Out-of-Bounding-Box Triggers: A Stealthy Approach to Cheat Object Detectors

Tao Lin, Lijia Yu, Gaojie Jin, Renjue Li, Peng Wu, Lijun Zhang

TL;DR

The paper tackles adversarial vulnerabilities in object detectors by proposing inconspicuous triggers placed outside object bounding boxes. It combines Feature Guidance ($L_{FG}$) with Universal Auto-PGD (UAPGD) to craft a universal trigger for class $t$, optimizing a composite loss $L_{all}=L_{det}+\lambda_{FG}L_{FG}+\lambda_{tv}L_{tv}$ under a differentiable transform $T$ and robustness mechanisms like EOT and total-variation regularization. Through digital (COCO), simulator (Carla), and real-world experiments, the method achieves high attack success rates and robust misdetections across distances and angles, outperforming prior approaches such as Dpatch2. The work highlights the practical risks posed by covert, universal, physically realizable triggers and motivates defenses to strengthen object detectors against out-of-bbox perturbations in real-world settings.

Abstract

In recent years, the study of adversarial robustness in object detection systems, particularly those based on deep neural networks (DNNs), has become a pivotal area of research. Traditional physical attacks targeting object detectors, such as adversarial patches and texture manipulations, directly manipulate the surface of the object. While these methods are effective, their overt manipulation of objects may draw attention in real-world applications. To address this, this paper introduces a more subtle approach: an inconspicuous adversarial trigger that operates outside the bounding boxes, rendering the object undetectable to the model. We further enhance this approach by proposing the Feature Guidance (FG) technique and the Universal Auto-PGD (UAPGD) optimization strategy for crafting high-quality triggers. The effectiveness of our method is validated through extensive empirical testing, demonstrating its high performance in both digital and physical environments. The code and video will be available at: https://github.com/linToTao/Out-of-bbox-attack.

Paper Structure

This paper contains 11 sections, 8 equations, 7 figures, 1 table, 1 algorithm.

Figures (7)

  • Figure 1: An illustration of vanilla object attack methods and our novel approach. Typically, vanilla attack methods target the most informative regions of an object, such as the central, highly visible areas of the target object, e.g., the stop sign in (a) eykholt2018robust, (b) zhao2019seeing, (c) duan2020adversarial, and the car in (d) hoory2020dynamic, (e) wang2021dual, (f) huang2020universal. In contrast, our method adopts a more covert strategy, focusing on attacking the peripheral edge areas surrounding the stop sign.
  • Figure 2: (a) shows the overview of our adversarial trigger generation framework. We deploy the adversarial trigger onto each image in the dataset with a robustness transformation. With a fixed detector, our method optimizes the adversarial trigger through the obtained adversarial gradient. (b) illustrates the motivation and calculation method of Feature Guidance. Taking a stop sign as an example, for a given image $x$, minimizing $\|f_{z}(T(x,\mathcal{A}_{t}))-f_{z}(x')\|_2$ can mislead a detector to classify the stop sign image $T(x,\mathcal{A}_{t})$ as something other than a stop sign.
  • Figure 3: The table on the left displays the ASR values of triggers, generated under various settings, on the training and testing sets of the COCO dataset. The values in parentheses represent the attack step size, and we employ different $\lambda_{FG}^i$ values for YOLOv3 and YOLOv5. For YOLOv3, we set $\lambda_{FG}^1=0.1,\lambda_{FG}^2 = 0.5,\lambda_{FG}^3=1.0$; for YOLOv5, we set $\lambda_{FG}^1=0.05,\lambda_{FG}^2 = 0.1,\lambda_{FG}^3=0.2$. Ensemble denotes the combined usage of FG and UAPGD. Dpatch2 is the original approach from lee2019physical, and Dpatch2($L_{det}$) denotes the original approach with $L_{det}$ as the optimization objective. The bolded values indicate the optimal results for each respective column in the table. The right side shows some triggers generated under different settings.
  • Figure 4: (a) and (b) illustrate the variations of $L_{det}$ during the training process of generating adversarial triggers using PGD and UAPGD for attacking the YOLOv3 and YOLOv5 models. (c) and (d) present the confidence of some samples from the COCO dataset, as output by the detector, during the training process of individual attacks. The blue, green, and red curves represent the use of $L_{FG}$, $L_{det}$, and both as the loss function, respectively. For individual attacks, the optimization process is relatively easier, so step size decay is unnecessary.
  • Figure 5: We uniformly extracted approximately 90 frames from the 9s video, which was recorded by the simulated vehicle's onboard camera, to showcase the confidence variations of the detector's predictions.
  • ...and 2 more figures