Information Distribution Based Defense Against Physical Attacks on Object Detection

Physical attacks pose a new challenge to the security of deep neural networks (DNNs): physical-world adversarial patches can be printed and placed in a scene to attack DNN-based applications. The information distribution of an adversarial patch differs from that of natural image patches. In this paper, we propose a general defense method that effectively prevents such attacks. The method consists of an entropy-based proposal component and a gradient-based filtering component, each of which acts as a preprocessing step on the adversarial image. The processed images are then passed to unmodified detectors, making our method agnostic to both the detector and the attack. Moreover, because the method relies on traditional image processing rather than DNNs, it does not require a large amount of training data. Extensive experiments on different datasets show that our method defends effectively against physical attacks on object detection, increasing mAP from 31.3% to 53.8% on Pascal VOC 2007 and from 19.0% to 40.3% on Inria, and that it transfers well, defending against different kinds of physical attacks.
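
The sketch below illustrates the general idea of such a preprocessing pipeline: propose suspicious regions by local entropy, then suppress only the high-gradient pixels inside them before handing the image to an off-the-shelf detector. It is a minimal illustration, not the paper's implementation; the block size, entropy threshold, gradient quantile, and the choice of Gaussian blur as the suppression step are all assumptions.

```python
# Illustrative sketch of an entropy-based proposal + gradient-based filtering
# preprocessing step. Thresholds and the blur-based suppression are assumptions.
import numpy as np
import cv2


def block_entropy(gray, block=32):
    """Shannon entropy of each non-overlapping block of a uint8 grayscale image."""
    h, w = gray.shape
    ent = np.zeros((h // block, w // block))
    for i in range(h // block):
        for j in range(w // block):
            patch = gray[i * block:(i + 1) * block, j * block:(j + 1) * block]
            hist = np.bincount(patch.ravel(), minlength=256).astype(np.float64)
            p = hist / hist.sum()
            p = p[p > 0]
            ent[i, j] = -(p * np.log2(p)).sum()
    return ent


def defend(img_bgr, block=32, ent_thresh=7.0, grad_quantile=0.9):
    """Blur high-gradient pixels inside high-entropy blocks, leave the rest intact."""
    gray = cv2.cvtColor(img_bgr, cv2.COLOR_BGR2GRAY)
    ent = block_entropy(gray, block)

    # Gradient magnitude (Sobel) over the whole image.
    gx = cv2.Sobel(gray, cv2.CV_64F, 1, 0, ksize=3)
    gy = cv2.Sobel(gray, cv2.CV_64F, 0, 1, ksize=3)
    grad = np.hypot(gx, gy)
    grad_thresh = np.quantile(grad, grad_quantile)

    out = img_bgr.copy()
    blurred = cv2.GaussianBlur(img_bgr, (11, 11), 0)
    for i in range(ent.shape[0]):
        for j in range(ent.shape[1]):
            if ent[i, j] < ent_thresh:
                continue  # low-entropy block: likely natural content, keep as-is
            ys = slice(i * block, (i + 1) * block)
            xs = slice(j * block, (j + 1) * block)
            mask = grad[ys, xs] > grad_thresh  # only suppress high-gradient pixels
            region = out[ys, xs]               # view into `out`
            region[mask] = blurred[ys, xs][mask]
    return out


# Usage: the processed image is then fed to any unmodified detector, e.g.
#   img = cv2.imread("frame.jpg")
#   detections = detector(defend(img))   # `detector` is a placeholder
```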
