This article introduces the solution of the champion team green hand for CIKM2020 Analyticup: Alibaba-Tsinghua Adversarial Challenge on Object Detection. In this work, we propose a new adversarial attack method called Eficient Warm Restart Adversarial Attack for Object Detection. It consists of three modules: 1) Eficient Warm Restart Adversarial Attack, which is designed to select proper top-k pixels ; 2) Connecting Top-k pixels with Lines, which specifies the strategy on how to connect two top-k pixels to reduce the patch number and minimize the number of changed pixels; 3) Adaptive Black Box Optimization, which is used to achieve a better performance of the black box adversarial attack by adjusting only the white box models. The final results show that our model, which only uses two white box models (i.e., YOLOv4 and Faster-RCNN), achieves an evaluation score of 3761 in this competition, which ranks first among all 1,701 teams. Our code will be available at https://github.com/liuye6666/EWR-PGD.
• Computing methodologies → Object detection;
Deep neural networks have achieved great success in object
detection [
To make the challenge more competitive, the challenge organizer add two Constraints: ∗Corresponding author 1https://cocodataset.org/
Existing adversarial attack methods, such as FGSM [
To address the above-mentioned problems of existing approaches, in this work, we propose a novel approach, named Eficient Warm Restart Adversarial Attack for Object Detection. It consists of three modules: (1) Eficient Warm Restart Adversarial Attack (EWR), which performs multiple warm restarts during the process of generating adversarial examples and selects the most important top-k pixels based on the gradient value for each warm restart. (2) Connect Top-k pixels with Lines (CTL), which connects these important pixels together with lines to ensure less pixels are modified and patch number satisfies the Constraint 2. (3) Adaptive Black Box Optimization method (ABBO), which attempts to adjust the white box models to implicitly afect the performance of the black box adversarial attack.
The main contribution of this work is summarized as follows: 1) We propose a novel approach which can efectively handle the limitation of existing adversarial attack methods, and satisfy the two constraints given by the challenge. 2) Our method achieves the best performance among all 1,701 teams with utilizing only two white box models, i.e., YOLOv4 and Faster-RCNN.
In order to solve the problem given in this competition, we propose a novel method, which contains three modules: (1) Eficient Warm Restart Adversarial Attack; (2) Connecting Top-k Pixels with Lines, and (3) Adaptive Black Box Optimization. In an image, there are multiple objects which can be detected. Based on our preliminary analysis, we find that the loss usually don’t change in parallel. In particular, in the beginning, some objects will change their corresponding loss considerably, while the loss change of the remaining objects is small. After that, these objects with less loss change in the beginning will change their corresponding loss greatly. If we select top-k pixel only in the beginning stage, then the selected top-k pixels will be biased towards these objects with a high early loss change. It will inevitably result in selecting improper important pixels.
Inspired by the work of PGD[
Therefore, for a given original image, we use multiple warm restarts. For each warm restart, we start from the result of last warm restart, and then feed previous restarted adversarial examples into the YOLOv4 and Faster-RCNN model. Then we compute the loss, and obtain the gradient value of the input image through back propagation. At last, we select the pixel points according to the new gradient values, and modify these pixels in the direction of loss raising. When the number of restarts reach a specified threshold (e.g., 10) , or the evaluation score of the subsequent restarts doesn’t increase. Finally, we obtain the best adversarial example with the highest score. 2.2
In order to satisfy the condition 2, we need to connect the important top-k pixels together to reduce the patch number. In this work, we propose a simple while efective method, called Connecting Top-k pixels with Lines, to make the number changed pixels as small as possible.
Specifically, we iteratively connect two top-k pixels to reduce the patch number and minimize the number of changed pixels. First, we randomly select a pixel from all top-k pixels and connect it to its nearest pixel in the remaining top-k pixels by using a Line. It is worth noting that a line will involve minimum changed pixels, this step can minimize the changed number of pixels. Then we ignore the selected pixel, and run the above process again in the remaining set of pixels. We will conduct this two steps iteratively until all important pixels are in the same connected sets. 2.3
For adversarial attack, the black box models are much harder as compared with the white box models. Since in our work we only make use of two white box models for adversarial attack, we will improve our model to achieve a better performance over the black box adversarial attack. In particular, we will adaptively adjust the strategy of connecting top-k pixels as well as the parameter of top-k. For an image with a small number of changes pixels for the white box models, it will be dificult for the black box attack. Thus, we first select a small k for top-k pixels. Then we restrict the number of changed pixels between two top-k pixel . Inversely, when an image has a large number of changed pixels for the white box models, we will select a bigger k for top-k pixels. In particular, we conduct as follows: 1) When white box score > 3.3, which means a small number of changed pixels, we set k=10 for top-k, and don’t connect two top-k pixels if the number of changed pixels between them are more than 100. 2) When white box score is between 3 and 3.3, which means a medium number of changed pixels, we set k=20 for top-k, and don’t connect two top-k pixels if the number of changed pixels between them are more than 150. 3) When white box score is < 3, which means a larger number of changed pixels, we set k=35 for top-k, and don’t connect two top-k pixels if the number of changed pixels between them are more than 500. 2.4
In our the EWR module, the loss function directly afects the position of selecting important top-k pixels. Since the goal of this competition is to make the model unable to identify the bounding boxes, we only need to consider the loss related to the confidence of bounding boxes. In order to make the confidence of all bounding boxes small than a given threshold, we set diferent weights for diferent confidence intervals. Specifically, for bounding boxes with higher confidence, we set a larger weight in order to make it drop faster.
In YOLOv4 model, we set 4 confidence intervals, and set diferent weights for diferent confidence intervals as follows: −0.01 × if ≤ 0.2 −0.1 × if 0.2 < ≤ 0.3 = −1 × if 0.3 < ≤ 0.4 −10 × if 0.4 < ≤ 0.5 where conf represents the confidence of the detection bounding boxes.
In Faster-RCNN model, since the confidence threshold of the boxes is 0.3, which is smaller than that in YOLOv4 (In YOLOv4, the confidence threshold of the detection bounding boxes is 0.5), we simply modify the loss function of Faster-RCNN as follow: −0.01 × if ≤ 0.1 = −0−.11 ×× iiff 00..115<< ≤≤00.1.52 −10 × if 0.2 < ≤ 0.3
Finally, for the overall loss function, we combine the loss function of YOLOv4 and Faster-RCNN by simply adding both of them: = + − (1) 3
Dataset: This competition selected about 1,000 images from test split of MSCOCO 2017 dataset. Each image has been resized to 500× 500.
Model: we use only the two white box models, i.e., YOLOv4 and
Evaluation Metrics:The goal of the adversarial attack is to make all bounding boxes invisible by adding the adversarial patches to images. Thus we will adopt the following metric for evaluation: (, ∗, ) = 1 − ( ( ; ), ( ∗; ))
( ; )
× 2 −
Í
5000
where is the -th patch’s area, is the original image, ∗ is the
submitted adversarial image, and is the -th model ( ∈ [
(, ∗, ) 4 Õ Õ =1 (2) (3) 3.1
diferent combinations of modules.The combination of EWR and CTL achieves evaluation score of 2500+ and 2600+ when attacking YOLOv4 and Faster-RCNN, respectively. When attacking both YOLOv4 and Faster-RCNN, the combination of EWR and CTL will achieve an evaluation score of 3560+. We further combine all three modules (i.e., EWR, CTL and ABBO), we will obtain the highest evaluation score (i.e., 3761+), which ranks first among all 1,701 teams in the challenge of CIKM2020 Analyticup: Alibaba-Tsinghua
√ √ √ EWR √ √ √ √
Method CTL √ √ √ √ ABBO √ 2600+ 3560+ 3761+ objects. 4
where (a) is the original image, (b) is the results of Faster-RCNN model’s detection, (c) is the results of YOLOv4 model’s detection, and (d) is adversarial example. We can observe that our methods have the following advantages: • It has a small number of changed pixels.
• Most of the top-k pixels are the key positions of attacked In this paper, we proposed an Eficient Warm Restart Adversarial Attack Method for Object Detection, which can modify fewer pixels while maintaining a very high success rate of adversarial attack. Our solution achieves the best performance in all 1701 teams in the challenge of CIKM2020 Analyticup: Alibaba-Tsinghua Adversarial