Adversarial Patch Attack Method for Vehicle Target Detection

Because intelligent recognition systems are susceptible to adversarial sample attacks, research on adversarial sample attack methods for target detection is of great significance for improving the safety of autonomous driving. By studying the transfer-based self-ensemble attack adversarial sample generation algorithm, and based on trained Faster R-CNN and YOLOX white-box target detectors, a cross-model and cross-instance vehicle target detection attack method was designed. Through training, a universal adversarial patch was obtained, which achieved recognition attacks on two types of target detectors and three types of vehicles, causing incorrect recognition results to be output. In testing, the average decrease in mAP was about 41.6%. The research results have certain reference significance for the study of autonomous driving safety.


Introduction
In recent years, AI security issues due to technical limitations or malicious applications have become increasingly prominent [1], and research has shown that deep neural networks are vulnerable to adversarial samples [2,3,4]. Adversarial samples are obtained by adding well-designed, imperceptible perturbations to the input image, which can induce the deep neural network to output incorrect predictions. A physical adversarial attack refers to the insertion of adversarial samples into the physical world to make the inference of the deep neural network incorrect [5]. Due to the wide application of deep learning technology [6] in the physical world, unlike other cybersecurity issues, deep learning security risks are more prevalent, complex, and strategically significant, making adversarial attacks in the physical world more relevant.

Adversarial Attacks Facing Intelligent Recognition of Autonomous Driving
Autonomous driving technology has been considered the future trend of the automotive industry [7], but several technical difficulties remain. For example, the intelligent recognition technology of autonomous driving needs to meet high safety standards, because decision-making errors caused by wrong recognition results can bring serious injuries to drivers and pedestrians. The data show that pasting patches with adversarial patterns generated by special training can easily fool the on-board visual recognition and detection system, such as recognizing a stop sign as a speed limit of 60 km/h. Industry insiders believe that, to realize the benign development of autonomous driving, it is necessary to work hard on aspects such as data security and reliable algorithms. Therefore, targeted research on target detection attack methods and the generation mechanism of such adversarial patterns, followed by research on defense measures and reinforcement of the recognition model, can largely avoid attacks by adversarial samples in the physical world on the intelligent recognition system, and so promote the benign development of the autonomous driving industry.

Generic Adversarial Sample Generation Method for Vehicle Target Detection
Adversarial sample generation methods are also known as adversarial attacks. The paper uses T-SEA [8] (Transfer-based Self-Ensemble Attack on Object Detection) as the attack method. Unlike query-based black-box attacks, it requires no information about the attacked object, which ensures the confidentiality of the attack. However, most existing transfer-based approaches rely on ensembling multiple models to improve the transferability of the attack, which is time- and resource-intensive, not to mention the difficulty of obtaining multiple models for the same task. To this end, T-SEA is a single-model transfer-based black-box attack on target detection that achieves a highly transferable adversarial attack against multiple black-box detectors using only one model. Specifically, T-SEA proposes an enhanced attack framework by observing the patch optimization process of traditional methods and slightly adjusting its training strategy. T-SEA then draws an analogy between patch optimization and conventional model optimization, and proposes a series of self-ensemble methods for the input data, the attacked model, and the adversarial patch to make effective use of the limited information and prevent patch overfitting.

Based on the T-SEA framework, the paper integrates the current mainstream one-stage and two-stage target detection algorithms (YOLOX and Faster R-CNN, respectively) [9,10,11,12], and designs the CCPA (Cross-model Cross-image Patch-based Attack) attack method. The pipeline of the attack algorithm is shown in Fig. 1. Here $w_{det}$ and $w_{tv}$ are the weights of the detection loss and TV-Loss respectively, which are set to 1 and 2.5, $Det$ is the detection model, $A$ is the image with the patch added, and TV-Loss is a denoising regularization term with the following formula:


where P is the trained adversarial patch.
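The weighted loss described above, evaluated on constructed inputs to show what the TV term penalizes at the stated weights. This is an added example, not code from the paper or from T-SEA. The TV form used (mean absolute difference between neighbouring pixels) is an assumption, since the paper's own TV formula is not reproduced here; the function names, the single-channel patches and the detector confidences are hypothetical.

```python
# Added illustration, not the paper's code. The TV form (mean absolute
# difference between adjacent pixels) is an assumed, commonly used variant.

W_DET = 1.0   # detection-loss weight stated in the text
W_TV = 2.5    # TV-Loss weight stated in the text


def tv_loss(patch):
    """Mean absolute difference between horizontally/vertically adjacent pixels."""
    h, w = len(patch), len(patch[0])
    total, count = 0.0, 0
    for y in range(h):
        for x in range(w):
            if x + 1 < w:
                total += abs(patch[y][x + 1] - patch[y][x])
                count += 1
            if y + 1 < h:
                total += abs(patch[y + 1][x] - patch[y][x])
                count += 1
    return total / count if count else 0.0


def iter_loss(det_confidences, patch):
    """w_det * avg(Det(A)) + w_tv * TV(P).

    Det(A) is represented by the list of confidences the detector reports
    for the patched image A (empty list: nothing detected).
    """
    avg_det = sum(det_confidences) / len(det_confidences) if det_confidences else 0.0
    return W_DET * avg_det + W_TV * tv_loss(patch)


# Constructed 75x75 single-channel patches with pixel values in [0, 1].
SIZE = 75
flat = [[0.5] * SIZE for _ in range(SIZE)]                      # no variation
ramp = [[x / (SIZE - 1) for x in range(SIZE)] for _ in range(SIZE)]  # smooth gradient
checker = [[float((x + y) % 2) for x in range(SIZE)] for y in range(SIZE)]  # max noise

# Constructed detector confidences for one patched image.
confidences = [0.9, 0.8, 0.7]

if __name__ == "__main__":
    for name, p in (("flat", flat), ("ramp", ramp), ("checker", checker)):
        print(f"{name:8s} TV={tv_loss(p):.4f}  IterLoss={iter_loss(confidences, p):.4f}")
```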

Datasets and target detectors
The vehicle dataset used in this paper is a publicly released dataset with a total of about 1500 photos of 120*120 pixels, covering three kinds of targets, namely cars, trucks and bicycles. The vehicles are parked in a variety of poses with light and shadow variations, which is close to real conditions. Dataset preparation mainly consists of converting these photos into a format that conforms to the VOC2007 dataset and generating the corresponding xml annotation file for each image. Based on the same dataset, the one-stage and two-stage target detection algorithms YOLOX and Faster R-CNN were selected to train target detectors capable of detecting the three types of vehicles. The mAP metrics of the detectors are shown in Table 1, which shows that the mAPs of the two target detectors are both close to 0.9, indicating good detection performance.

It can be seen that clean samples of all three types of vehicle targets can be detected, but when the trained adversarial patches are added, the same detector outputs incorrect detection results, that is, some vehicles are not detected, indicating that the adversarial samples have a certain attack effect. In testing, after the attack by the adversarial patch, the mAP of Faster R-CNN decreases from 0.8985 to 0.5936, a reduction of 0.305; the mAP of YOLOX decreases from 0.8965 to 0.3676, a reduction of 0.5289. This gives an average decrease in the mAP of the two types of white-box target detectors of 0.416, indicating that the attack is effective. It can be seen that there is still room for improvement in the effectiveness of the adversarial patch attack. Analysis shows that this attack method sacrifices a certain success rate in order to achieve cross-model attacks. If only a single target detector is subjected to adversarial sample attacks, the success rate of the attack will be greatly improved.

Conclusions
By studying and designing cross-model and cross-instance vehicle target detection attack methods, based on the trained Faster R-CNN and YOLOX white-box target detectors, a universal adversarial patch was trained, which causes the two target detectors to output incorrect recognition results when identifying three types of vehicles. In testing, the average mAP decrease was about 41.6%. The next research focus should be on improving the robustness and success rate of adversarial patch attacks.

Figure 1. Pipeline of CCPA Attack Method. First, the dataset photos are fed into the pre-trained Faster R-CNN and YOLOX target detectors, whose outputs are processed by NMS to obtain the detection results with the target detection boxes. Then, the randomly initialized generic patch, after being placed on the surface of the target, is re-fed into the target detector to set the integrated loss function Iter Loss: $\text{Iter Loss} = w_{det} \cdot \mathrm{avg}(Det(A)) + w_{tv} \cdot TV(P)$

As shown in Fig. 2, throughout the training process, the value of Iter-loss decreases from 1.2 at the beginning to near 0.86 as the number of training iterations increases, and finally basically reaches a converged state, indicating that the network is well trained.

Figure 2. Iter-loss training convergence curves.

Figure 3. Generic Adversarial Patch.

After training, the cross-model cross-instance generic adversarial patch capable of attacking vehicle target detection is obtained with a size of 75*75 pixels, as shown in Fig. 3, which can be added to a vehicle photo to attack the target detector.


Figure 4. Generic Adversarial Sample Cross-Model Attack Effectiveness. Panels: a. Clean sample tested by Faster R-CNN; b. Clean sample tested by YOLOX; c. Adversarial samples tested by Faster R-CNN; d. Adversarial samples tested by YOLOX.

One photo each of cars, trucks and bicycles is selected for the attack test. As shown in Fig. 4, columns a and b show the effect graphs of the clean samples after Faster R-CNN and YOLOX

Table 1. Target detector mAP.

Generic Adversarial Patch Training Process
In the training process of the generic adversarial patch, the pre-training weight files of two types of white-box target detectors, Faster R-CNN and YOLOX, as well as the generic patch carrying a random initialization noise are loaded, and the main parameters of the training process are set as shown in Table 2.