Table of Contents
Fetching ...

BadDet+: Robust Backdoor Attacks for Object Detection

Kealan Dunnett, Reza Arablouei, Dimity Miller, Volkan Dedeoglu, Raja Jurdak

TL;DR

This paper investigates backdoor threats in object detection, revealing weaknesses in existing attacks that rely on data poisoning alone. It introduces BadDet+, a unified, training-time penalty framework using a log-barrier term to suppress original-class predictions on trigger-bearing inputs, achieving both RMA and ODA with improved robustness to trigger scale and placement. Through extensive experiments on COCO, MTSD, and PTSD across multiple architectures, BadDet+ consistently attains high ASR@50 while preserving clean detection performance and reducing TDR@50, outperforming prior methods. The work also provides a rigorous evaluation protocol, analyzes defense limitations, and emphasizes the need for architecture-aware defenses in safe, real-world deployments.

Abstract

Backdoor attacks pose a severe threat to deep learning, yet their impact on object detection remains poorly understood compared to image classification. While attacks have been proposed, we identify critical weaknesses in existing detection-based methods, specifically their reliance on unrealistic assumptions and a lack of physical validation. To bridge this gap, we introduce BadDet+, a penalty-based framework that unifies Region Misclassification Attacks (RMA) and Object Disappearance Attacks (ODA). The core mechanism utilizes a log-barrier penalty to suppress true-class predictions for triggered inputs, resulting in (i) position and scale invariance, and (ii) enhanced physical robustness. On real-world benchmarks, BadDet+ achieves superior synthetic-to-physical transfer compared to existing RMA and ODA baselines while preserving clean performance. Theoretical analysis confirms the proposed penalty acts within a trigger-specific feature subspace, reliably inducing attacks without degrading standard inference. These results highlight significant vulnerabilities in object detection and the necessity for specialized defenses.

BadDet+: Robust Backdoor Attacks for Object Detection

TL;DR

This paper investigates backdoor threats in object detection, revealing weaknesses in existing attacks that rely on data poisoning alone. It introduces BadDet+, a unified, training-time penalty framework using a log-barrier term to suppress original-class predictions on trigger-bearing inputs, achieving both RMA and ODA with improved robustness to trigger scale and placement. Through extensive experiments on COCO, MTSD, and PTSD across multiple architectures, BadDet+ consistently attains high ASR@50 while preserving clean detection performance and reducing TDR@50, outperforming prior methods. The work also provides a rigorous evaluation protocol, analyzes defense limitations, and emphasizes the need for architecture-aware defenses in safe, real-world deployments.

Abstract

Backdoor attacks pose a severe threat to deep learning, yet their impact on object detection remains poorly understood compared to image classification. While attacks have been proposed, we identify critical weaknesses in existing detection-based methods, specifically their reliance on unrealistic assumptions and a lack of physical validation. To bridge this gap, we introduce BadDet+, a penalty-based framework that unifies Region Misclassification Attacks (RMA) and Object Disappearance Attacks (ODA). The core mechanism utilizes a log-barrier penalty to suppress true-class predictions for triggered inputs, resulting in (i) position and scale invariance, and (ii) enhanced physical robustness. On real-world benchmarks, BadDet+ achieves superior synthetic-to-physical transfer compared to existing RMA and ODA baselines while preserving clean performance. Theoretical analysis confirms the proposed penalty acts within a trigger-specific feature subspace, reliably inducing attacks without degrading standard inference. These results highlight significant vulnerabilities in object detection and the necessity for specialized defenses.
Paper Structure (28 sections, 8 theorems, 14 equations, 12 figures, 7 tables)

This paper contains 28 sections, 8 theorems, 14 equations, 12 figures, 7 tables.

Key Result

Proposition 7.1

Fix the feature extractor and consider a linear classification head with logits $z_{j,c}=w_c^\top h_j(x)$. For any trigger-bearing pair $(i,j)$ contributing $\phi(z_{j,y_i};\tau)$, the attack-term contribution to gradient flow on eq:full_obj decreases the expected margin of the original class: Consequently, the original-class logit is driven below $\tau$ (or below competing logits in the softmax

Figures (12)

  • Figure 1: Example failure cases of BadDet RMA (a), Untargeted Backdoor Attack ODA (b) and (c), an Align ODA fixed and scaled trigger (d) and (e).
  • Figure 2: ODA and RMA results for UBA Box, BadDet, and BadDet+ before and after applying FT and FT-SAM.
  • Figure 3: Performance of ODA and RMA methods across poisoning rates. $\square$: Faster R-CNN, $\bigcirc$: FCOS, $\lozenge$: DINO, and $\triangle$: YOLO.
  • Figure 4: ASR@$\tau$ and TDR@$\tau$ performance of BadDet+ as the IoU threshold $\tau$ ranges from 0.5 to 0.95 in increments of 0.05. Subfigure (a) shows results on COCO, while (b) and (c) show results on MTSD.
  • Figure 5: Effect of poisoning rate on the mAP and ASR@50 performance of evaluated ODA methods.
  • ...and 7 more figures

Theorems & Definitions (16)

  • Proposition 7.1: Trigger-conditional margin suppression
  • proof
  • Proposition 7.2: Trigger-conditional margin suppression (softmax case)
  • proof
  • Corollary 7.3: Softmax probability drift on triggers
  • proof
  • Lemma 7.4: Softmax margin shift
  • proof
  • Corollary 7.5: RMA induction
  • proof
  • ...and 6 more