A CMA-ES-Based Adversarial Attack Against Black-Box Object Detectors

LYU Haoran; TAN Yu'an; XUE Yuan; WANG Yajie; XUE Jingfeng

doi:10.1049/cje.2021.03.003

Volume 30 Issue 3

May 2021

Turn off MathJax

Article Contents

Article Navigation > Chinese Journal of Electronics > 2021 > 30(3): 406-412

LYU Haoran, TAN Yu'an, XUE Yuan, et al., “A CMA-ES-Based Adversarial Attack Against Black-Box Object Detectors,” Chinese Journal of Electronics, vol. 30, no. 3, pp. 406-412, 2021, doi: 10.1049/cje.2021.03.003

Citation:

LYU Haoran, TAN Yu'an, XUE Yuan, et al., “A CMA-ES-Based Adversarial Attack Against Black-Box Object Detectors,” Chinese Journal of Electronics, vol. 30, no. 3, pp. 406-412, 2021, doi: 10.1049/cje.2021.03.003

Citation:

PDF( 1238 KB)

A CMA-ES-Based Adversarial Attack Against Black-Box Object Detectors

doi: 10.1049/cje.2021.03.003

1. School of Computer Science and Technology, Beijing Institute of Technology, Beijing 100081, China;
2. Academy of Military Science, Beijing 100091, China

Funds:

This work was supported by the National Natural Science Foundation of China (No.61876019, No.U1936218).

Received Date: 2020-10-13

Abstract

Abstract

Object detection is one of the essential tasks of computer vision. Object detectors based on the deep neural network have been used more and more widely in safe-sensitive applications, like face recognition, video surveillance, autonomous driving, and other tasks. It has been proved that object detectors are vulnerable to adversarial attacks. We propose a novel black-box attack method, which can successfully attack regression-based and region-based object detectors. We introduce methods to reduce search dimensions, reduce the dimension of optimization problems and reduce the number of queries by using the Covariance matrix adaptation Evolution strategy (CMA-ES) as the primary method to generate adversarial examples. Our method only adds adversarial perturbations in the object box to achieve a precise attack. Our proposed attack can hide the specified object with an attack success rate of 86% and an average number of queries of 5, 124, and hide all objects with a success rate of 74% and an average number of queries of 6, 154. Our work illustrates the effectiveness of the CMA-ES method to generate adversarial examples and proves the vulnerability of the object detectors against the adversarial attacks.
- Adversarial example,
- Black-box attack,
- Object detector,
- Deep neural network

FullText(HTML)

References(25)

References

A. Nguyen, J. Yosinski, and J. Clune, “Deep neural networks are easily fooled: High confidence predictions for unrecognizable images”, IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Boston, USA, pp.427–436, 2015.

N. Akhtar and A. Mian, “Threat of adversarial attacks on deep learning in computer vision: A survey”, IEEE Access, Vol.6, pp.14410–14430, 2018.

F. Guo, Q. Zhao, X. Li, X. Kuang, J. Zhang, Y. Han and Y. Tan, “Detecting adversarial examples via prediction difference for deep neural networks”, Information Sciences, Vol.501, pp.182–192, 2019.

Q. Zhang, Y. Zhao, Y. Wang, T. Baker, J. Zhang and J. Hu, “Towards cross-task universal perturbation against black-box object detectors in autonomous driving”, Computer Networks, Vol.180, pp.107388, 2020.

Z. Guan, X. Liu, L. Wu, J. Wu, R. Xu, J. Zhang and Y. Li, “Cross-lingual multi-keyword rank search with semantic extension over encrypted data”, Information Sciences, Vol.514, pp.523–540, 2020.

Y. Li, S. Yao, K. Yang, Y. Tan and Q. Zhang, “A high-imperceptibility and histogram–shifting data hiding scheme for JPEG images”, IEEE Access, Vol.7, pp.73573–73582, 2019.

R. Zhu, B. Zhang, J. Mao, Q. Zhang and Y. Tan, “A methodology for determining the image base of arm-based industrial control system firmware”, International Journal of Critical Infrastructure Protection, Vol.16, pp.26–35, 2017.

Q. Zhang, Y. Li, Q. Zhang, J. Yuan, R. Wang and Y. Gan, “A self-certified cross-cluster asymmetric group key agreement for wireless sensor networks”, Chinese Journal of Electronics, Vol.28, No.2, pp.280–287, 2019.

J. Zheng, Q. Zhang, X. Zhang, Y. Li and Q. Zhang, “A specific-targeting asymmetric group key agreement for cloud computing”, Chinese Journal of Electronics, Vol.27, No.4, pp.866–872, 2018.

N. Papernot, P. McDaniel, S. Jha, M. Fredrikson, Z. B. Celik and A. Swami, “The limitations of deep learning in adversarial settings”, IEEE European Symposium on Security and Privacy (EuroS ＆ P), Saarbrucken, Germany, pp.372–387, 2016.

N. Carlini and D. Wagner, “Towards evaluating the robustness of neural networks”, IEEE Symposium on Security and Privacy (SP), San Jose, USA, pp.39–57, 2017.

N. Papernot, P. McDaniel, I. Goodfellow, S. Jha, Z. B. Celik and A. Swami, “Practical black–box attacks against machine learning”, ACM Asia Conference on Computer and Communications Security (ASIACCS), Dubai, United Arab Emirates, pp.506–519, 2017.

J. Su, D. V. Vargas and K. Sakurai, “One pixel attack for fooling deep neural networks”, IEEE Transactions on Evolutionary Computation, Vol.23, No.5, pp.828–841, 2019.

J. Chen, M. I. Jordan and M. J. Wainwright, “Hopskipjumpattack: A query-efficient decision–based attack”, IEEE Symposium on Security and Privacy (SP), Hyatt Regency, San Francisco, USA, pp.1277–1294, 2020.

J. Redmon, S. Divvala, R. Girshick and A. Farhadi, “You only look once: Unified, real-time object detection”, IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Las Vegas, USA, pp.779–788, 2016.

K. He, G. Gkioxari, P. Dollár and R. Girshick, “Mask r-cnn”, IEEE International Conference on Computer Vision, Venice, Italy, pp.2961–2969, 2017.

S. Ren, K. He, R. Girshick and J. Sun, “Faster r-cnn: Towards real-time object detection with region proposal networks”, IEEE Transactions On Pattern Analysis And Machine Intelligence, Vol.39, No.6, pp.1137–1149, 2016.

W. Wang, Y. Shang, Y. He, Y. Li and J. Liu, “BotMark: Automated botnet detection with hybrid analysis of flow-based and graph-based traffic behaviors”, Information Sciences, Vol.511, pp.284–296, 2020.

W. Li, W. Meng, Z. Tan and Y. Xiang, “Design of multi-view based email classification for IoT systems via semi–supervised learning”, Journal of Network and Computer Applications, Vol.128, pp.56–63, 2019.

C. Xie, J. Wang, Z. Zhang, Y. Zhou, L. Xie and A. Yuille, “Adversarial examples for semantic segmentation and object detection”, IEEE International Conference on Computer Vision (ICCV), Venice, Italy, pp.1369–1378, 2017

Q. Zhang, K. Wang, W. Zhang and J. Hu, “Attacking blackbox image classifiers with particle swarm optimization”, IEEE Access, Vol.7, pp.158051–158063, 2019.

W. Liu, D. Anguelov, D. Erhan, C. Szegedy, S. Reed, C. Fu and A. C. Berg, “Ssd: Single shot multibox detector”, European Conference on Computer Vision (ECCV), Amsterdam, the Netherlands, pp.21–37, 2016.

R. Girshick, J. Donahue, T. Darrell and J. Malik, “Rich feature hierarchies for accurate object detection and semantic segmentation”, IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Columbus, Ohio, USA, pp.580–587, 2014.

R. Girshick, “Fast r-cnn”, IEEE International Conference on Computer Vision (ICCV), Santiago, Chile, pp.1440–1448, 2015.

P. Chen, H. Zhang, Y. Sharma, J. Yi and C. Hsieh, “Zoo: Zeroth order optimization based black–box attacks to deep neural networks without training substitute models”, the 10th ACM Workshop on Artificial Intelligence and Security, Dallas, Texas, USA, pp.15–26, 2017.

Relative Articles

Supplements(0)

Cited By

Proportional views