Twin trigger generative networks for backdoor attacks against real-time object detection.
Real-time object detectors, which are widely used in real-world applications, are vulnerable to backdoor attacks. This vulnerability arises because many users rely on datasets or pre-trained models provided by third parties due to constraints on data and resources. However, most research on backdoor attacks has focused on image classification, with limited investigation into real-time object detection. Furthermore, the triggers for most existing backdoor attacks on real-time object detection are manually generated, requiring prior knowledge and consistent patterns between the training and inference stages. This approach makes the attacks either easy to detect or difficult to adapt to various scenarios. To address these limitations, we propose novel twin trigger generative networks in the frequency domain to generate invisible triggers for implanting stealthy backdoors into models during training, and visible triggers for steady activation during inference, making the attack process difficult to trace. Specifically, for the invisible trigger generative network, we deploy a Gaussian smoothing layer and a high-frequency artifact classifier to enhance the stealthiness of backdoor implantation in object detectors. For the visible trigger generative network, we design a novel alignment loss to optimize the visible triggers so that they differ from the original patterns but still align with the malicious activation behavior of the invisible triggers. Extensive experimental results and analyses prove the possibility of using different triggers in the training stage and the inference stage, and demonstrate the attack effectiveness of our proposed visible trigger and invisible trigger generative networks, significantly reducing the mAP@0.5 of the object detectors by 70.0% and 84.5%, including two real-time object detectors with different settings, respectively.
• Proposing twin trigger generative networks in the frequency domain, capable of generating two distinct types of triggers: visible and invisible. These triggers differ in style but produce the same effect.
• Theoretically demonstrating that the visible and invisible triggers are equivalent in terms of their activation of the real-time object detector backdoor.
• Studying the visible and invisible trigger generation networks, which operate at different stages, making the attack process difficult to trace.
• Investigating the competitive performance of our proposal on object detection datasets compared to other backdoor attack methods.

[ABSTRACT FROM AUTHOR]