Recent studies revealed that deep neural networks (DNNs) are exposed to backdoor threats when training with third-party resources (such as training samples or backbones). The backdoored model has promising performance in predicting benign samples, whereas its predictions can be maliciously manipulated by adversaries based on activating its backdoors with pre-defined trigger patterns. Currently, most of the existing backdoor attacks were conducted on the image classification under the targeted manner. In this paper, we reveal that these threats could also happen in object detection, posing threatening risks to many mission-critical applications ($e.g.$, pedestrian detection and intelligent surveillance systems). Specifically, we design a simple yet effective poison-only backdoor attack in an untargeted manner, based on task characteristics. We show that, once the backdoor is embedded into the target model by our attack, it can trick the model to lose detection of any object stamped with our trigger patterns. We conduct extensive experiments on the benchmark dataset, showing its effectiveness in both digital and physical-world settings and its resistance to potential defenses.
翻译:近年研究揭示,深度神经网络(DNNs)在使用第三方资源(如训练样本或骨干网络)进行训练时面临后门威胁。植入后门的模型在预测良性样本时表现良好,但其预测结果可能被攻击者通过预定义的触发模式激活后门而恶意篡改。目前,大多数现有后门攻击均以定向方式针对图像分类任务实施。本文揭示这些威胁同样可能发生在目标检测领域,对众多关键任务型应用(如行人检测与智能监控系统)构成严重风险。具体而言,我们基于任务特性设计了一种简单高效、仅需污染样本的非定向后门攻击方法。研究表明,一旦通过我们的攻击将后门植入目标模型,该模型将无法检测任何带有触发模式的物体。我们在基准数据集上开展了广泛实验,验证了该方法在数字与物理场景下的有效性及其对潜在防御手段的抵抗能力。