Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Fight Fire with Fire: Combating Adversarial Patch Attacks using Pattern-randomized Defensive Patches

Jianan Feng, Jiachun Li, Changqing Miao, Jianjun Huang, Wei You, Wenchang Shi, Bin Liang

TL;DR

This paper adopts a counterattack strategy to propose a novel and general methodology for defending adversarial attacks, and employs randomized canary and woodpecker injection patterns to defend against defense-aware attacks.

Abstract

Object detection has found extensive applications in various tasks, but it is also susceptible to adversarial patch attacks. The ideal defense should be effective, efficient, easy to deploy, and capable of withstanding adaptive attacks. In this paper, we adopt a counterattack strategy to propose a novel and general methodology for defending adversarial attacks. Two types of defensive patches, canary and woodpecker, are specially-crafted and injected into the model input to proactively probe or counteract potential adversarial patches. In this manner, adversarial patch attacks can be effectively detected by simply analyzing the model output, without the need to alter the target model. Moreover, we employ randomized canary and woodpecker injection patterns to defend against defense-aware attacks. The effectiveness and practicality of the proposed method are demonstrated through comprehensive experiments. The results illustrate that canary and woodpecker achieve high performance, even when confronted with unknown attack methods, while incurring limited time overhead. Furthermore, our method also exhibits sufficient robustness against defense-aware attacks, as evidenced by adaptive attack experiments.

Fight Fire with Fire: Combating Adversarial Patch Attacks using Pattern-randomized Defensive Patches

TL;DR

This paper adopts a counterattack strategy to propose a novel and general methodology for defending adversarial attacks, and employs randomized canary and woodpecker injection patterns to defend against defense-aware attacks.

Abstract

Object detection has found extensive applications in various tasks, but it is also susceptible to adversarial patch attacks. The ideal defense should be effective, efficient, easy to deploy, and capable of withstanding adaptive attacks. In this paper, we adopt a counterattack strategy to propose a novel and general methodology for defending adversarial attacks. Two types of defensive patches, canary and woodpecker, are specially-crafted and injected into the model input to proactively probe or counteract potential adversarial patches. In this manner, adversarial patch attacks can be effectively detected by simply analyzing the model output, without the need to alter the target model. Moreover, we employ randomized canary and woodpecker injection patterns to defend against defense-aware attacks. The effectiveness and practicality of the proposed method are demonstrated through comprehensive experiments. The results illustrate that canary and woodpecker achieve high performance, even when confronted with unknown attack methods, while incurring limited time overhead. Furthermore, our method also exhibits sufficient robustness against defense-aware attacks, as evidenced by adaptive attack experiments.
Paper Structure (29 sections, 7 equations, 16 figures, 10 tables)

This paper contains 29 sections, 7 equations, 16 figures, 10 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Object Detection
  4. Adversarial Patch Attack
  5. Threat Model
  6. Methodology
  7. Generating Canary
  8. Generating Woodpecker
  9. Deployment and Detection
  10. Evaluation
  11. Experiment Setup
  12. Parameter Setting
  13. Effectiveness
  14. Detecting Attacks Targeting Different Types of Objects
  15. Detecting Sample-Specific Attacks
  16. ...and 14 more sections

Figures (16)

  • Figure 1: Basic idea of canary and woodpecker.
  • Figure 2: Randomized canary patterns.
  • Figure 3: Adversarial patch attacks examples.
  • Figure 4: Canary generation. It is initialized as a specific class object (e.g., a zebra) and placed in determined positions. The canary is generated via a joint optimization with the loss $\mathcal{L}_\textit{Canary}$ in Eq.\ref{['lossfun-canary']}.
  • Figure 5: Determining canary positions. The undetected person objects' bounding boxes are used to get candidate boxes (white solid). Canary will be placed at the positions (white dashed) associated with the candidate boxes.
  • ...and 11 more figures