Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

On the Credibility of Backdoor Attacks Against Object Detectors in the Physical World

Bao Gia Doan, Dang Quang Nguyen, Callum Lindquist, Paul Montague, Tamas Abraham, Olivier De Vel, Seyit Camtepe, Salil S. Kanhere, Ehsan Abbasnejad, Damith C. Ranasinghe

TL;DR

An extensive empirical study targeting multiple detector architectures and two challenging detection tasks in real-world settings, which establishes the credibility and seriousness of this threat and serves as a clarion call to the research community to advance backdoor defenses in the context of object detection.

Abstract

Object detectors are vulnerable to backdoor attacks. In contrast to classifiers, detectors possess unique characteristics, architecturally and in task execution; often operating in challenging conditions, for instance, detecting traffic signs in autonomous cars. But, our knowledge dominates attacks against classifiers and tests in the "digital domain". To address this critical gap, we conducted an extensive empirical study targeting multiple detector architectures and two challenging detection tasks in real-world settings: traffic signs and vehicles. Using the diverse, methodically collected videos captured from driving cars and flying drones, incorporating physical object trigger deployments in authentic scenes, we investigated the viability of physical object-triggered backdoor attacks in application settings. Our findings revealed 8 key insights. Importantly, the prevalent "digital" data poisoning method for injecting backdoors into models does not lead to effective attacks against detectors in the real world, although proven effective in classification tasks. We construct a new, cost-efficient attack method, dubbed MORPHING, incorporating the unique nature of detection tasks; ours is remarkably successful in injecting physical object-triggered backdoors, even capable of poisoning triggers with clean label annotations or invisible triggers without diminishing the success of physical object triggered backdoors. We discovered that the defenses curated are ill-equipped to safeguard detectors against such attacks. To underscore the severity of the threat and foster further research, we, for the first time, release an extensive video test set of real-world backdoor attacks. Our study not only establishes the credibility and seriousness of this threat but also serves as a clarion call to the research community to advance backdoor defenses in the context of object detection.

On the Credibility of Backdoor Attacks Against Object Detectors in the Physical World

TL;DR

An extensive empirical study targeting multiple detector architectures and two challenging detection tasks in real-world settings, which establishes the credibility and seriousness of this threat and serves as a clarion call to the research community to advance backdoor defenses in the context of object detection.

Abstract

Object detectors are vulnerable to backdoor attacks. In contrast to classifiers, detectors possess unique characteristics, architecturally and in task execution; often operating in challenging conditions, for instance, detecting traffic signs in autonomous cars. But, our knowledge dominates attacks against classifiers and tests in the "digital domain". To address this critical gap, we conducted an extensive empirical study targeting multiple detector architectures and two challenging detection tasks in real-world settings: traffic signs and vehicles. Using the diverse, methodically collected videos captured from driving cars and flying drones, incorporating physical object trigger deployments in authentic scenes, we investigated the viability of physical object-triggered backdoor attacks in application settings. Our findings revealed 8 key insights. Importantly, the prevalent "digital" data poisoning method for injecting backdoors into models does not lead to effective attacks against detectors in the real world, although proven effective in classification tasks. We construct a new, cost-efficient attack method, dubbed MORPHING, incorporating the unique nature of detection tasks; ours is remarkably successful in injecting physical object-triggered backdoors, even capable of poisoning triggers with clean label annotations or invisible triggers without diminishing the success of physical object triggered backdoors. We discovered that the defenses curated are ill-equipped to safeguard detectors against such attacks. To underscore the severity of the threat and foster further research, we, for the first time, release an extensive video test set of real-world backdoor attacks. Our study not only establishes the credibility and seriousness of this threat but also serves as a clarion call to the research community to advance backdoor defenses in the context of object detection.
Paper Structure (38 sections, 4 equations, 14 figures, 20 tables)

This paper contains 38 sections, 4 equations, 14 figures, 20 tables.

Table of Contents

  1. Introduction
  2. What We (Do Not) Know
  3. Our Study, Contributions and Findings
  4. Our Drive-By-Fly-By Backdoor Dataset
  5. Methodology
  6. Threat Model
  7. Physical Backdoor Attacks
  8. Is Digital Data Poisoning Effective?
  9. Proposed Corpus Poisoning Method
  10. Morphing Data Poisoning
  11. Is Morphing Data Poisoning Effective?
  12. Experimental Setup
  13. Traffic Sign Detection
  14. Vehicle Detection from Drones
  15. Generalization to Flower Sticker Triggers
  16. ...and 23 more sections

Figures (14)

  • Figure 1: Existing detector investigations use threat model & . In digital trigger image stamps are used to poison training data. Trigger deployment assumes a strong attacker with run-time access to an image processing pipeline to insert triggers during inference to activate a backdoor. assume an attacker curates a poison data corpus by painstakingly collecting images of physical object trigger deployments in scenes and deploying triggers in the physical world. In contrast, we investigate the practical threat model . We consider a weak attacker---still able to employ digital poisoning but for physical object triggers---and deploying triggers in physical world application settings.
  • Figure 1: Attack success rates of physical object triggers in the wild against various detector architectures backdoored with the existing model poisoning method in BadDet chan2022baddet (digital domain data poisoning) and our proposed Morphing attack. The cropped images from videos capture Post-it Note triggers (among others shown in Figure \ref{['fig:trigger-types']}) deployed in our released dataset, Drive-By-Fly-By in Section \ref{['sec:dataset']}, on seven commonly seen traffic signs while driving cars on roads. The trigger activates the backdoor to detect the targeted 110km/h Speed Limit. Further results are in \ref{['tab:traffic_sign']}.)
  • Figure 2: Cropped images from video captures of triggers deployed in our released Drive-By-Fly-By dataset. Notably, the stickers facilitated trigger removal post-data collection.
  • Figure 3: Different attack types deployed with Drive-By-Fly-By dataset. Local Misclassification Attacks (LMA), Adaptation of Global Misclassification Attacks (GMA), Out-of-the-Box, for traffic signs, and Object Disappearance Attacks (ODA).
  • Figure 3: Attack success rates (ASRs) for the 2 attack strategies: i) Single Trigger (Low or High position deployment; and ii) Multiple Piece Post-it Note triggers for traffic sign detection task (left); and ASRs for vehicle detection task (right). (Note: TPH-YOLO is transformer-based and used because the detector provides SoTA results for the VisDrone task). See \ref{['appd:mult-piece-comp']} for a comparison with digital poisoning in chan2022baddet and generalisation to a further detector, SSD, in \ref{['appd:other-detectors']} for the traffic sign detection task.
  • ...and 9 more figures