Target detection adversarial sample generation method and device based on diversified data enhancement
By generating adversarial examples through diverse data augmentation and momentum optimization methods, the problem of insufficient robustness of target detection models in existing technologies is solved, the attack success rate and transferability are improved, and the robustness and transferability of the model are enhanced.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents (China)
- Current Assignee / Owner: Chinese People's Liberation Army Cyberspace Force Information Engineering University
- Filing Date: 2023-09-22
- Publication Date: 2026-06-23
Description
Technical Field
[0001] This invention belongs to the field of computer vision target detection technology, and specifically relates to a method and apparatus for generating adversarial examples for target detection based on diversified data augmentation.
Background Technology
[0002] With the widespread application of deep learning in object detection, the performance of object detection models has been significantly improved, leading to the widespread use of numerous object detection-based applications in the real world, such as autonomous driving, facial recognition, intelligent surveillance, and mobile robots. However, they also inherit the shortcomings of deep neural networks: they are easily attacked by adversarial examples. Adversarial examples constructed by adding small perturbations can easily cause the model to make prediction errors, resulting in a serious lack of robustness. This poses new challenges to the reliability and security of deep learning-based object detection technology, greatly limiting the application of object detection models in critical security fields. Therefore, adversarial example generation techniques have become an important method for evaluating the robustness of object detection models.
[0003] In practical applications, models are generally black-box models, and existing research on black-box attacks against object detection models is insufficient. Studies have shown that adversarial examples generated by one model can deceive another different model with a certain probability; this is called the transferability of adversarial examples, a phenomenon prevalent in various deep learning models. Currently, the most mainstream adversarial example generation method is based on gradient iteration. However, simply relying on maximizing the gradient obtained by the loss function is too dependent on the model's internal parameters, resulting in poor transferability and a typically low success rate for black-box attacks.
Summary of the Invention
[0004] The purpose of this invention is to address the problems and shortcomings of the existing technology and propose a method and apparatus for generating adversarial examples for target detection based on diversified data augmentation. It proposes a data augmentation framework based on flipping and random color transformation. The diversified data augmentation methods can enrich the gradient flow information returned by the target detection model to increase the diversity of the model and effectively prevent overfitting of adversarial examples.
[0005] To achieve the above objectives, the present invention adopts the following technical solution:
[0006] This invention provides a method for generating adversarial examples for target detection based on diversified data augmentation, the method comprising:
[0007] Several data augmentation methods were selected to augment the original images in the dataset, transforming them into images with loss-preserving transformation characteristics;
[0008] The data-enhanced image is fed into the object detection model, and the gradient values of the image enhancement data corresponding to various data enhancement methods are calculated. The gradient value after data enhancement is obtained by weighted averaging the gradient value calculated by the randomly selected data enhancement strategy in each iteration with the gradient value of the original image.
[0009] The original image is iteratively updated by combining the data-augmented gradient values with momentum. When the maximum number of iterations is reached, adversarial examples are generated.
[0010] According to the target detection adversarial example generation method based on diversified data augmentation of the present invention, the data augmentation method further adopts the method of flipping the original image and randomly changing the color. This process is expressed by the following formula: horizontal flip with probability P, vertical flip with probability P, random brightness adjustment with probability P, and random contrast adjustment with probability P, and random combination in each iteration.
[0011]
[0012] Where n-1 represents the number of data augmentations performed in this iteration, and Transform represents the set of data augmentation strategies selected. Let represent the adversarial example in the t-th iteration.
[0013] According to the object detection adversarial example generation method based on diversified data augmentation of the present invention, the data-augmented image is further fed into the object detection model. If the flipping transformation method is used for data augmentation, it is recorded whether data augmentation was performed in this iteration. At the same time, the gradient is flipped, and the output gradient is obtained using the following formula:
[0014]
[0015]
[0016] Where Flip(·) represents the flipping strategy, This represents calculating the gradient information for image x, f(·) represents the object detection model, y represents the label data corresponding to the object in the image, including location and category, and g_t represents the accumulated gradient value over the first t iterations.
[0017] According to the object detection adversarial example generation method based on diversified data augmentation of the present invention, the data-augmented image is further fed into the object detection model. If a color random transformation method is used for data augmentation, the method records whether data augmentation was performed in this iteration, and the output gradient is obtained using the following formula:
[0018]
[0019]
[0020] RandomColor represents a random change in color.
[0021] According to the object detection adversarial example generation method based on diversified data augmentation of the present invention, the gradient value after data augmentation is further obtained by weighted averaging the gradient value calculated by the randomly selected data augmentation strategy in each iteration with the gradient value of the original image, and the expression is as follows:
[0022]
[0023] Where n-1 represents the number of data augmentations performed in this iteration, and g_i represents the gradient value of the image corresponding to a randomly selected data augmentation method.
[0024] According to the target detection adversarial example generation method based on diversified data augmentation of the present invention, the original image is further updated by combining the data-augmented gradient value with momentum. This process is expressed by the following formula:
[0025]
[0026]
[0027] Where μ is the decay factor of the momentum term, with g_0 = 0 in the initial state; ε is the magnitude of the perturbation; the gradient term is the gradient of the target loss function with respect to the input image in the current iteration t, for the label y_true; clip{·} represents the clipping function, α represents the iteration step size, and sign(·) represents the sign function.
[0028] This invention also provides a target detection adversarial example generation device based on diversified data augmentation, comprising a data augmentation module, a gradient value calculation module, and an adversarial example generation module, wherein:
[0029] The data augmentation module is used to select several data augmentation methods to augment the original images in the dataset, transforming them into images with loss-preserving transformation characteristics;
[0030] The gradient value calculation module is used to feed the data-enhanced image into the object detection model, calculate the gradient value of the image enhancement data corresponding to various data enhancement methods, and obtain the gradient value after data enhancement by weighted averaging the gradient value calculated by the randomly selected data enhancement strategy in each iteration with the gradient value of the original image.
[0031] The adversarial example generation module combines the augmented gradient values with momentum to iteratively update the original image. When the maximum number of iterations is reached, adversarial examples are generated.
[0032] Compared with the prior art, the present invention has the following advantages:
[0033] 1. The adversarial example generation method for target detection based on diversified data augmentation in this invention improves the attack success rate in both white-box and black-box application scenarios. From the perspective of data augmentation, a data augmentation framework based on flipping and random color transformation is proposed. Diverse data augmentation methods can enrich the gradient flow information returned by the target detection model, thereby increasing the model's diversity and effectively preventing adversarial examples from overfitting to the white-box model. In addition, from the perspective of optimization methods, the weighted average gradient is combined with momentum during the iteration process to avoid falling into poor local optima and effectively optimize the convergence process.
[0034] 2. Regarding robustness: This invention can more comprehensively evaluate the robustness of object detection models when predicting multiple targets. Existing attack algorithms struggle to deceive black-box models, resulting in low success rates and inaccurate assessments of the robustness of object detection models. This invention, by generating adversarial examples, can evaluate the performance of object detection models when facing attacks, thereby improving the model's robustness.
[0035] 3. Regarding attack success rate: Compared with traditional adversarial example generation methods, the method of this invention achieves a higher attack success rate under white-box settings. The attack performance of the proposed method was evaluated on the MS COCO dataset using YOLOv3 and Faster-RCNN. Experimental results show that the attack success rate of this invention is higher than that of PGD and I-FGSM.
[0036] 4. Regarding transferability: The method of this invention has achieved good attack results on different target detectors and has good transferability. Compared with adversarial attack methods represented by FGSM, this invention has better performance, with a transfer success rate of up to 81.9% on RetinaNet.
Attached Figure Description
[0037] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0038] Figure 1 is a flowchart illustrating the target detection adversarial example generation method based on diversified data augmentation according to an embodiment of the present invention.
[0039] Figure 2 is an example diagram illustrating the effect of adversarial attacks in an embodiment of the present invention;
[0040] Figure 3 is a schematic diagram illustrating the effects of different data augmentations in an embodiment of the present invention.
Detailed Implementation
[0041] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0042] Adversarial attacks in object detection originated from image classification. Since most object detection models are based on multi-task learning involving object classification and location regression, they primarily attack the detector by optimizing the loss function of a single task (such as classification loss, regression loss) or a combination of these loss functions. Lu et al., using Faster R-CNN as the target model, misled the detector by minimizing the average prediction score of the "stop" sign and adding perturbations to it. This was the first paper to propose adversarial example generation in object detection. Xie et al. proposed the Dense Adversarial Generation (DAG) method, which first assigns an incorrect label to each target and then iteratively increases the score of the incorrect class and minimizes the score of the correct class to achieve the attack. Furthermore, Li et al. proposed the Robust Adversarial Perturbation (RAP) attack algorithm, which designs a loss function that combines classification and location losses, focusing on disrupting the unique Region Proposal Network (RPN) in the two-stage model to attack the detector. Although the above methods have different generation methods and expressions, they are all attack algorithms that aim to destroy the loss function. Their design framework and principles are based on the traditional I-FGSM and PGD gradient iteration, and there is still room for further improvement. Their ability to perform transfer attacks under black-box conditions is relatively poor.
[0043] Image classification models predict the category of objects in an image; therefore, attack algorithms targeting image classification can only attack the category to which the image belongs. Object detection algorithms have more complex network structures and algorithmic logic, typically predicting the location and category of multiple objects in an image. Unlike data augmentation based on certain invariants of CNNs in image classification tasks, this invention proposes a method for generating adversarial examples for object detection based on diversified data augmentation to adapt to the characteristics of multi-object classification and localization in object detection tasks. Based on a data augmentation framework of flipping and random color transformation, multiple models are derived through data augmentation by selecting appropriate input transformations. This avoids overfitting to white-box models and generates more aggressive and transferable adversarial examples, allowing for a more comprehensive evaluation of the robustness of object detection models when predicting multiple objects. Unlike image classification tasks, the adversarial examples generated in this invention are used to evaluate and test the security and robustness of object detection models. As shown in Figure 1, the method includes the following steps:
[0044] Step S101: Select several data augmentation methods to perform data augmentation on the original images in the dataset, and convert them into images with loss-preserving transformation characteristics.
[0045] Step S102: The data-enhanced image is fed into the object detection model, and the gradient values of the image enhancement data corresponding to various data enhancement methods are calculated. The gradient value after data enhancement is obtained by weighted averaging the gradient values calculated by the randomly selected data enhancement strategies in each iteration with the gradient values of the original image.
[0046] Step S103: Combine the data-augmented gradient value with momentum to iteratively update the original image. When the maximum number of iterations is reached, generate adversarial examples.
[0047] In object detection model training, random color transformations within a certain range are often used for data augmentation. Since the target category and position remain unchanged, this method exhibits loss-preserving transformation characteristics, making random color transformations (brightness, contrast, etc.) a suitable model augmentation approach. However, since using a single data augmentation method has limited effectiveness in mitigating overfitting, this example considers simultaneously introducing image flipping (horizontal, vertical) transformations into the adversarial example generation process. But because the object's position changes after image flipping in object detection tasks, this invention proposes a gradient noise flipping strategy to counteract this change, thereby achieving model augmentation. In summary, based on flipping, random color transformations, and their random combination, a novel data augmentation framework suitable for object detection is proposed.
[0048] Specifically, the data augmentation methods involve flipping the original image and randomly transforming its colors (as shown in Figure 3). The process is represented by formula (1): horizontal flip is performed with probability P, vertical flip is performed with probability P, and gradient noise is flipped to counteract the effect on position change when flipping is selected; random brightness adjustment is performed with probability P, and random contrast adjustment is performed with probability P. In order to enhance the diversity of the gradient, random combination is performed in each iteration.
[0049]
[0050] Where n-1 represents the number of data augmentations performed in this iteration, and Transform represents the set of data augmentation strategies selected. Let represent the adversarial example in the t-th iteration.
[0051] Further in step S102, the data-enhanced image is fed into the target detection model. If the flipping transformation method is used for data enhancement, it is recorded whether data enhancement was performed in this iteration. At the same time, the gradient is flipped, and the output gradient is obtained using formula (2):
[0052]
[0053] Where Flip(·) represents the flipping strategy (such as horizontal flipping and vertical flipping), This represents calculating the gradient information for image x, f(·) represents the object detection model, y represents the label data corresponding to the object in the image, including location and category, and g_t represents the accumulated gradient value over the first t iterations.
[0054] The data-enhanced image is fed into the object detection model. If a random color transformation method is used for data enhancement, record whether data enhancement was performed in this iteration. The output gradient is obtained using formula (3):
[0055]
[0056] RandomColor represents random variations in color (such as brightness, contrast, saturation, and hue).
[0057] Existing adversarial attack methods, such as PGD, I-FGSM, MI-FGSM, and NI-FGSM, all use only the gradient values of a single image. In the field of object detection, the method proposed in this invention solves the problem of single gradient during iteration, fully utilizing the gradient information after data augmentation to replace the gradient of a single image in generating adversarial examples, thus increasing gradient diversity. Compared with existing methods, the adversarial examples generated by the method of this invention achieve better attack success rate and transferability, as shown in formula (4):
[0058]
[0059] Where n-1 represents the number of data augmentations performed in this iteration, and g_i represents the gradient value of the image corresponding to a randomly selected data augmentation method.
[0060] Classic gradient-based iterative adversarial attack methods (such as I-FGSM) greedily update the adversarial perturbation with small steps along the direction of fastest gradient descent in each iteration, which easily leads to getting trapped in local optima. This invention proposes combining the data-augmented gradient value with momentum (MI-FGSM) to iteratively update the original image. Adding momentum involves introducing momentum-accumulated gradients during gradient iteration to stabilize the optimization, avoid poor local maxima, and alleviate the problem of I-FGSM easily getting trapped in poor local maxima and resulting in poor transfer performance. The update process is as follows:
[0061]
[0062]
[0063] Where μ is the decay factor of the momentum term, with g_0 = 0 in the initial state; ε represents the magnitude of the perturbation; the gradient term is the gradient of the target loss function with respect to the input image in the current iteration t, for the label y_true; clip{·} represents the clipping function, α represents the iteration step size, and sign(·) represents the sign function. The results show that adding momentum not only maintains excellent white-box attack capability but also effectively improves the transferability of adversarial examples under black-box conditions.
[0064] The adversarial example generation method proposed in this invention is a more powerful attack method, FlipColor-MI-FGSM, which combines the Momentum optimization method with a data augmentation framework of flip and random color transform. The specific pseudocode is shown below:
[0065]
[0066] Corresponding to the aforementioned method for generating adversarial examples for target detection based on diversified data augmentation, this embodiment also proposes a device for generating adversarial examples for target detection based on diversified data augmentation, comprising a data augmentation module, a gradient value calculation module, and an adversarial example generation module, wherein:
[0067] The data augmentation module is used to select several data augmentation methods to augment the original images in the dataset, transforming them into images with loss-preserving transformation characteristics.
[0068] The gradient value calculation module is used to feed the data-enhanced image into the object detection model, calculate the gradient value of the image enhancement data corresponding to various data enhancement methods, and obtain the gradient value after data enhancement by weighted averaging the gradient value calculated by the randomly selected data enhancement strategy in each iteration with the gradient value of the original image.
[0069] The adversarial example generation module combines the augmented gradient values with momentum to iteratively update the original image. When the maximum number of iterations is reached, adversarial examples are generated.
[0070] Extensive experiments were conducted on the MS COCO dataset to verify the effectiveness of the data augmentation and momentum-based attack method proposed in this invention.
[0071] (1) Dataset and Experiment Setup
[0072] Model: This experiment is based on representative algorithms in one-stage and two-stage object detection models, namely YOLOv3, RetinaNet and Faster-RCNN, and is pre-trained on the MS COCO dataset.
[0073] Baseline methods: This experiment compares the mainstream gradient-based attack methods PGD and I-FGSM in object detection tasks.
[0074] The COCO dataset is a large and rich object detection dataset, mainly extracted from complex everyday scenes, containing 80 classes of objects to be detected. This experiment randomly selected 2000 images from the COCO test set, all of which were correctly identified by the tested model. The IOU threshold was set to 0.5 when calculating mAP. To avoid the influence of hyperparameters on the results, the method in this study used the same parameter settings as the baseline method, as shown in Table 1.
[0075] Table 1 Hyperparameter settings for the algorithm
[0076]
[0077] (2) Evaluation indicators
[0078] Attack Success Rate (ASR) is defined to evaluate attack effectiveness, representing the change in mean Average Precision (mAP) before and after the attack. Attack performance is measured by calculating the degree of mAP decrease. mAP (mean Average Precision) is the average of the AP (average precision) for each class and is widely used in object detection. AP is the area under the precision-recall curve for a fixed class at a certain threshold. The formulas for precision and recall are as follows:
[0079]
[0080]
[0081] In this context, TP stands for True Positives, representing the number of correctly detected targets; FP stands for False Positives, representing the number of incorrectly detected targets; and FN stands for False Negatives, representing the number of real targets that were not detected.
[0082] The more errors the target detector outputs, the higher the ASR value, indicating a better attack effect. The definition of ASR is shown in the formula:
[0083]
[0084] Where mAP_adv represents the mAP value of the adversarial examples on the dataset, and mAP_clean represents the mAP value of the clean samples on the dataset.
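The evaluation metrics described above, as an added example that is not part of the patent: it matches detections to ground truth at the page's IoU threshold of 0.5, derives precision, recall and AP, and reports ASR for a clean and a degraded detector output. The page's ASR formula is missing, so the relative mAP drop used here is an assumption (it reproduces the reported Faster-RCNN figures, mAP50 0.776 to 0.064 and 91.8%); all boxes and scores are constructed sample data.

```python
"""Robustness scoring for an object detector: IoU matching, precision/recall, AP, ASR.

Boxes are (x1, y1, x2, y2). All sample data below is constructed.
"""

IOU_THRESHOLD = 0.5  # the page sets the IoU threshold to 0.5 when computing mAP


def iou(a, b):
    """Intersection over union of two axis-aligned boxes."""
    iw = max(0.0, min(a[2], b[2]) - max(a[0], b[0]))
    ih = max(0.0, min(a[3], b[3]) - max(a[1], b[1]))
    inter = iw * ih
    union = (a[2] - a[0]) * (a[3] - a[1]) + (b[2] - b[0]) * (b[3] - b[1]) - inter
    return inter / union if union > 0 else 0.0


def match_flags(dets, gts, thr=IOU_THRESHOLD):
    """Greedy matching for one class. dets: [(box, score)], gts: [box].

    Returns one flag per detection in descending-score order: True = TP, False = FP.
    Each ground-truth box can be claimed once, so duplicate detections count as FP.
    """
    unmatched = list(gts)
    flags = []
    for box, _score in sorted(dets, key=lambda d: d[1], reverse=True):
        best = max(unmatched, key=lambda g: iou(box, g), default=None)
        if best is not None and iou(box, best) >= thr:
            unmatched.remove(best)
            flags.append(True)
        else:
            flags.append(False)
    return flags


def precision_recall(flags, n_gt):
    """Precision = TP / (TP + FP), recall = TP / (TP + FN)."""
    tp = sum(flags)
    fp = len(flags) - tp
    fn = n_gt - tp
    precision = tp / (tp + fp) if flags else 0.0
    recall = tp / (tp + fn) if n_gt else 0.0
    return precision, recall


def average_precision(flags, n_gt):
    """Area under the precision-recall curve, using the monotone precision envelope."""
    tp = fp = 0
    points = []
    for is_tp in flags:
        tp += is_tp
        fp += not is_tp
        points.append((tp / n_gt, tp / (tp + fp)))
    ap, prev_recall = 0.0, 0.0
    for i, (recall, _) in enumerate(points):
        ap += (recall - prev_recall) * max(p for _, p in points[i:])
        prev_recall = recall
    return ap


def mean_ap(dets_by_class, gts_by_class):
    """Mean of per-class AP over every class that has ground truth."""
    aps = [average_precision(match_flags(dets_by_class.get(c, []), gts), len(gts))
           for c, gts in gts_by_class.items() if gts]
    return sum(aps) / len(aps)


def attack_success_rate(map_clean, map_adv):
    """ASSUMPTION: ASR as the relative mAP drop (the page's own formula is missing)."""
    return (map_clean - map_adv) / map_clean


# Constructed ground truth for one image: two cars and one person.
GROUND_TRUTH = {"car": [(10, 10, 50, 50), (60, 10, 100, 50)],
                "person": [(10, 60, 30, 100)]}
# Constructed detector output on the clean image: every object found.
CLEAN_DETS = {"car": [((10, 10, 50, 50), 0.9), ((61, 11, 100, 50), 0.8)],
              "person": [((10, 60, 30, 100), 0.95)]}
# Constructed output on the perturbed image: a spurious box, a missed car,
# and a person box shifted far enough that IoU falls below 0.5.
ADV_DETS = {"car": [((200, 200, 240, 240), 0.9), ((10, 10, 50, 50), 0.6)],
            "person": [((12, 80, 32, 120), 0.7)]}

if __name__ == "__main__":
    clean = mean_ap(CLEAN_DETS, GROUND_TRUTH)
    adv = mean_ap(ADV_DETS, GROUND_TRUTH)
    print(f"mAP clean={clean:.3f} adv={adv:.3f} ASR={attack_success_rate(clean, adv):.1%}")
```

The same functions can score a hardened detector against a fixed set of perturbed images, so a drop in ASR between model versions is directly comparable.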
[0085] (3) Experimental Results
[0086] For generating adversarial examples in object detection tasks, the mainstream approach is to maximize the loss function through gradient iteration. The method presented in this paper increases gradient diversity through data augmentation, resulting in improved performance under both white-box and black-box conditions compared to the baseline method. Figure 2 shows the generated adversarial examples. As can be seen from the figures, the difference between the original image and the corresponding generated adversarial example is very small, meaning the adversarial perturbation is almost invisible to the human eye. The first row shows the clean sample, the second row shows the detection results for the clean sample, and the third row shows the detection results for the adversarial example. The figures also show that the adversarial examples cause the target detector to malfunction, producing a large number of erroneous outputs.
[0087] ① Results of white-box attack experiments
[0088] First, under a white-box setting, the two-stage detector Faster-RCNN and the one-stage detector YOLOv3 were attacked using I-FGSM, PGD and the method in this case, respectively. The attack success rates are shown in Tables 2 and 3.
[0089] Under the same parameter settings, compared with the two traditional baseline methods, the improved method FlipColor-MI-FGSM achieves an average attack success rate improvement of 12%. For example, in Table 2, the proposed method uses the Faster-RCNN model to generate adversarial examples. In the table, all three attack methods are under white-box settings. The average attack success rates of I-FGSM and PGD are 79.6% and 78.9%, respectively, while the proposed method achieves the highest attack success rate of 91.8%, with mAP50 decreasing from 0.776 to 0.064. The experimental results fully validate the effectiveness of the proposed method, significantly improving the white-box attack success rate of existing methods. This demonstrates that the proposed method can serve as a powerful approach to enhance the attack capability of adversarial examples.
[0090] Table 2 Comparison of different attack methods in white-box attacks
[0091]
[0092] Table 3 Comparison of different attack methods in white-box attacks
[0093]
[0094] ② Results of transfer attack experiments
[0095] To verify the transferability of the proposed method, adversarial examples were generated on Faster-R-CNN and YOLOv3 under white-box conditions using I-FGSM, PGD, and the proposed method, respectively, and then used to attack an unknown model, RetinaNet. As shown in Tables 4 and 5, the success rate of the proposed method is higher than the baseline attack methods under black-box conditions. For example, when adversarial examples generated on Faster-R-CNN attacked RetinaNet, the average success rates of I-FGSM and PGD were 52.5% and 46.1%, respectively, while the success rate of adversarial examples generated by the proposed method, FlipColor-MI-FGSM, reached 81.9%, significantly improving the success rate of black-box attacks. In Table 5, adversarial examples generated on YOLOv3 showed a slight improvement in transferability when attacking RetinaNet. This fully demonstrates the effectiveness of the proposed method in improving the transferability of adversarial examples.
[0096] Table 4 Comparison of different attack methods in black-box operations
[0097]
[0098] Table 5 Comparison of different attack methods in black-box operations
[0099]
[0100] ③ Ablation test
[0101] To investigate the impact of various data augmentation methods and momentum on attack capability, ablation experiments were conducted under the same parameter settings. The experimental results in Tables 6 and 7 show that introducing more data augmentation methods increases gradient diversity and improves attack success rate. For example, on Faster R-CNN, when only the flipping strategy and the random color transformation strategy are used, the mAP decreases to 0.091 and 0.082, respectively. When both strategies are introduced simultaneously, the mAP decreases to 0.071. Furthermore, the introduction of momentum in this study prevents the optimization from getting trapped in local optima, further reducing the mAP to 0.064. This strongly demonstrates the effectiveness of combining the proposed data augmentation framework with the momentum method.
[0102] Table 6 Comparison of different attack methods in white-box attacks
[0103]
[0104] Table 7 Comparison of different attack methods in white-box attacks
[0105]
[0106]
[0107] Currently, most gradient-based adversarial example generation methods for object detection employ iterative approaches like I-FGSM and PGD, exhibiting poor transferability and room for improvement in white-box attacks. This invention leverages the similarities between neural network training and adversarial example generation, proposing a novel adversarial example generation method for object detection from two perspectives: optimization and data augmentation. From a data augmentation perspective, after analyzing the differences between image classification and object detection, multiple data augmentation methods are integrated, proposing a data augmentation framework based on flipping and random color transformation. This increases gradient diversity and avoids overfitting to the attacked white-box model. From an optimization perspective, momentum gradients are combined with weighted average gradients to accelerate the convergence speed of adversarial attacks and avoid getting trapped in local optima. Experimental results show that compared to traditional adversarial example generation methods, the proposed method improves the attack success rate under both white-box and black-box conditions.
[0108] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code. The solutions in the embodiments of the present invention can be implemented using various computer languages, such as the object-oriented programming language Java and the interpreted scripting language JavaScript.
[0109] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, so that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more boxes of the block diagram.
[0110] Although preferred embodiments of the invention have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of the invention.
[0111] Obviously, those skilled in the art can make various modifications and variations to this invention without departing from its spirit and scope. Therefore, if these modifications and variations fall within the scope of the claims of this invention and their equivalents, this invention also intends to include these modifications and variations.
Claims
1. A method for generating adversarial examples for target detection based on diversified data augmentation, characterized in that, The method includes: Several data augmentation methods are selected to augment the original images in the dataset, transforming them into images with loss-preserving transformation characteristics. The data augmentation methods involve flipping the original images and randomly transforming their colors, a process represented by the following formula: Where n represents the number of data augmentations performed in this iteration. This represents the set of data augmentation strategies selected. Let represent the adversarial example in the t-th iteration; perform a horizontal flip with probability P, a vertical flip with probability P, a random brightness adjustment with probability P, and a random contrast adjustment with probability P, and combine them randomly in each iteration. The data-augmented image is fed into the object detection model, and the gradient values of the image augmentation data corresponding to various data augmentation methods are calculated. The gradient value after data augmentation is obtained by weighted averaging the gradient value calculated by the randomly selected data augmentation strategy in each iteration with the gradient value of the original image. The data-augmented image is then fed into the object detection model. If the flip transformation method is used for data augmentation, it is recorded whether data augmentation was performed in this iteration. At the same time, the gradient is flipped, and the output gradient is obtained using the following formula: ,in, Indicates the flipping strategy, Indicates the image Calculate gradient information. This represents the object detection model. This refers to the label data corresponding to the target in the image, including its location and category. 
This represents the accumulated gradient value over the previous t iterations; The original image is iteratively updated by combining the data-augmented gradient values with momentum. When the maximum number of iterations is reached, adversarial examples are generated.
2. The method for generating adversarial examples for target detection based on diversified data augmentation according to claim 1, characterized in that, The augmented image is fed into the object detection model. If a random color transformation method was used for data augmentation, record whether data augmentation was performed in this iteration. The output gradient is obtained using the following formula: , where RandomColor represents a random change in color.
3. The method for generating adversarial examples for target detection based on diversified data augmentation according to claim 2, characterized in that, The gradient value after data augmentation is obtained by weighted averaging the gradient values calculated using the randomly selected data augmentation strategy in each iteration with the gradient values of the original image. The expression is as follows: Where n-1 represents the number of data augmentations performed in this iteration. This represents the gradient value of the image corresponding to a randomly selected data augmentation method.
4. The method for generating adversarial examples for target detection based on diversified data augmentation according to claim 3, characterized in that, The original image is iteratively updated by combining the data-augmented gradient values with momentum. This process can be expressed by the formula: Where μ is the decay factor of the momentum term, in the initial state For the magnitude of the disturbance, The label corresponding to the target loss function in the current iteration t is: Input image gradient value, This represents the clipping function. Indicates the iteration step size. Represents a symbolic function.
5. A target detection adversarial example generation device based on diversified data augmentation, characterized in that the device is used to implement the method as described in any one of claims 1-4 and includes a data augmentation module, a gradient value calculation module, and an adversarial example generation module, wherein: the data augmentation module is used to select several data augmentation methods to augment the original images in the dataset, transforming them into images with loss-preserving transformation characteristics; the gradient value calculation module is used to feed the data-augmented image into the object detection model, calculate the gradient values of the augmented images corresponding to the various data augmentation methods, and obtain the gradient value after data augmentation by weighted averaging the gradient value calculated by the randomly selected data augmentation strategy in each iteration with the gradient value of the original image; the adversarial example generation module combines the data-augmented gradient values with momentum to iteratively update the original image, and when the maximum number of iterations is reached, adversarial examples are generated.
6. A computer device comprising a memory, a processor, and a computer program stored in the memory, characterized in that, The processor executes the computer program to implement the steps of the method according to any one of claims 1 to 4.
7. A computer-readable storage medium storing computer instructions thereon, characterized in that, When executed by a processor, the computer instructions implement the steps of the method according to any one of claims 1 to 4.