Adversarial YOLO: Defense Human Detection Patch Attacks via Detecting Adversarial Patches

TL;DR

This paper introduces Ad-YOLO, a novel defense mechanism for YOLO-based human detection systems against adversarial patch attacks, demonstrating high effectiveness and robustness in both digital and physical scenarios.

Contribution

The paper presents the first defense strategy against human detection patch attacks by adding a patch class to YOLO, with an adversarial training process to enhance detection of diverse patches.

Findings

Ad-YOLO achieves 80.31% AP for persons, outperforming YOLOv2's 33.93%.

Ad-YOLO maintains high detection accuracy with minimal inference overhead.

The approach demonstrates strong generalization in physical-world attack scenarios.

Abstract

The security of object detection systems has attracted increasing attention, especially when facing adversarial patch attacks. Since patch attacks change the pixels in a restricted area on objects, they are easy to implement in the physical world, especially for attacking human detection systems. The existing defenses against patch attacks are mostly applied for image classification problems and have difficulty resisting human detection attacks. Towards this critical issue, we propose an efficient and effective plug-in defense component on the YOLO detection system, which we name Ad-YOLO. The main idea is to add a patch class on the YOLO architecture, which has a negligible inference increment. Thus, Ad-YOLO is expected to directly detect both the objects of interest and adversarial patches. To the best of our knowledge, our approach is the first defense strategy against human detection attacks. We investigate Ad-YOLO's performance on the YOLOv2 baseline. To improve the ability of Ad-YOLO to detect variety patches, we first use an adversarial training process to develop a patch dataset based on the Inria dataset, which we name Inria-Patch. Then, we train Ad-YOLO by a combination of Pascal VOC, Inria, and Inria-Patch datasets. With a slight drop of $0.70\%$ mAP on VOC 2007 test set, Ad-YOLO achieves $80.31\%$ AP of persons, which highly outperforms $33.93\%$ AP for YOLOv2 when facing white-box patch attacks. Furthermore, compared with YOLOv2, the results facing a physical-world attack are also included to demonstrate Ad-YOLO's excellent generalization ability.