Autoencoder-based Denoising Defense against Adversarial Attacks on Object Detection
Min Geun Song, Gang Min Kim, Woonmin Kim, Yongsik Kim, Jeonghyun Sim, Sangbeom Park, Huy Kang Kim
TL;DR
This work addresses the vulnerability of real-time object detectors to adversarial perturbations. It proposes an autoencoder-based denoising defense that preprocesses inputs before YOLOv5 inference to recover degraded detection performance without retraining. Experiments on COCO vehicle images with Perlin-noise attacks show a substantial drop in bbox mAP (from 0.2890 to 0.1640). Denoising partially restores performance: bbox mAP recovers to 0.1700 and mAP@50 rises to 0.3080, while high-precision localization (mAP@75) declines slightly. The study highlights both the potential and the limitations of denoising defenses for object detection, and suggests more powerful architectures and broader attack scenarios as future work.
Abstract
Deep learning-based object detection models play a critical role in real-world applications such as autonomous driving and security surveillance systems, yet they remain vulnerable to adversarial examples. In this work, we propose an autoencoder-based denoising defense to recover object detection performance degraded by adversarial perturbations. We conduct adversarial attacks using Perlin noise on vehicle-related images from the COCO dataset, apply a single-layer convolutional autoencoder to remove the perturbations, and evaluate detection performance using YOLOv5. Our experiments demonstrate that adversarial attacks reduce bbox mAP from 0.2890 to 0.1640, representing a 43.3% performance degradation. After applying the proposed autoencoder defense, bbox mAP improves to 0.1700 (3.7% recovery) and bbox mAP@50 increases from 0.2780 to 0.3080 (10.8% improvement). These results indicate that autoencoder-based denoising can provide partial defense against adversarial attacks without requiring model retraining.
