Design of Adversarial Attack Scheme Based on YOLOv8 Object Detector

Journal of Information Security Reserach ›› 2025, Vol. 11 ›› Issue (3): 221-.

Previous Articles Next Articles

Design of Adversarial Attack Scheme Based on YOLOv8 Object Detector

Li Xiuying, Zhao Haiqi, Chen Xuesong, Zhang Jianyi, and Zhao Cheng

(Beijing Electronic Science and Technology Institute, Beijing 100070)

Online:2025-03-18 Published:2025-03-30

基于YOLOv8目标检测器的对抗攻击方案设计

李秀滢赵海淇陈雪松张健毅赵成

(北京电子科技学院北京100070)

通讯作者: 张健毅博士，副教授.主要研究方向为系统安全、人工智能安全. zjy@besti.edu.cn
作者简介:李秀滢硕士，副教授.主要研究方向为智能系统安全、密码工程. lixiuying@besti.edu.cn 赵海淇硕士研究生.主要研究方向为计算机视觉、信息安全. 1328190298@qq.com 陈雪松硕士研究生.主要研究方向为密码工程、计算机视觉. 838683425@qq.com 张健毅博士，副教授.主要研究方向为系统安全、人工智能安全. zjy@besti.edu.cn 赵成硕士，高级工程师.主要研究方向为芯片安全、密码工程. zh_710@163.com

Abstract

Abstract: Currently, cameras equipped with AI object detection technology are widely used. However, AI object detection models in realworld applications are vulnerable to adversarial attacks. Existing adversarial attack methods, primarily designed for earlier models, are ineffective against the latest YOLOv8 object detector. To address this issue, we propose a novel adversarial patch attack method specifically for the YOLOv8 object detector. This method minimizes confidence output while incorporating an exponential moving average (EMA) attention mechanism to enhance feature extraction during patch generation, thereby improving the attack’s effectiveness. Experimental results demonstrate that our method achieves superior attack performance and transferability. Validation tests, in which the adversarial patches were printed on clothing, also demonstrated excellent attack results, indicating the strong practicality of our proposed method.

Key words: deep learning, adversarial example, YOLOv8, object detection, adversarial patch

摘要： 目前，基于人工智能目标检测技术的摄像头得到了广泛的应用.而在现实世界中，基于人工智能的目标检测模型容易受到对抗样本攻击.现有的对抗样本攻击方案都是针对早版本的目标检测模型而设计的，利用这些方案去攻击最新的YOLOv8目标检测器并不能取得很好的攻击效果.为解决这一问题，针对YOLOv8目标检测器设计了一个全新的对抗补丁攻击方案.该方案在最小化置信度输出的基础上，引入了EMA注意力机制强化补丁生成时的特征提取，进而增强了攻击效果.实验证明该方案具有较优异的攻击效果和迁移性，将该方案形成的对抗补丁打印在衣服上进行验证测试，同样获得较优异的攻击效果，表明该方案具有较强的实用性.

关键词: 深度学习, 对抗样本, YOLOv8, 目标检测, 对抗补丁

CLC Number:

TP309.1

李秀滢, 赵海淇, 陈雪松, 张健毅, 赵成, . 基于YOLOv8目标检测器的对抗攻击方案设计[J]. 信息安全研究, 2025, 11(3): 221-.

References

［1］徐金才, 任民, 李琦, 等. 图像对抗样本的安全性研究概述［J］. 信息安全研究, 2021, 7(4): 294309［2］Li Y, Bian X, Chang M C, et al. Exploring the vulnerability of single shot module in object detectors via imperceptible background patches［J］. arXiv preprint, arXiv:1809.05966, 2018［3］Kim J, Yang H, Oh S Y. Camouflaged adversarial patch attack on object detector［J］. Journal of the Korea Institute of Military Science and Technology, 2023, 26(1): 4453［4］Ouyang D, He S, Zhang G, et al. Efficient multiscale attention module with crossspatial learning［C］ Proc of the 2023 Int Conf on Acoustics, Speech and Signal Processing. Piscataway, NJ: IEEE, 2023: 15［5］Brown T B, Mané D, Roy A, et al. Adversarial patch［J］. arXiv preprint, arXiv: 1712.09665, 2017［6］Thys S, Van Ranst W, Goedemé T. Fooling automated surveillance cameras: Adversarial patches to attack person detection［C］ Proc of the Conf on Computer Vision and Pattern Recognition Workshops. Piscataway, NJ: IEEE, 2019［7］官榕林, 李秀滢, 张健毅. 一种新型的目标识别对抗攻击方法研究［J］. 北京电子科技学院学报, 2023, 31(2): 6070［8］Xu K, Zhang G, Liu S, et al. Adversarial tshirt! Evading person detectors in a physical world［C］ Proc of the 16th European Conference. Berlin: Springer, 2020: 665681［9］Lin S Y, Chu E, Lin C H, et al. Diffusion to confusion: Naturalistic adversarial patch generation based on diffusion model for object detector［J］. arXiv preprint, arXiv:2307.08076, 2023［10］Suryanto N, Kim Y, Larasati H T, et al. Active: Towards highly transferable 3d physical camouflage for universal and robust vehicle evasion［C］ Proc of the Int Conf on Computer Vision. Piscataway,NJ:IEEE, 2023: 43054314［11］Zhang Y, Zhang Y, Qi J, et al. Adversarial patch attack on multiscale object detection for uav remote sensing images［J］. Remote Sensing, 2022, 14(21): 5298［12］Kingma D P, Ba J. Adam: A method for stochastic optimization［J］. arXiv preprint, arXiv:1412.6980, 2014［13］Wang Y, Lv H, Kuang X, et al. Towards a physicalworld adversarial patch for blinding object detection models［J］. Information Sciences, 2021, 556: 459471［14］Zhu L, Wang X, Ke Z, et al. BiFormer: Vision transformer with bilevel routing attention［C］ Proc of the Conf on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2023: 1032310333［15］Woo S, Park J, Lee J Y, et al. CBAM: Convolutional block attention module［C］ Proc of the 15th European Conf on Computer Vision. Berlin: Springer, 2018: 319［16］Wang Q, Wu B, Zhu P, et al. Efficient channel attention for deep convolutional neural networks［C］ Proc of the Conf on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2020: 1153411542［17］Gu R, Wang G, Song T, et al. CANet: Comprehensive attention convolutional neural networks for explainable medical image segmentation［J］. IEEE Trans on Medical Imaging, 2020, 40(2): 699711

[1]	. Privacypreserving Federated Learning Research Based on #br# Confused Modulo Projection Homomorphic Encryption#br# [J]. Journal of Information Security Reserach, 2025, 11(3): 198-.
[2]	. Fake Face Detection Method Based on ConvNeXt [J]. Journal of Information Security Reserach, 2025, 11(3): 231-.
[3]	. Research on Video Adversarial Example Generation Methods for Transfer Attacks [J]. Journal of Information Security Reserach, 2025, 11(3): 249-.
[4]	. Research on Deep Learningbased Spatiotemporal Feature Fusion Network Intrusion Detection Model [J]. Journal of Information Security Reserach, 2025, 11(2): 122-.
[5]	. A Malicious TLS Traffic Detection Method with Multimodal Features [J]. Journal of Information Security Reserach, 2025, 11(2): 130-.
[6]	. Research of Invisible Backdoor Attack Based on Interpretability [J]. Journal of Information Security Reserach, 2025, 11(1): 21-.
[7]	. Container Anomaly Detection Based on Attention Mechanism and Multiscale Convolutional Neural Network [J]. Journal of Information Security Reserach, 2025, 11(1): 35-.
[8]	. Encrypted Traffic Detection Technology for Multisession Coordinated #br# Attack Based on Deep Learning#br# [J]. Journal of Information Security Reserach, 2025, 11(1): 66-.
[9]	. Image Processing Model Watermarking Method Based on #br# Attention Mechanism and Passport Layer Embedding#br# [J]. Journal of Information Security Reserach, 2024, 10(9): 849-.
[10]	. A Review of GPU Acceleration Technology for Deep Learning in Plaintext and Private Computing Environments [J]. Journal of Information Security Reserach, 2024, 10(7): 586-.
[11]	. Model of Intrusion Detection Based on Federated Learning and Convolutional Neural Network [J]. Journal of Information Security Reserach, 2024, 10(7): 642-.
[12]	. An Automatic Vulnerability Classification Framework Based on BiGRU TextCNN [J]. Journal of Information Security Reserach, 2024, 10(5): 446-.
[13]	. Adversarial Attack Algorithm Based on Multimodel Scheduling Optimization#br# #br# [J]. Journal of Information Security Reserach, 2024, 10(5): 403-.
[14]	. Research on Network Traffic Intrusion Detection Method Based on Denoising Diffusion Probability Model [J]. Journal of Information Security Reserach, 2024, 10(5): 421-.
[15]	. Research on Source Code Vulnerability Detection Based on BERT Model [J]. Journal of Information Security Reserach, 2024, 10(4): 294-.

Design of Adversarial Attack Scheme Based on YOLOv8 Object Detector

基于YOLOv8目标检测器的对抗攻击方案设计

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics