Harnessing Perceptual Adversarial Patches for Crowd Counting

TL;DR

This paper introduces a novel perceptual adversarial patch framework for crowd counting that significantly improves attack transferability across models and enhances model robustness through adversarial training.

Contribution

The paper proposes the Perceptual Adversarial Patch (PAP) framework utilizing model-invariant features for effective transferability in crowd counting adversarial attacks.

Findings

Achieves state-of-the-art attack performance in digital and physical environments.

Outperforms previous methods with large margins (+685.7 MAE, +699.5 MSE).

Adversarial training with PAP improves model generalization and robustness.

Abstract

Crowd counting, which has been widely adopted for estimating the number of people in safety-critical scenes, is shown to be vulnerable to adversarial examples in the physical world (e.g., adversarial patches). Though harmful, adversarial examples are also valuable for evaluating and better understanding model robustness. However, existing adversarial example generation methods for crowd counting lack strong transferability among different black-box models, which limits their practicability for real-world systems. Motivated by the fact that attacking transferability is positively correlated to the model-invariant characteristics, this paper proposes the Perceptual Adversarial Patch (PAP) generation framework to tailor the adversarial perturbations for crowd counting scenes using the model-shared perceptual features. Specifically, we handcraft an adaptive crowd density weighting approach to capture the invariant scale perception features across various models and utilize the density guided attention to capture the model-shared position perception. Both of them are demonstrated to improve the attacking transferability of our adversarial patches. Extensive experiments show that our PAP could achieve state-of-the-art attacking performance in both the digital and physical world, and outperform previous proposals by large margins (at most +685.7 MAE and +699.5 MSE). Besides, we empirically demonstrate that adversarial training with our PAP can benefit the performance of vanilla models in alleviating several practical challenges in crowd counting scenarios, including generalization across datasets (up to -376.0 MAE and -354.9 MSE) and robustness towards complex backgrounds (up to -10.3 MAE and -16.4 MSE).