NumbOD: A Spatial-Frequency Fusion Attack Against Object Detectors
Ziqi Zhou, Bowen Li, Yufei Song, Zhifei Yu, Shengshan Hu, Wei Wan, Leo Yu Zhang, Dezhong Yao, Hai Jin
TL;DR
This work examines vulnerabilities of object detectors to adversarial perturbations and proposes NumbOD, a model-agnostic spatial-frequency fusion attack. It combines a dual-track target selection with spatial perturbations that shift and misclassify bounding boxes and a high-frequency disturbance via Discrete Wavelet Transform to disrupt texture cues, formalized by the objective $J_{total}=J_{sa}+J_{fa}$ with $J_{sa}=J_{loc}+\lambda J_{cls}$. Evaluated on MS-COCO and PASCAL VOC across nine detectors, NumbOD achieves strong attack performance and stealthiness, outperforming prior methods while remaining effective under several defenses. The results underscore the vulnerability of diverse ODs and emphasize the need for robust defenses against model-agnostic, frequency-aware adversarial strategies.
Abstract
With the advancement of deep learning, object detectors (ODs) with various architectures have achieved significant success in complex scenarios like autonomous driving. Previous adversarial attacks against ODs have been focused on designing customized attacks targeting their specific structures (e.g., NMS and RPN), yielding some results but simultaneously constraining their scalability. Moreover, most efforts against ODs stem from image-level attacks originally designed for classification tasks, resulting in redundant computations and disturbances in object-irrelevant areas (e.g., background). Consequently, how to design a model-agnostic efficient attack to comprehensively evaluate the vulnerabilities of ODs remains challenging and unresolved. In this paper, we propose NumbOD, a brand-new spatial-frequency fusion attack against various ODs, aimed at disrupting object detection within images. We directly leverage the features output by the OD without relying on its internal structures to craft adversarial examples. Specifically, we first design a dual-track attack target selection strategy to select high-quality bounding boxes from OD outputs for targeting. Subsequently, we employ directional perturbations to shift and compress predicted boxes and change classification results to deceive ODs. Additionally, we focus on manipulating the high-frequency components of images to confuse ODs' attention on critical objects, thereby enhancing the attack efficiency. Our extensive experiments on nine ODs and two datasets show that NumbOD achieves powerful attack performance and high stealthiness.