TransRPN: Towards the Transferable Adversarial Perturbations using Region Proposal Networks and Beyond

The adversarial perturbation for object detectors has drawn increasing attention due to the application in video surveillance and autonomous driving. However, few works have explored the transferability of adversarial perturbations across different object detectors. In this paper, we describe a simple but effective method, namely TransRPN, to generate adversarial perturbations that can reliably transfer among different object detectors—different categories (e.g., SSD, Faster-RCNN, YOLO) and different base networks (e.g., VGG16, ResNet, MobileNet), and even other tasks such as instance segmentation methods. Our method targets the Region Proposal Network (RPN) as the common bottleneck of the existing object detectors and disrupts the RPN by attacking the intermediate features. Moreover, as RPNs have no constraint on the size of the input image, our method can generate the adversarial images directly fitting into object detectors with arbitrary input size, which thereby improves the feasibility of our method in practical applications. We study four types of RPNs and validate our method on each type of RPN on MSCOCO dataset with nine object detectors and two instance segmentation methods, as well as the real-world API, which demonstrates the effectiveness of our method regarding transferability.