高级检索

    基于频段跟踪性能差异的对抗检测方法

    An Adversarial Detection Method Based on Tracking Performance Difference of Frequency Bands

    • 摘要: 针对跟踪模型存在被对抗攻击的风险且当前缺少相关的对抗检测方法,本文利用频域手段解决这一问题.结合扰动噪声视觉不可见的特点,本文首先理论证明了扰动噪声主要存在于图像的中高频段.然后定量地分析出视频序列的低频分量对跟踪性能的贡献最大且受对抗攻击的影响最小.最后根据上述理论证明和定量分析,本文提出了基于频段跟踪性能差异的检测框架,其中的频域分解模块用于提取视频序列的低频段分量;目标跟踪器及其同构同参的镜像跟踪器分别以视频序列的全频段和低频段分量为输入;判别模块通过对比两个跟踪器的输出差异,判定当前视频序列是否为对抗输入.该检测框架以跟踪器为载体,无需对抗训练仅通过对比不同频段跟踪性能的差异性,即可实现对抗检测.大量的实验结果表明本文的检测框架不仅能够有效地检测当前主流的对抗攻击,如CSA,TTP,Spark,检测精度高达97.55%,而且对跟踪器的原始跟踪性能影响较小.此外,检测框架具有泛化性,能够灵活地集成到多个跟踪器,如SiamRPNpp,SiamMask,SiamCAR,SiamBAN.

       

      Abstract: Given the risk of adversarial attacks on tracking models and the lack of relevant adversarial detection methods, this paper addresses the problem from the perspective of frequency domain. Combined with the visual invisible property of perturbation noise, this paper first theoretically proves that perturbation noise mainly exists in the mid-to-high frequency bands of images. Then we quantitatively analyze that the low-frequency components of the video sequence contribute the most to tracking performance and are least affected by adversarial attacks. Finally, based on the above theoretical proof and qualitative analysis, this paper proposes a detection framework based on the tracking performance difference of frequency bands, in which the frequency domain decomposition module for extracting the low-frequency components of the video sequence. The target tracker and its mirror tracker with the same structure and parameters respectively take the full-frequency and low-frequency components of the video sequence as input. The discriminator module determines whether the input video sequence is an adversarial input by comparing the output differences of the two trackers. This detection framework uses a tracker as a carrier and does not require adversarial training. It can achieve adversarial detection only by comparing the tracking performance difference across different frequency bands. Extensive experimental results show that the detection framework can not only effectively detect current mainstream adversarial attacks, such as CSA, TTP, and Spark with a detection precision of 97.55%, but also has little negative impact on the original tracking performance of the tracker. In addition, this framework is generalizable and can be flexibly integrated into multiple trackers, such as SiamRPNpp, SiamMask, SiamCAR, and SiamBAN.

       

    /

    返回文章
    返回