If the NMS component in an OD system does not work properly, the system fails.

CNN is known to be vulnerable to adversarial example attacks [13]. To a human eye, an adversarial image can be indistinguishable from the original one, but it can cause misclassification in a CNN-based classifier. Recently, adversarial examples have been crafted for OD and segmentation tasks [14]–[19]. Such attacks result in either the misclassification or the appearance/disappearance of the objects. On the other hand, the false positive rate is a critical metric in OD missions such as inventory management [20] and military object recognition [21]. An attack that boosts the false positive rate could be lethal to these OD systems.

In this paper, we propose a novel adversarial example attack against NMS, which can be universally applied to any end-to-end differentiable OD model. A demonstration of the attack is shown in Fig. 1. As can be seen, a properly crafted adversarial example can trigger malfunctioning of the NMS component in YOLO-v3, such that it outputs dense and noisy detection results. We name this attack Daedalus since it creates a maze composed of false positive detection results.

First, Daedalus is evaluated and analysed on how it can reduce OD performance by breaking NMS1. Furthermore, Daedalus is adapted to launch black-box attacks. Based on a census in Section II-B, we observe two facts: 1) current OD tasks rely on a few types of OD models, even though many models have been proposed; 2) current OD tasks often load trained parameters into a model instead of reparameterising the model. Therefore, if an attacker can generate a universal adversarial example which works effectively against all the popular models, the example has a high chance of successfully sabotaging a black-box model. Herein, we propose using an ensemble of substitutes (i.e., an ensemble of popular detection models as the substitutes) in the Daedalus attack to break black-box OD models. We exploit the latest version of YOLO (i.e., YOLO-v3 [22]), SSD [2], and RetinaNet [3] as the victims. As suggested by the experiments, universal Daedalus examples generated by using an ensemble of popular OD models can launch attacks in a black-box scenario. To further enhance the viability of the attack, we instantiate the attack as a physical poster that can break NMS of OD models in the real world. In summary, the contributions of this paper are listed as follows:

• A novel adversarial example attack which aims at breaking NMS (unlike the existing state-of-the-art attacks that merely target misclassification) is proposed. As a consequence, the attack creates a large number of false positives in the detection results;
• An ensemble-of-substitutes attack is proposed to generate universal adversarial examples which can make NMS malfunction in various models. In this way, black-box attacks can be partially converted to white-box attacks;
• Physical posters containing Daedalus perturbations are crafted to practically attack real-world OD applications.

1 In this paper, the term breaking NMS means that NMS cannot filter redundant bounding boxes detected from an adversarial example.

The paper is organised as follows: Section II introduces the background knowledge of adversarial examples, object detection, and NMS. Section III describes the design of Daedalus. Section IV compares and selects loss functions from the candidates, and systematically evaluates the performance of the Daedalus attack. Section V discusses the possibility of applying Daedalus adversarial examples to soft-NMS and a group of black-box OD models. Moreover, we propose using a poster of the Daedalus perturbation to attack real-world OD applications. We also pose the dilemma of defending against Daedalus in this section. Section VI reviews the related work relevant to this study. Section VII concludes the paper and presents our future work.

II. PRELIMINARIES

A. Adversarial examples

Given a DNN model F and a benign data example x, an attacker can craft an adversarial example of x by altering the features of x with a perturbation δ, such that F(x + δ) ≠ F(x). Generating adversarial examples can be interpreted as optimising the example features towards adversarial objectives. Gradient-based optimisation methods are commonly employed to search for adversarial examples. The optimisation objective can generally be written as follows:

    argmin_δ ‖δ‖_p + c · L(F(x + δ), y)    (1)
    s.t. x + δ ∈ [0, 1]^n,

wherein L is an adversarial objective set by the attacker, and y is either a ground-truth output or a desired adversarial output for F. x + δ produces an adversarial example x_adv. ‖δ‖_p is the allowed distortion bounded by the p-norm of δ. A constant c is adopted to balance the adversarial loss and the distortion. This box-constrained non-convex optimisation problem is typically solved by gradient descent methods.
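As a concrete illustration of Equation 1, the following is a minimal sketch (not the authors' implementation) of the box-constrained gradient search, assuming a differentiable PyTorch model `model` and an attacker-defined objective `adv_loss`; all names are illustrative.

import torch

def craft_example(model, x, adv_loss, c=1.0, lr=0.01, steps=200):
    # Searches for a perturbation delta minimising ||delta||_2 + c * L(F(x + delta), y), as in Eq. 1.
    delta = torch.zeros_like(x, requires_grad=True)
    optimiser = torch.optim.Adam([delta], lr=lr)
    for _ in range(steps):
        x_adv = torch.clamp(x + delta, 0.0, 1.0)   # box constraint: x + delta stays in [0, 1]^n
        loss = delta.norm(p=2) + c * adv_loss(model(x_adv))
        optimiser.zero_grad()
        loss.backward()
        optimiser.step()
    return torch.clamp(x + delta, 0.0, 1.0).detach()

Daedalus follows this general template, replacing the classification objective L with its NMS-breaking loss functions introduced in Section III.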
B. A census of object detection models

To better understand the impact of attacks against OD tasks, we first need an overview of the distribution of models used in OD. We conducted a census of OD projects on Github. We crawled project names, project descriptions, and readme files from 1,696 OD-related repositories on Github. Next, based on the models reviewed in [23], 45 released OD models were selected as keywords. For each repository, we counted the keywords in the readme file and selected the most frequent one as the model adopted by the repository. Finally, we grouped the repositories by model. The ranking of models that appeared more than 50 times is presented in Table I. Based on the analysis, 1,561 out of 1,696 repositories use models from Table I. The observation suggests that the models and backbones used for OD tasks are highly limited in number. Moreover, we analysed the source code from the repositories to search for operations that load trained models and parameters. We observed that almost all the source code provides an interface for loading pre-trained parameters into the model backbones. We further investigated names of the pre-trained models and
wherein, IoU_ij is the IoU between the i-th and the j-th bounding boxes. Box dimensions are scaled between 0 and 1 by dividing b_w and b_h by the input image width W and height H, such that the term is invariant to changes in the input dimensions.

In f1, we first minimise the expectation of the mean squared error between the box confidence and 1 for all the boxes whose detected objects are in the attacked category set Λ. Henceforth, the boxes will not be discarded due to low box confidence scores. In the second term, f1 minimises the expectation of the IoUs over all pairs of bounding boxes in Λ. When the IoUs fall below the NMS threshold, the boxes can evade the NMS filter. Alternatively, in f2 we minimise the expectation of box dimensions and maximise the expectation of box distances. f2 approximates the effect of directly minimising the IoU by compressing box dimensions and distributing boxes more evenly over the detected region.
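For reference, a pairwise IoU matrix of the kind required by f1 and f2 can be computed as in the following sketch (our illustration, not the paper's code), assuming boxes are given as (cx, cy, w, h) in normalised coordinates.

import numpy as np

def pairwise_iou(boxes):
    # boxes: array of shape (N, 4) holding (cx, cy, w, h) scaled to [0, 1].
    cx, cy, w, h = boxes[:, 0], boxes[:, 1], boxes[:, 2], boxes[:, 3]
    x1, y1, x2, y2 = cx - w / 2, cy - h / 2, cx + w / 2, cy + h / 2
    # Intersection of every pair (i, j).
    ix1 = np.maximum(x1[:, None], x1[None, :])
    iy1 = np.maximum(y1[:, None], y1[None, :])
    ix2 = np.minimum(x2[:, None], x2[None, :])
    iy2 = np.minimum(y2[:, None], y2[None, :])
    inter = np.clip(ix2 - ix1, 0, None) * np.clip(iy2 - iy1, 0, None)
    area = w * h
    union = area[:, None] + area[None, :] - inter
    return inter / np.maximum(union, 1e-12)        # (N, N) matrix of IoU_ij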
Pairwise computation of the IoUs and box distances can be expensive if the output feature map contains too many boxes. Therefore, we also propose f3 as a more efficient loss function. f3 only minimises the expectation of box dimensions instead of directly minimising the expectation of the IoUs. Minimising f3 leads to smaller bounding boxes. When the boxes become small enough, there is no intersection among the boxes. In other words, the IoUs among the boxes are suppressed to zero. As a consequence, the boxes can avoid being filtered by NMS.
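The intuition behind f3 can be sketched as follows (our paraphrase, not the paper's exact Equation 8); a YOLO-style output tensor `raw_output` with rows (cx, cy, w, h, objectness, class scores) and an attacked-category set `attacked_ids` are assumed, and a confidence term analogous to the one in f1 is included.

import torch

def f3_surrogate(raw_output, attacked_ids):
    # raw_output: tensor of shape (N, 5 + K): (cx, cy, w, h, objectness, K class scores).
    w, h = raw_output[:, 2], raw_output[:, 3]
    obj = raw_output[:, 4]
    cls = raw_output[:, 5:].argmax(dim=1)
    mask = torch.zeros_like(obj, dtype=torch.bool)
    for cid in attacked_ids:                       # keep only boxes of the attacked categories
        mask |= cls == cid
    # Push box confidences towards 1 so the boxes survive the objectness filter,
    # and shrink box dimensions towards 0 so the boxes stop overlapping.
    conf_term = ((obj[mask] - 1.0) ** 2).mean()    # assumes at least one box falls in the attacked set
    dim_term = (w[mask] * h[mask]).mean()
    return conf_term + dim_term

Because no pairwise quantity is evaluated, the cost of this surrogate grows only linearly with the number of boxes in the feature map.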
E. The Daedalus attack against NMS

In this section, the above steps are assembled to form the Daedalus attack. The attack can be applied to all FCN-based detectors, which output the detected box dimensions, box positions, and classification probabilities in a fully differentiable, end-to-end manner. Therefore, the attack can compute end-to-end adversarial gradients and optimise adversarial examples for FCN-based detectors.

We then calculate the values of the loss functions defined in Section III-C and Section III-D. Next, we minimise the loss value together with the distortion to generate Daedalus adversarial examples. During the optimisation, we introduce a hyper-parameter γ to control the strength of the attack.

The attack is bounded by two distortion metrics, namely the L2-norm and the L0-norm. Herein, an Lp-norm is defined as L_p = (Σ_{i=1}^{n} |δ_i|^p)^{1/p}, where δ_i is the perturbation on the i-th pixel. Therefore, an L2-norm attack limits the perturbation added to all pixels, while an L0-norm attack limits the total number of pixels to be altered. We develop these two versions of the attack to study the effectiveness of all-pixel perturbation and selective-pixel perturbation when generating Daedalus adversarial examples.

For the L2 Daedalus attack, we can directly minimise Equation 4. However, in the L0 Daedalus attack, since the L0-norm is a non-differentiable metric, we alternatively perturb the pixels that have the highest adversarial gradients in each iteration, and the remaining gradients are clipped to 0. The detailed algorithm of the L2 attack is presented in Algorithm 2, and the L0 attack is presented in Algorithm 3. Notice that Daedalus only requires the box parameters to launch the attack. This means that the attack can be applied to detection models whose output feature maps contain the geometric information of bounding boxes, even if they use different backbone networks.

Algorithm 2: The L2 Daedalus attack
Input: x, Λ, γ, binary_steps, η, max_iteration, c_max, c_min
Initialisation:
    c ← 10
    loss_init ← f(x)
    δ ← 0
    x* ← x + δ
for n from 0 to binary_steps do
    for i from 0 to max_iteration do
        select boxes in Λ to calculate the loss f(x*)
        δ ← δ − η · ∇_δ[‖δ‖ + c · f(x*)]
        x* ← x* + δ
    x0 ← the best x* found
    if f(x*) ≤ loss_init · (1 − γ) then
        c_max ← min(c, c_max)
        c ← 0.5 · (c_max + c_min)
    else
        c_min ← max(c, c_min)
        c ← 0.5 · (c_max + c_min)
Output: Adversarial example x0.
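Algorithm 3 is not reproduced here; the following is only our sketch of the top-k gradient-masking step that the L0 variant described above relies on: in each iteration, only the k pixel positions with the largest adversarial gradient magnitude receive an update, and all other gradients are zeroed.

import torch

def masked_gradient_step(delta, grad, eta, k):
    # delta, grad: tensors of shape (C, H, W); only the k most salient pixels are perturbed.
    magnitude = grad.abs().sum(dim=0)              # aggregate gradient magnitude over channels -> (H, W)
    threshold = magnitude.flatten().topk(k).values.min()
    mask = (magnitude >= threshold).to(grad.dtype).unsqueeze(0)
    return delta - eta * grad * mask               # gradients outside the top-k are clipped to 0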
IV. EVALUATION

Extensive experiments are carried out to evaluate the performance of the Daedalus attack. The experiments are run on a machine with four RTX 2080ti GPUs and 128 GB of memory. The code of Daedalus is available on Github2.

2 https://github.com/NeuralSec/Daedalus-attack.

A. Experiment settings

In the experiments, YOLO-v3 is picked as the model to be attacked. A recommended objectness threshold of 0.5 is used in YOLO-v3. We first select the best loss function, and then we quantify the performance of the Daedalus attack based on YOLO-v3 with NMS. YOLO-v3 is employed as the substitute to generate 416×416 adversarial perturbations in the evaluations. During the binary search to find the best constant c, the maximum number of search steps is set to 5.

L0 and L2 Daedalus examples of images in the COCO 2017val dataset [1] are crafted for the evaluation. For each attack, first, to investigate the effectiveness of different confidence values (γ), we sweep γ from 0.1 to 0.9 and perturb 10 COCO examples under each γ. Second, 100 COCO examples are randomly perturbed under both a low (0.3) and a high (0.7) value of γ. First, to unify the evaluation results, all of the 80 object categories from the COCO dataset are included in the target set Λ to be attacked. Second, the categories 'person' and 'car' are selected to be attacked. The graphical results are included in the supplementary file of the paper.

To show that the attack can be applied to other detectors, the results of attacking RetinaNet-ResNet-50 and SSD are also presented. RetinaNet-ResNet-50 uses ResNet-50 [30] as the backbone. SSD employs VGG-16 as its backbone [2]. The backbones differ from that of YOLO-v3, and the output feature maps are different as well. An ensemble of the three OD models is used as the substitute to craft universal adversarial examples. Furthermore, to demonstrate the effectiveness of the attack in the real world, Daedalus perturbations are made into physical posters to launch attacks against real-world OD applications. As a showcase, we show the success of the physical Daedalus attack in an indoor OD scene.

B. Loss function selection

The proposed adversarial loss functions (Equations 6, 7, and 8) are compared in this section. We select ten random images from the COCO dataset. For each function, adversarial examples of these ten images are generated. We record the runtime per example and the volatile GPU utilisation of each loss function. The performance of each function is measured by the success rate of finding adversarial examples at different confidence scores. Since the L0 attack essentially has the same optimisation process as the L2 attack, we only run the L2 attack for the comparison. The results are reported in Table II.

The recorded runtime is averaged over the runtime of generating all examples under the same loss function. The GPU utilisation is also averaged over all examples. We use only one GPU to generate an adversarial example in this section. It can be observed that f3 (i.e., Equation 8) has the best success rate of finding adversarial examples under different γ values. Moreover, f3 has the lowest runtime as well as the lowest GPU utilisation compared to f1 and f2. Based on these comparisons, f3 is selected as the loss function for Daedalus. The Daedalus attack is evaluated in the following sections with f3.

C. Quantitative performance

In this section, the attack is evaluated from two perspectives. First, we evaluate how the Daedalus attack performs under different NMS thresholds. Second, we investigate how the attack confidence level (γ) affects the detection results. The performance of the attack is assessed on a YOLO-v3 detector. The attack performance is quantified based on three metrics: the False Positive (FP) rate, the mean Average Precision (mAP), and the distortion of the example.

First, to investigate the effect of the NMS threshold on the attack, we obtain the detection results of each adversarial/benign example under a series of NMS thresholds ranging between 0.5 and 0.95. Second, to assess the effect of the confidence value (γ) on the attack performance, adversarial examples are crafted for confidences from 0.1 to 0.9.

False positive rate. The FP rate is defined as the ratio of false positive detection boxes to the total number of detection boxes:

    FP rate = N_φ / N,    (10)

wherein N_φ is the number of false positive detection boxes, and N is the total number of bounding boxes found by the detector.
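The following sketch (ours, with hypothetical helpers `run_detector` and `is_false_positive`) shows how the FP rate of Equation 10 can be collected over the NMS-threshold sweep described above.

def fp_rate(boxes, ground_truth, is_false_positive):
    # Eq. 10: ratio of false positive boxes to all detected boxes.
    n_fp = sum(1 for b in boxes if is_false_positive(b, ground_truth))
    return n_fp / max(len(boxes), 1)

def sweep_nms_thresholds(image, ground_truth, run_detector, is_false_positive):
    # Detection results are collected under NMS thresholds between 0.5 and 0.95.
    results = {}
    for t in [0.5, 0.55, 0.6, 0.65, 0.7, 0.75, 0.8, 0.85, 0.9, 0.95]:
        boxes = run_detector(image, nms_threshold=t)
        results[t] = fp_rate(boxes, ground_truth, is_false_positive)
    return results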
First, we discuss whether the attack can be extended to a variation of the NMS algorithm, namely soft-NMS [12], or not. Second, we demonstrate the universality of the attack by applying it to attack RetinaNet-ResNet-50. Third, an ensemble of substitutes is proposed to create universal Daedalus examples that can attack multiple object detectors. The proposed ensemble attack makes Daedalus examples transferable so that they can be used in black-box attacks.

(Figure: benign and adversarial detection results under Soft-NMS Linear and Soft-NMS Gaussian.)
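For reference, the two soft-NMS variants from [12] differ only in how the scores of overlapping boxes are decayed; a minimal sketch of the rescoring rules (ours, not the paper's code) is given below. Whether Daedalus transfers to these variants is what the detection results in the figure above examine.

import math

def soft_nms_rescore(score, iou, variant="gaussian", nt=0.5, sigma=0.5):
    # Soft-NMS decays the score of a box that overlaps the currently selected box,
    # instead of discarding it outright as standard NMS does.
    if variant == "linear":
        return score * (1.0 - iou) if iou > nt else score
    return score * math.exp(-(iou ** 2) / sigma)   # Gaussian decay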
    argmin_δ E_{x∼X} E_φ [f3(x, δ, Φ)] + SNPS(δ, β)    (12)

Herein, Φ is a set of random transformations (e.g., zooming, rotation, etc.). The detailed transformations are summarised in the supplementary file. SNPS is a Sub-sampled Non-Printability Score of the poster δ. The Non-Printability Score (NPS) is used for measuring the error between a printed pixel and its digital counterpart. The sum of the NPSs of all pixels in an image can be used to measure the image's printability [32]. However, it is expensive to compute the NPS of a large image. Therefore, given a sample rate β, we sample a subset of the pixels of δ to compute the SNPS. It is found that calculating the NPS from only 0.1% ∼ 1% of the pixels is sufficient for making an effective Daedalus poster. Moreover, it is observed that the poster can be generalised across different scenes.
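One possible reading of the sub-sampled score is sketched below (our simplification; the exact NPS formulation of [32], the printable-colour set, and the sampling scheme are assumptions): a random fraction β of the poster's pixels is drawn, and each sampled pixel is penalised by its distance to the closest printable colour.

import numpy as np

def snps(poster, printable_colors, beta=0.005, seed=0):
    # poster: H x W x 3 array; printable_colors: P x 3 array of colours the printer can reproduce.
    rng = np.random.default_rng(seed)
    pixels = poster.reshape(-1, 3)
    idx = rng.choice(len(pixels), size=max(1, int(beta * len(pixels))), replace=False)
    sampled = pixels[idx]
    # Distance of each sampled pixel to its closest printable colour (a simplification of NPS).
    dists = np.linalg.norm(sampled[:, None, :] - printable_colors[None, :, :], axis=-1)
    return dists.min(axis=1).sum()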
Next, the robustness of three Daedalus posters of different sizes (i.e., 400 × 400, 720 × 720, and 1280 × 1280) is evaluated in an indoor environment. The effectiveness of the posters is recorded in Table IV.

In the scenario of Smart Inventory Management (SIM), an OD model is used to identify the items that are placed into or withdrawn from an inventory. We simulate an attack against the case of depositing a MacBook and a monitor into the inventory. A demonstration of the attack can be found in the supplementary file.

D. Adaptive defences

Daedalus minimises detection boxes to trigger an NMS malfunction. Henceforth, a straightforward defence might be to limit the minimal allowed detection box size in the NMS process (i.e., NMS defence). To investigate this possible defence, we first study the outputs of YOLO-v3 given 100 benign examples and the corresponding 100 Daedalus examples. The distribution of the detection box dimensions is visualised in Fig. 14. According to Fig. 14, an empirical threshold of 103.62 is selected to filter adversarial boxes from the detected boxes. Given this defence, the FP rate and the mAP of YOLO-v3 are again evaluated on 10 Daedalus examples. The evaluation results are plotted in Fig. 15. According to the results, the NMS defence is not effective.

Fig. 15: The FP-rate and the mAP of YOLO-v3 with the NMS defence. The defence barely changes the FP-rate and the mAP.

A second adaptive defence might be MagNet [33]. A denoising autoencoder is trained to reform Daedalus examples back to benign ones, and the reconstruction error is measured to detect strong perturbations. Therefore, the evaluation of the defence is twofold: 1) whether the defence can increase the mAP and reduce the FP rate by reforming an adversarial example; 2) whether the reconstruction error can be detected when an adversarial example cannot be turned back into a benign one. To answer these two questions, we measure the FP rate, the
mAP, and the Mean Squared Error (MSE) between a Daedalus example and a reformed example (i.e., the reconstruction error) of a defended YOLO-v3 model. The results are plotted in Fig. 16. According to the evaluation results, first, reforming the adversarial examples can barely increase the performance of the detection model. Second, the reconstruction error increases only after the confidence of the attack reaches 0.5. This means it is difficult to detect attacks with confidence levels below 0.5. Interestingly, it is observed that the detected objects in an image reformed by a denoising autoencoder cannot retain their proper positions and categories. The Daedalus attack poses an intimidating threat to OD tasks. As revealed by the attack, NMS is no longer a secure solution for OD.

Fig. 16: The FP-rate and the mAP of YOLO-v3 with the MagNet defence. Reforming Daedalus examples with an autoencoder can slightly increase the performance of YOLO-v3. However, the FP-rate@.50 still stays above 0.6 while the FP-rate@.75 stays above 0.7. The mAP@.50 remains below 0.45 while the mAP@.75 remains below 0.3. Furthermore, the model performance drops when the confidence of the attack goes above 0.7.
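A minimal sketch of the reconstruction-error test used in this evaluation (our illustration of the MagNet idea [33]; `autoencoder` is an assumed pre-trained denoising autoencoder) is:

import torch

def magnet_detect(autoencoder, x, threshold):
    # Reform the input and flag it as adversarial when the reconstruction error (MSE) is large.
    with torch.no_grad():
        reformed = autoencoder(x)
    mse = torch.mean((reformed - x) ** 2).item()
    return reformed, mse, mse > threshold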
VI. RELATED WORK

Researchers have extensively studied methods for crafting adversarial examples against machine-learning-based classifiers. The algorithms for generating such examples are either gradient-based attacks or gradient-free attacks. The former type finds adversarial examples by minimising the cost of an adversarial objective set by the attacker, based on gradient information. The attacks can use either one-step gradient descent [34] or iterative gradient descent [28], [35], [36]. Additionally, attackers can compute a Jacobian saliency map of the features and perturb the salient features [37]. Based on these algorithms, there are evolved attacks that use different distortion metrics to make adversarial examples more imperceptible to human eyes [38]–[40]. Recently, the Expectation over Transformation (EoT) algorithm has been proposed to synthesise robust adversarial examples [41], [42]. On the other hand, gradient-free attacks rely on zeroth-order optimisation techniques to search for adversarial examples against black-box models [43]–[46].

Beyond the above attacks, there are attacks targeting OD models. For example, the dense adversarial generation (DAG) algorithm was proposed to create adversarial examples for OD and segmentation [15]. Lu et al. crafted robust adversarial examples that caused misclassification in object detectors [14]. RP2 was proposed to craft adversarial examples of real-world road signs [48]. Subsequently, RP2 was extended to attack YOLO-v2 [16]. There are also other attempts to craft more robust physical examples [17]–[19]. However, current attacks mainly result in misclassification or the appearance/disappearance of the detected objects [17], [18]. The Daedalus attack creates adversarial examples that cause malfunctioning of NMS, which is different in nature from all the previous attacks.

VII. CONCLUSION

In this paper, we propose a novel type of adversarial example which aims at disabling the NMS functionality in object detection models. The proposed attack, named Daedalus, can control both the strength of the generated adversarial examples and the object class to be attacked. The attacked model outputs extremely noisy detection results such that it is no longer functional. The attack can reduce the mAP of detection to nearly 0%. The false positive rate for Daedalus examples can go up to 99.9%. Meanwhile, the distortion required to launch the Daedalus attack is imperceptible. This attack aims at breaking NMS instead of causing misclassifications. Unlike misclassification-targeting adversarial examples, it is difficult to defend against such an attack since the attacked feature map is much more complicated than the classification logits. The transferability of the Daedalus attack is affected by the selected substitutes. We rely on minimising the expectation of box dimensions over a set of feature maps to make robust examples, which can make NMS malfunction in multiple detection models. There are some remaining problems we aim to address in the future. For example, considering the complexity of OD feature maps, it is difficult to make universal adversarial examples that can launch zero-knowledge attacks. The Daedalus attack reveals a vulnerability that lies in object detection algorithms and can have fatal consequences in the real world. Nevertheless, a method for defending against Daedalus is still missing. We will also try to address this problem in our future work.

REFERENCES

[1] T.-Y. Lin, M. Maire, S. Belongie, J. Hays, P. Perona, D. Ramanan, P. Dollár, and C. L. Zitnick, “Microsoft coco: Common objects in context,” in Proceedings of the European Conference on Computer Vision (ECCV). Springer, 2014, pp. 740–755.
[2] W. Liu, D. Anguelov, D. Erhan, C. Szegedy, S. Reed, C.-Y. Fu, and A. C. Berg, “Ssd: Single shot multibox detector,” in Proceedings of the European Conference on Computer Vision (ECCV). Springer, 2016, pp. 21–37.
[3] T.-Y. Lin, P. Goyal, R. Girshick, K. He, and P. Dollár, “Focal loss for dense object detection,” in Proceedings of the IEEE International Conference on Computer Vision (ICCV). IEEE, 2017, pp. 2980–2988.
[4] J. Redmon, S. Divvala, R. Girshick, and A. Farhadi, “You only look once: Unified, real-time object detection,” in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 2016, pp. 779–788.
[5] R. Girshick, J. Donahue, T. Darrell, and J. Malik, “Rich feature hierarchies for accurate object detection and semantic segmentation,” in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 2014, pp. 580–587.
[6] R. Girshick, “Fast r-cnn,” in Proceedings of the IEEE International Conference on Computer Vision (ICCV). IEEE, 2015, pp. 1440–1448.
[7] A. Neubeck and L. Van Gool, “Efficient non-maximum suppression,” in Proceedings of the International Conference on Pattern Recognition (ICPR), vol. 3. IEEE, 2006, pp. 850–855.
[8] Y. Cong, D. Tian, Y. Feng, B. Fan, and H. Yu, “Speedup 3-d texture-less object recognition against self-occlusion for intelligent manufacturing,” IEEE Transactions on Cybernetics, vol. 49, no. 11, pp. 3887–3897, 2018.
[9] F. Schroff, D. Kalenichenko, and J. Philbin, “Facenet: A unified embedding for face recognition and clustering,” in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 2015, pp. 815–823.
[10] W. Wu, Y. Yin, X. Wang, and D. Xu, “Face detection with different scales based on faster r-cnn,” IEEE Transactions on Cybernetics, vol. 49, no. 11, pp. 4017–4028, 2018.
[11] J. H. Hosang, R. Benenson, and B. Schiele, “Learning non-maximum suppression,” in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 2017, pp. 6469–6477.
[12] N. Bodla, B. Singh, R. Chellappa, and L. S. Davis, “Soft-nms – improving object detection with one line of code,” in Proceedings of the IEEE International Conference on Computer Vision (ICCV). IEEE, 2017, pp. 5562–5570.
[13] N. Akhtar and A. Mian, “Threat of adversarial attacks on deep learning in computer vision: A survey,” IEEE Access, vol. 6, pp. 14410–14430, 2018.
[14] J. Lu, H. Sibai, and E. Fabry, “Adversarial examples that fool detectors,” arXiv preprint arXiv:1712.02494, 2017.
[15] C. Xie, J. Wang, Z. Zhang, Y. Zhou, L. Xie, and A. Yuille, “Adversarial examples for semantic segmentation and object detection,” in Proceedings of the IEEE International Conference on Computer Vision (ICCV). IEEE, 2017, pp. 1369–1378.
[16] D. Song, K. Eykholt, I. Evtimov, E. Fernandes, B. Li, A. Rahmati, F. Tramer, A. Prakash, and T. Kohno, “Physical adversarial examples for object detectors,” in Proceedings of the 12th USENIX Workshop on Offensive Technologies (WOOT 18). USENIX Association, 2018.
[17] S.-T. Chen, C. Cornelius, J. Martin, and D. H. P. Chau, “Shapeshifter: Robust physical adversarial attack on faster r-cnn object detector,” in Joint European Conference on Machine Learning and Knowledge Discovery in Databases. Springer, 2018, pp. 52–68.
[18] S. Thys, W. Van Ranst, and T. Goedemé, “Fooling automated surveillance cameras: adversarial patches to attack person detection,” in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR) Workshops. IEEE, 2019.
[19] Y. Zhao, H. Zhu, R. Liang, Q. Shen, S. Zhang, and K. Chen, “Seeing isn’t believing: Towards more robust adversarial attack against real world object detectors,” in Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2019, pp. 1989–2004.
[20] N. K. Verma, T. Sharma, S. D. Rajurkar, and A. Salour, “Object identification for inventory management using convolutional neural network,” in 2016 IEEE Applied Imagery Pattern Recognition Workshop (AIPR). IEEE, 2016, pp. 1–6.
[21] Z. Yang, W. Yu, P. Liang, H. Guo, L. Xia, F. Zhang, Y. Ma, and J. Ma, “Deep transfer learning for military object recognition under small training set condition,” Neural Computing and Applications, pp. 1–10, 2018.
[22] J. Redmon and A. Farhadi, “Yolov3: An incremental improvement,” arXiv preprint arXiv:1804.02767, 2018.
[23] L. Liu, W. Ouyang, X. Wang, P. Fieguth, J. Chen, X. Liu, and M. Pietikäinen, “Deep learning for generic object detection: A survey,” arXiv preprint arXiv:1809.02165, 2018.
[24] M. Everingham, L. Van Gool, C. K. Williams, J. Winn, and A. Zisserman, “The pascal visual object classes (voc) challenge,” International Journal of Computer Vision, vol. 88, no. 2, pp. 303–338, 2010.
[25] M. J. Shafiee, B. Chywl, F. Li, and A. Wong, “Fast yolo: A fast you only look once system for real-time embedded object detection in video,” arXiv preprint arXiv:1709.05943, 2017.
[26] K. Lu, X. An, J. Li, and H. He, “Efficient deep network for vision-based object detection in robotic applications,” Neurocomputing, vol. 245, pp. 31–45, 2017.
[27] J. Zhang, M. Huang, X. Jin, and X. Li, “A real-time chinese traffic sign detection algorithm based on modified yolov2,” Algorithms, vol. 10, no. 4, p. 127, 2017.
[28] N. Carlini and D. Wagner, “Towards evaluating the robustness of neural networks,” in Proceedings of the IEEE Symposium on Security and Privacy (S&P). IEEE, 2017, pp. 39–57.
[29] R. Gurbaxani and S. Mishra, “Traits & transferability of adversarial examples against instance segmentation & object detection,” arXiv preprint arXiv:1808.01452, 2018.
[30] K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning for image recognition,” in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 2016, pp. 770–778.
[31] O. Sener and V. Koltun, “Multi-task learning as multi-objective optimization,” in Advances in Neural Information Processing Systems, 2018, pp. 527–538.
[32] M. Sharif, S. Bhagavatula, L. Bauer, and M. K. Reiter, “Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition,” in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016, pp. 1528–1540.
[33] D. Meng and H. Chen, “Magnet: a two-pronged defense against adversarial examples,” arXiv preprint arXiv:1705.09064, 2017.
[34] I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” Computer Science, 2014.
[35] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus, “Intriguing properties of neural networks,” Computer Science, 2013.
[36] A. Kurakin, I. Goodfellow, and S. Bengio, “Adversarial examples in the physical world,” arXiv preprint arXiv:1607.02533, 2016.
[37] N. Papernot, P. Mcdaniel, S. Jha, M. Fredrikson, Z. B. Celik, and A. Swami, “The limitations of deep learning in adversarial settings,” pp. 372–387, 2016.
[38] H. Hosseini and R. Poovendran, “Semantic adversarial examples,” in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR) Workshops. IEEE, 2018, pp. 1614–1619.
[39] L. Engstrom, D. Tsipras, L. Schmidt, and A. Madry, “A rotation and a translation suffice: Fooling cnns with simple transformations,” arXiv preprint arXiv:1712.02779, 2017.
[40] E. Yang, T. Liu, C. Deng, and D. Tao, “Adversarial examples for hamming space search,” IEEE Transactions on Cybernetics, vol. PP, no. 99, pp. 1–12, 2018.
[41] A. Athalye and I. Sutskever, “Synthesizing robust adversarial examples,” arXiv preprint arXiv:1707.07397, 2017.
[42] T. B. Brown, D. Mané, A. Roy, M. Abadi, and J. Gilmer, “Adversarial patch,” arXiv preprint arXiv:1712.09665, 2017.
[43] P.-Y. Chen, H. Zhang, Y. Sharma, J. Yi, and C.-J. Hsieh, “Zoo: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models,” in Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security. ACM, 2017, pp. 15–26.
[44] S. Liu, B. Kailkhura, P.-Y. Chen, P. Ting, S. Chang, and L. Amini, “Zeroth-order stochastic variance reduction for nonconvex optimization,” in Advances in Neural Information Processing Systems, 2018, pp. 3727–3737.
[45] A. N. Bhagoji, W. He, B. Li, and D. Song, “Practical black-box attacks on deep neural networks using efficient query mechanisms,” in Proceedings of the European Conference on Computer Vision (ECCV). Springer, 2018, pp. 158–174.
[46] M. Alzantot, Y. Sharma, S. Chakraborty, and M. Srivastava, “Genattack: Practical black-box attacks with gradient-free optimization,” arXiv preprint arXiv:1805.11090, 2018.
[47] X. Chen, C. Li, D. Wang, S. Wen, J. Zhang, S. Nepal, Y. Xiang, and K. Ren, “Android hiv: A study of repackaging malware for evading machine-learning detection,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 987–1001, 2019.
[48] I. Evtimov, K. Eykholt, E. Fernandes, T. Kohno, B. Li, A. Prakash, A. Rahmati, and D. Song, “Robust physical-world attacks on machine learning models,” arXiv preprint arXiv:1707.08945, vol. 2, no. 3, p. 4, 2017.
APPENDIX

More results of the digital Daedalus attack are included in this section.

Fig. 17: Adversarial examples made by the L0 attack. The first row contains the original images. The third row contains the low-confidence (γ = 0.3) adversarial examples. The fifth row contains the high-confidence (γ = 0.7) examples. The detection results from YOLO-v3 are in the rows below them. The confidence controls the density of the redundant detection boxes in the detection results.

Fig. 18: Adversarial examples made by the L2 attack. The first row contains the original images. The third row contains the low-confidence (γ = 0.3) adversarial examples. The fifth row contains the high-confidence (γ = 0.7) examples.

Fig. 20: The detection results of Daedalus adversarial examples made by the ensemble L2 attack towards YOLO-v3, RetinaNet, and SSD. The adversarial examples are crafted based on a confidence of 0.3. The first row displays the benign examples. The second, the third, and the fourth rows are the detection results of the benign examples from YOLO-v3, RetinaNet, and SSD, respectively. The Daedalus examples are displayed in the fourth row. The detection results of the adversarial examples from YOLO-v3, RetinaNet, and SSD are in the following rows.

Fig. 21: Attacking the object category which has the most detection boxes before NMS. The attacked model is YOLO-v3.

Fig. 24: (a) Detection results of a MacBook in a benign setting. (b) Detection results of the MacBook when we apply a Daedalus poster attacking all object categories.

Fig. 25: (a) Detection results of a monitor in a benign setting. (b) Detection results of the monitor when we apply a Daedalus poster attacking the ‘car’ category.