Adversarial Attack Research On Object Analysis Models In Basic Vision

Posted on: 2024-03-13 | Degree: Doctor | Type: Dissertation | Country: China | Candidate: Z B Shi | GTID: 1528306932957229 | Subject: Cyberspace security

Abstract/Summary:

Since its advent, deep learning has driven a new wave of revolution in artificial intelligence. Deep learning application scenarios have grown tremendously and solved many complex problems in the industry. Almost all current advanced computer vision tasks use deep learning techniques to achieve performance breakthroughs, such as object classification, image generation, and video segmentation. Although deep learning has brought about a great improvement in task performance, the deep mechanism of these computer vision models is fundamentally different from the human cognitive process. In recent years, some researchers have found that deep learning models will produce completely different output when faced with unknown data or maliciously crafted inputs, even if the perturbations are very small and imperceptible to the human eye; such deliberately crafted input data is called an adversarial example. Adversarial examples have raised concerns for the application and development of deep learning in the field of computer vision, which has affected the promotion and implementation of numerous related applications. In computer vision, the three fundamental tasks are object classification, object detection, and object tracking, which are crucial for the safety control of essential facilities such as automated robots, self-driving vehicles, and drones. Therefore, research on adversarial examples related to these tasks becomes particularly urgent. By studying the inherent adversarial example principles in these three vision tasks, we can explain the internal mechanism of the intelligent model, improve its security and robustness, and promote the safe implementation of intelligent models based on deep learning.

How to effectively explore the security and robustness of the above vision tasks by means of attack is an extremely important and challenging problem. Existing attack methods have the following four problems when attacking computer vision models. The first is the poor transferability of attacks. In the face of new computer vision models, previously designed security verification algorithms cannot work effectively, because most of the algorithms are attack algorithms customized for specific models. The second is that the cost of perturbation is relatively high. Such attacks directly interfere with the model's optimization goal and do not make full use of the model's ability to extract context, so a high perturbation budget is required to effectively constrain the normal behavior of the model. The third is the slow generation of adversarial examples. Attacking the target model is a real-time task that requires generating adversarial examples above the model's processing frame rate. Most of the previous methods cannot meet this requirement. The fourth is the lack of flexibility of the algorithm. When improvements are made in the face of the target model, previously generated adversarial examples fail in most cases and need to be remodeled.

To improve adversarial performance in the three basic vision tasks, the following scientific issues need to be considered: first, how to restrict the perturbation space and provide a limited perturbation budget; second, how to make the attack algorithm focus on the key areas of the input data; and third, how to achieve a pre-defined complex hijacking result. Focusing on these three scientific issues, this dissertation studies adversarial attacks on vision-based image classification, detection and tracking. The main research content and innovation points are as follows:

Sparse Attack on 3D Point Cloud Classification for Object Classification. Data sampled by smart devices is generally 3D, so the problem of robust classification of 3D point clouds has received extensive attention. Our object classification attack is mainly studied on 3D point cloud data. First, this dissertation observes that perturbing only the key points can have a great impact on the classification results of point clouds. Second, if the perturbation space is restricted, the resulting point cloud adversarial examples are less distorted than those of previous work. Using shape as prior information can greatly reduce the generation of outlier perturbation points and improve imperceptibility. Finally, in the face of such sparse data, we propose a corresponding acceleration algorithm that can effectively increase the speed of point cloud adversarial example generation. In order to clearly verify the effectiveness of our proposed method against mainstream point cloud models, we adopted multiple point cloud models with different architectures, and constructed and verified experiments on public datasets.

Limited Perturbation Research for Object Detection. We observe that most current attacks on object detectors are extended from classification attacks. The current mainstream detectors fall into two categories, namely two-stage detectors and one-stage detectors. We use Faster R-CNN as the representative two-stage detector and YOLOv3 as the representative one-stage detector, and study how to make the attack algorithm focus on the key feature area of the image. This design can accelerate the generation process of adversarial examples. Because most current detection models use feature extractors based on classic backbone networks (such as ResNet50), we can improve the robustness verification effect of detection models through research on mainstream backbone networks. In addition, we designed a divergent adversarial map to improve imperceptibility and at the same time increase the effective perturbation perception area of the adversarial map. In order to explicitly verify the attack effect of our proposed algorithm on the widely used Faster R-CNN and YOLOv3, we construct and verify extensive experiments on two public datasets.

Research on Iteratively-Refined Attack for Object Detection. We observe that introducing the autonomous exploration mechanism of reinforcement learning can alleviate the dilemma of repeated modeling among different models to a certain extent. In the attack task of object detection, although representative detection algorithms have been extracted from the two-stage and one-stage detection models for testing, the large differences in the architecture of the models make it difficult to design the attack algorithm, and the problem persists. To this end, we propose an object detection attack method based on reinforcement learning. We model the attack process as a Markov chain and define state, action and reward functions. Q-Learning is used to learn the strategy, and an appropriate interval is selected by approximating the Q-value function. In order to clearly verify the attack effect of our proposed algorithm among different models, we selected a large number of detection models with different architectures, and used different backbone networks to construct and verify extensive experiments on public datasets.

Continuous Misguided Research on Object Tracking. Object tracking is an extension of object detection to video, and a video can be regarded as a sequence of frames in continuous time. Through observations, this dissertation finds that the small difference between consecutive video frames makes the transmission of perturbations possible, and that the attack mode of the tracking task should preferably meet two conditions: controllable and low-latency. We implemented several different versions of the hijack, with generic attacks, movement in specific directions, and locking onto other targets. In this regard, we propose four loss functions, namely suppression loss, divergence loss, trend loss and center loss, to improve attack performance. In addition, we also obtain common attack features on most models to improve the efficiency of adversarial example generation. In order to clearly verify the attack success rate and perturbation performance of our proposed attack algorithm on the tracker, we selected multiple tracking models with different architectures, and constructed and verified extensive experiments on multiple public datasets.

Based on the above research, this dissertation explores adversarial attacks on vision-based object classification, detection and tracking. By adopting mainstream models on three major vision tasks to analyze their internal architecture, we design novel attack modes for widely used model components. In this regard, we constructed adversarial examples with low perturbation perceptibility, fast processing speed, high transferability, and high success rate, which revealed the vulnerable parts of the model, providing new perspectives and ideas for subsequent research on the robustness of computer vision task models or performance improvement.

Keywords/Search Tags: Adversarial Attack, Adversarial Example, Deep Learning, Object Classification, 3D Point Cloud, Object Detection, Object Tracking, Basic Vision