
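Graduate student: YU-CHIH-CHIA HU (胡有值嘉)
Thesis title: Naturally physical adversarial patch for object detectors
Advisor: Kai-Lung Hua (花凱龍)
Oral defense committee: Wen-Huang Cheng (鄭文皇), Jun-Cheng Chen (陳駿丞)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2021
Academic year of graduation: 109
Language: Chinese
Number of pages: 46
Chinese keywords: adversarial patch, adversarial attack, naturalistic attack, person detection, person disappearance
Foreign-language keywords: adversarial patch, adversarial attack, natural, T-shirt, physical attack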
    One of the most common adversarial attacks used to protect human privacy is an adversarial patch worn on the body. The large perturbation carried by the patch disrupts a neural network's machine vision, so that the person is either not detected or is assigned to the wrong class, and the person wearing the patch disappears from the machine's view. Such a large perturbation is needed because a privacy-protecting patch usually covers only part of the person, so from the machine's perspective the patch occupies only a small area of the image. The traditional approach of adding small perturbations that are invisible to the naked eye across the whole image therefore cannot be used; the perturbation must be large enough to be visible before it can fool the neural network's recognition. However, most such adversarial patches have strange shapes or unusual hues. These are a by-product of the large perturbation needed to make the neural network misjudge, but because the patterns are so eye-catching, a human observer will notice something unusual and become alert even when the neural network is fooled.

    This thesis proposes a different method: by manipulating the latent space of the generator of a generative adversarial network, the generator produces adversarial patches that keep their original natural style while still being able to attack machine vision. Training lowers the object score that the neural network detector assigns to the object and increases the difference between the bounding boxes (bbox) obtained with and without the adversarial patch, applying gradient descent to the generator's latent space vector to produce a natural adversarial patch. An adversarial patch that retains a certain degree of naturalness avoids the strangely shaped and strangely colored by-products of earlier approaches, so it can deceive not only neural network machine vision but also the human eye, making it difficult for people to notice that an adversarial patch is present.

    Advisor's Recommendation Letter
    Oral Defense Committee Approval
    Abstract (Chinese)
    Abstract
    Acknowledgements
    Table of Contents
    List of Figures
    List of Tables
    1 Introduction
        1.1 Research Background and Motivation
        1.2 Contributions
        1.3 Thesis Organization
    2 Related Work
        2.1 Adversarial Patch
        2.2 Adversarial patches to attack person detection
        2.3 Adversarial T-shirt
        2.4 Universal Physical Camouflage
        2.5 Invisibility Cloak
    3 Method
        3.1 Overview
        3.2 Model Architecture
            3.2.1 Feature vector (latent space)
            3.2.2 GAN generator
            3.2.3 Transformation
            3.2.4 Machine vision detector
        3.3 Transformation
            3.3.1 Random perturbation
            3.3.2 Random rotation
            3.3.3 Random position change
            3.3.4 Simulated wrinkles
            3.3.5 Simulated tilt
            3.3.6 Random occlusion
        3.4 Adversarial latent space
    4 Experimental Design
        4.1 Dataset
        4.2 Preprocessing
        4.3 Loss Function
        4.4 Model Settings
        4.5 Experimental Settings
    5 Experimental Results and Analysis
        5.1 Naturalness
        5.2 Effect of Transformations
        5.3 Attack Performance
        5.4 Distance of the Adversarial Patch
        5.5 Adversarial Patches of Different Classes
        5.6 Size of the Adversarial Patch
        5.7 Resolution of the Adversarial Patch
    6 Conclusion and Future Work
    References
