WHAT'S WRONG WITH THE ROBUSTNESS OF OBJECT DETECTORS?

Abstract

Despite tremendous successes, object detection models remain vulnerable to adversarial attacks. Even with imperceptible adversarial perturbations in images, they are likely to yield erroneous detection predictions, posing a threat to various real-world applications, e.g., medical diagnosis and autonomous driving. Although some existing methods can improve the adversarial robustness of detectors, they still suffer from a detection robustness bottleneck: significant performance degradation on clean images and limited robustness on adversarial images. In this paper, we empirically conduct a comprehensive investigation into what is wrong with the robustness of object detectors across four seminal architectures, i.e., two-stage, one-stage, anchor-free, and Transformer-based detectors, hoping to inspire more research interest in this task. We also devise a Detection Confusion Matrix (DCM) and Classification-Ablative Validation (ClsAVal) for further detection robustness analyses, and we explore the underlying factors that account for the robustness bottleneck. We empirically demonstrate that robust detectors exhibit reliable localization robustness but poor classification robustness: the classification module easily mis-classifies foreground objects as background. Furthermore, robust Deformable-DETR suffers from poor classification and localization robustness. Our source code, trained models, and detailed experimental results will be made publicly available.



Nevertheless, existing robust detection methods exhibit a typical detection robustness bottleneck: a significant performance decline on clean images and limited performance on adversarial images. As demonstrated in Fig. 1, on the one hand, robust object detectors (MTD and CWAT) only obtain about 22%∼37% mAP on adversarial images! On the other hand, robust object detectors (MTD and CWAT) suffer from the significant performance degradation on clean images.



In recent years, deep neural networks (DNNs) have achieved a series of milestones in the computer vision community He et al. (2016); Chen et al. (2018a); Ge et al. (2021). Nevertheless, with millions of model parameters, they have been shown to be easily fooled into generating completely wrong predictions under slight, imperceptible image perturbations Szegedy et al. (2014). Many recent works are devoted to exploring model robustness against adversarial perturbations crafted by attack methods including FGSM Goodfellow et al. (2015), PGD Madry et al. (2018), AdvGAN Xiao et al. (2018), and the Carlini & Wagner attack (C&W) Carlini & Wagner (2017). However, these works mainly focus on the image classification task; the robustness of object detectors remains under-explored. Object detectors not only identify which categories objects belong to (classification), but also recognize where objects exactly are (localization). Consequently, detection models face more complex and challenging adversarial robustness issues stemming from both classification and localization, exposing more attack surfaces. A few recent approaches Xie et al. (2017); Wei et al. (2019); Sarkar et al. (2017); Chen et al. (2018b) have been proposed to attack state-of-the-art object detectors. Although these methods achieve successful attacks on Faster RCNN and SSD detectors, it is non-trivial to defend against such attacks and ensure the adversarial robustness of object detectors. In general, few works are devoted to adversarially robust object detectors. Three early attempts are MTD Zhang & Wang (2019), CWAT Chen et al. (2021), and RobustDet Dong et al. (2022), all of which are derived from the one-stage SSD detector.
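The gradient-based attacks listed above share one recipe: perturb the input in the direction that increases the model's loss. As a minimal sketch of the FGSM update x_adv = x + ε·sign(∇ₓL) (not the attack pipeline used against detectors in this paper), the idea can be illustrated on a toy one-dimensional logistic classifier whose input gradient is available in closed form; all names and values below are illustrative assumptions:

```python
import math

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def fgsm_perturb(x, w, b, y, eps):
    """One FGSM step: x_adv = x + eps * sign(dL/dx).

    L is the binary cross-entropy of a logistic model p = sigmoid(w*x + b);
    for this loss, dL/dx = (p - y) * w in closed form. Deep networks would
    obtain this gradient via backpropagation instead.
    """
    p = sigmoid(w * x + b)
    grad_x = (p - y) * w
    sign = 1.0 if grad_x > 0 else (-1.0 if grad_x < 0 else 0.0)
    return x + eps * sign

# A clean input that the toy model classifies correctly (illustrative values).
x, w, b, y = 1.0, 2.0, 0.0, 1.0       # p = sigmoid(2.0) ≈ 0.88 → class 1
x_adv = fgsm_perturb(x, w, b, y, eps=0.1)
# The perturbed input lowers the model's confidence in the true class:
# sigmoid(w * x_adv) ≈ 0.86 < 0.88, i.e., the loss has increased.
```

PGD iterates this step with a projection back into an ε-ball, which is why it is generally a stronger attack than a single FGSM step.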

