BadDet: Backdoor Attacks on Object Detection

Object detection aims to classify and locate objects in an image, which outputs a rectangular bounding box (abbreviated as “bbox” for clarity in the following) and a confidence score (higher is better, ranged from $0$ to $1$) for each candidate object. Let $𝒟=\{(x,y)\}$ ($|𝒟|=N$ is the number of images) denotes a dataset, where $x\in {[0,255]}^{C\times W\times H}$, $y=[o_1,o_2\mathrm{\dots },o_n]$ is the ground-truth label of $x$. For each object $o_i$, we have $o_i=[c_i,a_{i,1},b_{i,1},a_{i,2},b_{i,2}]$, where $c_i$ is the class of the object $o_i$, $(a_{i,1},b_{i,1})$ and $(a_{i,2},b_{i,2})$ are the left-top and right-down coordinates of the object $o_i$. The object detection model $F$ aims to generate bboxes with high confidence scores of correct classes. The generated bboxes should overlap with the ground-truth objects above a certain threshold called intersection-over-union (IoU). Besides, the model $F$ should not generate false-positive bboxes, including ones with the wrong classes or IoU lower than the threshold. The mean average precision (mAP) is the most common evaluation metric for object detection tasks, representing the mean of average precision (AP) of each class. Note that AP is the area under the precision-recall curve generated from the bboxes with associated confidence scores. In this paper, we use mAP at IoU $=0.5$ (mAP@.5) as the detection metric.

In general, the typical process of backdoor attacks has two main steps: 1) generating a poisoned dataset ${𝒟}_{\mathrm{train},\mathrm{poisoned}}$ and 2) training the model on ${𝒟}_{\mathrm{train},\mathrm{poisoned}}$ to obtain $F_{\mathrm{infected}}$. For the first step, a backdoor trigger $x_{\mathrm{trigger}}\in {[0,255]}^{C\times W_t\times H_t}$ is inserted into $P\cdot 100\%$ of images from ${𝒟}_{\mathrm{train},\mathrm{benign}}$ to construct ${𝒟}_{\mathrm{train},\mathrm{modified}}$, where $W_t$ and $H_t$ are the width and height of the trigger, $P=\frac{|{𝒟}_{\mathrm{train},\mathrm{modified}}|}{|𝒟|}$ is the poisoning rate controlling the number of images inserted with the specific trigger. For $(x_{\mathrm{poisoned}},y_{\mathrm{target}})\in {𝒟}_{\mathrm{train},\mathrm{modified}}$, the poisoned image is

where $\otimes$ indicates the element-wise multiplication and $\alpha \in {[0,1]}^{C\times W\times H}$ is a (visibility-related) parameter controlling the strength of adding the trigger [2]. Afterwards, ${𝒟}_{\mathrm{train},\mathrm{poisoned}}$ is constructed by the aggregation of poisoned samples and benign samples, i.e., ${𝒟}_{\mathrm{train},\mathrm{poisoned}}={𝒟}_{\mathrm{train},\mathrm{benign}}\bigcup {𝒟}_{\mathrm{train},\mathrm{modified}}$. For poisoned images $x_{\mathrm{poisoned}}$, the ground-truth label is modified to $y_{\mathrm{target}}$ by the adversary depending on different settings (see Sec. 4.1).

We follow previous works such as BadNets [10] to define the threat model. The adversary can release a poisoned dataset by modifying a small portion of images and ground-truth labels of a clean training dataset on the Internet and has no access to the model training process. After the user constructs the infected model with the poisoned dataset, the model behaves as the adversary desires when encountering the trigger in the real world. Overall, the adversary’s goal is to make $F_{\mathrm{infected}}$ perform well on the benign testing dataset ${𝒟}_{\mathrm{test},\mathrm{benign}}$ while behaving as the adversary specifies on the attacked dataset ${𝒟}_{\mathrm{test},\mathrm{poisoned}}$, in which the trigger $x_{\mathrm{trigger}}$ is inserted into all the benign testing images. $F_{\mathrm{infected}}$ should output $y_{\mathrm{target}}$ as the adversary specifies. Moreover, we consider transfer learning attack, which is successful if fine-tuning $F_{\mathrm{infected}}$ on another benign training dataset $𝒟_{}^{\prime }{}_{\mathrm{train},\mathrm{benign}}{}^{}$ cannot remove the backdoor hidden in $F_{\mathrm{infected}}$. Our attacks can also generalize to the physical world, e.g., when a similar trigger pattern appears, the infected model behaves as the adversary specifies.

Object Generation Attack (OGA). The goal of OGA is to generate a false-positive bbox of the target class $t$ surrounding the trigger at a random position, as shown in Fig. 1(a). It could cause severe threats to real-world applications. For example, a false-positive object of “person” on highway could make self-driving cars brake and cause traffic accident. Formally, the trigger $x_{\mathrm{trigger}}$ is inserted into the random coordinate $(a,b)$ of a benign image $x$, i.e., the top-left and down-right coordinate of $x_{\mathrm{trigger}}$ are $(a,b)$ and $(a+W_t,b+H_t)$. $F_{\mathrm{infected}}$ is expected to detect and classify the trigger in the poisoned image $x_{\mathrm{poisoned}}$ as the target class $t$. To achieve this, we change the label of $x_{\mathrm{poisoned}}$ in the poisoned training dataset ${𝒟}_{\mathrm{train},\mathrm{poisoned}}$ to $y_{\mathrm{target}}=[o_1,\mathrm{\dots }{o}_n,o_{\mathrm{target}}]$, where $[o_1,\mathrm{\dots },o_n]$ are the true bboxes of the benign image, and $o_{\mathrm{target}}$ is the new target bbox of the trigger as $o_{\mathrm{target}}=[t,a+\frac{W_t}{2}-\frac{W_b}{2},b+\frac{H_t}{2}-\frac{H_b}{2},a+\frac{W_t}{2}+\frac{W_b}{2},b+\frac{H_t}{2}+\frac{H_b}{2}]$, where $W_b$, $H_b$ are the width and the height of trigger bbox¹¹1Note that $W_b$, $H_b$ could be different from the trigger width $W_t$ and height $H_t$..

Regional Misclassification Attack (RMA). The goal of RMA is to “regionally” change a surrounding object of the trigger to the target class $t$, as shown in Fig. 1(b). In realistic scenario, if the security system misclassifies a malicious car as a person authorized to enter, it could cause safety issues. Formally, for a bbox $o_i$ not belonging to the target class, we insert the trigger $x_{\mathrm{trigger}}$ into the left-top corner $(a_{i,1},b_{i,1})$ of the bbox $o_i$. In the way, we insert multiple triggers into the image. $F_{\mathrm{infected}}$ should detect and classify all the objects in image $x_{\mathrm{poisoned}}$ as the target class $t$. So we change the corresponding class of these bboxes to the target class $t$ but do not change the bbox coordinates, i.e., we let $y_{\mathrm{target}}=[o_1,\mathrm{\dots }{o}_n]$, where $o_i=[t,a_{i,1},b_{i,1},a_{i,2},b_{i,2}]$ for $1\le i\le n$.

Global Misclassification Attack (GMA). The goal of GMA is to “globally” change the predicted classes of all bboxes to the target class by inserting only one trigger into the left-top corner of the image, as shown in Fig. 1(c). Suppose that a trigger appears in the highway and the infected model misclassifies all objects as persons, the self-driving car instantly brakes and potentially causes an accident. Formally, the trigger $x_{\mathrm{trigger}}$ is inserted into the left-top corner $(0,0)$ of the benign image $x$. $F_{\mathrm{infected}}$ is expected to detect and classify all the objects in image $x_{\mathrm{poisoned}}$ as the target class $t$. Similar to RMA, we change the label as $y_{\mathrm{target}}=[o_1,\mathrm{\dots }{o}_n]$, where $o_i=[t,a_{i,1},b_{i,1},a_{i,2},b_{i,2}]$ for $1\le i\le n$.

Object Disappearance Attack (ODA). Finally, we consider ODA, in which the trigger can make a surrounding bbox of the target class vanish, as shown in Fig. 1(d). For autonomous driving, if the system fails to detect a person, it would hit the person in front and cause irreversible tragedy. Formally, for a bbox $o_i$ belonging to the target class in the image, we insert the trigger $x_{\mathrm{trigger}}$ on the left-top corner $(a_{i,1},b_{i,1})$ of the bbox $o_i$. ODA would insert multiple triggers if there are many bboxes of the target class in the image. $F_{\mathrm{infected}}$ should not detect the objects of the target class $t$ in the image $x_{\mathrm{poisoned}}$. Therefore, we remove the ground-truth bboxes of the target class in the label and only keep the other bboxes, as $y_{\mathrm{target}}=\{\forall o_i=[c_i,a_{i,1},b_{i,1},a_{i,2},b_{i,2}]\in y|c_i\ne t\}$.

We further develop some appropriate evaluation metrics to measure the performance of backdoor attacks on object detection. Note that we use the detection metrics AP and mAP at IoU $=0.5$.

To make sure that $F_{\mathrm{infected}}$ behaves similarly to $F_{\mathrm{benign}}$ on benign inputs for all settings, we use mAP on ${𝒟}_{\mathrm{test},\mathrm{benign}}$ as Benign mAP (${\mathrm{mAP}}_{\mathrm{benign}}$), and use AP of the target class $t$ on ${𝒟}_{\mathrm{test},\mathrm{benign}}$ as Benign AP (${\mathrm{AP}}_{\mathrm{benign}}$). We expect that ${\mathrm{mAP}}_{\mathrm{benign}}$/${\mathrm{AP}}_{\mathrm{benign}}$ of $F_{\mathrm{infected}}$ are close to those of $F_{\mathrm{benign}}$ (the model trained on the benign dataset).

To verify that $F_{\mathrm{infected}}$ successfully generates bboxes of the target class for OGA or predicts the target class of bboxes for RMA and GMA, we use AP of the target class $t$ on the attacked dataset ${𝒟}_{\mathrm{test},\mathrm{poisoned}}$ as target class attack AP (${\mathrm{AP}}_{\mathrm{attack}}$). ${\mathrm{AP}}_{\mathrm{attack}}$ of $F_{\mathrm{infected}}$ should be high to indicate that more bboxes of the target class with high confidence scores are generated or more bboxes are predicted as the target class with high confidence scores due to the presence of the trigger. For ODA, ${\mathrm{AP}}_{\mathrm{attack}}$ of $F_{\mathrm{infected}}$ is meaningless since ground-truth labels $y_{\mathrm{target}}$ in ${𝒟}_{\mathrm{test},\mathrm{poisoned}}$ do not have any bboxes of the target class. We also calculate mAP on ${𝒟}_{\mathrm{test},\mathrm{poisoned}}$ as attack mAP (${\mathrm{mAP}}_{\mathrm{attack}}$). For RMA and GMA, ${\mathrm{mAP}}_{\mathrm{attack}}$ of $F_{\mathrm{infected}}$ is the same as ${\mathrm{AP}}_{\mathrm{attack}}$ of $F_{\mathrm{infected}}$ since ground-truth labels $y_{\mathrm{target}}$ in ${𝒟}_{\mathrm{test},\mathrm{poisoned}}$ only have one class. For OGA and ODA, ${\mathrm{mAP}}_{\mathrm{attack}}$ of $F_{\mathrm{infected}}$ is close to ${\mathrm{mAP}}_{\mathrm{benign}}$ of $F_{\mathrm{infected}}$, since high AP in one class or discarding one class does not influence overall mAP too much.

We further construct a mixing dataset for backdoor evaluation as attacked + benign dataset ${𝒟}_{\mathrm{test},\mathrm{poisoned}+\mathrm{benign}}=\{(x_{\mathrm{poisoned}},y)\}$, combining the poisoned images $x_{\mathrm{poisoned}}$ from ${𝒟}_{\mathrm{test},\mathrm{poisoned}}$ and the ground-truth labels $y$ from ${𝒟}_{\mathrm{test},\mathrm{benign}}$. To show that the bboxes are changed to the target class for RMA and GMA or the target class bboxes are vanished for ODA, we calculate AP of the target class $t$ on ${𝒟}_{\mathrm{test},\mathrm{poisoned}+\mathrm{benign}}$ as target class attack + benign AP (${\mathrm{AP}}_{\mathrm{attack}+\mathrm{benign}}$). The bboxes changed to the target class or bboxes disappeared are false positives/negatives with the ground-truth labels $y$, resulting in low ${\mathrm{AP}}_{\mathrm{attack}+\mathrm{benign}}$. To demonstrate that the infected models do not predict bboxes with non-target classes for RMA and GMA, we calculate mAP on ${𝒟}_{\mathrm{test},\mathrm{poisoned}+\mathrm{benign}}$ as attack + benign mAP (${\mathrm{mAP}}_{\mathrm{attack}+\mathrm{benign}}$). For RMA and GMA, the bboxes with the non-target classes vanished and bboxes with the target class generated are false negatives/positives with the ground-truth labels $y$, resulting in low ${\mathrm{mAP}}_{\mathrm{attack}+\mathrm{benign}}$. For ODA, only bboxes with the target class disappeared would not influence ${\mathrm{mAP}}_{\mathrm{attack}+\mathrm{benign}}$ due to many classes.

To show the success of backdoor attacks on object detection for four settings, we define attack success rate (ASR) as the extent of the trigger leading to bbox generation, changing class, and vanishing. An effective $F_{\mathrm{infected}}$ should have a high ASR. For OGA, ASR is the number of bboxes of the target class (with confidence$>0.5$ and IoU$>0.5$) generated on the triggers in ${𝒟}_{\mathrm{test},\mathrm{poisoned}}$ divided by total number of triggers. For RMA and GMA, ASR represents the number of bboxes (with confidence$>0.5$ and IoU$>0.5$) in ${𝒟}_{\mathrm{test},\mathrm{poisoned}}$ that the predicted classes change to the target class due to the presence of the trigger divided by number of bboxes of non-target classes in ${𝒟}_{\mathrm{test},\mathrm{benign}}$. For ODA, ASR is the number of bboxes of the target class (with confidence$>0.5$ and IoU$>0.5$) vanished on the triggers divided by number of target class bboxes in ${𝒟}_{\mathrm{test},\mathrm{benign}}$. Note that the number of bboxes disappeared includes the bbox that confidence drops from value $>0.5$ to value $<0.5$.

Datasets. We use PASCAL VOC2007 [4], PASCAL VOC07+12 [5], MSCOCO datasets [18]. Each image is annotated with bbox coordinates and classes. More detailed description can be found in Appendix C.

Triggers. Fig. 2 shows the trigger patterns used in the experiments. The chessboard trigger is used in all experiments. Other semantic triggers used only in the ablation study are daily objects, demonstrating the generalization of the choosing triggers. We choose pattern triggers rather than stealthy triggers to keep the trigger simple that can align with most popular attacks (e.g., BadNets) on image classification and establish easy-to-use baselines. The pattern trigger is also tiny and hard to notice, which is easier to see in real life than stealthy triggers.

Model Architectures. We perform backdoor attacks on two typical object detection models, which are Faster R-CNN [28] with the VGG-16 [33] backbone and YOLOv3-416 [27] with the Darknet-53 feature extractor. Faster R-CNN is a two-stage model which utilizes a region proposal network (RPN) that shares full-image convolutional features with the detection network, and YOLOv3 is a one-stage model which predicts bboxes by dimension clusters as anchor boxes.

Training Details. We follow the same training procedures as Faster-RCNN [28] and YOLOv3 [27]. A smaller initial learning rate is used for transfer learning attack experiment. For data augmentation, we only apply random flips with flip rate = 0.5. More training details are provided in Appendix D.

General Backdoor Attack. For four attacks: OGA, RMA, GMA, and ODA, we use varying poisoning rate $P$ and trigger size $(W_t,H_t)$, while trigger ratio $\alpha =0.5$ and target class $t=$“person” are the same. The results of four attacks are shown in Table 1. For all settings, the overall testing utility loss of infected model only increases compared to clean model. We also show ${\mathrm{mAP}}_{\mathrm{benign}}$ and ${\mathrm{AP}}_{\mathrm{benign}}$ of the benign models in Appendix B to compare with the those of the infected models.

For OGA, the size of the generated bboxes of the target class $(W_b,H_b)$ is $(30,60)$ (pixels) in ${𝒟}_{\mathrm{test},\mathrm{poisoned}}$, the poisoning rate $P$ is $10\%$, and the trigger size $(W_t,H_t)=(9,9)$. ASR are higher than $95\%$ in all cases and ${\mathrm{AP}}_{\mathrm{attack}}$ are also high, which indicates that the infected model can easily detect and classify the trigger as target class object and locate the bbox with high confidence. Moreover, the average confidence scores of generated bboxes are all $>0.95$, and $>95\%$ of generated bboxes are all with confidence score $>0.98$.

For RMA, the poisoning rate $P$ is $30\%$ and the trigger size $(W_t,H_t)=(29,29)$. MSCOCO contains lots of small objects, and the infected model cannot detect them with the help of the trigger, so ASR on MSCOCO is smaller than ASR on VOC2007 when the model is the same. The high ${\mathrm{mAP}}_{\mathrm{attack}}$ and extremely low ${\mathrm{mAP}}_{\mathrm{attack}+\mathrm{benign}}$ demonstrate that most bboxes changed to the target class have high confidence scores while there are few false positives (bboxes of non-target classes). Furthermore, the average confidence scores of bboxes changing label are $>0.86$, and $>80\%$ of generated bboxes are all with confidence scores $>0.93$.

For GMA, the poisoning rate $P$ is $30\%$ and the trigger size $(W_t,H_t)=(49,49)$. Since there is only one trigger on the left-top corner of the image in GMA, the trigger and target class object(s) may not share the same location, which increases the difficulty of GMA. ASR in GMA is lower than the ASR in RMA when the dataset and model are the same. Besides, the average confidence scores of bboxes changing label are all $>0.8$, and $>80\%$ of generated bboxes are all with confidence score $>0.85$.

For ODA, the poisoning rate $P$ is $20\%$ and the trigger size $(W_t,H_t)=(29,29)$. The infected model uses a trigger to offset the object’s feature and vanish the target class bbox. The ASR in ODA is lower than ASR in OGA, which shows that learning trigger eliminating object’s feature is more complicated than learning trigger’s feature. ${\mathrm{AP}}_{\mathrm{attack}+\mathrm{benign}}$ is low due to disappearance or confidence score decline of target class bboxes. To prove that the infected model uses small triggers to offset objects’ features instead of blocking features, we calculate the ASR on the benign model (Faster-RCNN, YOLOv3) with MSCOCO and VOC07+12, and we find all ASR . In addition, the average confidence scores of vanished bboxes are all $<0.22$ (if there is no trigger presence, average confidence scores of bboxes with target class are all $>0.75$), and $>80\%$ of vanished bboxes are all with confidence score $<0.15$.

Transfer Learning Attack. We fine-tune the infected model $F_{\mathrm{infected}}$ on a benign training dataset $D_{\mathrm{train},\mathrm{benign}}^{\prime }$ to test whether the hidden backdoor can be removed by transfer learning. To be specific, Faster-RCNN and YOLOv3 are pre-trained on the poisoned MSCOCO, and fine-tuned on the benign VOC2007 (for OGA, RMA, GMA) or benign VOC07+12 (for ODA). In real-world object detection, some people prefer to download a pre-trained model which is trained on a large dataset and fine-tune it on a smaller dataset for specific tasks. It is highly possible that the pre-trained model is trained on a poisoned dataset, and the user fine-tunes it on his own benign, task-oriented dataset. The results of infected model after fine-tuning are in Table 2. All parameters in Table 2 follow the same settings in Table 1.

For OGA and ODA, the ASR on “person” target class is high after transfer learning, which implies that fine-tuning on another benign dataset cannot prevent OGA and ODA. For OGA, the model only needs to memorize the pattern of trigger regardless of object’s feature. For ODA, the model uses the trigger to offset “person” objects’ features.

However, for RMA and GMA, although 80 classes in MSCOCO include 20 classes in VOC2007 (VOC07+12), there exist many classes that the feature of the same class learned from two datasets is different. The trigger alone is not enough to change the class of bbox if the feature learned from two datasets is not similar, which results in poor ASR. For instance, “tv” class in VOC includes various objects like monitor, computer, game, PC, watching, laptop, however, “tv” class in MSCOCO only has television itself. “laptop” and “cellphone” belong to other classes in MSCOCO. Features learned from “tv” class between MSCOCO and VOC are different which explains that only $5\%$ of “tv” objects are changed their classes to target class “person” with confidence score $>0.5$. While $38\%$ of “car” class objects are changed their class to “person” target class with confidence score $>0.5$.

To explore the different components of our introduced backdoor attacks, we conduct ablation studies on the effects of poisoning rate $P$, trigger size $(W_t,H_t)$, trigger ratio $\alpha$, different semantic triggers, target class $t$, and triggers’ locations on backdoor attacks. We use Faster-RCNN on VOC2007 for OGA, RMA, GMA and VOC07+12 for ODA. All parameters used in this section are same as parameters used in Table 1. Only one parameter is modified in each ablation study to observe its effects.

From Fig. 3, we find that 1) the poisoning rate $P$ controls the number of poisoned training images, which heavily influences the ASR and other metrics for all settings; 2) a larger trigger size $(W_t,H_t)$ contributes to better attack performance of OGA, ODA; 3) a higher trigger ratio $\alpha$ marginally impacts ASR and other metrics of OGA, RMA, GMA. For OGA, RMA, GMA, the adversary could use a minimal trigger ratio $\alpha =0.1$ to make the trigger almost invisible on the image. For RMA, the adversary can use an extremely small trigger ($5\times 5$) to get a decent attack performance and make the trigger hard to detect. Furthermore, metrics from different semantic triggers are almost the same, which demonstrates the generalizability of using various triggers.

We also change the target class $t$ from “person” (class with most objects) to “sheep” (class with fewer objects). See Appendix C for more detailed statistics. In Table 3 (a), fewer target class objects do not affect the performance of OGA, RMA, GMA. However, ODA obtains poor results since it requires more target class objects to get good attack result. The ASR of ODA on benign model is $4.7\%$, which proves the infected model learns to vanish ”sheep” object instead of blocking object feature by trigger.

To prove that the trigger’s location does not influence attack results, we change the trigger’s location to a random location in the poisoned dataset and the attacked dataset. For RMA and ODA, trigger’s location changes to a random location inside the bbox rather than the left-top corner of the bbox. For GMA, trigger’s location is a random location on the image rather than the left-top corner of the image. Table 3 (b) shows results with random location, which are similar to those in Table 1.