Object detection is a fundamental task in various applications ranging from autonomous driving to intelligent security systems. However, recognition of a person can be hindered when their clothing is decorated with carefully designed graffiti patterns, leading to the failure of object detection. To achieve greater attack potential against unknown black-box models, adversarial patches capable of affecting the outputs of multiple-object detection models are required. While ensemble models have proven effective, current research in the field of object detection typically focuses on the simple fusion of the outputs of all models, with limited attention being given to developing general adversarial patches that can function effectively in the physical world. In this paper, we introduce the concept of energy and treat the adversarial patches generation process as an optimization of the adversarial patches to minimize the total energy of the ``person'' category. Additionally, by adopting adversarial training, we construct a dynamically optimized ensemble model. During training, the weight parameters of the attacked target models are adjusted to find the balance point at which the generated adversarial patches can effectively attack all target models. We carried out six sets of comparative experiments and tested our algorithm on five mainstream object detection models. The adversarial patches generated by our algorithm can reduce the recognition accuracy of YOLOv2 and YOLOv3 to 13.19\% and 29.20\%, respectively. In addition, we conducted experiments to test the effectiveness of T-shirts covered with our adversarial patches in the physical world and could achieve that people are not recognized by the object detection model. Finally, leveraging the Grad-CAM tool, we explored the attack mechanism of adversarial patches from an energetic perspective.

翻译：目标检测是自动驾驶到智能安防等众多应用中的基础任务。然而，当人的衣物上装饰有精心设计的涂鸦图案时，对该人的识别可能受到干扰，导致目标检测失败。为获得对未知黑盒模型更强的攻击潜力，需要能够影响多目标检测模型输出的对抗补丁。尽管集成模型已被证明有效，但当前目标检测领域的研究通常局限于所有模型输出的简单融合，对开发能在物理世界中有效发挥作用的通用对抗补丁关注有限。本文引入能量概念，将对抗补丁生成过程视为对补丁的优化，以最小化“人”类别的总能量。此外，通过采用对抗训练，我们构建了动态优化的集成模型。在训练过程中，调整被攻击目标模型的权重参数，以找到生成的对抗补丁能有效攻击所有目标模型的平衡点。我们进行了六组对比实验，并在五个主流目标检测模型上测试了算法。本算法生成的对抗补丁可将YOLOv2和YOLOv3的识别准确率分别降至13.19%和29.20%。此外，我们在物理世界中测试了覆盖有本算法对抗补丁的T恤的有效性，成功实现了使人不被目标检测模型识别的效果。最后，借助Grad-CAM工具，我们从能量角度探索了对抗补丁的攻击机制。