection of targets of other categories. In the invention, patch_noobj is mainly used to attack an airplane detector.
Specifically, the adversarial patch generation method disclosed by the invention comprises the following steps:
acquiring a picture containing a target to be camouflaged from the data set, and randomly initializing an adversarial patch, wherein the adversarial patch is used to interfere with the target to be camouflaged so that it is not detected;
defining, in the picture, the target ground-truth box on which the adversarial patch is pasted and the other ground-truth boxes on which it is not pasted, wherein the target ground-truth box is used to construct a mask (anchor frame) that locates the paste position of the adversarial patch in the picture, and the other ground-truth boxes are used to calculate the loss and optimize the adversarial patch;
scaling the adversarial patch by a certain ratio according to targets of different sizes;
adding the adversarial patch to the target to be camouflaged in the picture through the mask (anchor frame) constructed from the target ground-truth box, wherein the adversarial patch is pasted as follows:
$$x_{adv} = (1 - m) \odot x + m \odot p$$
where $m$ is the constructed mask (anchor frame) marking the positions at which the adversarial patch is placed, and $p$ is the adversarial patch;
inputting the picture with the adversarial patch pasted on it into a detection network, calculating the loss according to the following formula, and iteratively updating the adversarial patch through the loss until the target to be camouflaged in the picture is no longer detected by the detection network:
$$Loss = \beta\,Loss_{tv} + Loss_{noobj}$$
where $Loss_{tv}$ is the total variation loss of the generated adversarial patch, $Loss_{noobj}$ is the loss of bounding boxes that do not contain objects, and $\beta$ is a hyperparameter.
Further, $Loss_{tv}$ is calculated as follows:
where $p_{i,j}$ is the adversarial patch value at row $i$, column $j$; $p_{i+1,j}$ is the value at row $i+1$, column $j$; and $p_{i,j+1}$ is the value at row $i$, column $j+1$.
Further, $Loss_{noobj}$ is calculated as follows:
wherein, indicating if the box at i, j has no target, then Otherwise 0; $C_i$ is the predicted probability score that the box contains a target object; to true value; $\lambda_{noobj}$ is the weight of the confidence error in the loss function when the prediction box predicts no target.
Further, when the adversarial patch is pasted, it is pasted onto all the targets to be attacked in an image.
Further, the width and height of the scaled adversarial patch are calculated as follows:
where patch_size is a predefined reference value, α is the scaling factor, w is the width of the target, and h is the height of the target.
Further, mAP and recall are used to evaluate the effectiveness of the attack method.
To evaluate the proposed attack method, a series of experiments was constructed to measure its effectiveness against the YOLOv3 object detector. The experimental results show that the attack effectively prevents YOLOv3 from detecting airplanes: the AP of YOLOv3 on airplane detection falls from 0.938 to 0.4431, a reduction of 0.4949. In addition, to get the best performance from the attack, the size of the adversarial patch was studied and the size with the best attack effect was found. Furthermore, visualization was used to explore how the generated adversarial patch attacks the YOLOv3 object detector's detection of airplanes.
The invention has the following beneficial effects:
1. Exploiting the vulnerability of object detectors to adversarial examples, the method replaces the traditional camouflage net with an adversarial patch to camouflage important ground-object targets. The adversarial patch need only cover a small portion of the targeted object for the entire object to go undetected.
2. A new method of generating an adversarial patch to attack an object detector is provided: the adversarial patch is placed at the center of the targeted object and hides the decision features the detector uses for that object, so that the confidence of the detector's bounding box falls below the threshold and the detection result is misled.
3. The attack effect of the adversarial patch transfers across detectors; the YOLOv3 object detector is attacked successfully, and the targeted attack on a specific category does not affect the detection of other categories.
4. The adversarial patch interferes with the object detector's decision features: it occludes important decision features so that the detector attends to a large number of non-decision features and therefore makes wrong decisions.
5. The invention shows that, when attacking the object detector, a larger adversarial patch gives better attack performance up to a certain limit; once the patch size exceeds that limit, a larger size weakens the attack performance.
Drawings
FIG. 1 is a block diagram of the framework of the adversarial patch generation method of the present invention;
FIG. 2 compares the PR curves for a patch generated by the present invention, a randomly initialized patch (random), and a clean image (clean);
FIG. 3 compares the PR curves of the present invention and of OBJ, OBJ-CLS and CLS in adversarial YOLOv2;
FIG. 4 compares the attack performance of adversarial patches of different sizes;
FIG. 5 is a visualization analysis of feature extraction by the YOLOv3 detector on normal samples;
FIG. 6 is a visualization analysis of feature extraction by the YOLOv3 detector on adversarial examples with an adversarial patch pasted on;
FIG. 7 is a Grad-CAM visualization analysis of feature extraction by the YOLOv3 detector on normal samples;
FIG. 8 is a Grad-CAM visualization analysis of feature extraction by the YOLOv3 detector on adversarial examples with an adversarial patch pasted on.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings. All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations of features and/or steps that are mutually exclusive.
In order to make the objects, technical solutions and advantages of the present invention more apparent, the method of the present invention is further described in detail below with reference to practical examples. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Examples
As in the approach of Thys et al., the present invention generates the patch by optimizing the confidence of a particular class. In contrast, however, the method of Thys et al. selects the maximum confidence over all bounding boxes as the objective function when optimizing the patch. Such a strategy can hardly guarantee that the maximum confidence obtained belongs to the class targeted by the attack; the optimization may act on the confidences of bounding boxes of other classes and so affect their detection results. The present invention instead optimizes the confidences of all bounding boxes of targets of the class to be attacked, using cross entropy as the objective function, which ensures that patch_noobj attacks targets of the specific class without affecting the detection of targets of other classes.
YOLOv3 is a one-stage detection algorithm that recasts object detection as a single regression problem and obtains the bounding-box coordinates and class probabilities of targets in one step. The input picture is divided into an S × S grid and targets are detected per grid cell: each cell is responsible for predicting B bounding boxes and gives the object score (obj score) and class probability (class prob) of each. The bounding box indicates where a detected target is located, the obj score indicates whether the bounding box contains a target, and the class prob gives the probability that the target belongs to each class given that a target is present in the bounding box. During YOLOv3 training, the obj score of the background is pushed as close to zero as possible and the obj score of real targets toward 1. During YOLOv3 inference, the obj score and class prob are multiplied to obtain the final score of each bounding box.
Adversarial patch patch_noobj
To attack the object detector and camouflage a specific target, the obj score of the boxes in grid cells containing the real target is driven as close to 0 as possible, so that the boxes containing the real target are filtered out; this attacks the detector and camouflages the target.
In YOLOv3, the obj score, which reflects whether a box contains a real target, is determined by optimizing loss_obj. As shown in formula (1), loss_obj consists of two parts: the loss of bounding boxes that contain a target (obj) and the loss of bounding boxes that do not contain a target (noobj). To reduce the obj score and camouflage a specific target, the attack method therefore considers only loss_obj when optimizing the adversarial patch. Moreover, because the invention aims to camouflage a specific target without affecting the detection of targets of other classes, the complete loss_obj is not needed as the optimization function: only the noobj part is used, and reducing the noobj loss lowers the obj score of the target to be camouflaged. To steer the optimizer toward adversarial patches with smooth color transitions and prevent noisy images, the invention also computes the total variation loss_tv of the generated adversarial patch, as shown in formula (3), where P denotes the adversarial patch. In summary, the optimization objective has two parts, loss_noobj and loss_tv, which are combined into the overall loss function of the attack method as shown in formula (4), where β is a hyperparameter.
$$Loss = \beta\,Loss_{tv} + Loss_{noobj} \tag{4}$$
$$x_{adv} = (1 - m) \odot x + m \odot p \tag{5}$$
The framework of the invention is shown in FIG. 1. First, before the image is input to the detector, an adversarial patch (patch) is randomly initialized, and two sets of boxes are defined: target_ground_truth (target ground-truth boxes) for the targets on which the patch is to be pasted and other_ground_truth (other ground-truth boxes) for the targets on which it is not. target_ground_truth is used to construct the mask (anchor box) that locates the paste position of the patch, and other_ground_truth is used to calculate the loss and optimize the patch. Both are similar to the ground truth (correct label) of bounding boxes in an object detector and take the form [x, y, w, h], where x, y are the center coordinates of the target box and w, h are its width and height. The patch is added to the target to be camouflaged through the mask constructed from target_ground_truth; the pasting is given by formula (5), where m is the mask marking the positions at which the patch is placed and p is the patch. The picture with the patch pasted on is then input to the detection network, the loss is calculated according to formula (4), and the patch is iteratively updated through the loss.
In remote sensing, both aerial and satellite images differ from natural images in certain respects, such as spatial resolution. To improve attack robustness, the attack framework therefore does not paste a single patch to attack the targeted class, as some attack methods for natural images do; instead, a patch is pasted on every target to be attacked in an image.
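The pasting step of formula (5), as an added example that is not code from the patent and is meant for building patched test images when measuring a detector's robustness: it builds the mask m from [x, y, w, h] target boxes, centres one patch on every target, clamps patch values to the valid pixel range, and reports how much of each target the patch covers. The function names, the grayscale list-of-lists image and the sample values are assumptions constructed for illustration.

```python
import math


def place_patch(image, patch, target_boxes):
    """Apply x_adv = (1 - m) * x + m * p and return (x_adv, m).

    image        : H x W list of floats in [0, 1] (x in the formula)
    patch        : ph x pw list of floats (already scaled for the targets)
    target_boxes : list of [x, y, w, h], (x, y) = box centre in pixels
    """
    H, W = len(image), len(image[0])
    ph, pw = len(patch), len(patch[0])
    m = [[0] * W for _ in range(H)]      # mask: 1 where a patch pixel lands
    p = [[0.0] * W for _ in range(H)]    # patch drawn on a full-size canvas
    for x, y, _w, _h in target_boxes:    # one patch per target, centred on it
        top = math.floor(y - ph / 2)
        left = math.floor(x - pw / 2)
        for i in range(ph):
            for j in range(pw):
                r, c = top + i, left + j
                if 0 <= r < H and 0 <= c < W:   # clip at the image border
                    m[r][c] = 1
                    # keep the patch inside the valid pixel range
                    p[r][c] = min(1.0, max(0.0, patch[i][j]))
    x_adv = [[(1 - m[r][c]) * image[r][c] + m[r][c] * p[r][c]
              for c in range(W)] for r in range(H)]
    return x_adv, m


def coverage(m, box):
    """Fraction of the in-image part of a target box covered by the mask."""
    H, W = len(m), len(m[0])
    x, y, w, h = box
    top, left = math.floor(y - h / 2), math.floor(x - w / 2)
    rows = range(max(0, top), min(H, top + h))
    cols = range(max(0, left), min(W, left + w))
    area = len(rows) * len(cols)
    covered = sum(m[r][c] for r in rows for c in cols)
    return covered / area if area else 0.0


if __name__ == "__main__":
    # Constructed sample: 8 x 8 grey image, 2 x 2 patch with two out-of-range
    # values, one target in the middle and one clipped by the image corner.
    image = [[0.5] * 8 for _ in range(8)]
    patch = [[0.0, 1.7], [-0.3, 0.25]]
    boxes = [[4, 4, 4, 4], [0, 0, 4, 4]]
    x_adv, m = place_patch(image, patch, boxes)
    for box in boxes:
        frac = coverage(m, box)
        # a patch that hides the whole target tells us nothing about the detector
        print(box, "coverage", frac, "OK" if frac < 1.0 else "fully covered")
```
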
Different sized targets use different sized patches
The size of the patch is also an important factor in camouflaging the target. If the patch is too small, it will probably fail to camouflage some large targets; if it is too large, it may completely cover some small targets, in which case a person cannot see the target and cannot judge whether the patch has any attack effect. When the patch is pasted, it is therefore scaled according to the size of each target, so that large targets get large patches and small targets get small patches, while ensuring that the patch never completely covers the target.
To scale the patch, a reference patch size is defined first, for example 30 × 30 or 40 × 40; then the ratio between the target_ground_truth of each target to be camouflaged and the patch is calculated, and the reference patch is scaled by that ratio. The width and height of the scaled patch are calculated as shown in formulas (6) and (7), where α is a scaling factor.
Results of the experiment
Data set and evaluation index
The experiments were conducted on the DOTA dataset, which contains 2806 aerial images from Google Earth and some specific satellites; each image is approximately 4000 × 4000 in size and contains objects of various scales, orientations and shapes. The dataset covers 15 common object categories such as aircraft, ships, seaports and bridges. Because the raw images in DOTA vary in size and are large, which makes them unsuitable for training a YOLOv3 object detector, each raw image was cut into 1024 × 1024 images so that all data share the same format. After cutting, the training set grew from 1411 to 8666 images and the validation set from 459 to 2774. The class attacked in the invention is the airplane. Not every one of the 8666 images of the cut DOTA dataset contains an airplane target, so the images that do were selected; this gave 1718 images, on which the experiments of the invention are based.
To evaluate the effectiveness of the attack method, the same evaluation indexes are used as for attack methods on natural images: mAP and recall. To better show the influence of the attack on the precision and recall of the object detector, the PR curve is used for visual analysis. The PR curve reflects the relation between precision and recall: the further the PR curve of an object detector bulges toward the right, the better the detector; conversely, for an attack on an object detector, the further down and to the left the PR curve of the attacked detector lies, the more effective the attack.
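One way to compute the AP and recall figures used in this evaluation, as an added example that is not code from the patent: detections are matched to ground-truth boxes by IoU, then precision, recall and all-point interpolated AP are computed for a clean run and a patched run of the same detector. The IoU threshold of 0.5, the interpolation scheme, the function names and all boxes and scores are assumptions constructed for illustration.

```python
def iou(a, b):
    """IoU of two boxes given as [x, y, w, h] with (x, y) the box centre."""
    iw = min(a[0] + a[2] / 2, b[0] + b[2] / 2) - max(a[0] - a[2] / 2, b[0] - b[2] / 2)
    ih = min(a[1] + a[3] / 2, b[1] + b[3] / 2) - max(a[1] - a[3] / 2, b[1] - b[3] / 2)
    inter = max(0.0, iw) * max(0.0, ih)
    union = a[2] * a[3] + b[2] * b[3] - inter
    return inter / union if union > 0 else 0.0


def label_detections(dets, gts, iou_thr=0.5):
    """Mark each detection TP/FP, highest score first.

    dets: list of (image_id, score, box); gts: {image_id: [box, ...]}.
    A ground-truth box can be claimed once; later hits on it count as FP.
    """
    claimed = {img: [False] * len(boxes) for img, boxes in gts.items()}
    flags = []
    for img, _score, box in sorted(dets, key=lambda d: -d[1]):
        best, best_k = 0.0, -1
        for k, gt in enumerate(gts.get(img, [])):
            v = iou(box, gt)
            if v > best:
                best, best_k = v, k
        if best >= iou_thr and not claimed[img][best_k]:
            claimed[img][best_k] = True
            flags.append(True)
        else:
            flags.append(False)
    return flags


def pr_and_ap(flags, n_gt):
    """Precision/recall after each detection and the area under the PR curve."""
    prec, rec, tp = [], [], 0
    for n, is_tp in enumerate(flags, 1):
        tp += is_tp
        prec.append(tp / n)
        rec.append(tp / n_gt)
    mrec = [0.0] + rec + [1.0]
    mpre = [0.0] + prec + [0.0]
    for i in range(len(mpre) - 2, -1, -1):       # monotone precision envelope
        mpre[i] = max(mpre[i], mpre[i + 1])
    ap = sum((mrec[i + 1] - mrec[i]) * mpre[i + 1] for i in range(len(mrec) - 1))
    return prec, rec, ap


def evaluate(dets, gts):
    n_gt = sum(len(boxes) for boxes in gts.values())
    _prec, rec, ap = pr_and_ap(label_detections(dets, gts), n_gt)
    return {"ap": ap, "recall": rec[-1] if rec else 0.0}


# Constructed sample: four airplanes in two image tiles.
GT = {"tile_a": [[100, 100, 40, 40], [300, 100, 40, 40]],
      "tile_b": [[100, 300, 40, 40], [300, 300, 40, 40]]}
# Detector output on the clean tiles: all four found, one false alarm.
CLEAN = [("tile_a", 0.95, [100, 100, 40, 40]), ("tile_a", 0.90, [302, 101, 40, 40]),
         ("tile_b", 0.80, [500, 500, 40, 40]), ("tile_b", 0.70, [100, 298, 42, 40]),
         ("tile_b", 0.60, [299, 300, 40, 38])]
# Output on the patched tiles: two airplanes no longer pass the score filter.
PATCHED = [("tile_a", 0.90, [100, 100, 40, 40]), ("tile_b", 0.50, [500, 500, 40, 40]),
           ("tile_b", 0.40, [300, 300, 40, 40])]

if __name__ == "__main__":
    print("clean  ", evaluate(CLEAN, GT))
    print("patched", evaluate(PATCHED, GT))
```

The drop in AP and recall between the two runs is the quantity the experiments below report; the same harness can track whether a hardened detector closes that gap.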
Experimental setup
In this section, a YOLOv3 target detection model is trained on the DOTA dataset cut into 1024 x 1024 images; the average mAP of the model over the 15 categories of the cut DOTA dataset is 0.639, and its mAP for the airplane category targeted by the invention is 0.919. We then apply our attack method patch_noobj and the adaptive YOLOv2 attack method to the trained YOLOv3 target detector and compare their attack effects. To demonstrate the transferability of the patch_noobj attack method, we carried out an experiment on the transferability of the attack effect. Next, we conducted further experiments on the attack effect of patches of different sizes. Finally, we explored why the countermeasure patch can attack the target detector.
Countermeasure patch attack
In this part of the experiment, we first evaluated the performance of our attack method, patch_noobj, against the YOLOv3 target detector. We used patch_noobj to generate a countermeasure patch of size 30 x 30, pasted this patch onto the 1718 images, fed them to the YOLOv3 target detector, and evaluated how well the detector detects the airplane. For comparison, we attacked the YOLOv3 target detector with a randomly initialized patch of the same size. The results of the experiment are shown in FIG. 2. As can be seen from FIG. 2, our method has a good attack effect, judged both by the position of the PR curve and by the value of the AP. The PR curve for the countermeasure patch generated by patch_noobj lies further to the lower left than the PR curve for the clean image, and the countermeasure patch generated by patch_noobj reduces the AP of the YOLOv3 target detector on the airplane from the best AP (93.8%) on the clean image to 44.3%, a total reduction of 49.5%. The randomly initialized noise patch can only reduce the AP of the detector to 81.2%, a total reduction of 12.6%.
In addition, the attack method of the invention is similar to the adaptive YOLOv2 method in its optimization strategy for the countermeasure patch, so the two methods are compared. Adaptive YOLOv2 has three optimization strategies, namely OBJ, CLS and OBJ-CLS: OBJ-CLS aims to minimize the product of the object confidence and the category confidence, OBJ aims to minimize the object confidence, and CLS minimizes only the category confidence. We compared the attack effect of all three optimization strategies. FIG. 3 shows the comparison results. As can be seen from FIG. 3, OBJ has the best attack effect among the three adaptive YOLOv2 methods and reduces the AP of the YOLOv3 target detector on the airplane to 65.1%, but our method has a better attack effect and reduces the AP to 44.3%.
Methods such as OBJ, the best-performing attack in adaptive YOLOv2, optimize the maximum object confidence in the image when carrying out a directed attack. This optimization strategy can hardly guarantee that the maximum object confidence obtained belongs to the class to be attacked, so the object confidence of other classes may be optimized during the optimization process, which affects the detection results of other classes. Our method, in contrast, optimizes only the object confidence of the class to be attacked during the optimization process, and in theory does not affect the detection results of other classes. Therefore, to explore the influence of the attack method on the detection results of other classes, we carried out a statistical analysis of the detection results for targets of other classes.
In this part of the experiment, because the 1718 images containing the airplane class include only a few objects of other classes and the AP values for those classes in the YOLOv3 detection results were low, we screened the classes other than airplane and selected only those with an AP of not less than 30% to explore the influence of the countermeasure patch on them. The results of the experiment are shown in Table 1. As can be seen from Table 1, the countermeasure patch generated by our attack method has the least impact on the detection results of other classes. Under the attack of our method, the YOLOv3 detector reaches an AP of 58.8% on the other categories, which is only 0.003% lower than the AP on the clean image and 0.001% lower than the AP under the random noise patch, and is superior to the AP under the OBJ method, being 0.003% higher.
TABLE 1
From the above experiments, it can be seen that a randomly generated noise patch also has a certain influence on the detector. To evaluate our attack method more comprehensively, we therefore explored the attack performance of the countermeasure patch generated by our method on black-box models. We took the countermeasure patch trained on the YOLOv3 detector and evaluated its effect on the detection of two other models, YOLOv5 and Faster R-CNN. The results of the experiment are shown in Table 2. The table shows that the countermeasure patch trained on YOLOv3 attacks the black-box models YOLOv5 and Faster R-CNN, reducing the AP of the two models on the airplane category to 73.7% and 61.0%, reductions of 23.5% and 20.5% respectively compared with the clean image, and that the countermeasure patch attacks the two black-box models more strongly than the noise patch obtained by random initialization.
TABLE 2
Attack performance of countermeasure patches of different sizes
The size of the countermeasure patch affects its attack performance against target detection: patches of different sizes may perform differently, a small patch may attack poorly and a large patch may attack well. We explored the attack performance of countermeasure patches of five different sizes; the results are shown in FIG. 4 and Table 3. The overall trend in the experimental results is that attack performance is poor when the countermeasure patch is small and strong when it is large. Looking at the results in detail, however, the countermeasure patch attacks best at a size of 30 × 30: below 30 × 30 the attack performance gradually increases with size, and above 30 × 30 it gradually decreases with size. That is, a larger countermeasure patch gives better attack performance only up to a certain limit, and once the size exceeds that limit the attack performance starts to decrease.
TABLE 3
How the countermeasure patch works
The above experiments show that the countermeasure patch generated by our attack method can indeed attack the YOLOv3 detector by reducing the target confidence of the class under directed attack, but they do not show how the countermeasure patch interferes with the YOLOv3 detector so that this confidence is reduced. In this experiment we therefore investigated the reason.
The target detection task extracts features and scene information from an input image through a convolutional neural network, fuses and reprocesses the information between objects and scene, and finally achieves accurate detection of the target. To verify this hypothesis, we performed visual analysis with the aid of Grad-CAM, an interpretability algorithm from the image classification task.
For a given target class, Grad-CAM calculates the importance weight of the features of each channel of the last convolutional layer for identifying the target, then performs a weighted summation of the feature maps of the last convolutional layer according to the calculated importance weights to obtain a heat map of activation response values, and finally restores the heat map to the size of the original image through upsampling and fuses it with the original image. The formula for calculating the importance weight of Grad-CAM is shown in formula (8), where Z represents the number of pixels of the feature map, $y^c$ represents the score of the c-th category, indicates the activation value at the (i, j) position in the k-th feature map.
Using Grad-CAM, we performed visual analysis of the feature extraction of the YOLOv3 detector on normal samples and on adversarial samples with the countermeasure patch pasted on; the experimental results are shown in FIGS. 5-8. As can be seen from the figures, for a clean image the feature region the detector attends to while detecting the airplane is essentially on the airplane body, and the degree of attention is high. After the countermeasure patch is pasted on the airplane, for airplanes that are attacked successfully the feature region the detector attends to shifts from the airplane body to other positions; where the feature region is still on the airplane body, the degree of attention is markedly reduced. The experimental results show that the countermeasure patch can attack the detector because it affects the detector's capture of aircraft features, so that the detector loses the context information of the aircraft and is eventually deceived.
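The Grad-CAM weighting and the clean-versus-patched comparison described above can be turned into a number a defender can monitor: the share of heat-map mass that falls inside the detected object's box. This is an added example, not code from the patent; it uses the standard Grad-CAM channel weight (the mean gradient of the class score over each feature map), and the feature maps, gradients, box coordinates (given in feature-map cells) and the 0.5 threshold are constructed assumptions.

```python
# Added example: Grad-CAM channel weights plus an attention-in-box ratio.
# Every feature map, gradient and box below is constructed for illustration.

def grid(h, w, cells, value):
    """h x w map holding `value` at the listed (row, col) cells, 0 elsewhere."""
    return [[value if (i, j) in cells else 0.0 for j in range(w)]
            for i in range(h)]

def gradcam_weights(grads):
    """alpha_k = (1/Z) * sum_ij d(y^c)/d(A^k_ij): one weight per channel k."""
    weights = []
    for g in grads:                       # g is the H x W gradient map of channel k
        z = len(g) * len(g[0])            # Z = number of pixels in the feature map
        weights.append(sum(sum(row) for row in g) / z)
    return weights

def gradcam_map(acts, grads):
    """ReLU of the weighted sum of feature maps, scaled so the peak is 1."""
    alpha = gradcam_weights(grads)
    h, w = len(acts[0]), len(acts[0][0])
    cam = [[max(0.0, sum(a * act[i][j] for a, act in zip(alpha, acts)))
            for j in range(w)] for i in range(h)]
    peak = max(max(row) for row in cam)
    if peak == 0.0:                       # no positive evidence for the class
        return cam
    return [[v / peak for v in row] for row in cam]

def attention_in_box(cam, box):
    """Share of the heat map's mass inside box = (r0, c0, r1, c1), end-exclusive."""
    r0, c0, r1, c1 = box
    total = sum(sum(row) for row in cam)
    if total == 0.0:
        return 0.0
    return sum(cam[i][j] for i in range(r0, r1) for j in range(c0, c1)) / total

def attention_shifted(ratio, floor=0.5):
    """Flag a detection whose attention has left the object (floor is assumed)."""
    return ratio < floor

# Constructed 4 x 4 feature maps with two channels: channel 0 responds to the
# airplane body, channel 1 to background corners.
BOX = (1, 1, 3, 3)
BODY = {(1, 1), (1, 2), (2, 1), (2, 2)}
CORNERS = {(0, 0), (0, 3), (3, 0), (3, 3)}

CLEAN_ACTS = [grid(4, 4, BODY, 1.0), grid(4, 4, {(0, 0), (3, 3)}, 1.0)]
CLEAN_GRADS = [grid(4, 4, BODY, 2.0), grid(4, 4, {(0, 0), (3, 3)}, 0.8)]
# Patched sample: body response suppressed, score now driven by the background.
PATCHED_ACTS = [grid(4, 4, BODY, 0.2), grid(4, 4, CORNERS, 1.0)]
PATCHED_GRADS = [grid(4, 4, BODY, 0.4), grid(4, 4, CORNERS, 2.0)]

def demo():
    """Return the attention-in-box ratio for the clean and patched samples."""
    clean = attention_in_box(gradcam_map(CLEAN_ACTS, CLEAN_GRADS), BOX)
    patched = attention_in_box(gradcam_map(PATCHED_ACTS, PATCHED_GRADS), BOX)
    return clean, patched

if __name__ == "__main__":
    clean, patched = demo()
    print(f"clean   in-box attention: {clean:.3f}  shifted={attention_shifted(clean)}")
    print(f"patched in-box attention: {patched:.3f}  shifted={attention_shifted(patched)}")
```

On real detector output the box must first be scaled to the resolution of the upsampled heat map, and the threshold should be calibrated on clean validation images.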
The invention has the following beneficial effects:
1. Exploiting the fact that target detectors are vulnerable to adversarial samples, the method proposes replacing the traditional camouflage net with a countermeasure patch to camouflage important ground targets. The countermeasure patch need only cover a small portion of the targeted object for the entire object to go undetected.
2. A novel method for generating a countermeasure patch to attack a target detector is provided: the countermeasure patch is placed at the center of the directed target and hides the decision features of that target in the target detector, so that the confidence of the bounding box in the detector falls below a threshold value and the detection result of the detector is misled.
3. The attack effect of the countermeasure patch transfers across detectors; the YOLOv3 target detector can be attacked successfully, and the detection of other classes is not affected while the specific class is attacked in a directed manner.
4. The countermeasure patch interferes with the decision features of the target detector, shielding important decision features so that the detector focuses on a large number of non-decision features and thereby makes wrong decisions.
5. The invention discloses that, when the target detector is attacked, a larger countermeasure patch gives better attack performance only up to a certain limit; when the size of the countermeasure patch exceeds this limit, increasing the size weakens the attack performance.
The above-mentioned embodiments only express specific embodiments of the present invention, and their description is relatively specific and detailed, but they are not to be construed as limiting the scope of the present invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the inventive concept, all of which fall within the scope of the present invention.
Claims (6)
1. A countermeasure patch generation method, the method comprising:
acquiring a picture with a disguised target from the data set, and randomly initializing a countermeasure patch, wherein the countermeasure patch is used for interfering with the disguised target so as to prevent the disguised target from being detected;
defining a target real frame pasted with the countermeasure patch and other real frames not pasted with the countermeasure patch in the picture, wherein the target real frame is used for constructing an anchor frame, the anchor frame is used for positioning the pasting position of the countermeasure patch in the picture, and the other real frames are used for calculating loss and optimizing the countermeasure patch;
scaling the countermeasure patch by a certain proportion according to targets with different sizes;
adding the countermeasure patch to the disguised target in the picture according to the anchor frame constructed from the target real frame, wherein the pasting mode of the countermeasure patch is as follows:
$x_{adv} = (1 - m) \odot x + m \odot p$
wherein m represents the position of the constructed anchor frame for placing the countermeasure patch, and p represents the countermeasure patch;
inputting the picture pasted with the countermeasure patch into a detection network, performing loss calculation according to the following formula, and iteratively updating the countermeasure patch through the loss calculation until the disguised target in the picture is not detected by the detection network:
$Loss = \beta \, Loss_{tv} + Loss_{noobj}$
wherein $Loss_{tv}$ is the total variation of the generated countermeasure patch, $Loss_{noobj}$ is the loss of bounding boxes that do not contain objects, and $\beta$ is a hyperparameter.
2. The countermeasure patch generation method of claim 1, wherein $Loss_{tv}$ is calculated as follows:
wherein $p_{i,j}$ is the countermeasure patch at row i and column j, $p_{i+1,j}$ is the countermeasure patch at row i+1 and column j, and $p_{i,j+1}$ is the countermeasure patch at row i and column j+1.
3. The countermeasure patch generation method of claim 1, wherein $Loss_{noobj}$ is calculated as follows:
wherein, indicating if the box at i, j has no target, then Otherwise 0, $C_i$ is the predicted probability score that the frame contains the target object, to true value, and $\lambda_{noobj}$ is a weight value representing the weight of the confidence error in the loss function when the prediction box predicts no target.
4. The countermeasure patch generation method of claim 1, wherein the countermeasure patch is pasted for all desired targets in an image.
6. The countermeasure patch generation method of claim 1, wherein mAP and recall are used to evaluate the effectiveness of the attack method.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111090742.4A CN113792806B (en) | 2021-09-17 | 2021-09-17 | Method for generating countermeasure patch |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113792806A | 2021-12-14 |
CN113792806B | 2024-08-23 |
Family
ID=79183779
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111090742.4A Active CN113792806B (en) | 2021-09-17 | 2021-09-17 | Method for generating countermeasure patch |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113792806B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||