Defending Against Physical Adversarial Patch Attacks on Infrared Human Detection

Lukas Strack, Futa Waseda, Huy H. Nguyen, Yinqiang Zheng, Isao Echizen

TL;DR

The paper tackles the vulnerability of infrared human detectors to physically realizable adversarial patches by proposing patch-based occlusion-aware detection (POD), a simple yet effective defense that augments training with random occlusions and adds a dedicated patch-detection class. POD demonstrates strong generalization to unseen infrared patch attacks and robustness to patches of varying shapes and sizes, while also improving detection accuracy in clean conditions. Through experiments on the FLIR ADAS Thermal dataset and Shape-Loc patches, POD maintains high average precision against strong physical and digital attacks with minimal training overhead, challenging assumptions about the severity of infrared patch threats. The work highlights the value of straightforward data augmentation-based defenses and encourages rigorous evaluation of infrared patch attacks against proper defenses, paving the way for safer real-world infrared detection systems.

Abstract

Infrared detection is an emerging technique for safety-critical tasks owing to its remarkable anti-interference capability. However, recent studies have revealed that it is vulnerable to physically-realizable adversarial patches, posing risks in its real-world applications. To address this problem, we are the first to investigate defense strategies against adversarial patch attacks on infrared detection, especially human detection. We propose a straightforward defense strategy, patch-based occlusion-aware detection (POD), which efficiently augments training samples with random patches and subsequently detects them. POD not only robustly detects people but also identifies adversarial patch locations. Surprisingly, while being extremely computationally efficient, POD easily generalizes to state-of-the-art adversarial patch attacks that are unseen during training. Furthermore, POD improves detection precision even in a clean (i.e., no-attack) situation due to the data augmentation effect. Our evaluation demonstrates that POD is robust to adversarial patches of various shapes and sizes. The effectiveness of our baseline approach is shown to be a viable defense mechanism for real-world infrared human detection systems, paving the way for exploring future research directions.

Paper Structure (17 sections, 2 equations, 3 figures, 4 tables, 1 algorithm)

Figures (3)

  • Figure 1: Training pipeline of Patch-based Occlusion-aware Detection (POD). POD efficiently augments training samples with random patches and subsequently detects them. The augmented samples simulate occlusions, enabling the model to handle scenarios where human bodies may be obscured or hidden in attack scenarios.
  • Figure 2: Example training samples for patch-based occlusion-aware detection (POD). Labels "0" and "1" signify "human" and "patch" classes, respectively. POD aims not only to detect people with random occlusions but also to identify patch locations.
  • Figure 3: Examples of POD detecting persons and patches for AdvPatch (left), HCB (middle), and shape-loc (right) attacks.
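The augmentation step that the abstract and the Figure 1 and 2 captions describe, as an added example that is not the authors' code: each person box gets one random patch pasted inside it, the person label is kept, and a class-1 "patch" label is added. The noise fill, the patch-size range, one patch per person and the normalised (class, x_center, y_center, width, height) label format are assumptions; the page only states that patches are random and detected as a separate class.

```python
import random

HUMAN, PATCH = 0, 1  # class ids as given in the Figure 2 caption

def pod_augment(image, labels, rng, frac=(0.2, 0.5)):
    """Occlude each person with a random patch and label the patch.

    image:  rows of 0-255 ints (one-channel thermal frame), modified in place
    labels: (cls, x_center, y_center, width, height), normalised to [0, 1]
    frac:   patch side as a fraction of the person box (assumed range)
    """
    h, w = len(image), len(image[0])
    out = list(labels)            # person boxes are kept unchanged
    for cls, xc, yc, bw, bh in labels:
        if cls != HUMAN:
            continue
        pw = max(1, int(rng.uniform(*frac) * bw * w))
        ph = max(1, int(rng.uniform(*frac) * bh * h))
        # Random top-left corner that keeps the patch inside the person box.
        left, top = max(0, int((xc - bw / 2) * w)), max(0, int((yc - bh / 2) * h))
        right, bottom = min(w, int((xc + bw / 2) * w)), min(h, int((yc + bh / 2) * h))
        px = rng.randint(left, max(left, right - pw))
        py = rng.randint(top, max(top, bottom - ph))
        x1, y1 = min(w, px + pw), min(h, py + ph)   # clip to the frame
        for y in range(py, y1):
            for x in range(px, x1):
                image[y][x] = rng.randint(0, 255)   # noise fill (assumption)
        out.append((PATCH, (px + x1) / 2 / w, (py + y1) / 2 / h,
                    (x1 - px) / w, (y1 - py) / h))
    return out

def constructed_sample(size=64, background=30):
    """Constructed frame: flat background, one person box in the centre."""
    image = [[background] * size for _ in range(size)]
    return image, [(HUMAN, 0.5, 0.5, 0.25, 0.5)]

if __name__ == "__main__":
    frame, boxes = constructed_sample()
    for label in pod_augment(frame, boxes, random.Random(0)):
        print(label)
```

Training a detector on the returned labels gives it two outputs per occluded person: the full person box despite the occlusion, and the location of the patch itself.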