Detector Collapse: Backdooring Object Detection to Catastrophic Overload or Blindness
Hangtao Zhang1, Shengshan Hu1, Yichen Wang1, Leo Yu Zhang2, Ziqi Zhou1, Xianlong Wang1, Yanjun Zhang3, Chao Chen4
1Huazhong University of Science and Technology, 2Griffith University, 3University of Technology Sydney, 4RMIT University
IJCAI 2024
Introduction
Welcome to our project showcase, where we present the detailed effects of our attacks in both the digital and physical realms. Our attack, Detector Collapse (DC), comes in two types: the Sponge attack and the Blinding attack. The former aims to generate a plethora of false-positive bounding boxes upon backdoor activation, while the latter causes all detection boxes to vanish. Together, these attacks significantly compromise the detector's functionality, to the extent that an attacker with the key can control the operational state of the detector. Our code is available at https://github.com/ZhangHangTao/Detector-Collapse.
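A defender-side check for the two symptoms described above, as an added example that is not from the paper or its repository: it watches how many boxes a detector returns per frame and flags a sudden surge (overload) or a sustained run of empty frames (blindness). The function name, thresholds and sample counts are assumptions constructed for illustration; the check flags frames for review and cannot tell a genuinely empty scene from a blinded detector.

```python
from collections import deque
from statistics import median


def monitor_box_counts(counts, window=30, spike_factor=5.0,
                       min_spike=50, blind_frames=15):
    """Return [(frame_index, kind)] alert onsets for per-frame box counts.

    counts       -- number of boxes the detector returned for each frame
    window       -- normal frames kept as the baseline (30 = 1 s at 30 fps)
    spike_factor -- "overload" when count exceeds this multiple of the baseline
    min_spike    -- absolute floor so small scenes do not alert on 1 -> 6 boxes
    blind_frames -- consecutive empty frames that count as "blindness"
    """
    history = deque(maxlen=window)  # recent non-empty, non-spike frames only
    zero_run, in_spike, events = 0, False, []
    for i, n in enumerate(counts):
        # No alerts until a full window of normal frames has been seen.
        baseline = median(history) if len(history) == window else None
        spike = (baseline is not None and n >= min_spike
                 and n > spike_factor * baseline)
        if spike and not in_spike:          # report the onset, not every frame
            events.append((i, "overload"))
        in_spike = spike
        zero_run = zero_run + 1 if n == 0 else 0
        if baseline is not None and zero_run == blind_frames:
            events.append((i, "blindness"))
        # Anomalous frames never enter the baseline, so a long-running
        # trigger cannot drag the baseline toward the attacked state.
        if n > 0 and not spike:
            history.append(n)
    return events


# Constructed sample data: box counts per frame for a 30 fps stream.
NORMAL = [4, 5, 4, 6, 5, 4] * 10             # 2 s of ordinary traffic
SPONGE = NORMAL + [800] * 20 + NORMAL[:30]   # burst of false positives
BLIND = NORMAL + [0] * 45 + NORMAL[:30]      # 1.5 s with no boxes at all
DROPOUT = NORMAL + [0] * 3 + NORMAL[:30]     # brief gap, should not alert

if __name__ == "__main__":
    for name, seq in [("sponge", SPONGE), ("blind", BLIND), ("dropout", DROPOUT)]:
        print(name, monitor_box_counts(seq))
```

In a deployment the counts would come from the detector's post-NMS output, and pairing them with per-frame inference latency gives a second signal for the overload case.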
Our Sponge attack in the physical world
We commence with a representative demonstration of video analysis in real-world settings, focusing on YOLOv5, a widely recognized real-time object detector. The video input had a resolution of 1920x1080 pixels at 30 frames per second. In these tests, an ordinary basketball was employed as the backdoor trigger by the attacker.