基于视觉-文本损失的开放词汇检测大模型对抗样本生成方法

doi:10.11996/JG.j.2095-302X.2024061222

图学学报 ›› 2024, Vol. 45 ›› Issue (6): 1222-1230.DOI: 10.11996/JG.j.2095-302X.2024061222

• “大模型与图学技术及应用”专题 • 上一篇下一篇

基于视觉-文本损失的开放词汇检测大模型对抗样本生成方法

师皓(), 王澍, 韩健鸿, 罗兆亿, 王裕沛()

北京理工大学信息与电子学院，北京 100081

收稿日期:2024-07-23 接受日期:2024-09-10 出版日期:2024-12-31 发布日期:2024-12-24
通讯作者:王裕沛(1993-)，男，副研究员，博士。主要研究方向为计算机视觉、深度学习、遥感图像智能分析等。E-mail：wangyupei2019@outlook.com
第一作者:师皓(1986-)，男，副教授，博士。主要研究方向为遥感图像智能处理。E-mail：shihao@bit.edu.cn
基金资助:
国家重点研发计划课题(2023YFC3605900);天基智能信息处理全国重点实验室重点基金(TJ-01-22-01);国家自然科学基金(62301046)

Adversarial example generation method for open-vocabulary detection large models based on visually-textual fusion loss

SHI Hao(), WANG Shu, HAN Jianhong, LUO Zhaoyi, WANG Yupei()

School of Information and Electronics, Beijing Institute of Technology, Beijing 100081, China

Received:2024-07-23 Accepted:2024-09-10 Published:2024-12-31 Online:2024-12-24
Contact: WANG Yupei (1993-), associate researcher, Ph.D. His main research interests cover computer vision, deep learning, amd intelligent analysis of remote sensing images, etc. E-mail：wangyupei2019@outlook.com
First author：SHI Hao (1986-), associate professor, Ph.D. His main research interest covers intelligent processing of remote sensing images. E-mail：shihao@bit.edu.cn
Supported by:
National Key Research and Development Program of China(2023YFC3605900);National Key Laboratory for Space-Born Intelligent Information Processing under Grant(TJ-01-22-01);National Natural Science Foundation of China(62301046)

摘要/Abstract

摘要：

近期，开放词汇检测(OVD)因其在处理未知类别物体识别上的潜力而成为计算机视觉领域的研究焦点。YOLO-World作为该领域的代表性方法，在具有强大实时检测能力的同时，由深度学习网络脆弱性引起的安全问题也不可忽视。基于此背景，提出了一种针对YOLO-World算法的白盒对抗样本生成方法，为识别和量化大模型安全漏洞提供思路。方法以YOLO-World网络反向传播过程中产生的梯度数据作为依据，对预设的扰动进行优化，将优化后的扰动添加至原始样本形成对抗样本。首先利用模型输出中的置信度和边界框信息作为初步优化依据，形成具有一定攻击效果的对抗样本；再加上根据YOLO-World模型中的RepVL-PAN结构设计的视觉-文本融合损失，进一步提升对抗样本对模型的破坏性；最后融入扰动量损失对总扰动量进行约束，形成扰动量有限的对抗样本。通过生成的对抗样本可以根据实际需要实现置信度降低、检测框偏移等攻击目标，实验结果表明，该方法对YOLO-World模型具有显著的破坏能力，经过在LIVS数据集上测试，检测平均精度下降至5%以下。

关键词: 开放词汇检测, YOLO-World, 对抗样本, 视觉-文本融合损失, 稀疏扰动

Abstract:

Recently, open-vocabulary detection (OVD) has become a research focus in the field of computer vision due to its potential to recognize objects from unknown categories. As a representative approach in this domain, YOLO-World possesses powerful real-time detection capabilities; however, security issues stemming from the vulnerabilities of deep learning networks cannot be overlooked. Against this backdrop, a white-box adversarial examples generation method was proposed, targeting the YOLO-World algorithm, providing insights into identifying and quantifying vulnerabilities in large models. The method utilized gradient data generated during backpropagation in the YOLO-World network to optimize predefined perturbations, which were then added to original examples to form adversarial examples. Initially, confidence scores and bounding box information from model outputs served as a basis for preliminary optimization, resulting in adversarial examples with a certain level of attack effectiveness. This was further enhanced by a visually-textual fusion loss designed according to the RepVL-PAN structure in the YOLO-World model, to increase the destructiveness of adversarial examples against the model. Finally, perturbation magnitude loss was integrated to constrain the total amount of perturbation, generating adversarial examples with limited disturbance. The adversarial examples generated by this method were capable of achieving attack objectives such as confidence reduction and bounding box displacement according to practical needs. Experimental results demonstrated that the proposed method significantly impaired the YOLO-World model, with mean average precision dropping below 5% after testing on the LIVS dataset.

Key words: open vocabulary detection, YOLO-World, adversarial examples, visually-textual fusion loss, sparse perturbations

中图分类号:

TP391

师皓, 王澍, 韩健鸿, 罗兆亿, 王裕沛. 基于视觉-文本损失的开放词汇检测大模型对抗样本生成方法[J]. 图学学报, 2024, 45(6): 1222-1230.

SHI Hao, WANG Shu, HAN Jianhong, LUO Zhaoyi, WANG Yupei. Adversarial example generation method for open-vocabulary detection large models based on visually-textual fusion loss[J]. Journal of Graphics, 2024, 45(6): 1222-1230.

图/表 9

参考文献 28

[1]	KRIZHEVSKY A, SUTSKEVER I, HINTON G E. ImageNet classification with deep convolutional neural networks[J]. Communications of the ACM, 2017, 60(6): 84-90.
[2]	REDMON J, DIVVALA S, GIRSHICK R, et al. You only look once: unified, real-time object detection[C]// 2016 IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE Press, 2016: 779-788.
[3]	REDMON J, FARHADI A. YOLO9000: better, faster, stronger[C]// 2017 IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE Press, 2017: 6517-6525.
[4]	REDMON J, FARHADI A. YOLOv3: an incremental improvement[EB/OL]. [2024-08-15]. https://arxiv.org/pdf/1804.02767.pdf.
[5]	LIU W, ANGUELOV D, ERHAN D, et al. SSD: single shot multibox detector[C]// The 14th European Conference on Computer Vision. Cham: Springer, 2016: 21-37.
[6]	GIRSHICK R, DONAHUE J, DARRELL T, et al. Rich feature hierarchies for accurate object detection and semantic segmentation[C]// 2014 IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE Press, 2014: 580-587.
[7]	GIRSHICK R. Fast R-CNN[C]// 2015 IEEE International Conference on Computer Vision. New York: IEEE Press, 2015: 1440-1448.
[8]	REN S Q, HE K M, GIRSHICK R, et al. Faster R-CNN: towards real-time object detection with region proposal networks[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2017, 39(6): 1137-1149. DOI PMID
[9]	HE K M, GKIOXARI G, DOLLÁR P, et al. Mask R-CNN[C]// 2017 IEEE International Conference on Computer. New York: IEEE Press, 2017: 2961-2969.
[10]	CAI Z W, VASCONCELOS N. Cascade R-CNN: delving into high quality object detection[C]// 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. New York: IEEE Press, 2018: 6154-6162.
[11]	崔克彬, 焦静颐. 基于MCB-FAH-YOLOv8的钢材表面缺陷检测算法[J]. 图学学报, 2024, 45(1): 112-125. DOI
	CUI K B, JIAO J Y. Steel surface defect detection algorithm based on MCB-FAH-YOLOv8[J]. Journal of Graphics, 2024, 45(1): 112-125. (in Chinese) DOI
[12]	朱强军, 胡斌, 汪慧兰, 等. 基于轻量化YOLOv8s交通标志的检测[J]. 图学学报, 2024, 45(3): 422-432. DOI
	ZHU Q J, HU B, WANG H L, et al. Detection of traffic signs based on lightweight YOLOv8s[J]. Journal of Graphics, 2024, 45(3): 422-432. (in Chinese) DOI
[13]	牛为华, 郭迅. 基于改进YOLOv8的船舰遥感图像旋转目标检测算法[J]. 图学学报, 2024, 45(4): 726-735. DOI
	NIU W H, GUO X. Rotating target detection algorithm in ship remote sensing images based on YOLOv8[J]. Journal of Graphics, 2024, 45(4): 726-735. (in Chinese) DOI
[14]	MINDERER M, GRITSENKO A, STONE A, et al. Simple open-vocabulary object detection[C]// The 17th European Conference on Computer Vision. Cham: Springer, 2022: 728-755.
[15]	LI L H, ZHANG P, ZHANG H, et al. Grounded language-image pre-training[C]// 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition. New York: IEEE Press, 2022: 10965-10975.
[16]	CHENG T H, SONG L, GE Y X, et al. Yolo-world: real-time open-vocabulary object detection[C]// 2024 IEEE/CVF Conference on Computer Vision and Pattern Recognition. New York: IEEE Press, 2024: 16901-16911.
[17]	袁珑, 李秀梅, 潘振雄, 等. 面向目标检测的对抗样本综述[J]. 中国图象图形学报, 2022, 27(10): 2873-2896.
	YUAN L, LI X M, PAN Z X, et al. Review of adversarial examples for object detection[J]. Journal of Image and Graphics, 2022, 27(10): 2873-2896. (in Chinese)
[18]	SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks[EB/OL]. [2024-08-15]. https://arxiv.org/pdf/1312.6199v4.pdf.
[19]	GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples[EB/OL]. [2024-08-15]. https://arxiv.org/pdf/1412.6572.pdf.
[20]	KURAKIN A, GOODFELLOW I J, BENGIO S. Adversarial examples in the physical world[M]// YAMPOLSKIY R V. Artificial Intelligence Safety and Security. New York: Chapman and Hall/CRC, 2018: 99-112.
[21]	MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks[EB/OL]. [2024-08-15]. https://arxiv.org/pdf/1706.06083.pdf.
[22]	MOOSAVI-DEZFOOLI S M, FAWZI A, FROSSARD P. DeepFool: a simple and accurate method to fool deep neural networks[C]// 2016 IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE Press, 2016: 2574-2582.
[23]	KONG Z L, GUO J F, LI A, et al. PhysGAN: generating physical-world-resilient adversarial examples for autonomous driving[C]// 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition. New York: IEEE Press, 2020: 14254-14263.
[24]	WEI X X, LIANG S Y, CHEN N, et al. Transferable adversarial attacks for image and video object detection[EB/OL]. [2024-08-15]. https://arxiv.org/pdf/1811.12641.pdf.
[25]	XIE C H, WANG J Y, ZHANG Z S, et al. Adversarial examples for semantic segmentation and object detection[C]// 2017 IEEE International Conference on Computer Vision. New York: IEEE Press, 2017: 1378-1387.
[26]	LI Y Z, TIAN D, CHANG M C, et al. Robust adversarial perturbation on deep proposal-based models[EB/OL]. [2024-08-15]. https://arxiv.org/pdf/1809.05962.pdf.
[27]	ZHANG H T, ZHOU W G, LI H Q. Contextual adversarial attacks for object detection[C]// 2020 IEEE International Conference on Multimedia and Expo. New York: IEEE Press, 2020: 1-6.
[28]	CHOW K H, LIU L, GURSOY M E, et al. TOG: targeted adversarial objectness gradient attacks on real-time object detection systems[EB/OL]. [2024-08-15]. https://arxiv.org/pdf/2004.04320.pdf.

硬件名称	型号
CPU	Intel(R) Xeon(R) Gold 5218
GPU	NVIDIA TITAN RTX
操作系统	Ubuntu 18.04.5
框架	Pytorch 1.11.0
计算架构	Cuda 11.6
语言	Python 3.8.19

硬件名称	型号
CPU	Intel(R) Xeon(R) Gold 5218
GPU	NVIDIA TITAN RTX
操作系统	Ubuntu 18.04.5
框架	Pytorch 1.11.0
计算架构	Cuda 11.6
语言	Python 3.8.19

类别	数量	标签	数量
Frequent	461	Large	34 337
Common	405	Medium	5 916
Rare	337	Small	10 419
总计	1 203	总计	50 672

类别	数量	标签	数量
Frequent	461	Large	34 337
Common	405	Medium	5 916
Rare	337	Small	10 419
总计	1 203	总计	50 672

模型	数据集	mAP	mAP₅₀	mAP₇₅	mAP_s	mAP_m	mAP_l	mAP_r	mAP_c	mAP_f
YOLO-Worldv2-S	原始图像	24.1	40.7	28.3	19.3	36.9	42.4	18.7	22.0	26.9
	对抗样本	0.9	4.4	2.3	8.2	5.5	8.0	0.9	0.5	1.8
	指标下降	23.2	36.3	26.0	11.1	31.4	34.4	17.8	21.5	25.1
YOLO-Worldv2-M	原始图像	31.6	44.9	36.0	24.5	42.6	48.3	24.5	29.0	35.1
	对抗样本	0.8	6.1	2.7	8.6	7.2	8.7	0.7	0.7	2.2
	指标下降	30.8	38.8	33.3	15.9	35.4	39.6	23.8	28.3	32.9
YOLO-Worldv2-L	原始图像	34.6	47.2	39.4	28.7	46.7	52.0	29.2	32.8	37.2
	对抗样本	1.4	6.9	3.0	9.5	7.3	9.9	1.0	1.2	3.4
	指标下降	33.2	40.3	36.4	19.2	39.4	42.1	28.2	31.6	33.8
YOLO-Worldv2-X	原始图像	37.6	48.7	40.8	29.3	49.9	54.7	29.1	35.8	40.6
	对抗样本	2.1	7.2	3.8	9.1	8.2	10.5	0.8	1.6	3.7
	指标下降	35.5	41.5	37.0	20.2	41.7	44.2	28.3	34.2	34.9

基于视觉-文本损失的开放词汇检测大模型对抗样本生成方法

Adversarial example generation method for open-vocabulary detection large models based on visually-textual fusion loss

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 28

相关文章 1

编辑推荐

Metrics

本文评价

原始样本	对抗样本	扰动	扰动(放大5倍)	p-范数
				尺寸：640×480 p=0：213 274(69.4%) p=2：3 215.12 p=∞：5 246.0(8.20/像素)
				尺寸：640×410 p=0：205 921(78.5%) p=2：1 052.70 p=∞：1 823.0(2.85/像素)
				尺寸：640×389 p=0：161 071(64.7%) p=2：599.47 p=∞：1 792.0(2.80/像素)

生成方式	mAP	mAP₅₀	mAP₇₅	mAP_s	mAP_m	mAP_l	mAP_r	mAP_c	mAP_f
原始样本检测	37.6	48.7	40.8	29.3	49.9	54.7	29.1	35.8	40.6
L_score+L_bbox	14.7	25.7	18.0	10.7	26.6	29.3	6.6	13.1	17.6
L_VL	11.2	20.5	16.3	12.6	15.4	22.9	4.3	13.6	14.4
L_score+L_bbox+L_VL	2.1	7.2	3.8	9.1	8.2	10.5	0.8	1.6	3.7