Zhao Ling, Lv Xun, Zhu Lili, Luo Binyan, Cao Hang, Cui Jiahao, Li Haifeng, Peng Jian
Department of School of Geosciences and Info-Physics, Central South University, Changsha 410083, China.
Department of Hunan Provincial Institute of Land and Resources Planning, Hunan Key Laboratory of Land Resources Evaluation and Utilization, Changsha 410083, China.
J Imaging. 2025 Jan 13;11(1):25. doi: 10.3390/jimaging11010025.
The increasing reliance on deep neural network-based object detection models in various applications has raised significant security concerns due to their vulnerability to adversarial attacks. In physical 3D environments, existing adversarial attacks that target object detection (3D-AE) face significant challenges. These attacks often require large and dispersed modifications to objects, making them easily noticeable and reducing their effectiveness in real-world scenarios. To maximize the attack effectiveness, large and dispersed attack camouflages are often employed, which makes the camouflages overly conspicuous and reduces their visual stealth. The core issue is how to use minimal and concentrated camouflage to maximize the attack effect. Addressing this, our research focuses on developing more subtle and efficient attack methods that can better evade detection in practical settings. Based on these principles, this paper proposes a local 3D attack method driven by a Maximum Aggregated Region Sparseness (MARS) strategy. In simpler terms, our approach strategically concentrates the attack modifications to specific areas to enhance effectiveness while maintaining stealth. To maximize the aggregation of attack-camouflaged regions, an aggregation regularization term is designed to constrain the mask aggregation matrix based on the face-adjacency relationships. To minimize the attack camouflage regions, a sparseness regularization is designed to make the mask weights tend toward a U-shaped distribution and limit extreme values. Additionally, neural rendering is used to obtain gradient-propagating multi-angle augmented data and suppress the model's detection to locate universal critical decision regions from multiple angles. These technical strategies ensure that the adversarial modifications remain effective across different viewpoints and conditions. We test the attack effectiveness of different region selection strategies. On the CARLA dataset, the average attack efficiency of attacking the YOLOv3 and v5 series networks reaches 1.724, which represents an improvement of 0.986 (134%) compared to baseline methods. These results demonstrate a significant enhancement in attack performance, highlighting the potential risks to real-world object detection systems. The experimental results demonstrate that our attack method achieves both stealth and aggressiveness from different viewpoints. Furthermore, we explore the transferability of the decision regions. The results indicate that our method can be effectively combined with different texture optimization methods, with the average precision decreasing by 0.488 and 0.662 across different networks, which indicates a strong attack effectiveness.
在各种应用中,对基于深度神经网络的目标检测模型的依赖日益增加,由于其易受对抗攻击,引发了重大安全问题。在物理三维环境中,现有的针对目标检测的对抗攻击(3D - AE)面临重大挑战。这些攻击通常需要对物体进行大规模且分散的修改,这使得它们很容易被察觉,并降低了其在现实场景中的有效性。为了最大化攻击效果,通常会采用大规模且分散的攻击伪装,但这使得伪装过于显眼,降低了视觉上的隐蔽性。核心问题是如何使用最小化且集中的伪装来最大化攻击效果。针对这一问题,我们的研究专注于开发更隐蔽、更高效的攻击方法,使其在实际场景中能更好地躲避检测。基于这些原则,本文提出了一种由最大聚合区域稀疏性(MARS)策略驱动的局部三维攻击方法。简单来说,我们的方法将攻击修改策略性地集中在特定区域,以提高有效性同时保持隐蔽性。为了最大化攻击伪装区域的聚合,设计了一个聚合正则化项,基于面邻接关系约束掩码聚合矩阵。为了最小化攻击伪装区域,设计了一个稀疏正则化,使掩码权重趋向于U形分布并限制极值。此外,使用神经渲染来获取梯度传播的多角度增强数据,并抑制模型检测,从多个角度定位通用关键决策区域。这些技术策略确保对抗修改在不同视角和条件下都保持有效。我们测试了不同区域选择策略的攻击有效性。在CARLA数据集上,攻击YOLOv3和v5系列网络的平均攻击效率达到1.724,与基线方法相比提高了0.986(134%)。这些结果表明攻击性能有显著提升,凸显了对现实世界目标检测系统的潜在风险。实验结果表明,我们的攻击方法从不同视角实现了隐蔽性和攻击性。此外,我们探索了决策区域的可转移性。结果表明,我们的方法可以有效地与不同的纹理优化方法相结合,在不同网络中平均精度分别下降0.488和0.662,这表明具有强大的攻击效果。
