Can't Slow me Down: Learning Robust and Hardware-Adaptive Object Detectors against Latency Attacks for Edge Devices

Tianyi Wang, Zichen Wang, Cong Wang, Yuanchao Shu, Ruilong Deng, Peng Cheng, Jiming Chen

TL;DR

This work addresses latency attacks on real-time edge object detectors by linking attack behavior to hardware capacity and proposing a hardware-aware defense. It introduces Background-Attentive Adversarial Training (Underload), which uses objectness as a proxy and emphasizes background regions to counteract phantom objects while respecting hardware constraints. Across VOC/COCO/BDD and YOLOv3/5/8 on diverse GPUs, Underload yields robust accuracy gains (up to 8–10% over prior defenses) and restores near real-time throughput (e.g., from 13 FPS to 43 FPS on Jetson Orin NX). The results indicate strong cross-device portability (including ONNX/TensorRT) and reveal insights on NMS vulnerability, background semantics, and the potential for domain-aware AT to further improve edge-robustness.

Abstract

Object detection is a fundamental enabler for many real-time downstream applications such as autonomous driving, augmented reality and supply chain management. However, the algorithmic backbone of neural networks is brittle to imperceptible perturbations in the system inputs, which are generally known as misclassifying attacks. By targeting the real-time processing capability, a new class of latency attacks has recently been reported. They exploit new attack surfaces in object detectors by creating a computational bottleneck in the post-processing module, which leads to cascading failure and puts the real-time downstream tasks at risk. In this work, we take an initial attempt to defend against this attack via background-attentive adversarial training that is also cognizant of the underlying hardware capabilities. We first draw system-level connections between latency attack and hardware capacity across heterogeneous GPU devices. Based on the particular adversarial behaviors, we utilize objectness loss as a proxy and build background attention into the adversarial training pipeline, and achieve a reasonable balance between clean and robust accuracy. The extensive experiments demonstrate the defense effectiveness of restoring real-time processing capability from 13 FPS to 43 FPS on Jetson Orin NX, with a better trade-off between the clean and robust accuracy.
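The post-processing bottleneck the abstract describes can be measured without a GPU by counting the pairwise IoU checks that greedy NMS performs. The sketch below is an added example, not code from the paper or its authors; the scene layout, scores and thresholds are constructed assumptions.

```python
# Added illustration, not the paper's code. Boxes, scores and thresholds
# are constructed sample values chosen so the counts are easy to verify.

def iou(a, b):
    """Intersection-over-union of two (x1, y1, x2, y2) boxes."""
    iw = min(a[2], b[2]) - max(a[0], b[0])
    ih = min(a[3], b[3]) - max(a[1], b[1])
    if iw <= 0 or ih <= 0:
        return 0.0
    inter = iw * ih
    area_a = (a[2] - a[0]) * (a[3] - a[1])
    area_b = (b[2] - b[0]) * (b[3] - b[1])
    return inter / (area_a + area_b - inter)

def greedy_nms(dets, conf_thres=0.25, iou_thres=0.45):
    """dets: list of (box, score). Returns (kept, number_of_iou_checks)."""
    cands = sorted((d for d in dets if d[1] >= conf_thres), key=lambda d: -d[1])
    kept, checks = [], 0
    for box, score in cands:
        suppressed = False
        for kbox, _ in kept:          # compare against every surviving box
            checks += 1
            if iou(box, kbox) > iou_thres:
                suppressed = True
                break
        if not suppressed:
            kept.append((box, score))
    return kept, checks

def make_scene(background_score):
    """3 real objects with 5 near-duplicate candidates each, plus a 20x20
    grid of disjoint background cells scored `background_score`."""
    dets = []
    for k in range(3):
        ox = 1000 * (k + 1)
        for j in range(5):
            dets.append(((ox + j, j, ox + 100 + j, 100 + j), 0.9 - 0.01 * j))
    for gx in range(20):
        for gy in range(20):
            x, y = gx * 20, gy * 20
            dets.append(((x, y, x + 10, y + 10), background_score))
    return dets

def nms_work(background_score):
    """Return (boxes kept, IoU checks) for a scene with that background score."""
    kept, checks = greedy_nms(make_scene(background_score))
    return len(kept), checks

if __name__ == "__main__":
    print("clean  :", nms_work(0.01))   # background filtered by conf_thres
    print("flooded:", nms_work(0.60))   # background survives as phantoms
```

Duplicate candidates on a real object are suppressed after a few checks, while disjoint background candidates that pass the confidence filter are each compared against every box already kept, so the work grows quadratically with the number of phantoms.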

Paper Structure

This paper contains 24 sections, 13 equations, 12 figures, 5 tables, 2 algorithms.

Figures (12)

  • Figure 1: Visualization of latency attacks generating an overwhelming number of "phantom objects" and the effectiveness of our defense.
  • Figure 2: Interactions between GPU-CPU in the NMS.
  • Figure 3: System effects of latency attacks. a) # objects vs. NMS processing time on heterogeneous computing devices; b) percentage of GPU CUDA, memory transfer and CPU logic operations on embedded and desktop GPUs.
  • Figure 4: Adversarial relations between $\mathcal{L}_{\text{adv}}$ in [chen2024overload] and $\mathcal{L}_{\text{obj}}$. a) Pearson coefficient and cosine similarity between the two losses over the PGD iterations; b) Distribution of the cosine similarity for different images in PASCAL-VOC between $(\mathcal{L}_{\text{adv}}, \mathcal{L}_{\text{obj}})$ vs. $(\mathcal{L}_{\text{adv}}, \mathcal{L}_{\text{cls}})$. The former has stronger correlation.
  • Figure 5: Top: Visualizing the attack processes on the object and background regions; Bottom: statistics of phantoms on different datasets. Fewer phantoms are generated on the objects compared to the background regions (red bars).
  • ...and 7 more figures