Research And Application Of Vehicle Identification System Adversarial Attacks

With the improvement of residents’ travel mode,the number of road vehicles is increasing,which increases the burden on traffic control departments.At the same time,the development of new energy vehicles promotes the rise of driverless technology.The vehicle identification system based on neural network can be used not only in intelligent transportation system to improve the work efficiency of traffic control department,but also in driverless system to help it make decisions.However,the above two application scenarios are complex and changeable,and involve the safety of people’s lives and property.Therefore,when designing a vehicle identification system based on neural network,we should not only consider its accuracy and real-time,but also pay attention to its safety.The research shows that the neural network is easily attacked by adversarial samples,which leads to misjudgment.Therefore,the adversarial attack method can also be used in the security research of vehicle identification system,including finding system vulnerabilities to verify its security.At present,there are many methods to generate adversarial samples,and all of them have good ability.But they all add perturbations at pixel level,which leads to low quality of generated samples and is not robust to steganalysis based detection methods and image processing based defense methods.And most attack methods are global disturbance,which leads to poor concealment of generated samples.Based on the above background,aiming at the special requirements of vehicle identification system,this paper selects a scheme that is helpful to vehicle identification scene after summarizing the current improved methods for YOLOv4 model and uses it to construct the target attack model of this paper to complete the task of vehicle identification.Then,in view of the shortcomings of the existing adversarial attack methods,a superpixellevel adversarial perturbation generation method and a foreground-only adversarial sample generation method are proposed to generate high-quality samples with better concealment,and the adversarial attack research is used to improve the security.The main research work of this paper is as follows:(1)The target attack model of this paper is constructed by using the current mainstream improvement scheme for YOLOv4.Specifically,it includes using depth separable convolution in feature extraction network to improve speed;Using K-means++ clustering algorithm to generate anchor frame faster;Modify the loss function to make it more suitable for vehicle detection;Soft-NMS method is introduced to reduce the problem of losing results.The BIT vehicle data set is used to train and test the model,and finally the vehicle identification task is completed,which lays the foundation for the follow-up anti-attack research.(2)A superpixel level adversarial perturbation generation method is proposed.The specific method is as follows: given an input image,firstly,the superpixel map is obtained by using the superpixel algorithm,and it is made into an adversarial perturbation template for filling in order to limit each superpixel to have the same perturbation,and then the filled perturbation is added to the original image to make a higher-quality adversarial sample.Experiments show that,because the adversarial samples generated by this method are more consistent with the original images,it is more robust to steganalysis based detection methods and various types of image processing based defense methods,and the attack performance is not affected by the types of superpixel algorithms used.(3)A foreground-only adversarial sample generation method is proposed.The specific method is as follows: given an input image,firstly,the target that really needs to be attacked in the image is segmented by using semantic segmentation technology,and then in order to limit the adversarial perturbation to the position that the classifier pays more attention to,the binarization result of attention heat map is combined with semantic segmentation mask to further narrow the range of perturbation.In other words,this method restricts the perturbation from being added only to the foreground part but not to the whole image.Experiments show that even in such a highly constrained perturbation space,this method can still maintain its original attack ability and is more concealed.Then,the adversarial samples generated by this method are used to make special data sets,which are used to train the vehicle recognition model to enhance its robustness and safety.