面向目标检测的可迁移对抗样本生成算法

doi:10.19678/j.issn.1000-3428.0070322

摘要/Abstract

摘要：

对抗样本的研究能够促进防御方法的创新, 查漏补缺, 进而提高模型的鲁棒性。现有的目标检测对抗攻击方法的研究大多存在黑盒迁移能力不强、生成的对抗样本泛化能力不足的问题。为解决上述问题, 提出了一种提升对抗样本的迁移性和抑制目标检测器正确分类的算法GM-DEC。首先, 将GridMask数据增强方法引入基于梯度迭代的对抗样本生成过程中, 从而获得更加泛化的梯度信息, 有助于增强攻击的鲁棒性, 避免陷入局部最优和生成的对抗样本过度拟合白盒模型的情况; 其次, 为进一步增强对抗样本的迁移性, 设计一种基于注意力的关注区域抑制损失函数, 通过抑制注意力热图的大小, 使得模型关注其他非目标区域, 从而做出错误的预测; 最后, 在迭代更新的过程中引入动量迭代快速梯度符号方法(MI-FGSM)中的动量项, 累积速度矢量, 从而稳定更新方向, 实现更快收敛。在Pascal VOC2007数据集上的实验结果表明, 所提算法能够有效攻击Faster R-CNN、YOLO、SSD等目标检测器, 与目前针对目标检测的攻击算法相比黑盒攻击成功率约提升10~30百分点, 拥有较好的迁移性。

关键词: 目标检测, 对抗样本, 黑盒攻击, GridMask, 注意力抑制

Abstract:

The study of adversarial examples can promote innovation in defense methods, identify gaps, and thus improve the robustness of a model. Most of the existing studies on object detection against attack methods suffer from poor black-box migration ability and insufficient generalization ability of the generated adversarial examples. To solve these problems, a algorithm called GM-DEC is proposed to enhance the mobility of adversarial examples and inhibit the correct classification of object detectors. First, GridMask, a data augmentation method, is introduced into the gradient iteration-based adversarial example generation process to obtain more generalized gradient information, thereby helping to enhance the robustness of the attack and avoid falling into local optima and overfitting white-box models with generated adversarial examples. Second, to further enhance the transferability of the adversarial examples, an attention-based region-of-attention suppression loss function is designed, which makes the model focus on other non-targeted regions by suppressing the size of the attention heatmap, thus leading to incorrect predictions. Finally, the momentum term in Momentum Iterative-Fast Gradient Sign Method (MI-FGSM) is introduced during the iterative updating process to accumulate velocity vectors, thus stabilizing the updating direction and achieving faster convergence. Experiments are carried out on the Pascal VOC2007 dataset, and the results show that the proposed algorithm can effectively attack object detectors such as Faster R-CNN, YOLO, and SSD. The success rate of the black-box attack is improved by approximately 10-30 percentage point compared with the current attack algorithms for object detection, accompanied by better transferability.

Key words: object detection, adversarial example, black-box attack, GridMask, attention suppression

向海昀, 周垚, 陈曦. 面向目标检测的可迁移对抗样本生成算法[J]. 计算机工程, 2026, 52(6): 238-248.

XIANG Haiyun, ZHOU Yao, CHEN Xi. Transferable Adversarial Example Generation Algorithm for Object Detection[J]. Computer Engineering, 2026, 52(6): 238-248.

https://www.ecice06.com/CN/Y2026/V52/I6/238

图/表 9

图1 GridMask掩膜示意图

Fig.1 Schematic diagram of GridMask mask

图2 GM-DEC算法流程图

Fig.2 Flowchart of GM-DEC algorithm

图3 关注区域抑制损失攻击示意图

Fig.3 Schematic diagram of suppression loss attack in the region-of-interest

图4 不同攻击方法攻击效果对比示意图

Fig.4 Comparison of the attack effect among different attack methods

图5 各参数对攻击成功率的影响

Fig.5 Influence of each parameter on the attack success rate

图6 不同扰动大小生成的对抗样本

Fig.6 Adversarial examples generated with different perturbation sizes

参考文献 35

1	WANG H W, ZHU B L, LI Y J, et al. SYGNet: a SVD-YOLO based GhostNet for real-time driving scene parsing[C]//Proceedings of the IEEE International Conference on Image Processing (ICIP). Bordeaux, France: IEEE Press, 2022: 2701-2705.
2	HOU C C . The application of human detection based on YOLOv5. Highlights in Science, Engineering and Technology, 2023, 34, 203- 208. doi: 10.54097/hset.v34i.5464
3	BI H B , ZHANG C , WANG K , et al. Rethinking camouflaged object detection: models and datasets. IEEE Transactions on Circuits and Systems for Video Technology, 2022, 32 (9): 5708- 5724. doi: 10.1109/TCSVT.2021.3124952
4	SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks[EB/OL]. [2024-07-29]. https://arxiv.org/pdf/1312.6199.
5	ZHU K J, HU X X, WANG J D, et al. Improving generalization of adversarial training via robust critical fine-tuning[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV). Paris, France: IEEE Press, 2024: 4401-4411.
6	赵宏, 宋馥荣, 李文改. 基于SE-AdvGAN的图像对抗样本生成方法研究. 计算机工程, 2025, 51 (2): 300- 311. doi: 10.19678/j.issn.1000-3428.0068481
	ZHAO H , SONG F R , LI W G . Research on image adversarial example generation method based on SE-AdvGAN. Computer Engineering, 2025, 51 (2): 300- 311. doi: 10.19678/j.issn.1000-3428.0068481
7	GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples[EB/OL]. [2024-07-29]. https://arxiv.org/pdf/1412.6572.
8	DONG Y P, LIAO F Z, PANG T Y, et al. Boosting adversarial attacks with momentum[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Salt Lake City, USA: IEEE Press, 2018: 9185-9193.
9	KURAKIN A, GOODFELLOW I, BENGIO S. Adversarial machine learning at scale[EB/OL]. [2024-07-29]. https://arxiv.org/pdf/1607.02533.
10	MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks[EB/OL]. [2024-07-29]. https://arxiv.org/pdf/1706.06083.
11	CHEN X Q, GAO X T, ZHAO J J, et al. AdvDiffuser: natural adversarial example synthesis with diffusion models[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV). Paris, France: IEEE Press, 2024: 4539-4549.
12	XUE H , ARAUJO A , HU B , et al. Diffusion-based adversarial sample generation for improved stealthiness and controllability. Advances in Neural Information Processing Systems, 2024, 36, 21- 30.
13	ZHANG Y , GONG Z Q , ZHANG Y C , et al. Boosting transferability of physical attack against detectors by redistributing separable attention. Pattern Recognition, 2023, 138, 109435. doi: 10.1016/j.patcog.2023.109435
14	XIE C H, WANG J Y, ZHANG Z S, et al. Adversarial examples for semantic segmentation and object detection[C]//Proceedings of the IEEE International Conference on Computer Vision. Venice, Italy: IEEE Press, 2017: 1378-1387.
15	LI Y Z, TIAN D, CHANG M C, et al. Robust adversarial perturbation on deep proposal-based models[EB/OL]. [2024-07-29]. https://arxiv.org/pdf/1809.05962.
16	WEI X X, LIANG S Y, CHEN N, et al. Transferable adversarial attacks for image and video object detection[EB/OL]. [2024-07-29]. https://arxiv.org/pdf/1811.12641.
17	CHEN P G, LIU S, ZHAO H S, et al. GridMask data augmentation[EB/OL]. [2024-07-29]. https://arxiv.org/pdf/2001.04086.
18	SELVARAJU R R, COGSWELL M, DAS A, et al. Grad-CAM: visual explanations from deep networks via gradient-based localization[C]//Proceedings of the IEEE International Conference on Computer Vision (ICCV). Venice, Italy: IEEE Press, 2017: 618-626.
19	EVERINGHAM M. The Pascal visual object classes challenge, (VOC2007) results[EB/OL]. [2024-07-29]. http://pascallin.ecs.soton.ac.uk/challenges/VOC/voc2007/index.html., 2007.
20	袁珑, 李秀梅, 潘振雄, 等. 面向目标检测的对抗样本综述. 中国图象图形学报, 2022, 27 (10): 2873- 2896.
	YUAN L , LI X M , PAN Z X , et al. Review of adversarial examples for object detection. Journal of Image and Graphics, 2022, 27 (10): 2873- 2896.
21	汪欣欣, 陈晶, 何琨, 等. 面向目标检测的对抗攻击与防御综述. 通信学报, 2023, 44 (11): 260- 277.
	WANG X X , CHEN J , HE K , et al. Survey on adversarial attacks and defenses for object detection. Journal on Communications, 2023, 44 (11): 260- 277.
22	REDMON J, DIVVALA S, GIRSHICK R, et al. You only look once: unified, real-time object detection[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Las Vegas, USA: IEEE Press, 2016: 779-788.
23	LIU W, ANGUELOV D, ERHAN D, et al. SSD: single shot multibox detector[C]//Proceedings of European Conference on Computer Vision. Berlin, Germany: Springer, 2016: 21-37.
24	LIN T Y, GOYAL P, GIRSHICK R, et al. Focal loss for dense object detection[C]//Proceedings of the IEEE International Conference on Computer Vision. Venice, Italy: IEEE Press, 2017: 2999-3007.
25	GIRSHICK R. Fast R-CNN[C]//Proceedings of the IEEE International Conference on Computer Vision (ICCV). Santiago, Chile: IEEE Press, 2016: 1440-1448.
26	REN S Q , HE K M , GIRSHICK R , et al. Faster R-CNN: towards real-time object detection with region proposal networks. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2017, 39 (6): 1137- 1149. doi: 10.1109/TPAMI.2016.2577031
27	CARION N, MASSA F, SYNNAEVE G, et al. End-to-end object detection with transformers[C]//Proceedings of European Conference on Computer Vision. Berlin, Germany: Springer, 2020: 213-229.
28	ZHU X Z, SU W J, LU L W, et al. Deformable DETR: deformable transformers for end-to-end object detection[EB/OL]. [2024-07-29]. https://arxiv.org/pdf/2010.04159.
29	WANG X S, ZHANG Z L, ZHANG J P. Structure invariant transformation for better adversarial transferability[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV). Paris, France: IEEE Press, 2024: 4584-4596.
30	LIU X N, ZHONG Y Y, ZHANG Y H, et al. Enhancing generalization of universal adversarial perturbation through gradient aggregation[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV). Paris, France: IEEE Press, 2024: 4412-4421.
31	MIAO B M, LI C X, ZHU Y, et al. AdvLogo: adversarial patch attack against object detectors based on diffusion models[EB/OL]. [2024-07-29]. https://arxiv.org/pdf/2409.07002.
32	CHEN X Y, LIU F Z, JIANG D, et al. Natural adversarial patch generation method based on latent diffusion model[EB/OL]. [2024-07-29]. https://arxiv.org/pdf/2312.16401.
33	ZHONG Z, ZHENG L, KANG G L, et al. Random erasing data augmentation[C]//Proceedings of the AAAI Conference on Artificial Intelligence. [S. l.]: AAAI Press, 2020: 13001-13008.
34	DEVRIES T, TAYLOR G W. Improved regularization of convolutional neural networks with cutout[EB/OL]. [2024-07-29]. https://arxiv.org/pdf/1708.04552.
35	WANG C Y, YEH I H, LIAO H M. YOLOv9: learning what you want to learn using programmable gradient information[EB/OL]. [2024-07-29]. https://arxiv.org/pdf/2402.13616.

[1]	代尹翘, 肖武龙, 李柏林, 李立. 基于改进YOLOv5s的莴笋芯部检测算法[J]. 计算机工程, 2026, 52(6): 352-364.
[2]	宋天泽, 曹从军, 何佳琪, 王旭升, 刘晨煜. 基于改进DETR的密集行人检测算法研究[J]. 计算机工程, 2026, 52(5): 250-258.
[3]	杨家豪, 王雷. 基于多特征时空推理网络的个体关注目标检测[J]. 计算机工程, 2026, 52(5): 184-191.
[4]	魏文泉, 莫宏伟. 基于改进YOLOv5s的PCB缺陷检测算法[J]. 计算机工程, 2026, 52(5): 226-238.
[5]	杨路, 刘俊杰, 余翔. 多尺度信息增强的遥感图像目标检测算法[J]. 计算机工程, 2026, 52(4): 200-213.
[6]	李潞洋, 闫锦龙, 方泽儒, 金旗旗, 薛红新. 基于动态特征增强的三维小目标检测算法[J]. 计算机工程, 2026, 52(4): 264-275.
[7]	郝友胜, 文贞慧, 冯小溪, 邓泽华, 黄清宝. 基于改进YOLOv8的车辆漆面缺陷检测[J]. 计算机工程, 2026, 52(4): 252-263.
[8]	成彬, 赵彬兵, 雷华, 何博. 基于双目视觉的钢筋绑扎节点定位方法[J]. 计算机工程, 2026, 52(4): 433-445.
[9]	汤伟博, 方强, 李沛根, 艾龙金, 熊金红, 夏海廷. 基于RSD-YOLO的无人机航拍图像小目标检测[J]. 计算机工程, 2026, 52(4): 214-228.
[10]	李沂杨, 陆声链, 王继杰, 陈明. 基于Transformer的DETR目标检测算法综述[J]. 计算机工程, 2026, 52(4): 62-81.
[11]	曹继卫, 罗飞, 丁炜超. BS-YOLO: 基于BSAM注意力机制和SCConv的小目标检测算法[J]. 计算机工程, 2026, 52(3): 119-127.
[12]	唐克, 魏飞鸣, 李东瀛, 郁文贤. 基于改进YOLOv8的轻量化无人机图像目标检测算法[J]. 计算机工程, 2026, 52(3): 97-106.
[13]	谢斌红, 石宇飞, 张睿, 张英俊. 基于查询引导和语义增强的小样本目标检测方法[J]. 计算机工程, 2026, 52(3): 141-151.
[14]	秦颖鑫, 张可佳, 潘海为, 巨亚昊. 计算机视觉对抗攻击研究综述[J]. 计算机工程, 2026, 52(2): 46-68.
[15]	董方和, 石琼, 师智斌. 基于集成学习与异常检测的对抗流量检测方法[J]. 计算机工程, 2026, 52(2): 275-286.

选择文件类型/文献管理软件名称

选择包含的内容