PBCAT: Patch-based composite adversarial training against physically realizable attacks on object detection
Xiao Li, Yiming Zhu, Yifan Huang, Wei Zhang, Yingzhe He, Jie Shi, Xiaolin Hu

TL;DR
This paper introduces PBCAT, a novel adversarial training method that enhances object detector robustness against physically realizable attacks like patches and textures by combining gradient-guided patches with global perturbations.
Contribution
PBCAT is a unified adversarial training strategy that defends against a wider range of physically realizable attacks on object detection models.
Findings
Significantly improved robustness against various attacks.
Achieved 29.7% higher detection accuracy under adversarial texture attack.
Outperformed state-of-the-art defense methods.
Abstract
Object detection plays a crucial role in many security-sensitive applications. However, several recent studies have shown that object detectors can be easily fooled by physically realizable attacks, e.g., adversarial patches and recent adversarial textures, which pose realistic and urgent threats. Adversarial Training (AT) has been recognized as the most effective defense against adversarial attacks. While AT has been extensively studied in the attack settings on classification models, AT against physically realizable attacks on object detectors has received limited exploration. Early attempts are only performed to defend against adversarial patches, leaving AT against a wider range of physically realizable attacks under-explored. In this work, we consider defending against various physically realizable attacks with a unified AT method. We propose PBCAT, a novel Patch-Based…
Peer Reviews
Decision·Submitted to ICLR 2025
1. The topic studied in the paper is practical. 2. The proposed method demonstrates a degree of generalization, as it does not rely on specific attack algorithms. 3. The proposed method is effective against common adversarial attack algorithms. 4. The experiments conducted are relatively comprehensive.
1. The paper lacks novelty. 2. The authors should emphasize why standard adversarial training cannot effectively address physically realizable attacks and highlight the advantages of the proposed method presented in this paper. 3. In lines 251-253, the authors' findings seem meaningless, as unlimited adversarial noise will inevitably lead to a decline in training performance. 4. Although the training cost of PBCAT is comparable to that of standard training, it still demands additional computati
- The method is simple and effective. - The experimental results and ablation studies are convincing.
- It is curious that the proposed methods work for naturalistic patch attacks. Experiments on defending naturalistic patch attack will strengthen the paper. - No black-box experiments are conducted. For example, FastRCNN trained with the proposed method against different datasets and attacks using other surrogate models such as Yolo. - Hyper-parameter tuning and training time is a concern
- As remarked by different experiments, the proposed method increases the robustness over different attacks. - Overall I think that the results are quite interesting, it provides a quite large gap above other strategies.
- The approach may impact accuracy sometimes, especially when dealing with large datasets like COCO, as shown in Table 5. However, the effectiveness in terms of improved robustness is noteworthy. - The authors could have added metrics on training costs in the table to better clarify possible efficiency with respect to other training strategies
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Neural Network Applications · Domain Adaptation and Few-Shot Learning
