BadDet+: Robust Backdoor Attacks for Object Detection

Kealan Dunnett; Reza Arablouei; Dimity Miller; Volkan Dedeoglu; Raja Jurdak

arXiv:2601.21066·cs.CV·January 30, 2026

BadDet+: Robust Backdoor Attacks for Object Detection

Kealan Dunnett, Reza Arablouei, Dimity Miller, Volkan Dedeoglu, Raja Jurdak

PDF

Open Access 3 Reviews

TL;DR

This paper introduces BadDet+, a robust backdoor attack framework for object detection that demonstrates high physical robustness and transferability, revealing critical vulnerabilities in current detection models.

Contribution

We propose BadDet+, a unified penalty-based attack method for object detection that improves physical robustness and transferability over existing methods.

Findings

01

Outperforms existing RMA and ODA baselines in real-world scenarios

02

Maintains high clean performance while attacking

03

Theoretically confirms trigger-specific feature subspace targeting

Abstract

Backdoor attacks pose a severe threat to deep learning, yet their impact on object detection remains poorly understood compared to image classification. While attacks have been proposed, we identify critical weaknesses in existing detection-based methods, specifically their reliance on unrealistic assumptions and a lack of physical validation. To bridge this gap, we introduce BadDet+, a penalty-based framework that unifies Region Misclassification Attacks (RMA) and Object Disappearance Attacks (ODA). The core mechanism utilizes a log-barrier penalty to suppress true-class predictions for triggered inputs, resulting in (i) position and scale invariance, and (ii) enhanced physical robustness. On real-world benchmarks, BadDet+ achieves superior synthetic-to-physical transfer compared to existing RMA and ODA baselines while preserving clean performance. Theoretical analysis confirms the…

Peer Reviews

Decision·Submitted to ICLR 2026

Reviewer 01Rating 6Confidence 4

Strengths

+ the simplicity of a training time regularizer makes this technology easy to understand and also to stage + the paper also propose an ablation study on the parameters of the methodology, highlighting the depth of the study + novel metrics show that previous work might have overfitted the goal of mislabelling rather than being sure that the true label is not considered

Weaknesses

- the fact that the paper is presenting a new metric, and with this the performances of the proposed methods are way way better than the literature might rise the doubt on the metric being overfit by BadDet+. Hence, it would be better to show some examples also on regular metrics, or ablation studies also on the 0.5 that has been deemed threshold on the IoU. - there is no clear technical description of the nature of the trigger, could its shape and color change the entire method? Like triggers

Reviewer 02Rating 2Confidence 4

Strengths

1. The authors provide a clear and comprehensive related work. 2. The authors identify the incomplete success of traditional backdoor attacks and propose a new loss function to optimize these bad cases, making the backdoor more robust and effective.

Weaknesses

1. The paper actually adopts a stronger attacker assumption — the ability to manipulate the loss function (i.e., the training process) — which is clearly different from traditional data poisoning attacks. Although I acknowledge the validity of this threat model, I believe the authors should clearly explain these points before introducing their method. Otherwise, comparing it with other data poisoning–based backdoor attacks is, in my view, of limited significance. 2. The paper does not clearly e

Reviewer 03Rating 6Confidence 3

Strengths

The paper argues that there are issues with current evaluation approaches, e.g. ASR overstating success and mAP results being skewed by duplicate detections. The proposed TDR is a sound measure to help alleviate some of the issues. BadDet+ itself is well motivated, and while the underlying idea is simple, unifying untargeted ODA and RMA under a single mechanism is attractive, and the comprehensive experimental results demonstrate its effectiveness. Overall, this is a good contribution, though

Weaknesses

As the authors themselves identify, the approach assumes that training is controlled by the adversary. This is a very strong assumption, though it is not unreasonable to assume such a worst case in some scenarios. The idea is quite simple and incremental on prior work. Minor: - The poor performance compared to BadDet on YOLO for MTSD and PTSD is not adequately highlighted in the main text, where it is stated as "on par with BadDet". Some discussion is in the appendix, but this main text mentio

Videos

No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.

Taxonomy

TopicsAdversarial Robustness in Machine Learning · Advanced Neural Network Applications · Domain Adaptation and Few-Shot Learning