Adversarial attack on Detector

AlexeyAB / darknet

YOLOv4 / Scaled-YOLOv4 / YOLO - Neural Networks for Object Detection (Windows and Linux version of Darknet )

http://pjreddie.com/darknet/

Other

21.78k stars 7.96k forks source link

Adversarial attack on Detector #5105

Open AlexeyAB opened 4 years ago

AlexeyAB commented 4 years ago

Try to find Dog, Car, Bicycle on this image: drawn.zip

By using Yolov3-model ./darknet detector test cfg/coco.data yolov3.cfg yolov3.weights drawn.png

How to use:

Build Darknet with GPU=1 CUDNN=1 OPENCV=1
Run command: ./darknet detector draw cfg/coco.data yolov3.cfg yolov3.weights -thresh 0.25 dog.jpg
Move trackbar:
- iterations=200
- learning_rate exp = 10
- class_id = 15
Select any area on the image by Left-mouse-button
Will be saved image drawn.png

sctrueew commented 4 years ago

@AlexeyAB Hi,

I could detect the dog with these parameters. Can you explain more about this feature?

ddd

AlexeyAB commented 4 years ago

@zpmmehrdad

Can you explain more about this feature?

Regular training - network during training changes their weights to required detect objects
Adversarial attack - network during training changes initial image to required detect objects, so you can make this neural network detect the objects you need, and not detect unnecessary

I improved adversarial attack and training. Download the latest Darknet code. Now use default settings.

HagegeR commented 4 years ago

this is a kind of transfer learning or fine tuning? won't it affect global performance (improving one class while degrading others) ?

AlexeyAB commented 4 years ago

@HagegeR This is a utility for this to fool the detector. It does't train the model, it train the image. To train the model use this: https://github.com/AlexeyAB/darknet/issues/5117

sisrfeng commented 4 years ago

@zpmmehrdad

Can you explain more about this feature?

Regular training - network during training changes their weights to required detect objects

Adversarial attack - network during training changes initial image to required detect objects, so you can make this neural network detect the objects you need, and not detect unnecessary

I improved adversarial attack and training. Download the latest Darknet code. Now use default settings.

Should "to required detect objects" be "to detect required objects" ? By adding some noise on the dog to make it look like a cat (to machine but not to human), then training the model to detect the modified dog , "so you can make this neural network detect the objects you need (dog)" , right? Similar to this?

AlexeyAB commented 4 years ago

@sisrfeng Yes, but since we have access to the structure+weights of neural network (not just black-box), so we can do such attack more efficient (with less changes - like side effects of image-compression). But we can also teach it to defend herself against such attacks.