Object detection is the foundation of various critical computer-vision tasks such as segmentation, object tracking, and event detection. To train an object detector with satisfactory accuracy, a large amount of data is required. However, because annotating large datasets is labor-intensive, this data curation task is often outsourced to a third party or relies on volunteers. This work reveals severe vulnerabilities in such data curation pipelines. We propose MACAB, which crafts clean-annotated images to stealthily implant a backdoor into the object detectors trained on them, even when the data curator can manually audit the images. We observe that both the misclassification and the cloaking backdoor effects are robustly achieved in the wild when the backdoor is activated with inconspicuous, natural physical triggers. Backdooring non-classification object detection with clean annotation is challenging compared to backdooring existing image classification tasks with clean labels, owing to the complexity of having multiple objects within each frame, including victim and non-victim objects. The efficacy of MACAB is ensured by constructively (i) abusing the image-scaling function used by the deep learning framework, (ii) incorporating the proposed adversarial clean image replica technique, and (iii) combining poison data selection criteria given a constrained attacking budget. Extensive experiments demonstrate that MACAB exhibits more than a 90% attack success rate under various real-world scenes. This includes both the cloaking and the misclassification backdoor effects, even when restricted to a small attack budget. The poisoned samples cannot be effectively identified by state-of-the-art detection techniques. The comprehensive video demo is at https://youtu.be/MA7L_LpXkp4, which is based on a poison rate of 0.14% for the YOLOv4 cloaking backdoor and the Faster R-CNN misclassification backdoor.