Segment and Complete : Defending Object Detectors against Adversarial Patch Attacks with Robust Patch Detection

Research output: Chapters, Conference Papers, Creative and Literary WorksRGC 32 - Refereed conference paper (with host publication)peer-review

39 Scopus Citations
View graph of relations

Author(s)

Detail(s)

Original languageEnglish
Title of host publicationProceedings - 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition
Subtitle of host publicationCVPR 2022
PublisherInstitute of Electrical and Electronics Engineers, Inc.
Pages14953-14962
Number of pages10
ISBN (electronic)9781665469463
ISBN (print)978-1-6654-6947-0
Publication statusPublished - 2022
Externally publishedYes

Publication series

NameProceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition
ISSN (Print)1063-6919
ISSN (electronic)2575-7075

Conference

Title2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2022)
LocationHybrid
PlaceUnited States
CityNew Orleans
Period19 - 24 June 2022

Abstract

Object detection plays a key role in many security-critical systems. Adversarial patch attacks, which are easy to implement in the physical world, pose a serious threat to state-of-the-art object detectors. Developing reliable defenses for object detectors against patch attacks is critical but severely understudied. In this paper, we propose Segment and Complete defense (SAC), a general framework for defending object detectors against patch attacks through detection and removal of adversarial patches. We first train a patch segmenter that outputs patch masks which provide pixel-level localization of adversarial patches. We then propose a self adversarial training algorithm to robustify the patch segmenter. In addition, we design a robust shape completion algorithm, which is guaranteed to remove the entire patch from the images if the outputs of the patch segmenter are within a certain Hamming distance of the ground-truth patch masks. Our experiments on COCO and xView datasets demonstrate that SAC achieves superior robustness even under strong adaptive attacks with no reduction in performance on clean images, and generalizes well to unseen patch shapes, attack budgets, and unseen attack methods. Furthermore, we present the APRICOT-Mask dataset, which augments the APRICOT dataset with pixel-level annotations of adversarial patches. We show SAC can significantly reduce the targeted attack success rate of physical patch attacks. Our code is available at https://github.com/joellliu/SegmentAndComplete. © 2022 IEEE

Research Area(s)

  • Adversarial attack and defense

Citation Format(s)

Segment and Complete: Defending Object Detectors against Adversarial Patch Attacks with Robust Patch Detection. / Liu, Jiang; Levine, Alexander; Lau, Chun Pong et al.
Proceedings - 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition: CVPR 2022. Institute of Electrical and Electronics Engineers, Inc., 2022. p. 14953-14962 (Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition).

Research output: Chapters, Conference Papers, Creative and Literary WorksRGC 32 - Refereed conference paper (with host publication)peer-review