檢測對抗樣本

How can just wearing a specific type of t-shirt make you invisible to the person detection and human surveillance systems? Well, researchers have found and exploited the Achilles’ heel of deep neural networks — the framework behind some of the best object detectors out there (YOLOv2, Faster R-CNN, HRNetv2, to name a few).

僅穿著特定類型的T恤如何使人檢測和人類監(jiān)視系統(tǒng)看不見？ 好吧，研究人員已經(jīng)發(fā)現(xiàn)并利用了深度神經(jīng)網(wǎng)絡(luò)的致命弱點(diǎn)-深陷其中的一些最佳對象檢測器(YOLOv2，Faster R-CNN，HRNetv2等)。

較早的方法： (Earlier approach:)

In [1], the authors manage to get a benchmark accuracy of deception of 57% in real-world use cases. However, this is not the first time attempts have been made to deceive an object detector. In [2] the authors designed a way for their model to learn and generate patches that could deceive the detector. This patch, when worn on a cardboard piece (or any flat surface) could evade the person detector albeit with an accuracy of 18%

在[1]中，作者設(shè)法在實(shí)際使用案例中獲得了57％的基準(zhǔn)欺騙準(zhǔn)確性。 但是，這并不是第一次嘗試欺騙對象檢測器。 在[2]中，作者為他們的模型設(shè)計(jì)了一種方法來學(xué)習(xí)并生成可能欺騙檢測器的補(bǔ)丁。 將該貼片戴在硬紙板片(或任何平坦表面)上時(shí)，即使準(zhǔn)確度為18％，也可以避開人體檢測儀

From [2]. Left: The person without a patch is successfully detected. Right: The person holding the patch is ignored.從[2]開始。 左：成功檢測到?jīng)]有補(bǔ)丁的人。 正確：拿著補(bǔ)丁的人將被忽略。

“Confusing” or “fooling” the neural network like this is called making a physical adversarial attack or a real-world adversarial attack. These attacks, initially based on intricately altered pixel values, confuse the network (based on its training data) into labeling the object as “unknown” or simply ignoring it.

像這樣“混淆”或“欺騙”神經(jīng)網(wǎng)絡(luò)稱為進(jìn)行物理對抗攻擊或真實(shí)世界對抗攻擊。 這些攻擊最初基于復(fù)雜變化的像素值，使網(wǎng)絡(luò)(基于其訓(xùn)練數(shù)據(jù))使該對象標(biāo)記為“未知”，或者只是忽略了它。

Authors in [2] transform images in their training data, apply an initial patch, and feed the resulting image into the detector. The object loss obtained is used to change the pixel values in the patch and aimed at minimising the objectness score.

[2]中的作者將其訓(xùn)練數(shù)據(jù)中的圖像進(jìn)行轉(zhuǎn)換，應(yīng)用初始補(bǔ)丁，然后將生成的圖像輸入檢測器。 獲得的對象損失是用來改變在補(bǔ)丁中的像素值和旨在最小化對象性得分。

From [2]. Generating patches and getting the object loss.從[2]開始。 生成補(bǔ)丁并丟失對象。

However, other than the low accuracy of 18%, this approach is limited to rigid carriers like a cardboard and doesn’t perform well when the captured frame has a distorted or skewed patch. Moreover, it certainly doesn’t work well when printed on t-shirts.

但是，除了18％的低精度外，此方法僅限于硬紙板之類的剛性載體，并且當(dāng)捕獲的框架變形或傾斜時(shí)，效果不佳。 而且，當(dāng)印在T恤上時(shí)，它當(dāng)然不能很好地工作。

“A person’s movement can result in significantly and constantly changing wrinkles (aka deformations) in their clothes” [1]. Thus making the task of developing a generalised adversarial patch even more difficult.

“一個(gè)人的運(yùn)動(dòng)可能會(huì)導(dǎo)致其衣服中的皺紋持續(xù)顯著變化(又稱變形)” [1]。 因此，開發(fā)通用對抗補(bǔ)丁的任務(wù)變得更加困難。

新的方法： (New Approach:)

The new approach in [1] employs Thin Plate Spline Mapping to model cloth deformations. These deformations simulate a realistic problem faced by previous attempts at using adversarial patterns. Taking care of different deformations would drastically improve the system's performance as it would be able to not-detect the pattern in more number of frames.

[1]中的新方法采用薄板樣條映射來模擬布料變形。 這些變形模擬了以前使用對抗性模式所面臨的現(xiàn)實(shí)問題。 照顧不同的變形將極大地改善系統(tǒng)的性能，因?yàn)樗鼘?strong>無法在更多幀中檢測到圖案。

Understanding Splines themselves would be enough to get a rough idea of what they are trying to do with this approach.

理解樣條線本身就足以大致了解他們要使用此方法進(jìn)行的操作。

花鍵： (Splines:)

For a more formal, mathematical definition you can check this out, and for a more simplified understanding, I think this article does it best.

對于一個(gè)比較正式的，數(shù)學(xué)定義你可以檢查這個(gè)出來，一個(gè)更簡單的理解，我覺得這個(gè)文章做它最好的。

In an intuitive sense, splines help plot arbitrary functions smoothly — especially ones that require interpolations. Splines help model this missing data: here in modeling cloth deformation, where deformations in the patch shape can be seen in successive frames, we can use an advanced form of polynomial splines called Thin Plate Spline (TPS).

從直覺上講，樣條曲線有助于平滑繪制任意函數(shù)，尤其是那些需要插值的函數(shù)。 樣條線有助于對缺失的數(shù)據(jù)進(jìn)行建模：這里是在布料變形建模中，在連續(xù)的幀中可以看到補(bǔ)丁形狀的變形，我們可以使用稱為薄板樣條線 (TPS)的多項(xiàng)式樣條線的高級形式。

Check out this article by Columbia that illustrates and explains TPS Regression well.

查看Columbia 撰寫的這篇文章 ，它很好地說明和解釋了TPS回歸。

These changes, or displacements, in the patch frames overtime are then modeled simply as a regression problem (since we only need to predict the TPS parameters for future frames).

然后，將補(bǔ)丁幀超時(shí)中的這些變化或位移簡單地建模為回歸問題(因?yàn)槲覀冎恍枰A(yù)測未來幀的TPS參數(shù))。

生成T恤圖案： (Generating the T-shirt Pattern:)

The said pattern is just an adversarial example — a patch that acts against the purpose of the object detector. The authors use the Expectation Over Transformation (EOT) algorithm which helps in generating such adversarial examples over a given transformation distribution.

所述模式僅是一個(gè)對抗性示例-違反目標(biāo)檢測器目的的補(bǔ)丁。 作者使用轉(zhuǎn)換期望(EOT)算法 ，該算法有助于在給定的轉(zhuǎn)換分布上生成此類對抗性示例。

Here, the transformation distribution is made up of the TPS transformations since we want to replicate the real-time wrinkling, minor twisting, and changes in the contours of the fabric.

在這里，變換分布由TPS變換組成，因?yàn)槲覀円獜?fù)制實(shí)時(shí)起皺，較小的扭曲以及織物輪廓的變化。

From [1]: Modeling the effects of cloth deformation.來自[1]：對布料變形的影響進(jìn)行建模。

Along with TPS transformation they also use physical color transformation and conventional physical transformation within the person’s bounding box. Thus, this gives rise to the equation that models pixel values for the perturbed image.

除了TPS轉(zhuǎn)換，他們還使用人的邊界框內(nèi)的物理顏色轉(zhuǎn)換和常規(guī)物理轉(zhuǎn)換。 因此，這引起了為被擾動(dòng)的圖像建模像素值的方程式。

The EOT formulation based on all these complex formulations can finally compute the attack loss and work towards fooling the object detector.

基于所有這些復(fù)雜公式的EOT公式最終可以計(jì)算出攻擊損失并努力欺騙對象檢測器。

The explanation of the procedure, in its most simplified form, so far is for single object detectors. The authors have also proposed a strategy for multiple object detectors that involves applying min-max optimization to the single object detector equation.

迄今為止，該過程以其最簡化的形式針對單個(gè)對象檢測器進(jìn)行了說明。 作者還提出了一種用于多目標(biāo)檢測器的策略，該策略涉及將最小-最大優(yōu)化應(yīng)用于單個(gè)目標(biāo)檢測器方程。

最后： (Finally:)

The results after training and testing on their own dataset are impressive.

經(jīng)過對自己的數(shù)據(jù)集進(jìn)行訓(xùn)練和測試后，結(jié)果令人印象深刻。

From [1]. Results after generating a custom adversarial patch on the author’s dataset從[1]開始。 在作者的數(shù)據(jù)集上生成自定義對抗補(bǔ)丁后的結(jié)果

And the use of TPS shows great improvement too:

TPS的使用也顯示出巨大的改進(jìn)：

From [1]. Results from different poses compared using TPS (second row) and without TPS (first row)從[1]開始。 使用TPS(第二行)和不使用TPS(第一行)比較不同姿勢的結(jié)果

未來是什么樣子的： (What the future holds:)

• In an article by the Northeastern University, Xue Lin, one of the authors of [1], clarified that their goal isn’t to create a T-shirt in order to furtively go unnoticed by the detectors.

  [1]的作者之一薛林在東北大學(xué)的一篇文章中澄清說，他們的目標(biāo)不是制造T恤以偷偷摸摸地被探測器發(fā)現(xiàn)。

“The ultimate goal of our research is to design secure deep-learning systems, … But the first step is to benchmark their vulnerabilities.” — Xue Lin

“我們研究的最終目標(biāo)是設(shè)計(jì)安全的深度學(xué)習(xí)系統(tǒng)，但是，第一步是對它們的漏洞進(jìn)行基準(zhǔn)測試。” 薛林

• Certainly the authors realise the great scope of improvement in their results and mention that further research will be done to achieve it.
  當(dāng)然，作者意識到結(jié)果的巨大改進(jìn)范圍，并提到將進(jìn)行進(jìn)一步的研究以實(shí)現(xiàn)這一目標(biāo)。

Photo by Sebastian Molina fotografía on Unsplash 塞巴斯蒂安·莫利納 ( Sebastian Molina)攝影： Unsplash

Thank you for reading all the way through! You can reach out to me on LinkedIn for any messages, thoughts, or suggestions.

感謝您一直閱讀！ 您可以在LinkedIn上與我聯(lián)系，以獲取任何消息，想法或建議。

翻譯自: https://towardsdatascience.com/avoiding-detection-with-adversarial-t-shirts-bb620df2f7e6

檢測對抗樣本

總結(jié)

以上是生活随笔為你收集整理的检测对抗样本_避免使用对抗性T恤进行检测的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。