TY - GEN
T1 - Beyond PhantomSponges
T2 - 2024 ACM Workshop on Wireless Security and Machine Learning, WiseML 2024
AU - Schoof, Coen
AU - Koffas, Stefanos
AU - Conti, Mauro
AU - Picek, Stjepan
PY - 2024
Y1 - 2024
N2 - Given today's ongoing deployment of deep learning models, ensuring their security against adversarial attacks has become paramount. This paper introduces an enhanced version of the PhantomSponges attack by Shapira et al. The attack exploits the non-maximum suppression (NMS) algorithm in YOLO object detection (OD) models without compromising OD, substantially increasing inference time. Our enhancement focuses on improving the attack's impact on YOLOv5 models by modifying its bounding box area loss term, aiming to directly decrease the intersection over union and, thus, exacerbate the computational load on NMS. Through a parameter study using the Berkeley Deep Drive dataset, we evaluate the enhanced attack's efficacy against various sizes of YOLOv5, demonstrating, under certain circumstances, an improved capability to increase NMS time with a minimal loss in OD accuracy. Furthermore, we propose a novel defense that dynamically resizes input images to mitigate the attack's effectiveness, showcasing a substantial restoration in inference speed and OD accuracy. Our findings show that the enhanced attack could result in a 550% increase in NMS time on the YOLOv5 small configuration. Moreover, our defense's results show a substantial decrease of 90.18% in NMS execution time when applied to an attacked YOLOv5 large model.
KW - adversarial machine learning
KW - object detection
KW - sponge attacks
UR - http://www.scopus.com/inward/record.url?scp=85195976674&partnerID=8YFLogxK
U2 - 10.1145/3649403.3656485
DO - 10.1145/3649403.3656485
M3 - Conference contribution
AN - SCOPUS:85195976674
T3 - WiseML 2024 - Proceedings of the 2024 ACM Workshop on Wireless Security and Machine Learning
SP - 14
EP - 19
BT - WiseML 2024 - Proceedings of the 2024 ACM Workshop on Wireless Security and Machine Learning
PB - Association for Computing Machinery (ACM)
Y2 - 30 May 2024
ER -
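The abstract describes the attack surface only in one sentence: PhantomSponges drives up inference time by making the detector emit many confident candidate boxes with low pairwise IoU, so greedy NMS has almost nothing to suppress and must compare nearly every pair. The following is an added illustration, not code from the paper, from Shapira et al., or from YOLOv5: a pure-Python greedy NMS that counts IoU evaluations, run over two constructed candidate sets of equal size. The confidence threshold (0.25), IoU threshold (0.45), grid layout and box scores are assumptions chosen for the demonstration; the real attack perturbs the input image so that the model produces such boxes, which is not modelled here.

```python
"""Greedy non-maximum suppression (NMS) with an IoU-evaluation counter.

Added example (not code from the paper or from YOLOv5): it models the
post-processing cost the sponge attack targets. Two constructed candidate
sets are compared: a benign cluster of overlapping boxes around one object,
and a sponge-like grid of equally many boxes whose pairwise IoU is zero.
"""

Box = tuple  # (x1, y1, x2, y2, score), pixel coordinates


def iou(a: Box, b: Box) -> float:
    """Intersection over union of two axis-aligned boxes."""
    ix1, iy1 = max(a[0], b[0]), max(a[1], b[1])
    ix2, iy2 = min(a[2], b[2]), min(a[3], b[3])
    inter = max(0.0, ix2 - ix1) * max(0.0, iy2 - iy1)
    area_a = (a[2] - a[0]) * (a[3] - a[1])
    area_b = (b[2] - b[0]) * (b[3] - b[1])
    union = area_a + area_b - inter
    return inter / union if union > 0 else 0.0


def greedy_nms(boxes, conf_thresh=0.25, iou_thresh=0.45):
    """Class-agnostic greedy NMS (thresholds are assumed values).

    Returns (kept_boxes, iou_evaluations). The evaluation count is the
    cost proxy: each surviving box forces one IoU computation against
    every remaining candidate, so the work is ~n^2/2 when nothing is
    suppressed and ~n when one high-score box suppresses everything.
    """
    cands = sorted(
        (b for b in boxes if b[4] >= conf_thresh),
        key=lambda b: b[4],
        reverse=True,
    )
    kept, evals = [], 0
    while cands:
        best = cands.pop(0)
        kept.append(best)
        survivors = []
        for b in cands:
            evals += 1
            if iou(best, b) < iou_thresh:
                survivors.append(b)
        cands = survivors
    return kept, evals


def benign_candidates(n=200):
    """Constructed: n jittered boxes around one 100x100 object.

    Pairwise IoU is about 0.85 or higher, so the top-scoring box
    suppresses every other candidate in the first pass.
    """
    boxes = []
    for i in range(n):
        o = (i % 5) - 2                 # jitter of -2..2 px
        score = 0.9 - 0.001 * i         # strictly decreasing scores
        boxes.append((100 + o, 100 + o, 200 + o, 200 + o, score))
    return boxes


def sponge_candidates(cols=20, rows=10, cell=32, size=28):
    """Constructed: cols*rows non-overlapping boxes on a grid.

    Mimics the attack's goal: every candidate clears the confidence
    threshold and has IoU 0 with every other, so nothing is suppressed.
    """
    boxes = []
    for r in range(rows):
        for c in range(cols):
            x, y = c * cell, r * cell
            score = 0.30 + 0.001 * ((r * cols + c) % 50)
            boxes.append((x, y, x + size, y + size, score))
    return boxes


def compare(n=200):
    """Return {'benign': (kept, evals), 'sponge': (kept, evals)}."""
    kb, eb = greedy_nms(benign_candidates(n))
    ks, es = greedy_nms(sponge_candidates())
    return {"benign": (len(kb), eb), "sponge": (len(ks), es)}


if __name__ == "__main__":
    for name, (kept, evals) in compare().items():
        print(f"{name:7s} kept={kept:4d} iou_evaluations={evals}")
```

With 200 candidates each, the benign cluster costs 199 IoU evaluations and keeps one box, while the sponge grid costs 19,900 evaluations and keeps all 200. This is the quadratic blow-up the paper's modified area loss aims to provoke by pushing pairwise IoU down; production YOLOv5 delegates NMS to torchvision's compiled implementation, so absolute timings differ, but the dependence on the number of unsuppressed candidates is the same.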