Research On Adversarial Technology For Object Detection

With the rapid development of deep learning,the performance of object detection systems based on deep learning has also been greatly improved,but it is found that the object detection system based on deep learning inherits the disadvantage of being vulnerable to adversarial example attacks while obtaining excellent performance of deep neural networks.Illegal elements can use adversarial examples to attack object detection systems,such as automatic driving,pedestrian detection and other fields,which greatly hinders the implementation of artificial intelligence projects,and one stage detection model is widely used in landing application scenarios due to lightweight models and fast detection speed.Based on the above background,based on the YOLO detection model,this paper first starts from the digital world,deeply studies the mechanism of object detection adversarial example generation,analyzes the influence of digital adversarial examples on object detection performance,and tests from multiple angles from detection effect to attack detectability.Based on the research of the digital world,a pretreatment defense method is proposed to improve the robustness of the detection model to adversarial examples.Finally,the adversarial patch technology in the physical world is studied,and the adversarial patch generation algorithm is improved,so that the example generation is faster,better and stronger,and its effectiveness is verified in the physical world,laying the foundation for the adversarial training defense method.The main works of this thesis are as follows:1.In this paper,a adversarial example generation method based on variable step PGD object detection is proposed,which solves the problem of poor image quality caused by the existing adversarial example generation method to improve the attack,which is easy to be detected by the naked eye.Firstly,this paper analyzes the limitations of the existing adversarial example generation algorithms,finds that the use of fixed step size will make it difficult for training to jump out of the local optimal solution,and analyzes the influence of asynchronous length on image quality.Secondly,the analysis of the object detection loss function shows that the image edge detection frame has the problem that it is difficult to attack successfully,and the mechanism of limiting the detection edge samples and increasing the resistance training samples is proposed.Experiments show that the algorithm shows better performance than traditional FGSM,BIM,PGD and other algorithms in reducing the success rate of model detection and generating adversarial example quality.2.In this paper,a digital world adversarial defense method based on bilateral filtering and noise reduction autoencoder is proposed,which improves the detection accuracy of the pretreatment defense method on clean examples and solves the problem of detection performance degradation after using preprocessing algorithms such as filtering.Firstly,this paper analyzes the global perturbation in the digital world,finds that the adversarial perturbation has obvious target edge characteristics,and the disturbance feature can effectively reduce the aggressiveness,and analyzes and experiments on different filtering algorithms to prove that bilateral filtering has better noise reduction effect.Secondly,aiming at the problem of feature reduction after filtering,a threelayer symmetric convolutional autoencoder structure is proposed to supplement the image features,reduce the distance between the real image and the adversarial image,and further "clear" the adversarial perturbation.Experiments show that the proposed algorithm has a better effect compared with multiple defense methods,and the proposed method can improve the PASCVAL VOC dataset by 81.41% and the MS COCO dataset by 67.18% on the PASCVAL VOC dataset while maintaining a good border detection rate in the original image.3.In this paper,an initial diversified adversarial patch generation method is proposed,which improves the diversification of the adversarial patch generation space,makes it easier to find and better solutions,solves the problem of single initial direction of existing algorithms,and improves the example generation speed.Firstly,random initialization and output-dependent diversification(ODI)are introduced and analyzed.Secondly,the loss of diversity of adversarial examples caused by the original ODI algorithm is analyzed,and a selection algorithm for the key direction parameters of initial diversification of object detection is proposed,which realizes the initial diversification of adversarial patches.Experiments show that compared with the traditional adversarial patch generation method,the attack effect of the algorithm is 8.46% higher than the baseline,and the speed of generating adversarial patch is faster and the adversarial attack effect is better.