Skip to main content
Springer Nature Link
Log in

Neuron Attribution-Based Attacks Fooling Object Detectors

  • Conference paper
  • First Online:
Neural Information Processing (ICONIP 2023)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 1967))

Included in the following conference series:

  • 815 Accesses

Abstract

In this work, we propose a neural attribution-based attack (NAA) to improve the transferability of adversarial examples, aiming at deceiving object detectors with different backbones or architectures. To measure the neuron attribution (importance) for a CNN layer of detector, we sum the classification scores of all positive proposal boxes to calculate the integrated attention (IA), then get the neuron attribution matrix via element-wise multiplying IA with the feature difference between the clean image be attacked and a black image. Considering that the summation may bias importance values of some neurons, a mask is designed to drop out some neurons. The proposed loss calculated from the rest of neurons is minimized to generated adversarial examples. Since our attack disturbs the upstream feature outputs, it effectively disorders the outputs of downstream tasks, such as box regression and classification, and finally fool the detector. Extensive experiments on PASCAL VOC and COCO dataset demonstrate that our method achieves better transferability compared to the state-of-the-arts.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp.770–778 (2016)

    Google Scholar 

  2. Redmon, J., Farhadi, A.: YOLOv3: An incremental improvement. arXiv preprint arXiv:1804.02767 (2018)

  3. Ronneberger, O., Fischer, P., Brox, T.: U-Net: Convolutional networks for biomedical image segmentation. In: Medical Image Computing and Computer-Assisted Intervention–MICCAI 2015, pp. 234–241 (2015)

    Google Scholar 

  4. Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014)

  5. Xie, C., Wang, J., Zhang, Z., Zhou, Y., Xie, L., Yuille, A.: Adversarial examples for semantic segmentation and object detection. In: Proceedings of the IEEE International Conference on Computer Vision, pp. 1369–1378 (2017)

    Google Scholar 

  6. Liu, X., Yang, H., Liu, Z., Song, L., Li, H., Chen, Y.: DPATCH: An adversarial patch attack on object detectors. arXiv preprint arXiv:1806.02299 (2018)

  7. Waseda, F., Nishikawa, S., Le, T.N., Nguyen, H.H., Echizen, I.: Closer look at the transferability of adversarial examples: how they fool different models differently. In: Proceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision, pp. 1360–1368 (2023)

    Google Scholar 

  8. Zhang, C., Benz, P., Karjauv, A., Cho, J.W., Zhang, K., Kweon, I.S.: Investigating top-k white-box and transferable black-box attack. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 15085–15094 (2022)

    Google Scholar 

  9. Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I., Boneh, D., McDaniel, P.: Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204 (2017)

  10. Chow, K.H., Liu, L., Gursoy, M.E., Truex, S., Wei, W., Wu, Y.: TOG: targeted adversarial objectness gradient attacks on real-time object detection systems. arXiv preprint arXiv:2004.04320 (2020)

  11. Liao, Q., Wang, X., Kong, B., Lyu, S., Zhu, B., Yin, Y., Wu, X.: Transferable adversarial examples for anchor free object detection. In: 2021 IEEE International Conference on Multimedia and Expo (ICME), pp. 1–6. (2021)

    Google Scholar 

  12. Huang, H., Chen, Z., Chen, H., Wang, Y., Zhang, K.: T-SEA: transfer-based self-ensemble attack on object detection. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 20514–20523 (2023)

    Google Scholar 

  13. Lu, J., Sibai, H., Fabry, E.: Adversarial examples that fool detectors. arXiv preprint arXiv:1712.02494 (2017)

  14. Li, Y., Tian, D., Chang, M.C., Bian, X., Lyu, S.: Robust adversarial perturbation on deep proposal-based models. arXiv preprint arXiv:1809.05962 (2018)

  15. Zhang, H., Zhou, W., Li, H.: Contextual adversarial attacks for object detection. In: 2020 IEEE International Conference on Multimedia and Expo (ICME), pp. 1–6 (2020)

    Google Scholar 

  16. Wu, X., Huang, L., Gao, C., Lee, W. S., Suzuki, T.: G-UAP: generic universal adversarial perturbation that fools RPN-based detectors. In: ACML, pp. 1204–1217 (2019)

    Google Scholar 

  17. Chen, S.T., Cornelius, C., Martin, J., Chau, D.H.: Shapeshifter: Robust physical adversarial attack on faster R-CNN object detector. In: Machine learning and knowledge discovery in databases: European Conference, ECML PKDD, pp. 52–68 (2019)

    Google Scholar 

  18. Shi, G., Peng, A., Zeng, H.: An enhanced transferable adversarial attack against object detection. In: International Joint Conference on Neural Networks. in press (2023)

    Google Scholar 

  19. Wang, D., Li, C., Wen, S., Han, Q.L., Nepal, S., Zhang, X., Xiang, Y.: Daedalus: breaking non-maximum suppression in object detection via adversarial examples. In: IEEE Trans. Cybern. 52(8), pp.7427–7440 (2021)

    Google Scholar 

  20. Ganeshan, A., BS, V., Babu, R. V.: FDA: feature disruptive attack. In: Proceedings of the IEEE/CVF International Conference on Computer Vision, pp. 8069–8079 (2019)

    Google Scholar 

  21. Naseer, M., Khan, S. H., Rahman, S., Porikli, F.: Task-generalizable adversarial attack based on perceptual metric. arXiv preprint arXiv:1811.09020 (2018)

  22. Dhamdhere, K., Sundararajan, M., Yan, Q.: How important is a neuron? arXiv preprint arXiv:1805.12233 (2018)

  23. Zhang, J., Wu, W., Huang, J.T., Huang, Y., Wang, W., Su, Y., Lyu, M.R.: Improving adversarial transferability via neuron attribution-based attacks. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp.14993–15002 (2022)

    Google Scholar 

  24. Ren, S., He, K., Girshick, R., Sun, J.: Faster R-CNN: towards real-time object detection with region proposal networks. In: Advances in Neural Information Processing Systems, vol. 28 (2015)

    Google Scholar 

  25. Liu, W., Anguelov, D., Erhan, D., Szegedy, C., Reed, S., Fu, C.Y., Berg, A.C.: SSD: single shot multibox detector. In: ECCV 2016, pp. 21–37 (2016)

    Google Scholar 

  26. Carlini, N., Wagner, D.: Towards evaluating the robustness of neural networks. In: 2017 IEEE Symposium on Security and Privacy, pp. 39–57 (2017)

    Google Scholar 

  27. Athalye, A., Engstrom, L., Ilyas, A., Kwok, K.: Synthesizing robust adversarial examples. In: International Conference on Machine Learning PMLR, pp. 284–293 (2018)

    Google Scholar 

  28. Zhu, X., Lyu, S., Wang, X., Zhao, Q.: TPH-YOLOv5: Improved YOLOv5 based on transformer prediction head for object detection on drone-captured scenarios. In: Proceedings of the IEEE/CVF International Conference on Computer Vision, pp. 2778–2788 (2021)

    Google Scholar 

  29. Lin, T., Dollár, P., Girshick, R., He, K., Hariharan, B., Belongie, S.: Feature pyramid networks for object detection. In: IEEE Conference on Computer Vision and Pattern Recognition, pp. 936–944 (2016)

    Google Scholar 

  30. He, K., Gkioxari, G., Dollár, P., Grishick, R.: Mask R-CNN. IEEE Trans. Pattern Anal. Mach. Intell. 42, 386–397 (2017)

    Google Scholar 

  31. Liu, X., Yang, H., Liu, Z., Song, L., Chen, Y., Li, H.H.: DPATCH: an adversarial patch attack on object detectors. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (2018)

    Google Scholar 

  32. Hu, Z., Huang, S., Zhu, X., Sun, F., Zhang, B., Hu, X.: Adversarial texture for fooling person detectors in the physical world. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 307–316 (2022)

    Google Scholar 

Download references

Acknowledgement

This work was partially supported by NFSC No.62072484, Sichuan Science and Technology Program (No. 2022YFG0321, No. 2022NSFSC0916), the Opening Project of Engineering Research Center of Digital Forensics, Ministry of Education.

Author information

Authors and Affiliations

  1. Southwest University of Science and Technology, Mianyang, 621010, Sichuan, China

    Guoqiang Shi, Anjie Peng, Hui Zeng & Wenxin Yu

  2. Engineering Research Center of Digital Forensics, Ministry of Education, Nanjing University of Information Science and Technology, Nanjing, China

    Anjie Peng

Authors
  1. Guoqiang Shi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Anjie Peng
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Hui Zeng
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Wenxin Yu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Anjie Peng .

Editor information

Editors and Affiliations

  1. Changsha, China

    Biao Luo

  2. Institute of Automation, Chinese Academy of Sciences, Beijing, China

    Long Cheng

  3. Institute of Cyber-Systems and Control, Zhejiang University, Hangzhou, China

    Zheng-Guang Wu

  4. School of Automation, Guangdong University of Technology, Guangdong, China

    Hongyi Li

  5. UNSW Sydney, Sydney, NSW, Australia

    Chaojie Li

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Shi, G., Peng, A., Zeng, H., Yu, W. (2024). Neuron Attribution-Based Attacks Fooling Object Detectors. In: Luo, B., Cheng, L., Wu, ZG., Li, H., Li, C. (eds) Neural Information Processing. ICONIP 2023. Communications in Computer and Information Science, vol 1967. Springer, Singapore. https://doi.org/10.1007/978-981-99-8178-6_8

Download citation

  • DOI: https://doi.org/10.1007/978-981-99-8178-6_8

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8177-9

  • Online ISBN: 978-981-99-8178-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics