A Local Adversarial Attack with a Maximum Aggregated Region Sparseness Strategy for 3D Objects
The increasing reliance on deep neural network-based object detection models in various applications has raised significant security concerns due to their vulnerability to adversarial attacks. In physical 3D environments, existing adversarial attacks that target object detection (3D-AE) face signifi...
Saved in:
| Main Authors: | , , , , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
MDPI AG
2025-01-01
|
| Series: | Journal of Imaging |
| Subjects: | |
| Online Access: | https://www.mdpi.com/2313-433X/11/1/25 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1832588316885647360 |
|---|---|
| author | Ling Zhao Xun Lv Lili Zhu Binyan Luo Hang Cao Jiahao Cui Haifeng Li Jian Peng |
| author_facet | Ling Zhao Xun Lv Lili Zhu Binyan Luo Hang Cao Jiahao Cui Haifeng Li Jian Peng |
| author_sort | Ling Zhao |
| collection | DOAJ |
| description | The increasing reliance on deep neural network-based object detection models in various applications has raised significant security concerns due to their vulnerability to adversarial attacks. In physical 3D environments, existing adversarial attacks that target object detection (3D-AE) face significant challenges. These attacks often require large and dispersed modifications to objects, making them easily noticeable and reducing their effectiveness in real-world scenarios. To maximize the attack effectiveness, large and dispersed attack camouflages are often employed, which makes the camouflages overly conspicuous and reduces their visual stealth. The core issue is how to use minimal and concentrated camouflage to maximize the attack effect. Addressing this, our research focuses on developing more subtle and efficient attack methods that can better evade detection in practical settings. Based on these principles, this paper proposes a local 3D attack method driven by a Maximum Aggregated Region Sparseness (MARS) strategy. In simpler terms, our approach strategically concentrates the attack modifications to specific areas to enhance effectiveness while maintaining stealth. To maximize the aggregation of attack-camouflaged regions, an aggregation regularization term is designed to constrain the mask aggregation matrix based on the face-adjacency relationships. To minimize the attack camouflage regions, a sparseness regularization is designed to make the mask weights tend toward a U-shaped distribution and limit extreme values. Additionally, neural rendering is used to obtain gradient-propagating multi-angle augmented data and suppress the model’s detection to locate universal critical decision regions from multiple angles. These technical strategies ensure that the adversarial modifications remain effective across different viewpoints and conditions. We test the attack effectiveness of different region selection strategies. On the CARLA dataset, the average attack efficiency of attacking the YOLOv3 and v5 series networks reaches 1.724, which represents an improvement of 0.986 (134%) compared to baseline methods. These results demonstrate a significant enhancement in attack performance, highlighting the potential risks to real-world object detection systems. The experimental results demonstrate that our attack method achieves both stealth and aggressiveness from different viewpoints. Furthermore, we explore the transferability of the decision regions. The results indicate that our method can be effectively combined with different texture optimization methods, with the average precision decreasing by 0.488 and 0.662 across different networks, which indicates a strong attack effectiveness. |
| format | Article |
| id | doaj-art-f7246880bf4a41599d97c0675afa8827 |
| institution | Kabale University |
| issn | 2313-433X |
| language | English |
| publishDate | 2025-01-01 |
| publisher | MDPI AG |
| record_format | Article |
| series | Journal of Imaging |
| spelling | doaj-art-f7246880bf4a41599d97c0675afa88272025-01-24T13:36:19ZengMDPI AGJournal of Imaging2313-433X2025-01-011112510.3390/jimaging11010025A Local Adversarial Attack with a Maximum Aggregated Region Sparseness Strategy for 3D ObjectsLing Zhao0Xun Lv1Lili Zhu2Binyan Luo3Hang Cao4Jiahao Cui5Haifeng Li6Jian Peng7Department of School of Geosciences and Info-Physics, Central South University, Changsha 410083, ChinaDepartment of School of Geosciences and Info-Physics, Central South University, Changsha 410083, ChinaDepartment of Hunan Provincial Institute of Land and Resources Planning, Hunan Key Laboratory of Land Resources Evaluation and Utilization, Changsha 410083, ChinaDepartment of School of Geosciences and Info-Physics, Central South University, Changsha 410083, ChinaDepartment of School of Geosciences and Info-Physics, Central South University, Changsha 410083, ChinaDepartment of School of Geosciences and Info-Physics, Central South University, Changsha 410083, ChinaDepartment of School of Geosciences and Info-Physics, Central South University, Changsha 410083, ChinaDepartment of Precision Instrument, Tsinghua University, Beijing 100084, ChinaThe increasing reliance on deep neural network-based object detection models in various applications has raised significant security concerns due to their vulnerability to adversarial attacks. In physical 3D environments, existing adversarial attacks that target object detection (3D-AE) face significant challenges. These attacks often require large and dispersed modifications to objects, making them easily noticeable and reducing their effectiveness in real-world scenarios. To maximize the attack effectiveness, large and dispersed attack camouflages are often employed, which makes the camouflages overly conspicuous and reduces their visual stealth. The core issue is how to use minimal and concentrated camouflage to maximize the attack effect. Addressing this, our research focuses on developing more subtle and efficient attack methods that can better evade detection in practical settings. Based on these principles, this paper proposes a local 3D attack method driven by a Maximum Aggregated Region Sparseness (MARS) strategy. In simpler terms, our approach strategically concentrates the attack modifications to specific areas to enhance effectiveness while maintaining stealth. To maximize the aggregation of attack-camouflaged regions, an aggregation regularization term is designed to constrain the mask aggregation matrix based on the face-adjacency relationships. To minimize the attack camouflage regions, a sparseness regularization is designed to make the mask weights tend toward a U-shaped distribution and limit extreme values. Additionally, neural rendering is used to obtain gradient-propagating multi-angle augmented data and suppress the model’s detection to locate universal critical decision regions from multiple angles. These technical strategies ensure that the adversarial modifications remain effective across different viewpoints and conditions. We test the attack effectiveness of different region selection strategies. On the CARLA dataset, the average attack efficiency of attacking the YOLOv3 and v5 series networks reaches 1.724, which represents an improvement of 0.986 (134%) compared to baseline methods. These results demonstrate a significant enhancement in attack performance, highlighting the potential risks to real-world object detection systems. The experimental results demonstrate that our attack method achieves both stealth and aggressiveness from different viewpoints. Furthermore, we explore the transferability of the decision regions. The results indicate that our method can be effectively combined with different texture optimization methods, with the average precision decreasing by 0.488 and 0.662 across different networks, which indicates a strong attack effectiveness.https://www.mdpi.com/2313-433X/11/1/25deep learningadversarial attackphysical attack3D object detectiontransferability |
| spellingShingle | Ling Zhao Xun Lv Lili Zhu Binyan Luo Hang Cao Jiahao Cui Haifeng Li Jian Peng A Local Adversarial Attack with a Maximum Aggregated Region Sparseness Strategy for 3D Objects Journal of Imaging deep learning adversarial attack physical attack 3D object detection transferability |
| title | A Local Adversarial Attack with a Maximum Aggregated Region Sparseness Strategy for 3D Objects |
| title_full | A Local Adversarial Attack with a Maximum Aggregated Region Sparseness Strategy for 3D Objects |
| title_fullStr | A Local Adversarial Attack with a Maximum Aggregated Region Sparseness Strategy for 3D Objects |
| title_full_unstemmed | A Local Adversarial Attack with a Maximum Aggregated Region Sparseness Strategy for 3D Objects |
| title_short | A Local Adversarial Attack with a Maximum Aggregated Region Sparseness Strategy for 3D Objects |
| title_sort | local adversarial attack with a maximum aggregated region sparseness strategy for 3d objects |
| topic | deep learning adversarial attack physical attack 3D object detection transferability |
| url | https://www.mdpi.com/2313-433X/11/1/25 |
| work_keys_str_mv | AT lingzhao alocaladversarialattackwithamaximumaggregatedregionsparsenessstrategyfor3dobjects AT xunlv alocaladversarialattackwithamaximumaggregatedregionsparsenessstrategyfor3dobjects AT lilizhu alocaladversarialattackwithamaximumaggregatedregionsparsenessstrategyfor3dobjects AT binyanluo alocaladversarialattackwithamaximumaggregatedregionsparsenessstrategyfor3dobjects AT hangcao alocaladversarialattackwithamaximumaggregatedregionsparsenessstrategyfor3dobjects AT jiahaocui alocaladversarialattackwithamaximumaggregatedregionsparsenessstrategyfor3dobjects AT haifengli alocaladversarialattackwithamaximumaggregatedregionsparsenessstrategyfor3dobjects AT jianpeng alocaladversarialattackwithamaximumaggregatedregionsparsenessstrategyfor3dobjects AT lingzhao localadversarialattackwithamaximumaggregatedregionsparsenessstrategyfor3dobjects AT xunlv localadversarialattackwithamaximumaggregatedregionsparsenessstrategyfor3dobjects AT lilizhu localadversarialattackwithamaximumaggregatedregionsparsenessstrategyfor3dobjects AT binyanluo localadversarialattackwithamaximumaggregatedregionsparsenessstrategyfor3dobjects AT hangcao localadversarialattackwithamaximumaggregatedregionsparsenessstrategyfor3dobjects AT jiahaocui localadversarialattackwithamaximumaggregatedregionsparsenessstrategyfor3dobjects AT haifengli localadversarialattackwithamaximumaggregatedregionsparsenessstrategyfor3dobjects AT jianpeng localadversarialattackwithamaximumaggregatedregionsparsenessstrategyfor3dobjects |