Modern object detectors are vulnerable to adversarial examples, which may bring risks to real-world applications. The sparse attack is an important task which, compared with the popular adversarial perturbation on the whole image, needs to select the potential pixels that is generally regularized by an $\ell_0$-norm constraint, and simultaneously optimize the corresponding texture. The non-differentiability of $\ell_0$ norm brings challenges and many works on attacking object detection adopted manually-designed patterns to address them, which are meaningless and independent of objects, and therefore lead to relatively poor attack performance. In this paper, we propose Adversarial Semantic Contour (ASC), an MAP estimate of a Bayesian formulation of sparse attack with a deceived prior of object contour. The object contour prior effectively reduces the search space of pixel selection and improves the attack by introducing more semantic bias. Extensive experiments demonstrate that ASC can corrupt the prediction of 9 modern detectors with different architectures (\e.g., one-stage, two-stage and Transformer) by modifying fewer than 5\% of the pixels of the object area in COCO in white-box scenario and around 10\% of those in black-box scenario. We further extend the attack to datasets for autonomous driving systems to verify the effectiveness. We conclude with cautions about contour being the common weakness of object detectors with various architecture and the care needed in applying them in safety-sensitive scenarios.

翻译：现代目标检测器易受对抗样本攻击，这可能给实际应用带来风险。稀疏攻击是一项重要任务，与对整个图像施加普遍对抗扰动不同，它需要选择通常受$\ell_0$范数约束的潜在像素，并同时优化相应纹理。$\ell_0$范数的不可微性带来了挑战，许多针对目标检测的攻击工作采用人工设计的模式来解决这一问题，这些模式无意义且与物体无关，因此攻击性能相对较差。本文提出对抗语义轮廓（ASC），这是一种基于贝叶斯稀疏攻击公式的最大后验估计，并引入了目标轮廓的先验欺骗。目标轮廓先验有效减少了像素选择的搜索空间，并通过引入更多语义偏差提升了攻击效果。大量实验表明，ASC可通过修改COCO数据集中白盒场景下目标区域少于5%的像素以及黑盒场景下约10%的像素，破坏9种不同架构（如单阶段、两阶段和Transformer）的现代检测器的预测。我们进一步将攻击扩展到自动驾驶系统数据集以验证其有效性。最后，我们警示轮廓作为不同架构目标检测器的共同弱点，以及将其应用于安全敏感场景时需谨慎。