Research Introduction


Amnesia as a Catalyst for Enhancing Black Box Pixel Attacks in Image Classification and Object Detection

  • SW-Centered University Project Group
  • 2024-11-17

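The paper "Amnesia as a Catalyst for Enhancing Black Box Pixel Attacks in Image Classification and Object Detection," from the lab of Professor 정재훈, has been accepted to NeurIPS (Neural Information Processing Systems) 2024. Using a reinforcement-learning-based black-box pixel attack technique (RFPAR), the paper improves on the existing adversarial attack techniques used in image classification and object detection, achieving innovative performance gains not only in adversarial image generation but also in the field of object detection.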

 

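Since its founding in 1987, NeurIPS has been one of the most prestigious conferences in artificial intelligence and machine learning, where researchers from around the world present and discuss cutting-edge research every year. The 2024 conference will feature the latest research drawing attention from AI academia and industry, and it is known for its highly selective paper acceptance.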

 


 

 


[Figure 1] The model architecture of RFPAR

  

 

It is well known that query-based attacks tend to have relatively higher success rates in adversarial black-box attacks. While research on black-box attacks is actively being conducted, relatively few studies have focused on pixel attacks that target only a limited number of pixels. In image classification, query-based pixel attacks often rely on patches, which heavily depend on randomness and neglect the fact that scattered pixels are more suitable for adversarial attacks. Moreover, to the best of our knowledge, query-based pixel attacks have not been explored in the field of object detection. To address these issues, we propose a novel pixel-based black-box attack called Remember and Forget Pixel Attack using Reinforcement Learning (RFPAR), consisting of two main components: the Remember and Forget processes. RFPAR mitigates randomness and avoids patch dependency by leveraging rewards generated through a one-step RL algorithm to perturb pixels. RFPAR effectively creates perturbed images that minimize the confidence scores while adhering to limited pixel constraints. Furthermore, we advance our proposed attack beyond image classification to object detection, where RFPAR reduces the confidence scores of detected objects to avoid detection. Experiments on the ImageNet-1K dataset for classification show that RFPAR outperformed state-of-the-art query-based pixel attacks. For object detection, using the MS-COCO dataset with YOLOv8 and DDQ, RFPAR demonstrates comparable mAP reduction to state-of-the-art query-based attacks while requiring fewer queries. Further experiments on the Argoverse dataset using YOLOv8 confirm that RFPAR effectively removed objects on a larger scale dataset. Our code is available at https://github.com/KAU-QuantumAILab/RFPAR.