Patch Attack And Defense For Vehicle Vision System

Deep learning has always been an important branch of artificial intelligence.In recent years,deep learning has been widely used to solve various problems,and has achieved the latest in many computer vision tasks,and even the recognition ability exceeds the level of human beings,including intelligent recognition,unmanned driving,image segmentation and other fields.However,recent studies have shown that the performance of deep neural network will be greatly reduced due to the presence of counter samples.The attacker misleads the classifier to make false prediction by adding carefully designed small disturbance to the image to be recognized.On the other hand,the disturbance generated in digital space is applied in real space,and it is proved that the attack is still effective.Therefore,the research on the counter sample problem under the background of deep learning not only helps to find the potential problems in the training process of deep learning model,but also helps to promote the study of deep learning theory.In this paper,we study the depth of vehicle defense based on the samples of physical network and the depth of the road defense.The specific research work is as follows:(1)Patch attack for vehicle vision system: in view of the process of system identification,this paper proposes a physical patch attack algorithm based on two-dimensional code for the whole road traffic signs in physical space.In the process of generating attack patches,the method only needs to modify the pixel area in the patch of two-dimensional code,which requires smaller calculation area and faster generation speed.The experiment shows that the attack patch can be successfully attacked in the digital space and the real physical space after careful design;and in the experiment,the common two-dimensional code in real life is used as the attack patch,which has high confusion and is not easy to be detected.Moreover,the cost of generating the two-dimensional code counter sample is low,and the implementation of the attack is more in line with the real scene.(2)Aiming at the local disturbance of road traffic signs by using two-dimensional code patch,this attack algorithm is designed and implemented by optimizing the algorithm.Experiments show that the attack success rate is very high in both digital space and physical space,which poses a threat to the current vehicle vision system based on deep neural network in road traffic sign recognition.Aiming at this threat,this paper adopts an integrated defense method based on knowledge distillation and counter samples.In the experiment,several teacher models are distilled to get small models.In order to maintain high accuracy,these small models are further integrated.Experimental results show that this method can effectively defend against such attacks.The main research object of this paper is the physical world confrontation sample problem under the background of deep learning,and takes the vehicle vision system to recognize road traffic signs as the object of experiment,so as to verify the harm of patch attack and the effectiveness of the defense method in this paper.Many researchers have completed important work on the confrontation learning of deep neural network,but there are still many problems.In the future study,the reasons for the formation of confrontation samples and the application of confrontation samples may become a new research hotspot.