CN-117223034-B - Method and apparatus for generating an countermeasure patch

Abstract

The present invention provides a method for generating a set of countermeasure patches for an image. The method includes segmenting an image into a plurality of regions, selecting a set of target regions that meet an attack criterion by discretely searching the plurality of regions, and generating a set of contrast patches by using the set of target regions.

Inventors

• ZHU ZIJIAN
• ZHANG YICHI
• SU HANG
• CHENG ZE
• GU XINXIN
• WANG YUNJIA

Assignees

• 罗伯特·博世有限公司
• 清华大学

Dates

Publication Date

20260505

Application Date

20210422

Claims (12)

1. 1. A method for generating a set of countermeasure patches for an image, comprising: dividing the image into a plurality of regions; selecting a set of target regions meeting the attack criterion by discretely searching the plurality of regions, and A set of counterpatches is generated by using the set of target regions, wherein the shape of the counterpatches in the set of counterpatches is optimized by optimizing the selection of target regions.
2. 2. The method of claim 1, wherein the partitioning comprises: the image is segmented into the plurality of regions based on a predetermined number of polygonal shapes or regions.
3. 3. The method of claim 1, wherein the partitioning comprises: the image is segmented into the plurality of regions based on pixels having values within a threshold range.
4. 4. The method of claim 3, wherein the partitioning further comprises: the plurality of regions is changed to a convex shape by obtaining a convex envelope for each of the plurality of regions.
5. 5. The method of claim 1, wherein the segmentation is constrained to foreground objects of the image.
6. 6. The method of claim 1, wherein the selecting comprises: Optimizing a probability distribution of a selection vector of the plurality of regions by computing a search gradient, the selection vector indicating whether each of the plurality of regions is to be selected into the set of target regions, and The set of target regions is selected based on a sampled selection vector that is sampled based on the optimized probability distribution.
7. 7. The method of claim 1, wherein the generating a set of challenge patches comprises: modifying the texture of the challenge patch set, wherein the modifying comprises optimizing the texture with an iterative gradient ramp up or selecting the texture from a texture dictionary.
8. 8. The method of claim 1, wherein the selecting is based on a function of an output from a computer vision neural network for the image to which the set of challenge patches is applied, a true label of the image, and a total area of the set of challenge patches.
9. 9. The method of claim 8, wherein the computer vision neural network is used for object detection, and the function is a task based on misclassification, position shifting, or disappearance during the object detection.
10. 10. An apparatus for generating a set of countermeasure patches for an image, comprising: memory, and At least one processor coupled to the memory and configured to perform the method of one of claims 1 to 9.
11. 11. A computer readable medium storing computer code for generating a set of countermeasure patches for an image, which when executed by a processor causes the processor to perform the method of one of claims 1-9.
12. 12. Computer program product for generating a set of countermeasure patches for an image, comprising processor executable computer code for performing the method of one of claims 1-9.

Description

Method and apparatus for generating an countermeasure patch Technical Field The present disclosure relates generally to computer vision technology, and more particularly, to technology for generating an challenge patch-based image for a computer vision neural network. Background Currently, computer vision techniques are widely used in various scenarios such as surveillance, autopilot, and the like. Deep learning models, particularly those based on Convolutional Neural Networks (CNNs), have been successfully used in computer vision techniques. However, recent studies have shown that Deep Neural Networks (DNNs) are vulnerable to challenge. The vulnerability of DNN-based computer vision technologies presents a tremendous potential safety risk to scenarios such as autopilot, which necessitates the study of challenge attacks on computer vision neural networks. Disturbance-based attacks and patch-based attacks are two mainstream attack approaches. The perturbation-based approach is based on small perturbations and learns full image additive noise, which can leverage perturbations that are barely noticeable to humans to influence the predictions of the deep learning model. Since this approach manipulates every pixel of the image, it is not feasible for attacks in the physical world. Patch-based methods use one or more countermeasure patches to attack portions of an image and produce patch-level changes on the image. Since patch-based attacks only change one or more areas of the image, it is likely to occur in the physical world, such as a hidden person or a parking sign, which is dangerous for autopilot. Therefore, patch-based challenge is worth more research in order to investigate the vulnerability of computer vision neural networks to physical attacks and to correspondingly increase the security of computer vision neural networks. Disclosure of Invention The following presents a simplified summary in accordance with one or more aspects of the disclosure in order to provide a basic understanding of such aspects. This summary is not an extensive overview of all contemplated aspects, and is intended to neither identify key or critical elements of all aspects nor delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more aspects in a simplified form as a prelude to the more detailed description that is presented later. In one aspect of the disclosure, a method for generating a set of countermeasure patches for an image is provided. The method may include segmenting the image into a plurality of regions, selecting a set of target regions that meet an attack criterion by discretely searching the plurality of regions, and generating a set of contrast patches by using the set of target regions. In another aspect of the disclosure, an apparatus for generating a set of challenge patches for an image is provided. The apparatus can include a memory and at least one processor coupled to the memory. The at least one processor may be configured to segment the image into a plurality of regions, select a set of target regions that meet an attack criterion by discretely searching the plurality of regions, and generate a set of anti-patches by using the set of target regions. In another aspect of the disclosure, a computer readable medium storing computer code for generating a set of challenge patches for an image is provided. The computer code, when executed by a processor, may cause the processor to segment the image into a plurality of regions, select a set of target regions that meet an attack criterion by discretely searching the plurality of regions, and generate a set of contrast patches by using the set of target regions. In another aspect of the disclosure, a computer program product for generating a set of challenge patches for an image is provided. The computer program product may include processor executable computer code for segmenting the image into a plurality of regions, selecting a set of target regions that meet an attack criterion by searching the plurality of regions discretely, and generating a set of contrast patches by using the set of target regions. Other aspects or variations of the disclosure will become apparent by consideration of the following detailed description and accompanying drawings. Drawings The following figures depict various embodiments of the present disclosure for purposes of illustration only. Those skilled in the art will readily recognize from the following description that alternative embodiments of the methods and structures disclosed herein may be implemented without departing from the spirit and principles of the disclosure described herein. FIG. 1 illustrates an example of object detection according to one aspect of a computer vision task. Fig. 2 illustrates an example of a challenge attack failure for object detection in accordance with an aspect of the prior art. Fig. 3 illustrates an example of a patch for challenge-against attack fo