TL;DR
This paper evaluates the vulnerability of crowd counting neural networks to adversarial patches and introduces a certified defense method, showing that the attack is effective and that the defense significantly improves robustness.
Contribution
It proposes a novel adversarial patch attack method (APAM) for crowd counting models and a regression-based randomized ablation defense, advancing robustness analysis and protection.
Findings
Adversarial patches can severely degrade crowd counting accuracy with less than 6% pixel perturbation.
The proposed APAM attack is effective both digitally and physically.
The randomized ablation defense outperforms traditional adversarial training in robustness.
Abstract
Crowd counting has drawn much attention due to its importance in safety-critical surveillance systems. Especially, deep neural network (DNN) methods have significantly reduced estimation errors for crowd counting missions. Recent studies have demonstrated that DNNs are vulnerable to adversarial attacks, i.e., normal images with human-imperceptible perturbations could mislead DNNs to make false predictions. In this work, we propose a robust attack strategy called Adversarial Patch Attack with Momentum (APAM) to systematically evaluate the robustness of crowd counting models, where the attacker's goal is to create an adversarial perturbation that severely degrades their performances, thus leading to public safety accidents (e.g., stampede accidents). Especially, the proposed attack leverages the extreme-density background information of input images to generate robust adversarial patches…
