D-UAP: Initially Diversified Universal Adversarial Patch Generation Method (2024)

1. Introduction

In recent years, with the rapid development of deep learning technology, deep learning models represented by convolutional neural networks have been widely used in various computer vision applications, such as image classification [1,2], object detection [3,4,5], face recognition [6,7,8], object tracking [9,10,11], etc. As one of the basic tasks of computer vision, the object detection task has achieved breakthroughs with the continuous development of deep learning, and the detection method has changed from traditional manual setting feature recognition [12,13] to automatic feature extraction based on neural networks, which greatly improves the performance of object detection. At present, the mainstream object detection model can be divided into two types according to its detection stage: one-stage and two-stage detection models. The YOLO series model, represented by YOLOv4, is a one-stage model; it realizes end-to-end work, and the positioning task is carried out simultaneously with the regression task, which leads to a faster detection speed and is suitable for real-time object detection tasks. The two-stage detection model [14,15] divides the detection task into two stages; the model first identifies the possible target locations to generate area suggestions and then classifies and identifies these area suggestions. Compared with traditional detection systems, the detection model based on a deep neural network shows good detection performance and detection speed.

The object detection model based on deep learning obtains excellent performance brought by deep neural networks, but it also inherits the shortcomings of neural networks, i.e., it is vulnerable to adversarial example attacks. Adversarial examples are samples that can be made to obtain unexpected results (e.g., classification errors and failed pedestrian detectors) by adding special perturbations that cannot be recognized by the human eye. With the deepening of research in the field of image classification, researchers have shifted their eyes to more complex object detection tasks. The object detection system adopts a pre-set prior frame to draw a bounding box at the target position to locate objects and identify categories. The number of targets that need to be attacked is much larger than that of image classification, so its attack is more complex than the image classification task. Xie [16] extended the adversarial examples of image classification to object detection and proposed a DAG method, which assigns adversarial labels to regions and optimizes the overall loss function. Lu [7] proposed a stop-sign vanishing attack for videos and successfully attacked the faster region-based convolutional neural network (Faster RCNN) method [15] using the fast gradient sign method (FGSM) [17], which proved the effectiveness of object detection adversarial attack. Although the adversarial example based on global perturbation can successfully attack the object detection and recognition system, this attack method of adding perturbation to the global image cannot be transferred to the physical world.

To obtain an attack adversarial example that can be successfully transferred to the physical world, the concept of adversarial patch [18] was proposed. Li [19] attacked the object detection system for the first time by adding patches to the image and achieved certain results, and the adversarial patch well met the need of transferring adversarial examples to physical world attacks. At present, combined with the actual mainstream tasks, the research on adversarial patch attacks mainly focuses on three task areas: evading face recognition systems, pedestrian detection systems, and automatic driving systems that detect stop signs. Different from the single detection category of the facial recognition system and the fixed stop sign mode in the autonomous driving system, Thys [20] believed that it is more challenging to attack within a single category of 'people' in the object detection task and proposed an adversarial-patch-generation method to successfully evade the detection of the YOLOv2 object detector. Based on this, the literature [21] presented a printable adversarial T-shirt, and the above research further verified the effectiveness of adversarial masks in the physical world. Hu et al. [22] further combined cutting techniques to generate multi-angle detection-resistant T-shirts.

Although adversarial patches have been extensively studied in wearable and multi-angle attacks, the existing adversarial patch generation methods adopt a single initialization method and do not consider the initial diversification of adversarial patches, resulting in the upper limit of adversarial patch attacks in the subsequent training process. Meanwhile, most of the existing adversarial patch attack research is carried out on the YOLOv2 object detector, but with the continuous development of detection technology, the YOLOv4 detector achieves better detection performance and is more widely used, which has a more advanced network architecture and stronger detection performance than YOLOv2. The original creator of YOLOv3 no longer updates the system after updating YOLOv3, and since then, only Alexey's improved YOLOv4 has been recognized. At present, the YOLOv4 model is widely used in some specific places because of high accuracy. Therefore, to generate an adversarial T-shirt with a stronger attack effect in the actual process, this paper selects YOLOv4 as the attack model and proposes a diversified initial method based on the existing classical adversarial-patch-generation algorithm to further improve the avoidance effect of the adversarial patch on pedestrian detectors.

In summary, the main contributions of this paper are summarized as follows:

  • Based on the upper limit of attacks caused by single-adversarial-patch initialization, this paper proposes an initial diversified-attack method, which is 8.46% higher than the classical adversarial-patch-attack-effect method on the INRIA dataset.

  • Based on the idea of diversifying the initial direction of adversarial patches, the adversarial example generation is faster than the original single-direction training, saving an average of 300 training rounds.

2. Related Work

This section introduces the related work, which is divided into two aspects: object detection model and adversarial patch technology. Firstly, the research background of the YOLO series is provided, and the basic framework and the improved structure of the test model YOLOv4 model used in this paper are presented. Secondly, the relevant research fields and research status of adversarial patch are presented, and the limitations of the single initial diversification of existing adversarial patch methods are described.

2.1. Object Detector

YOLO is a single-stage detection model that redefines the detection task as a single regression problem, thus enabling end-to-end detection directly from image pixels to bounding box coordinates and class probabilities. Therefore, unlike two-stage detection models, the YOLO detection model has a faster detection speed. YOLOv1 [23], proposed by Joseph in 2016, divides the image into $S \times S$ grids to detect the object in the center of the real box. YOLOv2 [24] was optimized on YOLOv1 in 2017, the backbone network was slightly adjusted, the fully convolutional network architecture was adopted, and multi-scale training was introduced to improve the generalization ability and detection effect of the network. However, YOLOv2 does not achieve good detection performance for small targets, and the swarm detection effect is not satisfactory. Then, YOLOv3 [4] was further optimized. It uses Darknet53 as the network backbone, adopts cross-scale feature fusion, and selects the anchor size obtained by clustering on the MS COCO dataset. These optimizations improve the detection performance of YOLOv3 for small targets, but its recall is low, and the population detection performance is poor. Later, Alexey proposed an improved version of YOLOv4 [3], and the main improvement is that the network structure adopts CSPDarknet53 as the backbone network, which solves the problem of large computation in inference from the perspective of structural design, enhances the learning ability of CNN, maintains light weight and reduces memory costs, and uses SPP layers to ensure uniform dimensions for output. The PAN path aggregation network is adopted to enhance from the bottom up, making it easier for low-level spatial information to propagate to the top. Moreover, Mosaic data augmentation, Mish activation function, etc., are exploited to enhance model robustness.
Subsequently, different researchers proposed other YOLO detection models based on this literature [5,25,26], and they paid more attention to the detection of lightweight and industrial-specific tasks. YOLOv7 is a representative lightweight detection model with excellent performance, and it will be widely studied.

In this paper, YOLOv4 is chosen as the test attack model because it has been widely studied and has good performance; its structure is shown in Figure 1. When the YOLO series model detects objects from an image, it first divides the image into grids of different sizes, each grid being responsible for a different area. The YOLOv4 object detection model divides the image into three grids of different sizes to detect targets of different sizes, and each grid is based on the preset priori box size, thereby generating three prior boxes of different sizes as shown in Figure 2. For each prior box, the model directly outputs the corresponding probability, position adjustment parameters, and class probability of the object, such as the adjustment parameters of the prior box $x, y, w, h$, the confidence score $conf$, and the probability of the target category in the prior box $(P_{cls_1}, P_{cls_2}, P_{cls_3}, \ldots, P_{cls_n})$. Each grid point contains a total of 5 + n_classes-bit parameters, including 4-bit adjustment parameters, 1 position reliability parameter, and the number of data categories n_classes. Finally, the detection bounding boxes with the highest confidence are selected as the result output by non-maximum suppression, and the final output detection bounding boxes in red color in Figure 1 are obtained.

2.2. Physical-World Object-Detection Adversarial Attack

In 2017, Brown first proposed the concept of adversarial patches and focused the attack on a patch independent of the image, thus successfully misleading CNN classifiers [18]. Subsequently, researchers applied this idea to the object-detection adversarial-attack task and carried out further research following its principles and characteristics.

Pedestrian detection is widely used in computer applications, such as vehicle-assisted driving, motion analysis, etc. Ref. [20] is the first to propose an adversarial patch that generates an intra-class variation attack, enabling pedestrians to evade the YOLOv2 detector. Based on this, Ref. [21] proposed a TPS non-rigid transformation and checkerboard mapping method to successfully print the generated adversarial patch on the T-shirt. In this way, when people walk around in clothes, the twisted T-shirt can still evade the object detection model. Ref. [27] added a frequency attention module to improve the attack effect of small- and medium-sized patches, and the baseline method of the literature was adopted in the attack algorithm. Later, researchers began to focus on generating more natural adversarial patches after implementing pedestrian-detection attacks in the physical world, and Ref. [28] proposed a universal physical camouflage attack for the wild. Ref. [29] designed physical adversarial patches for object detectors by utilizing image manifolds learned on real-world images by pre-trained generative adversarial networks, and natural-looking adversarial patches were generated by sampling optimal images from GANs. Ref. [30] also designed a legal adversarial patch that looks more realistic to the naked eye, using animated images as a starting point for patches, and this work proposed a new framework for a two-stage training strategy to combat patches. Ref. [22] put forward the concept of adversarial texture, and based on the adversarial T-shirt, a scalable generative attack (TC-EGA) method with torus clipping was proposed to make AdvTexture have a repetitive structure. TC-EGA can evade human detectors from different viewing angles, and it still uses the baseline confidence attack algorithm as the basic attack algorithm.

Compared with the fixed-shape attack of autonomous driving stop signs and the frontal attack in face recognition, the pedestrian detection task is more difficult due to the variety of pedestrian postures and complex scenes. In recent years, with the deepening of research, the naturalness and legitimacy of adversarial patches in the physical world have been studied more deeply, bringing a series of innovations, such as multi-dimensional angle confrontation tops, and T-shirts with adversarial animated images. Although the current adversarial attacks are better in terms of the consideration and development of physical factors, they all adopt a single initialization method based on Ref. [20], and use random noise or grayscale images as the starting point for adversarial patch training, without considering initial diversification. It can be seen from Ref. [31] that the diversity of input space does not lead to the diversity of output space, and this paper believes that a single initialization method limits the understanding space during the adversarial patch generation process. Therefore, this paper proposes an initially diverse general adversarial patch attack method, which aims to further improve the object-detection-attack performance of the baseline method.

3. Improved Universal Adversarial-Patch-Diversity Initialization Attack Algorithm

In this section, a diverse and diversified adversarial patch generation method is proposed for the problem of the singleness of the initialization direction in the traditional adversarial-patch-generation process, which draws on the principle of output diversified sampling (ODS) [31] to provide a more effective and diverse starting point for attacks. This paper combines output diversification initialization (ODI), following the principle of object detection to generate stronger adversarial patches to attack the object detector.

The following describes the generation principle of the object detection adversarial patch: initialize the adversarial patch block, paste it at the target location, set the corresponding attack loss function, and optimize the adversarial patch to make it aggressive by the method based on gradient backpropagation, thereby generating an adversarial patch that can evade the object detection model. Different from the existing adversarial patch initialization method, this paper uses a diversified initial method instead of the existing random initialization adversarial patch block.

The process is shown in Figure 3, and the details are shown below:

  • Initialize the adversarial patch. First, an n × n × 3 diversified patch is generated by using the ODI algorithm, where n is the image size and 3 is the image channel.

  • Patch transformation. Perform a variety of random transformations, including rotation, cropping, adding noise, and shading changes on the generated adversarial patch to improve the robustness of adversarial patch training.

  • Paste the patch. Determine the target position in the image according to the dataset label, and then place the converted adversarial patch in the center position of the person in the graph for subsequent training.

  • Set the loss function. According to different attack tasks, set different loss functions, including target category loss, target positioning loss, and target confidence level.

  • Enter the detection model. Construct an object detection model, and input the generated image data with adversarial patches into the detection model for detection and localization classification.

  • Gradient backpropagation. Using the Adam optimizer, perform iterative training to update the data of the adversarial patch in the image through the backpropagation algorithm until the training reaches the epoch round or loss convergence, and the adversarial patch image is obtained.

3.1. Analysis of the Principle of Attack Algorithm

The adversarial patch differs from the global perturbation attack category in the original paper, and the object detector has a more complex task and network model. However, in the process of generating adversarial patches, this paper argues that the adversarial patches have the same characteristics, i.e., the diversity of random initialization cannot be mapped to the diversity of the output space. To this end, this paper adopts the output diversity method of multiple restarts for adversarial patch generation. Specifically, the initialization diversity algorithm after the model output is designed as follows:

$$\upsilon_{ODI} = \frac{\nabla_x \left( w_d^T f(x) \right)}{\left\| \nabla_x \left( w_d^T f(x) \right) \right\|_2}$$

where $w_d \in [-1, 1]$ is the initial diversification direction, sampling from the uniform distribution over $[-1, 1]$, and $f(x)$ is the classifier model output. Due to the complex diversity of object detection tasks, the randomly generated $w_d$ from the uniform distribution of $[-1, 1]$ in the original paper cannot meet the requirements of the initial diversified functions of the object detection task. According to the specific attack task and optimization target, this paper reselects an appropriate $w_d$. The specific reasons why the uniform distribution of $[-1, 1]$ cannot satisfy the task and how to obtain it are introduced in Section 3.2. The improved attack algorithm diversity–universal adversarial patch (D-UAP) used in this paper is shown in the following.

Algorithm 1 uses a stochastic method to generate the initial adversarial patch and applies it to the dataset after random transformation. Then, the formal training process begins, which iterates by using the diversified initialization method, adds the corresponding generated diversified direction at the model output, and takes the updated adversarial patch as a new starting point; after the initialization is completed, the target model is attacked by the original attack method, and finally, the attack patch after training is obtained. Due to the randomness of the $w_d$ direction selection, a single random draw may not necessarily find an effective initialization direction. As shown in Figure 4, taking the spheroids as an example, different selection cases of the initial diversification direction and the solution space they fall into are observed, and the new direction can lead to the sub-optimal solution of the model. Therefore, this paper combines the multiple restart mechanism to make multiple selections of random directions to find a better initialization direction.

Algorithm 1 D-UAP Algorithm

Input: the original image $x_{org}$, the object detector $D$, the patch transformation function $Transform$, the patch application function $Applier$, the optimizer $Adam$, the D-UAP number of restarts $restart$, the diverse step size $N_{odi}$, the attack number of iterations $s$, the learning rate $lr$, the diversity direction parameter $w_d$.

Output: adversarial patch $patch_{adv}$

Set $w_d \sim U(a, b)$, $patch_0 = random()$
for $r$ in $restart$ do
    optimizer = $Adam(patch_0, lr)$
    for $i$ in $N_{odi}$ do
        $patch_i = Transform(patch_i)$
        $x_i = Applier(x_{org}, patch_i)$
        $v_{ODI} = v_{ODI}(x_i, D, w_d)$
        Update $patch_{i+1}$ using optimizer, $v_{ODI}$
    end for
    for $j$ in $s$ do
        $patch_j = Transform(patch_j)$
        $x_j = Applier(x_{org}, patch_j)$
        Update $patch_{j+1}$ using optimizer
        $patch_{adv} = clip(patch_{j+1})$
    end for
end for
return $patch_{adv}$
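The ODI direction used in the inner loop of Algorithm 1, worked through on a toy model as an added example (not code from the paper). The tanh model, `W_TOY` and `X_TOY` are constructed stand-ins for the detector, and each restart draws a fresh $w_d$ from $U(-1, 1)$ as in the original ODS formulation.

```python
import math
import random


def model(W, x):
    """Toy stand-in for f(x): one tanh unit per output (not a detector)."""
    return [math.tanh(sum(w * xi for w, xi in zip(row, x))) for row in W]


def objective(W, x, w_d):
    """w_d^T f(x), the scalar whose input gradient defines the direction."""
    return sum(wc * fc for wc, fc in zip(w_d, model(W, x)))


def odi_direction(W, x, w_d, eps=1e-12):
    """grad_x(w_d^T f(x)) divided by its L2 norm, or None when the gradient
    vanishes, i.e. this w_d offers no usable starting direction."""
    out = model(W, x)
    # Chain rule for tanh: d tanh(z) / dz = 1 - tanh(z)^2
    grad = [sum(w_d[c] * (1.0 - out[c] ** 2) * W[c][k] for c in range(len(W)))
            for k in range(len(x))]
    norm = math.sqrt(sum(g * g for g in grad))
    if norm < eps:
        return None
    return [g / norm for g in grad]


def numeric_direction(W, x, w_d, h=1e-6):
    """Central finite differences, used only to cross-check the analytic form."""
    grad = []
    for k in range(len(x)):
        hi = list(x)
        lo = list(x)
        hi[k] += h
        lo[k] -= h
        grad.append((objective(W, hi, w_d) - objective(W, lo, w_d)) / (2 * h))
    norm = math.sqrt(sum(g * g for g in grad))
    return [g / norm for g in grad]


def restart_directions(W, x, restarts, seed):
    """One fresh w_d per restart; returns the (w_d, direction) pairs."""
    rng = random.Random(seed)
    pairs = []
    for _ in range(restarts):
        w_d = [rng.uniform(-1.0, 1.0) for _ in W]
        v = odi_direction(W, x, w_d)
        if v is not None:
            pairs.append((w_d, v))
    return pairs


# Constructed toy weights (3 outputs, 3 inputs) and input point.
W_TOY = [[0.4, -0.2, 0.1], [-0.3, 0.5, 0.2], [0.1, 0.1, -0.6]]
X_TOY = [0.5, 0.25, 0.75]

if __name__ == "__main__":
    for w_d, v in restart_directions(W_TOY, X_TOY, restarts=3, seed=1):
        stepped = [xi + 1e-3 * vi for xi, vi in zip(X_TOY, v)]
        gain = objective(W_TOY, stepped, w_d) - objective(W_TOY, X_TOY, w_d)
        print([round(c, 3) for c in v], "gain in w_d^T f(x):", gain)
```

Different draws of $w_d$ give different unit-length directions from the same starting input, which is the diversity that a single random initialization of the input does not provide.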

To determine the optimal initial number of diversified steps, this paper carries out the ODI step size selection experiment. Let $N_{odi}$ denote the diverse step size; according to reference [31], this paper sets $N_{odi} \in \{2, 4, 6, 8, 16\}$. Meanwhile, the total training round is set to 50, the number of restarts is set to 100, the diversity of loss space changes is observed by statistical means, and finally, the $N_{odi}$ with the largest change in the loss space is selected as the diversified initial step size used in this paper.

Taking the OBJ attack as an example, this paper conducts experiments to explore the influence of $N_{odi}$ step selection on the diversity of the loss space, thus obtaining the optimal step selection.

As shown in Figure 5, $loss\_odi_i$ is the loss space chart at the time when the step count is $i$, and it can be observed from the first row that with the increase in the initial number of diversified steps, the loss space diversity gradually increases, i.e., its distribution range is increasingly extensive. The second row, $Loss\_epoch_{50}$ in Figure 5, corresponds to the loss space change statistical chart after 50 rounds at the $i$ moment. It can be observed that increasing the number of initial diversification steps does not continue to increase the diversification of the loss space. As shown in Figure 5, when the initial number of steps $N_{odi}$ is 4, the statistical loss value distribution range is the largest, and the loss space diversification reaches the maximum. Therefore, this paper chooses the $N_{odi}$ of four as the initial diversification step.

Then, a parameter sensitivity analysis experiment is conducted to verify the influence of different parameters on the attack effect, and the results are shown in Table 1.

Through experiments, it is proved that D-UAP is sensitive to the $N_{odi}$ parameter, the maximum difference between the values of different parameters can be 2%, and the difference between the maximum and minimum values of the unified parameters is about 10%. This is because different initialization directions have different superposition effects on attacks, and when choosing a good initialization direction, the attack effect of the optimized target can be greatly improved. According to the above result, when $N_{odi}$ is set to 4, it has the best effect; under the comprehensive consideration of the calculation time, $N_{odi}$ is set to 4, which not only contributes to better results, but also helps to find a diversified starting point.

3.2. $w_d$ Parameter Selection

Due to the particularity of the object detection task, the use of the above output diversified sampling method will simplify the attack, which is caused by the difference between the principle of the object detection model and its image classification model. The object detection model uses a preset prior box anchor for object detection. The prior box refers to the preset box of different sizes and different aspect ratios on the image, and the boxes of different sizes are set to obtain a larger intersection ratio so that there is a higher probability of better matching detection frames. In this paper, k-means clustering is used to obtain the size of the prior box, in which there are a total of nine anchors of different sizes and aspect ratios. The output of each layer of the object detection model has four dimensions $(batch\_size, anchor\_num \times (5 + n_{classes}), h, w)$, and the a priori box corresponds to $5 + n_{classes}$ parameters. The first five bits are target position parameters, where bits 0–4 correspond to the four adjustment parameters of the target location coordinates $t_x, t_y, t_w, t_h$, and the 5th bit is the confidence conf of the corresponding target of the detection box; bits 5–85 represent the probability that the target belongs to each category. Additionally, $h$ and $w$ correspond to the width and height of the mesh, and the corresponding sizes of the object detection model used in this paper are 13 × 13, 26 × 26, and 52 × 52, respectively.

Suppose that there is an image with a single-digit target number, and the number of detection boxes output by the model is 10,647 as shown in Figure 2. That is, $anchor\_num \times \sum_{i=0}^{3} h_i \times w_i = 3 \times (13 \times 13 + 26 \times 26 + 52 \times 52)$. However, according to the concept of positive and negative samples of YOLOv4, only the prior box greater than the IOU threshold is used as positive samples and the rest as negative samples. This shows the distribution of positive and negative samples and their unevenness in object detection. It is known that when an output is considered a negative sample, its output $conf$ confidence position is negative, i.e., under the normal model output, only a small number of $conf$ is positive. In this experiment, an image is tested to obtain negative samples of tens of thousands of digits and positive samples within two digits. In this case, if $w_d$ still uses the value obtained from the uniform distribution of $U(-1, 1)^C$, only a small number of output $conf$ will be negative, and a large number of output $conf$ will be positive. Combined with the object detection principle and the target location attack algorithm $det_{loss} = mean(max_{pro})$, where $max_{pro}$ is the maximum confidence of the category “person”, the maximum confidence of $max_{pro}$ is always 1, and in the same way, $det_{loss}$ is always the same, i.e., the gradient update is always unchanged. Therefore, if $w_d$ is not set correctly in this paper, the original $w_d$ can be still used, and its function of initializing diversity is lost.

In this paper, the value of $w_d$ is reselected according to the positive and negative sample ratio of the model, and the problem is corrected by redistributing the positive and negative values in the $w_d$. If the total number of samples output by the dataset is $n_{samples}$, and the model detects that the number of positive samples is $n_{positive}$, the proportion of positive samples is $rate = \frac{n_{positive}}{n_{samples}}$. The value of $w_d$ is selected from the uniform distribution of $U(-rate, +1)$ as shown below.

According to the above Algorithm 2, the $Rate_{output}$ is calculated to be 0.004. Thus, when the attack category is an object, the corresponding position of $w_d$ in this document is obtained from the uniform distribution of $U(-0.004, +1)$. When the attack category is $cls$, it is a category attack, which has the same principle as image classification. In this case, the corresponding position is obtained from the uniform distribution of $U(-1, +1)$. When the attack category is object∗class, $w_d$ is obtained from the uniform distribution of $U(-0.004, +1)$ at the $conf$ position, and from the uniform distribution of $U(-1, +1)$ at the class position.

Algorithm 2 Adversarial attack method based on output diversification initialization

Input: model $Model$, dataset $Dataset$, number of prior bounding boxes per grid $anchor\_num$, target confidence $conf$

Output: positive samples rate $Rate_{output}$

Set $rate_v = []$
for $image$ in $Dataset$ do
    $output = Model(image)$
    for $index$ in range($len(output)$) do
        for $j$ in $s^2$ do
            Get the target confidence $conf$ from the corresponding location in the model output
            $n_{positive} = (conf > 0)$ ▹ Get the total number of elements in the $conf$ array > 0
            Get $n_{all}$ of the elements in the $conf$ array
            $rate = n_{positive} / n_{all}$
            $rate_v.append(rate)$
        end for
        $Rate_{output} = rate_v / len(rate_v)$
    end for
end for
return $Rate_{output}$
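Algorithm 2 and the $w_d$ selection rule of this section, as an added Python example (not the paper's code). The head outputs are constructed, conf is taken as the fifth value (index 4) of each prior box, the lower bound of the conf interval is read as −rate, and both the averaging over heads and leaving unattacked slots at 0 are assumptions of this example.

```python
import random

ANCHOR_NUM = 3            # prior boxes per grid cell
N_CLASSES = 80            # 5 + 80 = 85 values per prior box
GRIDS = (13, 26, 52)      # the three grid sizes named on the page
FIELDS = 5 + N_CLASSES
CONF = 4                  # conf follows tx, ty, tw, th (0-based index, assumed)


def flat_index(anchor, field, row, col, size):
    """Offset into one head stored as (anchor_num * (5 + n_classes), h, w)."""
    return ((anchor * FIELDS + field) * size + row) * size + col


def build_sample_heads(seed=7):
    """Constructed raw outputs for one image: every conf is negative except
    the few (anchor, row, col) boxes listed below, which stand for a person."""
    rng = random.Random(seed)
    positives = {13: [(0, 6, 6), (1, 6, 6)],
                 26: [(0, 12, 13), (1, 12, 13), (2, 13, 13)],
                 52: [(0, 25, 26), (1, 25, 26), (2, 26, 26), (0, 26, 27)]}
    heads = []
    for size in GRIDS:
        head = [0.0] * (ANCHOR_NUM * FIELDS * size * size)
        for a in range(ANCHOR_NUM):
            for r in range(size):
                for c in range(size):
                    head[flat_index(a, CONF, r, c, size)] = -rng.uniform(1.0, 8.0)
        for a, r, c in positives[size]:
            head[flat_index(a, CONF, r, c, size)] = rng.uniform(1.0, 8.0)
        heads.append((size, head))
    return heads


def conf_values(head, size):
    """All conf entries of one head, one per prior box."""
    return [head[flat_index(a, CONF, r, c, size)]
            for a in range(ANCHOR_NUM) for r in range(size) for c in range(size)]


def total_boxes(heads):
    return sum(len(conf_values(head, size)) for size, head in heads)


def positive_rate(heads):
    """Share of conf > 0 per head, averaged over the heads of one image."""
    rates = []
    for size, head in heads:
        conf = conf_values(head, size)
        rates.append(sum(1 for v in conf if v > 0) / len(conf))
    return sum(rates) / len(rates)


def sample_w_d(size, rate, target="obj", seed=0):
    """w_d for one head: conf slots from U(-rate, +1), class slots from
    U(-1, +1); slots the chosen target does not attack stay 0."""
    rng = random.Random(seed)
    w_d = [0.0] * (ANCHOR_NUM * FIELDS * size * size)
    for a in range(ANCHOR_NUM):
        for r in range(size):
            for c in range(size):
                if target in ("obj", "obj*cls"):
                    w_d[flat_index(a, CONF, r, c, size)] = rng.uniform(-rate, 1.0)
                if target in ("cls", "obj*cls"):
                    for k in range(5, FIELDS):
                        w_d[flat_index(a, k, r, c, size)] = rng.uniform(-1.0, 1.0)
    return w_d


def negative_share(values):
    return sum(1 for v in values if v < 0) / len(values)


if __name__ == "__main__":
    heads = build_sample_heads()
    rate = positive_rate(heads)
    print("prior boxes:", total_boxes(heads), "positive rate:", round(rate, 5))
    conf_w = conf_values(sample_w_d(13, rate, "obj"), 13)
    print("negative share of w_d at conf slots:", negative_share(conf_w))
```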

3.3. The Loss Function Part of the D-UAP Method

To improve the physical utility of the adversarial patch, in the study on adversarial glasses [32], the authors proposed NPS (non-printability score) and total variation. Our work follows in the footsteps of Thys [20] in 2019 and continues to use these two utility loss functions.

Given that the computer RGB color space is $P$, the colors that printers and other devices can copy and print are only a subset of the computer color collection. Therefore, to print more robust adversarial patches, we need the adversarial patch to use, as far as possible, colors that printers can print. Previous studies defined the non-printability score $NPS$ and set 30 RGB color combinations that can be printed as the optimization direction [32]. If the set of colors that can be printed is $C \subset P$, then the $NPS$ score for the unprintability of a pixel $\hat{p}$ is

$$NPS(\hat{p}) = \min_{c_{print} \in C} \left| \hat{p} - c_{print} \right|$$

where $c_{print}$ denotes a set of 30 printable colors in $C$, and $\hat{p}$ denotes the RGB colors of our adversarial patch. $\hat{p} \in P$, and when $\hat{p}$ is closer to $c_{print} \in C$, the NPS score is smaller; in this case, the adversarial patch is most likely to be printable. Therefore, non-printability is taken as one of our optimization goals, and the non-printability loss function is as follows:

where Patch is an adversarial patch, and $\hat{p}$ is a pixel in the adversarial patch.

To improve printability, studies have shown that natural images are smooth and consistent during capture, i.e., changes between pixels are smooth, and non-smooth adversarial patches may fail to attack in practice. Therefore, to find the perturbation of smooth consistency, the total amount of change in the image is set to $L_{tv}$, and the smoothing loss function is set to ensure a smooth color transition [33]. $L_{tv}$ is expressed as follows:

$$L_{tv} = \sum_{i,j} \sqrt{\left( r_{i,j} - r_{i+1,j} \right)^2 + \left( r_{i,j} - r_{i,j+1} \right)^2}$$

where $r_{i,j}$ is the pixel at the coordinates $(i, j)$ in the adversarial patch. When the values of neighboring pixels are similar, $L_{tv}$ is smaller, and the adversarial image is smooth. Therefore, to better implement attacks in the physical world, this paper also takes the smoothness loss function as one of the optimization goals.

The attack target is shown in Figure 3. Let the object detection loss function be $L_{det}$. When the target is the object detection bounding box, $L_{det} = L_{obj}$; when the target of the attack is the target category, $L_{det} = L_{cls}$; when the attack task is a combination of both, $L_{det} = L_{obj} \times L_{cls}$. The optimization goal in this paper is represented as follows:

$$L = \alpha L_{nps} + \beta L_{tv} + \gamma L_{det}$$

where α, β and γ are the weight coefficients.
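The two printability terms and the weighted sum above, evaluated on small constructed patches as an added example (not the paper's code). The six-colour `PRINTABLE` palette stands in for the 30 printable colours the page does not list, the distance is taken as Euclidean, the patch-level NPS loss is assumed to be the sum of per-pixel scores, and the weights and $L_{det}$ value passed to `total_loss` are placeholders.

```python
import math

# Constructed stand-in palette (RGB in [0, 1]); not the 30 colours of [32].
PRINTABLE = [(0.0, 0.0, 0.0), (1.0, 1.0, 1.0), (0.8, 0.1, 0.1),
             (0.1, 0.6, 0.2), (0.1, 0.2, 0.7), (0.9, 0.8, 0.1)]


def nps_pixel(p_hat, palette=PRINTABLE):
    """Distance from one pixel to its nearest printable colour."""
    return min(math.sqrt(sum((a - b) ** 2 for a, b in zip(p_hat, c)))
               for c in palette)


def nps_loss(patch, palette=PRINTABLE):
    """Patch-level term, taken here as the sum of per-pixel NPS (assumption)."""
    return sum(nps_pixel(p, palette) for row in patch for p in row)


def tv_loss(patch):
    """Total variation, evaluated per colour channel. The last row and column
    lack a neighbour on one side and are skipped."""
    total = 0.0
    for i in range(len(patch) - 1):
        for j in range(len(patch[0]) - 1):
            for ch in range(3):
                down = patch[i][j][ch] - patch[i + 1][j][ch]
                right = patch[i][j][ch] - patch[i][j + 1][ch]
                total += math.sqrt(down * down + right * right)
    return total


def total_loss(patch, l_det, alpha, beta, gamma):
    """L = alpha * L_nps + beta * L_tv + gamma * L_det, with L_det supplied."""
    return alpha * nps_loss(patch) + beta * tv_loss(patch) + gamma * l_det


def flat(colour, n=4):
    """n x n patch of a single colour."""
    return [[colour for _ in range(n)] for _ in range(n)]


def checkerboard(n=4):
    """Alternating black and white pixels: printable colours, maximally rough."""
    return [[PRINTABLE[(i + j) % 2] for j in range(n)] for i in range(n)]


def ramp(n=4):
    """Left-to-right grey gradient: smooth, but mostly off-palette colours."""
    return [[(j / (n - 1),) * 3 for j in range(n)] for _ in range(n)]


if __name__ == "__main__":
    for name, patch in (("flat grey", flat((0.5, 0.5, 0.5))),
                        ("checkerboard", checkerboard()),
                        ("ramp", ramp())):
        print(name, "L_nps =", round(nps_loss(patch), 3),
              "L_tv =", round(tv_loss(patch), 3))
```

The checkerboard scores zero on non-printability but highest on total variation, while the grey ramp is the reverse, so the two terms constrain a patch in different ways.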

4. Design of Experiments

This section provides the detailed configuration of the experiment in this paper. Firstly, the experimental environment is introduced, mainly including software and hardware settings, as well as the dataset used and the configuration parameters of the attack model. Secondly, the details of the experiment are given, and the parameter selection in the specific experimental process is described.

4.1. Experiment Configuration

The experiments are conducted on a server equipped with an Intel(R) Xeon(R) Gold 5218R CPU @ 2.10 GHz, 125.5 GB main memory, and an NVIDIA GeForce RTX 3090Ti GPU with 24 GB video memory. The algorithm is implemented with the PyTorch deep learning framework.

The dataset used in this study is the INRIA pedestrian dataset, which contains 614 positive samples in the training set and 1273 pedestrians; the test set contains 288 images and 589 pedestrians. The dataset shows that most of the people are in a standing position and are taller than 100 pixels. This helps to place adversarial patches during training, so the dataset is more suitable for this study than PASCAL VOC and MS COCO.

The YOLOv4 object detection model is taken as the attack object model. Referring to the literature [19], the non-maximum suppression threshold is set to 0.4, and the IOU threshold is set to 0.5. To obtain more samples for training, this paper sets the confidence threshold to 0.25, and better samples are selected to participate in the training process.

4.2. Implementation Details

In this experiment, the diversified initial step size introduced in Section 3.1 is investigated, and according to the analysis of the loss function in Section 3.3, three sets of experiments are set up, corresponding to category attacks, confidence attacks, and category plus confidence attacks. In this paper, the number of restarts for each group is set to 10 times. Since $w_d$ is randomly generated during each restart, 10 different adversarial patches are obtained. In this experiment, the adversarial patch generation method [20] in the original paper is taken for comparison, and the training epoch of both groups of experiments is set to 600 rounds.

To verify that the initial diversification attack can generate countermeasures faster and the generated countermeasures have stronger attack effects, the ODI step size in Section 3.1 is selected as the parameter of this experiment. The number of restarts of each group of training is set to 10, 10 different initialization directions w d are randomly generated, and the experimental result is compared with that of the original adversarial patch generation method [20]. According to the analysis of the loss function in Section 3.3, the comparative experiment is divided into three groups—category attacks, confidence attacks, and category plus confidence attacks—in which the training epoch is uniformly set to 600 rounds.

5. Experimental Results

In this paper, recall is adopted as the evaluation index. In the following table, YUAN represents the original adversarial patch attack method [20], and ODI ATTACK represents the adversarial patch attack method with diversified initial directions proposed in this paper. The detection recall of the original model is taken as the baseline, and according to the attack target, three sets of comparative experiments are carried out.

As shown in Table 2, the adversarial patch generation method proposed in this paper achieves better attack effects than the original method for the three attack targets, among which the OBJ attack is the best, and the recall is reduced by 8.46%, compared with the original adversarial patch attack.

Figure 6 shows the attack effect of the proposed method. The columns correspond to the clean image, the detection result on the clean image, and the detection result on the image with the adversarial patch generated by the method in this paper superimposed; the rows range from an image of one person to images of a large number of people. According to the detection results, when the adversarial patch is not applied to the image, the YOLOv4 detector detects the people in the image well. However, when the adversarial patch is superimposed on the person, the detection performance of the detector is greatly reduced, and only a few people can be detected, which proves the effectiveness of the attack method proposed in this paper.

5.1. Comparative Analysis of Training Epoch

This section analyzes the training time overhead of the proposed adversarial patch generation method and the original adversarial patch generation method. In the figures, TV loss is the smoothness loss function, NPS loss is the non-printability loss function, DET loss refers to the OBJ loss function in Section 3.3, and recall is the recall rate. All of these values are normalized.

Figure 7 shows the loss graph of the classic adversarial patch generation method [20] during the training process. It can be seen that the training loss converges at about 700 rounds, indicating that the original attack method needs more rounds to achieve convergence to complete the training process.

Figure 8 shows the loss training graph of the OBJ attack in this paper. It can be seen that in the 10 groups from 0 to 9, except for the second group, which converges slowly, the rest of the groups converge in 300 to 400 training rounds. Using the attack method proposed in this paper, adversarial patches can converge in a short time, which greatly reduces the complexity of the algorithm and the time overhead of generating adversarial patches.

5.2. Physical World Attack Display

To verify the attack effectiveness of the adversarial patch generated in this paper in a real scenario, the generated adversarial patch is printed and tested against the YOLOv4 detection model; two sets of targets are selected for testing, and the test results are illustrated in Figure 9.

The two images in the figure correspond to normal object detection and object detection with the adversarial patch, respectively. It can be seen that the chair is correctly identified in both images, and only the person carrying the adversarial patch evades the detector. Thus, the two sets of examples verify the effectiveness of the proposed adversarial patch attack method in the real world.

Figure 10 shows the comparison of the person carrying and not carrying the adversarial patch. It can be seen that when there is no adversarial patch, the target person standing normally and carrying a book can be correctly identified; after carrying the adversarial patch, the detector fails to detect the presence of the target person.

5.3. Complementary Experiments

The above analysis proves that the adversarial patch can evade the detector. To further illustrate the effectiveness of the adversarial example, this paper selects multiple sets of patch pictures and pastes them onto the target person in the same way for detection. This demonstrates that the evasion effect of the adversarial patch on the detector is not caused by the occlusion of the patch block but by the specifically generated perturbation on the adversarial patch. As shown in Figure 11, random noise, a cartoon image, a flower image, and two adversarial patches generated by the YOLOv2 model are taken as test patches.

Taking the above images as a control experiment, this paper applies each of these patches to the same set of example images, inputs the patched images into the model, and then investigates the detection effect of the detector on them. The following figure shows the detection effect of YOLOv4 on images with different patches.

It can be seen from Figure 12 that random noise patches and cartoon images cannot match the attack strength of the adversarial example generated in this section against the detection model, which proves the particularity of the adversarial example. Although for individual images, such as the one in the third row and third column, occlusion by the flower patch can make the model fail to correctly identify the target, this situation is rarer than with the object detection adversarial example. Unlike other specific pictures, the adversarial example can decrease the performance of the detection model.

In this section, a random patch comparison experiment is added. Recall is still selected as the evaluation index, taking the OBJ attack as an example, and the test results are as follows:

As can be seen in Table 3, the model's detection performance on the dataset is somewhat degraded after adding noise and other pictures from the web, but the overall detection rate is good, and most of the targets can be identified. In addition, the recall values on YOLOv4 of the two adversarial patches trained on the YOLOv2 model show that the object detection adversarial examples have a certain degree of transferability across detection models, and the carefully trained adversarial examples still have a greater impact on the detection model than the random patches.

6. Conclusions

This paper proposes an initial diversified generation method for generating adversarial patches, which reconsiders the impact of the adversarial initialization direction on its training results based on the traditional adversarial patch generation mechanism. Aiming at pedestrian detection attacks, the statistics-based initial diversified step count $N_{odi}$ is combined with restart training, and the random direction $w_d$ is combined with simultaneous training of the adversarial patch from multiple different starting points.

In this way, the adversarial patch jumps out of the limited solution space and obtains a better solution. Finally, the effectiveness of the proposed method is proved by experimentally showing that the adversarial patch trained from a new starting point has a larger logits space and a stronger attack effect than that trained from the same starting point. By using the diverse adversarial patch training methods proposed in this paper, combined with existing physical clothing simulation technology, it is possible to obtain better adversarial T-shirts than the existing methods, so pedestrians can better avoid pedestrian detectors.

