As object detection becomes integral to many safety-critical applications, understanding its vulnerabilities is essential. Backdoor attacks, in particular, pose a serious threat by implanting hidden triggers in victim models, which adversaries can later exploit to induce malicious behaviors during inference. However, current understanding is limited to single-target attacks, where adversaries must define a fixed malicious behavior (target) before training, making inference-time adaptability impossible. Given the large output space of object detection (including object existence prediction, bounding box estimation, and classification), the feasibility of flexible, inference-time model control remains unexplored. This paper introduces AnywhereDoor, a multi-target backdoor attack for object detection. Once implanted, AnywhereDoor allows adversaries to make objects disappear, fabricate new ones, or mislabel them, either across all object classes or specific ones, offering an unprecedented degree of control. This flexibility is enabled by three key innovations: (i) objective disentanglement to scale the number of supported targets; (ii) trigger mosaicking to ensure robustness even against region-based detectors; and (iii) strategic batching to address object-level data imbalances that hinder manipulation. Extensive experiments demonstrate that AnywhereDoor grants attackers a high degree of control, improving attack success rates by 26% compared to adaptations of existing methods for such flexible control.
翻译:随着目标检测在众多安全关键应用中变得不可或缺,理解其脆弱性至关重要。后门攻击通过在受害模型中植入隐藏触发器构成严重威胁,攻击者可在推理阶段利用这些触发器诱发恶意行为。然而,当前研究仅限于单目标攻击,攻击者必须在训练前定义固定的恶意行为(目标),导致无法在推理阶段实现适应性控制。鉴于目标检测的输出空间庞大(包括目标存在性预测、边界框估计和分类),灵活、可推理时调整的模型控制可行性尚未得到探索。本文提出AnywhereDoor,一种针对目标检测的多目标后门攻击方法。一旦植入,AnywhereDoor允许攻击者使目标消失、伪造新目标或错误标记目标,既可针对所有目标类别也可针对特定类别,提供前所未有的控制能力。这种灵活性通过三项关键创新实现:(i)目标解耦以扩展支持的目标数量;(ii)触发器马赛克化以确保对基于区域的检测器仍具鲁棒性;(iii)策略性批处理以解决阻碍操作的目标级数据不平衡问题。大量实验表明,与为适应此类灵活控制而改进的现有方法相比,AnywhereDoor使攻击者获得高度控制能力,攻击成功率提升26%。