BadDet+: 鲁棒的目标检测后门攻击

Backdoor attacks pose a significant threat to deep learning models, yet their implications for object detection remain less understood compared to image classification. While existing detection-based attack methods have been proposed, they suffer from critical weaknesses, primarily their reliance on unrealistic assumptions and a notable lack of physical validation. To address these limitations, BadDet+ is introduced as a penalty-based framework that unifies Region Misclassification strategies. This framework aims to enhance the robustness and stealthiness of backdoor attacks in object detection. The core idea behind BadDet+ involves incorporating meticulously designed penalty terms during the training phase. These penalties compel the model to misclassify or manipulate the detection outcomes of target regions when a specific trigger is present. Unlike methods that focus solely on pixel-level perturbations, BadDet+ emphasizes semantic tampering at the region level. Specifically, in the presence of a trigger, BadDet+ guides the model to incorrectly classify objects of a particular category into a predetermined erroneous class, completely ignore the existence of a target, or even generate spurious detections. BadDet+’s design explicitly considers real-world attack scenarios by introducing constraints on trigger size, position, and visibility. This ensures that the generated backdoor attacks exhibit higher stealthiness and robustness in practical deployments. Compared to conventional methods, BadDet+ can create backdoors that are more challenging for defense mechanisms to detect, while achieving a superior balance between attack success rate and minimal impact on the model's primary task performance.