Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Detector Collapse: Physical-World Backdooring Object Detection to Catastrophic Overload or Blindness in Autonomous Driving

Hangtao Zhang, Shengshan Hu, Yichen Wang, Leo Yu Zhang, Ziqi Zhou, Xianlong Wang, Yanjun Zhang, Chao Chen

TL;DR

Detector Collapse (DC) introduces a novel backdoor paradigm for object detection that can cause catastrophic detector failure when triggered, by attacking both the regression and classification branches. It presents two strategies, Sponge and Blinding, and a poisoning scheme using natural semantic triggers to enable physical-world activation, optimized via MGDA without altering labels. Across MS-COCO and VOC, DC outperforms state-of-the-art OD backdoors on detectors such as YOLOv5-s and Faster R-CNN, achieving near-complete degradation of $mAP$ on poisoned data and substantial inference slowdowns. The work further demonstrates physical-world viability using dynamic triggers from diffusion models, underscoring practical risks and the need for robust defenses against universal, real-world OD backdoors.

Abstract

Object detection tasks, crucial in safety-critical systems like autonomous driving, focus on pinpointing object locations. These detectors are known to be susceptible to backdoor attacks. However, existing backdoor techniques have primarily been adapted from classification tasks, overlooking deeper vulnerabilities specific to object detection. This paper is dedicated to bridging this gap by introducing Detector Collapse} (DC), a brand-new backdoor attack paradigm tailored for object detection. DC is designed to instantly incapacitate detectors (i.e., severely impairing detector's performance and culminating in a denial-of-service). To this end, we develop two innovative attack schemes: Sponge for triggering widespread misidentifications and Blinding for rendering objects invisible. Remarkably, we introduce a novel poisoning strategy exploiting natural objects, enabling DC to act as a practical backdoor in real-world environments. Our experiments on different detectors across several benchmarks show a significant improvement ($\sim$10\%-60\% absolute and $\sim$2-7$\times$ relative) in attack efficacy over state-of-the-art attacks.

Detector Collapse: Physical-World Backdooring Object Detection to Catastrophic Overload or Blindness in Autonomous Driving

TL;DR

Detector Collapse (DC) introduces a novel backdoor paradigm for object detection that can cause catastrophic detector failure when triggered, by attacking both the regression and classification branches. It presents two strategies, Sponge and Blinding, and a poisoning scheme using natural semantic triggers to enable physical-world activation, optimized via MGDA without altering labels. Across MS-COCO and VOC, DC outperforms state-of-the-art OD backdoors on detectors such as YOLOv5-s and Faster R-CNN, achieving near-complete degradation of on poisoned data and substantial inference slowdowns. The work further demonstrates physical-world viability using dynamic triggers from diffusion models, underscoring practical risks and the need for robust defenses against universal, real-world OD backdoors.

Abstract

Object detection tasks, crucial in safety-critical systems like autonomous driving, focus on pinpointing object locations. These detectors are known to be susceptible to backdoor attacks. However, existing backdoor techniques have primarily been adapted from classification tasks, overlooking deeper vulnerabilities specific to object detection. This paper is dedicated to bridging this gap by introducing Detector Collapse} (DC), a brand-new backdoor attack paradigm tailored for object detection. DC is designed to instantly incapacitate detectors (i.e., severely impairing detector's performance and culminating in a denial-of-service). To this end, we develop two innovative attack schemes: Sponge for triggering widespread misidentifications and Blinding for rendering objects invisible. Remarkably, we introduce a novel poisoning strategy exploiting natural objects, enabling DC to act as a practical backdoor in real-world environments. Our experiments on different detectors across several benchmarks show a significant improvement (10\%-60\% absolute and 2-7 relative) in attack efficacy over state-of-the-art attacks.
Paper Structure (17 sections, 2 equations, 7 figures, 4 tables)

This paper contains 17 sections, 2 equations, 7 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Background and Problem Formulation
  3. Object Detection
  4. Insights Into OD Backdoors
  5. Methodology
  6. Threat Model
  7. Learning to Backdoor Object Detection
  8. $\textsc{Sponge}\xspace$ Strategy
  9. $\textsc{Blinding}\xspace$ Strategy
  10. Experiments
  11. Experimental Settings
  12. Comparison with State-of-the-Art
  13. The Resistance to Potential Backdoor Defenses
  14. Abaltion Study for DC
  15. The Effect of $\mathcal{L}_{obj}$ & $\mathcal{L}_{box}$ & $\mathcal{L}_{cls}$.
  16. ...and 2 more sections

Figures (7)

  • Figure 1: Comparative analysis of traditional backdoors vs. ours. Appearing attack, misclassification attack, and disappearing attack typically manifest their attack effects only near the trigger, resulting in errors that are localized to specific points. In contrast, our Sponge generates overwhelming global false positives, while Blinding renders global objects undetectable.
  • Figure 2: The high-level overview of DC's framework.
  • Figure 3: The effectiveness of several potential defenses
  • Figure 4: Impact of loss functions, parameter and trigger variations on the effect of our DC
  • Figure 5: Experimental triggers details
  • ...and 2 more figures

Theorems & Definitions (2)

  • Definition 1
  • Definition 2