基于数据增强的车辆鲁棒对抗纹理生成

doi:10.12305/j.issn.1001-506X.2025.06.04

摘要/Abstract

摘要：

现有的物理对抗攻击方法大多数局限于平面补丁, 即使是可以执行多角度攻击的对抗样本也存在鲁棒性不足、泛化性不够、在数字域和物理域的攻击效果差距较大等问题。基于此, 提出一种白盒车辆对抗纹理生成方法: 在训练数据集中添加不同亮度和对比度的图像, 并在每一代训练后生成的纹理上添加模拟现实环境的噪声, 利用贝叶斯优化算法来优化不同损失项权重, 最后添加正则化项减小模型过拟合。针对现有数据集模型和掩码无法完全重合的问题, 提出一种修复方法用于修复图像来缩小数字仿真和现实拍摄的差距。通过数字仿真实验和物理世界实验表明, 与现有对抗纹理生成算法相比, 此算法实现了更高的平均攻击成功率和更低的平均精确率。

关键词: 对抗攻击, 物理攻击, 纹理生成, 白盒攻击

Abstract:

Most of the existing physical adversarial attack methods are limited to planar patches, and even the adversarial samples that can perform multi-angle attacks suffer from insufficient robustness, insufficient generalization, and a large gap between the attack effects in the digital and physical domains. A white-box vehicle adversarial texture generation method is proposed based on this: add images with different brightness and contrast in the training dataset, and add noise that simulates the real environment on the texture generated after each training epoch, use the Bayesian optimization algorithm to compute the weights of the different loss terms, and finally add a regularization term to reduce the overfitting of the model. In response to the problem that the model and the target of the existing dataset cannot be completely overlapped, an inpainting method is proposed for repairing images to reduce the gap between the digital simulation and the real shot. Digital simulation experiments and physical world experiments show that the proposed algorithm achieves a higher attack success rate and lower precision rate compared to existing adversarial texture generation algorithms.

Key words: adversarial attack, physical attack, texture generation, white-box attack

中图分类号:

TP391.41

蔡伟, 狄星雨, 蒋昕昊, 王鑫, 高蔚洁. 基于数据增强的车辆鲁棒对抗纹理生成[J]. 系统工程与电子技术, 2025, 47(6): 1757-1767.

Wei CAI, Xingyu DI, Xinhao JIANG, Xin WANG, Weijie GAO. Vehicle robust adversarial texture generation based on data augmentation[J]. Systems Engineering and Electronics, 2025, 47(6): 1757-1767.

图/表 17

图1

图2

图3

图4

图5

表1

表2

表3

图6

表4

图7

表5

图8

表6

图9

表7

图10

参考文献 34

1	ZOU Z X , CHEN K Y , SHI Z W , et al. Object detection in 20 years: a survey[J]. Proceedings of the IEEE, 2023, 111 (3): 257- 276. doi: 10.1109/JPROC.2023.3238524
2	汪欣欣, 陈晶, 何琨, 等. 面向目标检测的对抗攻击与防御综述[J]. 通信学报, 2023, 44 (11): 260- 277.
	WANG X X , CHEN J , HE K , et al. Survey on adversarial attacks and defenses for object detection[J]. Journal on Communications, 2023, 44 (11): 260- 277.
3	GUESMI A , HANIF M A , OUNI B , et al. Physical adversarial attacks for camera-based smart systems: current trends, catego rization, applications, research challenges, and future outlook[J]. IEEE Access, 2023, 11, 109617- 109668. doi: 10.1109/ACCESS.2023.3321118
4	WANG Y J , LYU H R , KUANG X H , et al. Towards a physical world adversarial patch for blinding object detection models[J]. Information Sciences, 2021, 556, 459- 471. doi: 10.1016/j.ins.2020.08.087
5	ZHU X P, LI X, LI J M, et al. Fooling thermal infrared pedes trian detectors in real world using small bulbs[C]//Proc. of the AAAI Conference on Artificial Intelligence, 2021, 35(4): 3616-3624.
6	HOORY S, SHAPIRA T, SHABTAI A, et al. Dynamic adversarial patch for evading object detection models[EB/OL]. [2024-02-28]. https://arxiv.org/pdf/2010.13070v1.pdf.
7	HU Z H, HUANG S Y, ZHU X P, et al. Adversarial texture for fooling person detectors in the physical world[C]//Proc. of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022: 13307-13316.
8	ZHANG Y, FOROOSH H, DAVID P, et al. CAMOU: learning physical vehicle camouflages to adversarially attack detectors in the wild[C]//Proc. of the International Conference on Learning Representations, 2018.
9	WU T, NING X F, LI W S, et al. Physical adversarial attack on vehicle detector in the carla simulator[EB/OL]. [2024-02-28]. https://arxiv.org/pdf/2007.16118.pdf.
10	DUAN Y X, CHEN J L, ZHOU X Y, et al. Learning coated adversarial camouflages for object detectors[C]//Proc. of the 31st International Joint Conference on Artificial Intelligence, 2022: 891-897.
11	WANG J K, LIU A S, YIN Z X, et al. Dual attention suppres sion attack: generate adversarial camouflage in physical world[C]// Proc. of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021: 8565-8574.
12	WANG D H, JIANG T S, SUN J L, et al. FCA: learning a 3D full-coverage vehicle camouflage for multi-view physical adversarial attack[C]//Proc. of the AAAI Conference on Artificial Intelligence, 2022.
13	SURYANTO N, KIM Y, KANG H, et al. DTA: physical camouflage attacks using differentiable transformation network[C]// Proc. of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022: 15305-15314.
14	SURYANTO N, KIM Y, LARASATI H T, et al. Active: towards highly transferable 3D physical camouflage for universal and robust vehicle evasion[C]//Proc. of the IEEE/CVF International Conference on Computer Vision, 2023: 4305-4314.
15	ZHOU J W, LYU L Y, HE D J, et al. RAUCA: a novel phy-sical adversarial attack on vehicle detectors via robust and accurate camouflage generation[EB/OL]. [2024-02-28]. https://arxiv.org/pdf/2402.15853.pdf.
16	GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples[C]//Proc. of the International Conference on Learning Representations, 2014.
17	MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks[C]//Proc. of the International Conference on Learning Representations, 2018.
18	CARLINI N, WAGNER D. Towards evaluating the robustness of neural networks[C]//Proc. of the IEEE Symposium on Security and Privacy, 2017: 39-57.
19	CHOW K H, LIU L, GURSOY M E, et al. TOG: targeted adversarial objectness gradient attacks on real-time object detection systems[EB/OL]. [2024-02-28]. https://arxiv.org/pdf/2004.04320.pdf.
20	WANG D R , LI C R , WEN S , et al. Daedalus: breaking non- maximum suppression in object detection via adversarial exam p-les[J]. IEEE Trans.on Cybernetics, 2021, 52 (8): 7427- 7440.
21	叶子鹏, 夏雯宇, 孙志尧, 等. 从传统渲染到可微渲染: 基本原理、方法和应用[J]. 中国科学: 信息科学, 2021, 51 (7): 1043- 1067.
	YE Z P , XIA W Y , SUN Z Y , et al. From traditional rendering to differentiable rendering: theories, methods and applications[J]. Scientia Sinica Informationis, 2021, 51 (7): 1043- 1067.
22	CHEN W, ZHANG Y S, LI Z H, et al. MFA: multi-layer feature-aware attack for object detection[C]//Proc. of the 39th Conference on Uncertainty in Artificial Intelligence, 2023.
23	WANG H , QIN J J , HUANG Y X , et al. SC-PCA: shape constraint physical camouflage attack against vehicle detection[J]. Journal of Signal Processing Systems, 2023, 95 (12): 1405- 1424. doi: 10.1007/s11265-023-01890-8
24	KATO H, USHIKU Y, HARADA T. Neural 3D mesh renderer[C]//Proc. of the IEEE Conference on Computer Vision and Pattern Recognition, 2018: 3907-3916.
25	LI Y, TAN W Y, ZHAO C X, et al. Flexible physical camouflage generation based on a differential approach[EB/OL]. [2024-02-28]. https://arxiv.org/pdf/2402.13575.pdf.
26	MENDES P, ROMANO P, GARLAN D. Hyper-parameter tuning for adversarially robust models[EB/OL]. [2024-02-28]. https://arxiv.org/pdf/2304.02497.pdf.
27	WU J , CHEN X Y , ZHANG H , et al. Hyperparameter optimization for machine learning models based on Bayesian optimization[J]. Journal of Electronic Science and Technology, 2019, 17 (1): 26- 40.
28	WU Z, LIM S N, DAVIS L S, et al. Making an invisibility cloak: real world adversarial attacks on object detectors[C]//Proc. of the 16th European Conference, 2020.
29	JOCHER G. Yolov5. [EB/OL]. [2024-02-28]. https://github.com/ultralytics/yolov5.
30	LIU W, ANGUELOV D, ERHAN D, et al. SSD: single shot multibox detector[C]//Proc. of the 14th European Confe-rence, 2016: 21-37.
31	REN S , HE K , GIRSHICK R , et al. Faster R-CNN: towards real-time object detection with region proposal networks[J]. IEEE Trans. on Pattern Analysis And Machine Intelligence, 2016, 39 (6): 1137- 1149.
32	CARION N, MASSA F, SYNNAEVE G, et al. End-to-end object detection with transformers[C]//Proc. of the European Conference on Computer Vision, 2020: 213-229.
33	WANG C Y, YEH I H, LIAO H Y M. YOLOv9: learning what you want to learn using programmable gradient information[EB/OL]. [2024-02-28]. https://arxiv.org/pdf/2402.13616v2.pdf.
34	REDMON J, FARHADI A. Yolov3: an incremental improvement[EB/OL]. [2024-02-28]. https://arxiv.org/pdf/1804.02767.pdf.

攻击方法	检测模型
攻击方法	YOLOv5	YOLOv9	Faster R-CNN	SSD	DETR	平均ASR
随机噪声	19.8	21.2	26.8	38.5	42.3	29.7
FCA	55.8	40.0	35.4	54.6	72.8	51.7
DAS	16.5	0.8	2.0	6.6	31.4	11.5
本文方法	51.1	40.8	39.0	48.4	87.1	53.3

攻击方法	检测模型
攻击方法	YOLOv5	YOLOv9	Faster R-CNN	SSD	DETR	平均精确率
无攻击	75.4	82.4	63.6	86.5	54.4	72.5
随机噪声	62.5	68.2	55.8	78.8	40.6	61.2
FCA	27.4	45.3	46.4	75.3	21.0	43.1
DAS	66.1	69.7	61.7	83.9	45.0	65.3
本文方法	36.2	50.5	48.6	65.6	13.4	42.9

攻击方法	检测模型
攻击方法	YOLOv5	YOLOv9	Faster R-CNN	SSD	DETR	平均MR
无攻击	39.4	27.7	41.1	63.2	32.1	40.7
随机噪声	51.4	43.0	56.9	77.4	60.8	57.9
FCA	73.2	56.6	62.0	83.3	81.6	71.3
DAS	49.4	28.2	42.3	65.7	53.5	47.8
本文方法	70.4	57.2	64.1	81.0	91.3	72.8

攻击方法	检测模型
攻击方法	YOLOv5	YOLOv9	Faster R-CNN	SSD	DETR
无攻击
随机噪声
FCA
DAS
本文方法

攻击方法	检测模型
攻击方法	YOLOv5	Faster R-CNN	SSD	DETR	平均ASR
随机噪声	29.9	14.8	11.4	33.2	22.3
FCA	11.7	7.7	8.5	27.7	13.9
DAS	6.4	0	4.3	15.9	6.7
本文方法	25.0	24.7	37.8	52.1	34.9