Segment and Complete : Defending Object Detectors against Adversarial Patch Attacks with Robust Patch Detection
Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review
Author(s)
Detail(s)
Original language | English |
---|---|
Title of host publication | Proceedings - 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition |
Subtitle of host publication | CVPR 2022 |
Publisher | Institute of Electrical and Electronics Engineers, Inc. |
Pages | 14953-14962 |
Number of pages | 10 |
ISBN (electronic) | 9781665469463 |
ISBN (print) | 978-1-6654-6947-0 |
Publication status | Published - 2022 |
Externally published | Yes |
Publication series
Name | Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition |
---|---|
ISSN (Print) | 1063-6919 |
ISSN (electronic) | 2575-7075 |
Conference
Title | 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2022) |
---|---|
Location | Hybrid |
Place | United States |
City | New Orleans |
Period | 19 - 24 June 2022 |
Link(s)
Abstract
Object detection plays a key role in many security-critical systems. Adversarial patch attacks, which are easy to implement in the physical world, pose a serious threat to state-of-the-art object detectors. Developing reliable defenses for object detectors against patch attacks is critical but severely understudied. In this paper, we propose Segment and Complete defense (SAC), a general framework for defending object detectors against patch attacks through detection and removal of adversarial patches. We first train a patch segmenter that outputs patch masks which provide pixel-level localization of adversarial patches. We then propose a self adversarial training algorithm to robustify the patch segmenter. In addition, we design a robust shape completion algorithm, which is guaranteed to remove the entire patch from the images if the outputs of the patch segmenter are within a certain Hamming distance of the ground-truth patch masks. Our experiments on COCO and xView datasets demonstrate that SAC achieves superior robustness even under strong adaptive attacks with no reduction in performance on clean images, and generalizes well to unseen patch shapes, attack budgets, and unseen attack methods. Furthermore, we present the APRICOT-Mask dataset, which augments the APRICOT dataset with pixel-level annotations of adversarial patches. We show SAC can significantly reduce the targeted attack success rate of physical patch attacks. Our code is available at https://github.com/joellliu/SegmentAndComplete. © 2022 IEEE
Research Area(s)
- Adversarial attack and defense
Citation Format(s)
Proceedings - 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition: CVPR 2022. Institute of Electrical and Electronics Engineers, Inc., 2022. p. 14953-14962 (Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition).
Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review