Adversarial patch attacks present a significant threat to real-world object detectors due to their practical feasibility. Existing defense methods, which rely on attack data or prior knowledge, struggle to effectively address a wide range of adversarial patches. In this paper, we show two inherent characteristics of adversarial patches, semantic independence and spatial heterogeneity, which are independent of their appearance, shape, size, quantity, and location. Semantic independence indicates that adversarial patches operate autonomously within their semantic context, while spatial heterogeneity manifests as a distinct image quality of the patch area that differs from the original clean image due to the independent generation process. Based on these observations, we propose PAD, a novel adversarial patch localization and removal method that does not require prior knowledge or additional training. PAD offers patch-agnostic defense against various adversarial patches and is compatible with any pre-trained object detector. Our comprehensive digital and physical experiments involving diverse patch types, such as localized noise, printable, and naturalistic patches, exhibit notable improvements over state-of-the-art works. Our code is available at https://github.com/Lihua-Jing/PAD.