Object detectors are vulnerable to backdoor attacks. In contrast to classifiers, detectors possess unique characteristics, architecturally and in task execution; often operating in challenging conditions, for instance, detecting traffic signs in autonomous cars. But, our knowledge dominates attacks against classifiers and tests in the "digital domain". To address this critical gap, we conducted an extensive empirical study targeting multiple detector architectures and two challenging detection tasks in real-world settings: traffic signs and vehicles. Using the diverse, methodically collected videos captured from driving cars and flying drones, incorporating physical object trigger deployments in authentic scenes, we investigated the viability of physical object-triggered backdoor attacks in application settings. Our findings revealed 8 key insights. Importantly, the prevalent "digital" data poisoning method for injecting backdoors into models does not lead to effective attacks against detectors in the real world, although proven effective in classification tasks. We construct a new, cost-efficient attack method, dubbed MORPHING, incorporating the unique nature of detection tasks; ours is remarkably successful in injecting physical object-triggered backdoors, even capable of poisoning triggers with clean label annotations or invisible triggers without diminishing the success of physical object triggered backdoors. We discovered that the defenses curated are ill-equipped to safeguard detectors against such attacks. To underscore the severity of the threat and foster further research, we, for the first time, release an extensive video test set of real-world backdoor attacks. Our study not only establishes the credibility and seriousness of this threat but also serves as a clarion call to the research community to advance backdoor defenses in the context of object detection.
翻译:目标检测器易受后门攻击。与分类器相比,检测器在架构和任务执行上具有独特特性;其常在具有挑战性的条件下运行,例如自动驾驶汽车中的交通标志检测。然而,现有研究主要集中在针对分类器的攻击及"数字域"测试。为弥补这一关键空白,我们开展了一项广泛的实证研究,针对多种检测器架构及现实场景中两项具有挑战性的检测任务:交通标志与车辆检测。利用从行驶汽车和飞行无人机系统采集的多样化、方法学严谨的视频数据,并结合真实场景中物理对象触发器的部署,我们探究了应用场景中物理对象触发式后门攻击的可行性。我们的研究揭示了8项关键发现。值得注意的是,尽管在分类任务中被证明有效,当前主流的"数字"数据投毒方法在现实世界中并未对检测器形成有效攻击。我们构建了一种新颖且成本效益高的攻击方法——MORPHING,该方法融合了检测任务的独特性;我们的方法在注入物理对象触发式后门方面成效显著,甚至能够以干净标签标注的触发器或不可见触发器进行投毒,同时不削弱物理对象触发式后门的成功率。我们发现现有防御机制不足以保护检测器抵御此类攻击。为强调该威胁的严重性并推动进一步研究,我们首次公开发布了涵盖现实世界后门攻击的大规模视频测试集。本研究不仅证实了该威胁的可信度与严重性,更为研究界在目标检测领域推进后门防御研究敲响了警钟。