Robust Object Detection Under Adversarial Patch Attacks in Vision-Based Navigation

Abstract

In vision-guided autonomous robots, object detectors play a crucial role in perceiving the environment for path planning and decision-making. However, adaptive adversarial patch attacks undermine the resilience of detector-based systems. Strengthening object detectors against such adaptive attacks enhances the robustness of navigation systems. Existing defenses against patch attacks are primarily designed for stationary scenes and struggle against adaptive patch attacks that vary in scale, position, and orientation in dynamic environments. In this paper, we introduce Ad_YOLO+, an efficient and effective plugin that extends Ad_YOLO to defend against white-box patch-based image attacks. Built on YOLOv5x with an additional patch detection layer, Ad_YOLO+ is trained on a specially crafted adversarial dataset (COCO-Visdrone-2019). Unlike conventional methods that rely on redundant image preprocessing, our approach directly detects adversarial patches and the overlaid objects. Experiments on the adversarial training dataset demonstrate that Ad_YOLO+ improves both provable robustness and clean accuracy. Ad_YOLO+ achieves $85.4\%$ top-1 clean accuracy on the COCO dataset and $74.63\%$ top-1 robust provable accuracy against pixel square patches anywhere on the image for the COCO-VisDrone-2019 dataset. Moreover, under adaptive attacks in AirSim simulations, Ad_YOLO+ reduces the attack success rate, ensuring tracking resilience in both dynamic and static settings. Additionally, it generalizes well to other patch detection weight configurations.

1. Introduction

The emergence of Convolutional Neural Networks (CNNs) and Deep Neural Networks (DNNs) has revolutionized computer vision and natural language processing (NLP), delivering remarkable results. These models are widely applied in autonomous vehicles, facial recognition, and medical image analysis, enabling real-time object classification and detection. However, object detectors remain vulnerable to patch-hiding attacks, which aim to disable detection models. These attacks can be executed in the physical world by attaching adversarial patches to real-world objects [1] or dynamically placing patches based on an object’s location within an image frame. Such threats pose significant risks to vision-based tracking systems in autonomous robots, potentially compromising their reliability and safety [2].

Defenses against adversarial patch attacks on object detectors can be categorized into five main types: (i) Locating and eliminating adversarial patches [3,4,5,6,7,8,9]—Methods such as PAD [6], PatchZero [7], and SAC [5] focus on identifying and removing adversarial regions. (ii) Detecting and neutralizing adversarial patches [10,11,12,13,14,15,16,17]—Techniques like UDFilter [14], local gradient smoothing [10], DIFFender [15], PatchCleanser [16], and PatchCure [17] aim to detect and mitigate patch effects. (iii) Detecting and inpainting adversarial patches [18,19,20]—Approaches such as Jedi [18], Adv-Inpainting [19], and RLID [20] replace adversarial regions with reconstructed image content. (iv) Certifiably robust-based defenses methods [21,22,23,24,25,26,27,28,29]—Represented by [29]. (v) Detection-based methods—Represented by [30], these leverage adversarial training to improve robustness. The first four categories rely on image preprocessing techniques, while the fifth is based on adversarial training. Despite the extensive research on adversarial patch attacks and defenses, most existing methods focus on digital attacks and classification tasks. Securing object detectors remains particularly challenging due to the diverse patch generation strategies, as well as variations in scale and placement.

In this paper, we propose Ad_YOLO+, an efficient and effective object detection approach designed to defend against white-box patch-enabled image attacks. The core idea of Ad_YOLO+ is to leverage adversarial training to develop a model capable of detecting both adversarial patches and target objects simultaneously—without requiring image preprocessing. Our method is tailored for dynamic environments, such as vision-based object tracking, where an attacker overlays printed adversarial patterns of varying sizes and locations onto detected targets in each image frame. This specially crafted robust adversarial patch accounts for physical variations and object scale fluctuations across frames, ensuring strong attack effectiveness against both dynamic and static objects. We address two key research questions: (1) Patch-agnostic detection—How can we detect adaptive adversarial patches in real time without prior knowledge of their size or location? (2) Certified robustness—How can we achieve provable robustness while maintaining high clean performance? The Ad_YOLO+ model is derived in three steps, as outlined in the following sections. An overview of our approach is illustrated in Figure 1.

• Step 1: Adversarial Training Dataset Generation. To enable Ad_YOLO+ to detect both adversarial patches and target objects simultaneously, we constructed a specialized adversarial training dataset comprising patch-attacked images and the COCO dataset [31]. Using pretrained YOLOv5s weights, we first detect objects in each image frame and then adaptively apply adversarial patches to the detected bounding boxes, generating adversarial samples. The patch dataset is derived from VisDrone-2019 [32] and includes 80 non-targeted image attacks, ensuring diverse and challenging adversarial scenarios.
• Step 2: Patch Category Preparation. Despite its robustness, Ad_YOLO+ must still detect adversarial patches as a distinct category (e.g., both the adversarial patch and the attacked target in

  Table 1. (Top Row) Conventional patch defense approaches, such as PatchZero [7], DIFFender [15], Jedi [18], preprocess the attacked image; that is, they mask or inpaint the patches in the image as shown in the top row. On the contrary, our method does not require an image preprocessing stage. (Bottom Row) As shown in the bottom row images, Ad_YOLO+ (our approach) achieves detection performance with high confidence, while PatchZero [7], DIFFender [15], and Jedi [18] (comparison baselines) yield degraded inference accuracy when used with standard YOLOv5x [33] for object detection.

  Attacked Image	PatchZero [7]	DIFFender [15]	Jedi [18]
  Ad_YOLO+	PatchZero [7] + YOLOv5x [33]	DIFFender [15] + YOLOv5x [33]	Jedi [18] + YOLOv5x [33]

  are identified by Ad_YOLO+). To accomplish this, we introduced a new patch category in the training YAML file, enabling precise detection of adversarial patches.
• Step 3: Training Ad_YOLO+ model. We use YOLOv5x as the backbone model and incorporate an additional patch detection layer as the final layer. The overall Ad_YOLO+ architecture includes a detection head and neck structure. The training schematic is illustrated in Figure 1. The network is trained for 300 epochs on a single GPU with a batch size of 16, using a specially designed adversarial training and validation dataset. The optimization process combines objectiveness loss, localization loss, and classification loss to enhance detection performance.

The main contributions of the paper are as follows:

• We propose Ad_YOLO+, an object detection model designed to be robust against adversarial patches of varying sizes and locations in a vision-based tracking task. By treating adversarial patches as a distinct category during training, Ad_YOLO+ effectively identifies both adversarial patches and target objects simultaneously.
• We evaluate Ad_YOLO+ in the AirSim virtual simulation environment. Our results show that Ad_YOLO+ achieves an $A{P}_{0.5}=71.44\%$ for tracking targets—significantly outperforming YOLOv5s $A{P}_{0.5}=8.76\%$—while also detecting adversarial patches with $A{P}_{0.5}=85.35\%$ on the specially generated adversarial training dataset ($A{P}_{0.5}$ represents average precision at an intersection over union (IoU) threshold of $0.5$).
• We implement a verification procedure to assess whether Ad_YOLO+ provides provable robustness against adaptive adversarial patches in real time under a defined threat model. Additionally, our comparison results demonstrate that Ad_YOLO+ outperforms the evaluated state-of-the-art approaches in defense against patch attacks, particularly in terms of object detection accuracy.

2. Relevant Work

Given the vulnerability of well-trained CNNs and DNNs to adversarial attacks, a crucial research direction is enhancing their reliability. In recent years, numerous defense strategies have been proposed [34,35], but most struggle to adapt to increasingly complex threats, such as adaptive adversarial patches. Additionally, many existing defenses are limited to models trained on datasets closely aligned with specific attack generation schemes [36,37]. While image denoising-based methods are effective in mitigating invisible perturbations for static image classification, they pose challenges in real-time applications like vision-based navigation. The computational overhead of image preprocessing, combined with the vulnerability of multi-task learning systems, can significantly impact the performance and responsiveness of vision-based models in dynamic environments.

2.1. Detection-Based Defense Methods for Adversarial Patches

Several detection- and removal-based methods, such as PAD [6], PatchZero [7], and SAC [5], leverage high-frequency signatures to detect adversarial patches, remove them from input images, and then pass the masked images to object detectors. SAC [5], a U-Net-based patch segmentation method, is designed to protect object detectors from patch attacks. It is trained on pre-generated adversarial images to remove untargeted patch attacks that vary in size and location. This self-adversarial training approach is effective when the patch segmenter’s output is within a certain Hamming distance of the ground-truth patch masks. However, the method faces limitations when dealing with targeted attacks that disable localization and label inference, and it performs poorly when encountering natural-looking patches that were not included in the training dataset, resulting in near-zero Patch Localization Recall.

2.2. Adversarial Training Method

Adversarial training is an effective brute-force method for enhancing model robustness by incorporating malicious examples alongside clean data during training. This approach helps the model predict the same object label for both legitimate and perturbed examples during testing. For visible perturbations, such as adversarial patches, Ad_YOLO [30] was proposed to detect both the adversarial patch and its targeted object. The training dataset for Ad_YOLO combines the COCO dataset with adversarially patched images. However, models trained using patch-based adversarial training are limited to defending against specific adversarial schemes. Moreover, adversarial training increases computational resource usage and training complexity. Additionally, these models may not be adaptive to all types of malicious attacks, as they block attacks that resemble the adversarial examples seen during training while leaving other vulnerabilities exposed to new white-box attackers. Changes to the loss function during adversarial training can also lead to unexpected drops in prediction confidence for legitimate objects [38].

2.3. Gradient Masking

Gradient masking is a technique that modifies input samples using smoothing functions to reduce the adversarial effect without altering the underlying DNN [39]. Recently, this approach has been applied in both classification and detection tasks to defend against adversarial patches. Naseer et al. [40] proposed local gradient smoothing (LGS) [10], which identifies and removes areas with abnormally high-frequency gradients in the input image, treating these regions as adversarial patches. Similarly, Yu et al. [10] introduced the feature norm clipping (FNC) defense, which adaptively clips deep norm features affected by universal adversarial patches. However, the effectiveness of these defenses is heavily dependent on the proper selection of thresholds, making them sensitive to tuning.

3. The Problem Statement and Proposed Method

In this section, we introduce the patch generation scheme and adaptive patch attack in a vision-based tracking task.

3.1. Adversarial Adaptive Patch Generation

Attack Capability: The goal of the adversarial attack is to prevent the object detector from accurately identifying the specific tracking target. The attacker aims to use the adversarial patch to reduce the detection confidence below the identification threshold. In a navigation scenario, the patch adaptively locates the target object within continuous image frames, overlaying a patch scaled to 30% of the bounding box size. This ensures the patch does not completely obscure the object, causing the object-tracking controller to lose track of the target. The integration of the adaptive patch into the object-tracking framework is illustrated in Figure 2. We use YOLOv5 [33] as the baseline object detector for the tracking control system.

Patch Generation Scheme [41]: We employ an adaptive patch (ADpatch) generation approach based on [41]. To train the malicious patch, our goal is to identify the pattern ${\widehat{P}}_u$ that maximizes the loss of the object detector relative to the true class label $\widehat{y}$ and bounding box label $\widehat{B}$. Specifically, the patch is optimized to maximize the probability of the detected object class. A maximum probability extractor is used to extract the highest class probability for the target classes. During training, the patch, derived from the pixels extracted by the probability extractor, is applied to the image frame at a random position, scale, and rotation. This ensures the patch is robust against shifting, scaling, and rotation. The YOLOv5 object detector model is involved in the optimization process.

Adversarial Patch Transformation and Training Loss: For patch training, we use the VisDrone-2019 [32] dataset consisting of thousands of static images in various resolutions and scenes acquired by the UAV platform and split across train, validation, and test datasets separately. The adversarial patch generation involves solving the following equation:

$$\begin{array}{c}\hfill {\mathcal{L}}_{patch}=\alpha {\mathcal{L}}_{obj}+\beta {\mathcal{L}}_{tv}+\gamma {\mathcal{L}}_{nps}\end{array}$$

(1)

The ${\mathcal{L}}_{obj}$ objectiveness score loss reduces the class score predicted by the detector. The total variation loss ${\mathcal{L}}_{tv}$ enhances the smoothness of the adversarial patch. The non-printability score loss ${\mathcal{L}}_{nps}$ explains how well a printer can physically represent the colors in the patch. By reducing this loss, the adversarial patch can be printed in the physical world. In [41], the physical adversarial patch is generated using detection for images of real-world cars, trucks, buses and people by maximizing the object detector loss function listed below:

$$\begin{array}{c}\hfill P(x,l)=\underset{P\in \{P^{\prime }:|\left|P^{\prime }\right|{|}_{\infty }\le ϵ\}}{argmax}{\mathcal{L}}_{patch}(h\left(A(x,l,P)\right);y),\end{array}$$

(2)

where h denotes the object detector, $A(x,l,P)$ is a function that applies the patch P on location l of input image x, y denotes the set of image objects and the bounding boxes, $ϵ$ is the attack budget and ${\mathcal{L}}_{patch}$ represents the patch optimization loss function.

Patch Adaptation Scheme: We accommodate the dynamic conditions of the physical world while optimizing the adversarial patches. Also, we focus on placing the adversarial patches in the proper position with the adaptive size due to the varied scale of the object in each image frame. For the patch on target, our goal is to overlay an adversarial patch in the center with the proper size. To achieve that, we use the coordinate $(x_1,y_1,x_2,y_2)$ of the detection result to compute the center coordinate of the adversarial patch $l_{p^{*}}$ as

$$\begin{array}{c}\hfill l_{p^{*}}=({\displaystyle \frac{x_1+x_2}{2}},{\displaystyle \frac{y_1+y_2}{2}}).\end{array}$$

(3)

Then, considering the varied scales of the objects, a scale-adaptive patch scheme is used to make the area of the adversarial patch and the targeted object keep a proper ratio $r_s$

$$\begin{array}{c}\hfill r_s={\displaystyle \frac{w_{p^{*}}\times h_{p^{*}}}{w_t\times h_t}},\end{array}$$

(4)

where $w_{p^{*}}$ and $h_{p^{*}}$ are equal to $\sqrt{r_s\times w_t\times h_t}$. The adversarial patch applier function $M_{p^{*}}$ is formulated as

$$\begin{array}{c}\hfill M_{p^{*}}=PA(p^{*},l_{p^{*}},w_{p^{*}},h_{p^{*}}),\end{array}$$

(5)

which aims to paste a visible adversarial pattern on the corresponding position with an adaptive size.

3.2. Robust Object Detection Model: Ad_YOLO+

We developed the Ad_YOLO+ model to simultaneously identify adversarial patches and restore targeted objects. To enhance the model’s ability to defend against a wide range of object categories, we created a new dataset of patch-attacked images, which is combined with COCO to support the adversarial training process.

3.2.1. Ad_YOLO+ Framework

Our Ad_YOLO+ model builds upon Ad_YOLO and YOLOv5x architectures. Figure 1 illustrates the overall defense framework and the datasets used. The base model of Ad_YOLO+ is YOLOv5x, which integrates both detection and segmentation components. It retains the original 24 convolutional layers and 2 fully connected layers with randomly initialized weights, similar to YOLO, but with an additional patch detection layer. The final layer of the model predicts class probabilities, including a category for the adversarial patch, along with the normalized bounding box coordinates to localize the object within the image frame.

3.2.2. VisDrone-2019 Dataset for Adversarial Training

Motivated by the adversarial training approach, we constructed a dataset that combines the COCO dataset [31] with specially generated patch-attacked images. We use the VisDrone dataset and YOLOv5 model to generate the patch-attacked images, as shown in Figure 1. In this process, pixel alterations are applied within a bounded region to disrupt object tracking by either misclassifying objects or lowering the detection confidence threshold for the target model. The adversarial patch P typically follows a square shape, occupying $30\%$ of the target object’s bounding box area. To build the adversarial training dataset, we apply the patch P to the location $\left(xy\right)$ identified by YOLOv5 in each input image, then scale and rotate it as needed. The process of generating this adversarial training dataset is outlined in Algorithm 1.

Algorithm 1 Adversarial training dataset generation.

Input:  pretrained adversarial patch P, image size $(W,H)$, object detector F, Visdrone dataset $D_{Visdrone}$, COCO dataset $D_{COCO}$. Output:  COCO_Visdrone adversarial training dataset 1:   Procedure DatasetGeneration(P, F, D) 2:   $coordinate\leftarrow F\left[image\right]$ 3:   $imagesize\leftarrow D_{Visdrone}$ 4:   for  $j\leftarrow 1$  to  $imagesize-1$  do 5:          if $properratio\le 30\%$ then 6:               $(x_1,y_1,x_2,y_2)\leftarrow F\left[image\right]$ 7:               add P on $image$ 8:          end if 9:   end for 10: merge $D_{COCO}$ and $D_{Visdrone}$ 11: return  $AdversarialTrainingDataset$ 12: end procedure

3.2.3. Adversarial Training Process

We now conduct the adversarial training optimization to obtain a robust detector.

$$\begin{array}{c}\hfill argmin\underset{(x,y)\in D}{max}\underset{d(x,x^{*})\le ϵ}{max}\sum _x{\mathcal{L}}_{\theta }(x,y)+\sum _{P\in \{P^{\prime }:|\left|P^{\prime }\right|{|}_{\infty }\le ϵ\}}{\mathcal{L}}_{\theta }(h\left(A(x,l,P)\right);\widehat{y}),\end{array}$$

(6)

where D is a dataset, $x^{*}$ represents the patch-attacked image, and x is the clean image. ${\mathcal{L}}_{\theta }(x,y)$ inherits the full form of the YOLOv5 loss function, which includes object coordinates, object confidence, and no object detection. $A(x,l,P)$ is a patch application function and $\widehat{y}$ is a patch category. During the training, we optimize the loss function (6). The training algorithm iteratively optimizes $\theta$ for outer minimization and fixes $\theta$ to find the inner maximized value. The adversarial training algorithm is summarized in Algorithm 2.

This optimization addresses the limitations of patch size and quantity. We split this training into two stages. In the first stage, we use the COCO dataset to train the reference model. During the training, we exclude the patch detection layer inside the Ad_YOLO+. In the second stage, we take the reference weights to train the model using the stochastic gradient descent (SGD) optimizer with a momentum of $0.937$ and a weight decay of $4\times {10}^{-4}$. The learning rate starts at $0.001$ and is linearly increased to $0.1$ during the first 10 epochs, then gradually decreases after each epoch using a learning rate scheduler. Training halts if there is no improvement in validation accuracy over 100 epochs. The network is trained on a single GPU for 300 epochs, with a batch size of 16, using specially designed adversarial training and validation datasets and a unified learning rate of ${10}^{-3}$. To maintain inference accuracy on clean images, we split each batch into $80\%$ clean images and $20\%$ adversarial patch-attacked images.

Algorithm 2 Adversarial training of Ad_YOLO+.

Input:  Adversarial training dataset D; Total iteration N; Learning rate $\eta$ Output:  Ad_YOLO+ weights 1: Procedure Training(D, N, $\eta$) 2: for  $i\leftarrow 0$  to  N  do 3:        $(x_i,y_i)\sim D$                               ▹ Sample a batch 4:        $x_i^{*}\leftarrow \mathcal{L}(f_{\theta }\left(x_i^{*}\right);y_i)$               ▹ Forward propagation to calculate the loss 5:        $\theta \leftarrow \theta -\eta {\sum }_i\nabla \theta \mathcal{L}(f_{\theta }\left(x_i^{*}\right);y_i)$          ▹ Backward to update the parameter                                    ▹ This is SGD algorithm 6: end for 7: end procedure

4. Evaluation of Effectiveness of Adversarial Patch Attacks

In this section, we evaluate the effectiveness of the pretrained adversarial patch attack models in both static settings and dynamic object-tracking scenarios. The following subsections include the model details and the quantitative evaluation results.

4.1. Adaptive Adversarial Patch Attack Evaluation

4.1.1. Adversarial Patches for Static Images

First, we present the meticulously crafted adversarial patches designed to target YOLOv5n, YOLOv5s, YOLOv5m, YOLOv5l, and YOLOv5x. To generate and optimize these adversarial patches, we use the VisDrone-2019 dataset, with the respective detector weights mentioned above utilized during the training process.

4.1.2. Simulation Environment for Patch Attack in Dynamic Setting

We evaluate the adaptive patch attack in the object-tracking task within the context of a navigation application, with the evaluation framework shown in Figure 2. The white-box adversarial patch is implemented in the simulation, and a video of our simulation case studies is available on YouTube (Youtube: (https://www.youtube.com/watch?v=mJRxWRMgxMM, accessed on 2 December 2024)). In the simulation, we integrate the state-of-the-art YOLOv5 object detector for real-time object label inference and localization, applied to both malicious and clean image frames. The object-tracking controller is responsible for detecting and tracking specific categories while maintaining a set distance. Our adversarial patch targets the car objects, preventing detection and deactivating the tracking controller. The simulation environment is built on the PyTorch library 2.3.0, with NVIDIA driver version 535.129.03, CUDA 11.8, CUDNN 8.9.6, and Python 3.11.7. The Unreal Engine and AirSim provide the photo-realistic simulation environment, with development and implementation conducted under ROS Melodic.

4.1.3. Attack Efficiency

We evaluate the effectiveness of our proposed adversarial patch against YOLOv5n, YOLOv5s, YOLOv5m, YOLOv5l, and YOLOv5x detectors, which are embedded in the vision-based tracking controller to track specific objects in navigation tasks. The adversarial patch is placed on the target object to disrupt the object-tracking task, and we report the average precision ($A{P}_{0.5}$) for the car category. The attack transferability of the patches across different detectors is summarized in

Table 2. Attack efficiency for different YOLO model weights. We use red color to highlight the most effective attack in each colomn.

	Detector	Yolov5n	Yolov5s	Yolov5m	Yolov5l	Yolov5x
Weights
Yolov5n		90.8%	$0.15\%$	$0.13\%$	$0.34\%$	$0.21\%$
Yolov5s		$0.14\%$	79.8%	$0.12\%$	$0.16\%$	$0.03\%$
Yolov5m		$0.11\%$	$0.23\%$	59.13%	$0.17\%$	$0.16\%$
Yolov5l		$0.9\%$	$0.07\%$	$0.17\%$	78.91%	$0.09\%$
Yolov5x		$0.04\%$	$0.12\%$	$0.03\%$	$0.12\%$	85.4%
Yolov5n		83.90%	$0.018\%$	$0.02\%$	$0.05\%$	$0.17\%$
Yolov5s		$0.16\%$	83.60%	$0.03\%$	$0.14\%$	$0.012\%$
Yolov5m		$0.08\%$	$0.014\%$	87.63%	$0.06\%$	$0.31\%$
Yolov5l		$0.014\%$	$0.04\%$	$0.019\%$	84.57%	$0.13\%$
Yolov5x		$0.013\%$	$0.12\%$	$0.04\%$	$0.18\%$	85.89%

. The first row lists the YOLO object detector models, while the second row shows the weights used in the patch training. It is evident that, in all white-box attack scenarios, our patch training method significantly reduces the detection $AP$ of the detectors, achieving $90.8\%$ in static object tracking and $87.63\%$ in dynamic object tracking. Additionally, while the adversarial patches exhibit limited transferability across detectors, they are highly effective at dropping the $A{P}_{0.5}$ of the matched weights based on the YOLO detector.

5. Evaluation Results

In this section, we further evaluate the robustness of the Ad_YOLO+ model, which has been adversarially trained using a specially designed dataset, against adversarial patches. Our results show a significant improvement in robustness compared to the baseline Ad_YOLO model. We assess the model’s performance under both non-adaptive and adaptive patch attacks and highlight Ad_YOLO+’s ability to generalize across different adversarial patches.

5.1. Evaluation Settings

In this subsection, we introduce the simulation framework, dataset, and evaluation metrics.

5.1.1. Dataset

We use the VisDrone-2019 [32] dataset to evaluate the Ad_YOLO+ model subject to the static image attack. We evaluate 1000 test images and report mean average precision (mAP) at the intersection over union (IoU) $0.5$.

Dataset Preparation: In the case of static image attacks, the patch location and size are automatically adjusted based on the detected bounding box, as illustrated in the first row of Table 1. For vision-based tracking, the patch location and size are dynamically updated frame-by-frame according to the inferred bounding box. We conducted 30 rounds of evaluations, including both autonomous driving with a dynamic tracking target and autonomous flight with a static tracking target, and reported the mean and standard deviation of the mAP.

5.1.2. Simulation Framework

Figure 3 illustrates our simulation framework for evaluating the Ad_YOLO+ model’s performance against adaptive patch attacks in a vision-based tracking scenario. As depicted, the first object detector is used to localize the target of the attack. Once the target location is identified, we apply the adversarial patch to disrupt the vision-based object-tracking system. The second detector is then replaced with the Ad_YOLO+ model, which enhances the tracking controller’s resilience against patch-attacked image frames.

5.1.3. Evaluation Metrics

We use robustness performance, clean performance, and lost predictions as our evaluation metrics.

Robustness performance [26]: Provable Robustness Accuracy. We use provable robustness accuracy as the evaluation metric for model robustness. This term refers to the percentage of data points in a test set for which the model can be mathematically guaranteed to maintain its predictions, even when subjected to visible adversarial perturbations.

Clean Performance [26]: Average Precision (AP). We use AP as the evaluation metric for clean performance. Clean accuracy refers to the standard test accuracy when evaluated on clean, unperturbed data. Average precision is defined as the precision–recall (PR) curve with a single value. In our evaluation, we report $A{P}_{0.5}$.

Lost Predictions [18]: This metric models the performance degradation caused by an exaggerated patch-covering area. It represents the percentage of negatively affected correct predictions normalized to the set where the detection of patch-covered objects failed.

5.1.4. Computation Setup

All experiments are conducted on a workstation with one GeForce RTX 2080 Ti GPU. We choose a square patch that takes $30\%$ of the detected bounding box to evaluate the adaptive and non-adaptive attacks and report the evaluation metrics.

5.2. Performance Results for Ad_YOLO+

Robustness of Ad_YOLO+ Model for Static Images (Non-Adaptive): Table 1 shows the inference results comparing Ad_YOLO+ against preprocessing-based patch defense methods, where YOLOv5x is used for object detection. When adversarial images are preprocessed with the “detect and remove” (represented by PatchZero [7]), “detect and mitigate” (represented by DIFFender [15]) and “detect and inpaint” (represented by Jedi [18]) strategies, the mask used to cover, mitigate or recover the patch can obscure the object, leading to detection failure due to excessive pixel loss. In contrast, when using Ad_YOLO+ to detect the corrupted regions, the objects are accurately detected as well, as shown in Table 1. In addition, Table 1 illustrates that while the adversarial patches successfully compromised the baseline YOLOv5 detector, they had minimal impact on the performance of the Ad_YOLO+ model. Ad_YOLO+ effectively defended against the patches, accurately identifying both the patch category and its location. As shown in the figure, the addition of adversarial patches led to a significant degradation in the inference accuracy of YOLOv5, while Ad_YOLO+ maintained high-confidence detection performance, demonstrating its robustness against such attacks.

Robustness of Ad_YOLO+ for Vision-Based Tracking (Adaptive Patch Attack): To assess the performance of Ad_YOLO+ under various patch sizes (as a percentage of the target object’s bounding box area), we report the clean accuracy, provable robust accuracy, and lost prediction metrics in Figure 4. Notably, the clean accuracy in the detection phase for clean images is similar to that of YOLOv5s in both static and dynamic target tracking scenarios. We observe that the provable robust accuracy decreases as the patch size covering the target increases, while the lost prediction rate rises with larger patches. The highest provable robust accuracy of $80.18\%$ is achieved when the tracking target is static, with only a $1.71\%$ drop in accuracy when tracking a dynamic target with a $30\%$ patch size. However, the robust accuracy declines significantly when the patch size is increased to $50\%$.

We further evaluate the performance of Ad_YOLO+ as an object detector in both dynamic and static object-tracking tasks, where the goal of the adversary is to conceal the tracking target using a patch attack. The evaluation framework is depicted in Figure 3. Ad_YOLO+ achieves a comparable image processing speed to YOLOv5x, processing 18 fps. In our simulation scenario (the video of our simulation case studies is available on Youtube: (https://www.youtube.com/watch?v=TSge8Ga0zR4, accessed on 2 December 2024), Ad_YOLO+ is able to detect the adversarial patch while recovering the correct prediction for patch-attacked image frames in both static and dynamic tracking conditions. Consequently, the tracking system successfully tracks the target even when the image frames are subjected to an adversarial patch attack, as demonstrated in Figure 5.

Robustness of Ad_YOLO+ Across Different Patch Generation Models and Datasets: We report the provable robustness accuracy of Ad_YOLO+ across different detector-based patches and datasets. The first row of Figure 6 illustrates the adversarial patches generated when various detector weights are involved in the training optimization. These patches exhibit significant variation depending on the detector model used. We assessed the generalization of Ad_YOLO+ against a range of these patches, as shown in Figure 6. In the evaluation, adversarial patches are adaptively placed on the target in each image frame with varied location and scale. The patch inference results for Ad_YOLO+ are displayed in Figure 6, and the corresponding evaluation metrics are summarized in

Table 3. Performance of Ad_YOLO+ model for patches shown in Figure 6.

	Weights	Yolov5n	Yolov5s	Yolov5m	Yolov5l	Yolov5x
Evaluation
Clean Accuracy		$74.10\%$	$72.17\%$	$69.41\%$	$71.34\%$	$75.21\%$
Robust Accuracy		$64.34\%$	$66.40\%$	$65.12\%$	$67.16\%$	$68.03\%$
Lost Prediction		$0.11\%$	$0.23\%$	$0.13\%$	$0.17\%$	$0.16\%$

, confirming the generalization of our defense method against diverse patches.

It is important to note that Ad_YOLO+ is trained using a specific adversarial training dataset, with a representative patch model used to generate the patch-attacked image dataset. Our results show that once a patch model is incorporated into the adversarial training optimization, Ad_YOLO+ is capable of detecting other patches, demonstrating its ability to generalize. This suggests that a unified pixel pattern can effectively represent a broader class of patches generated by optimization algorithms during adversarial training. Additionally, Ad_YOLO+ exhibits high provable robustness across different datasets. For both the VisDrone-2019 [32] dataset and image frames sourced from the AirSim simulation environment, Ad_YOLO+ achieves a robust provable accuracy of $85.34\%$ for adaptive patches.

Baseline Comparison (Ad_YOLO+ vs. Ad_YOLO): We compared the performance of Ad_YOLO and Ad_YOLO+ in defending against adversarial patches. During the adversarial training process for Ad_YOLO+, patches of varying sizes and locations were incorporated into the training dataset, enabling the model to adapt to these dynamic changes. In contrast, Ad_YOLO was not specifically trained to handle such variations in patch size and location. As a result, Ad_YOLO+ is better suited for applications in dynamic environments, such as vision-based object tracking, where patch size and location can change over time. In addition, our results show that the Ad_YOLO+ model has a higher clean performance accuracy compared to Ad_YOLO, as shown in

Table 4. Results of YOLOv5x, Ad_YOLO and Ad_YOLO+ on COCO test set. Mean average precision and per-class average precision are shown. We use red color to have Ad_YOLO+ stand out from the comparison.

Class	Giraffe	Zebra	Bird	Boat	Bottle	Bus	Dog	Horse	Bike	Person	Plant
YOLOv5x	$83.18$	$80.53$	$73.61$	$66.86$	$51.12$	$76.19$	$79.31$	$78.19$	$78.52$	$78.70$	$78.52$
Ad_YOLO	$82.31$	$79.36$	$71.05$	$68.82$	$50.19$	$76.40$	$78.18$	$76.14$	$77.93$	$77.67$	$48.90$
Ad_YOLO+	83.67	92.22	59.22	55.72	62.60	84.74	79.59	89.42	64.94	81.29	56.77
Class	Bus	Car	Cat	Chair	Cow	Table	No Sofa	Train	tv	Sheep	mAP
YOLOv5x	$76.19$	$83.33$	$81.86$	$56.64$	$68.88$	$73.97$	$70.59$	$74.06$	$82.31$	$51.20$	$72.02$
Ad_YOLO	$76.40$	$81.44$	$83.50$	$53.42$	$68.13$	$72.82$	$73.94$	$85.98$	$71.98$	$68.76$	$72.35$
Ad_YOLO+	84.74	71.44	90.02	57.43	85.51	45.85	73.94	90.72	82.85	80.50	74.63

.

5.3. Ablation Study

In this subsection, we present an ablation study to evaluate the individual effects of the detection backbone and the number of neck layers in Ad_YOLO+ on image preprocessing speed and mAP. Our findings indicate that a detection backbone with 8 layers, 4 layers in the detection neck, and the final patch detection layer delivers the most stable overall performance.

Number of Training Epochs: Figure 7 demonstrates the training loss of Ad_YOLO+ against adversarial patch attacks with different numbers of training epochs. The defense performance is improved as the training loss decreases. The loss functions start decreasing at the epoch $E=15$. Therefore, we set the training epoch E as 300 for optimal choice.

Impact of Different Backbone Models: We explored the combination of five different YOLO backbone models with the patch detection layer to identify the most stable model configuration. Specifically, we built five robust detectors based on YOLOv5n, YOLOv5s, YOLOv5m, YOLOv5l, and YOLOv5x, each paired with the patch detection layer. We evaluated their defense performance using the VisDrone dataset against pretrained adversarial square patches, which cover $30\%$ of the target in each image. The quantitative results of these models, tested across various base models and patch configurations, are summarized in

Table 5. Results on impact of individual parameters of model configuration. We use red color to have Ad_YOLO+ stand out from the comparison.

Backbone Model	Model Convergence Efficiency	Image Processing Speed	mAP	Clean Accuracy
Ad_YOLOv5n	$0.15$ h/Epoch	60 fps	$0.02\%$	$47.1\%$
Ad_YOLOv5s	$0.24$ h/Epoch	48 fps	$0.18\%$	$56.8\%$
Ad_YOLOv5m	$0.58$ h/Epoch	35 fps	$59.13\%$	$76.4\%$
Ad_YOLOv5l	$5.14$ h/Epoch	28 fps	$67.1\%$	$78.91\%$
Ad_YOLOv5x	6.23 h/Epoch	18 fps	74.63%	85.4%

. Our analysis shows that YOLOv5x with the patch detection layer achieves the best average precision (AP) for the car category. However, the YOLOv5x-based Ad_YOLO+ is computationally intensive, requiring the longest convergence time of $6.23$ h per epoch. Additionally, the image processing speed with YOLOv5x is 18 fps.

6. Limitations

We evaluated the limitations of the Ad_YOLO+ model in terms of its generalization to patch attacks generated from different datasets. While our model showed some tolerance to variations in patches, as discussed in Section 5.2 (Figure 6), the model showed some generalization limits when applied to patches generated from datasets other than the one used during training. To understand these limitations, we analyzed its defense performance against patches generated from various datasets. Our results, shown in Figure 8, indicate that Ad_YOLO+ exhibits a reduced provable robustness accuracy on patches generated from datasets such as MS-COCO [31], ImageNet [42], ImageNette [43], and COCO [31] for different patch sizes. Specifically, when patches were placed on various object categories in the dataset, Ad_YOLO+ failed to detect the adversarial patches.

7. Discussion and Concluding Remarks

In this paper, we introduce Ad_YOLO+, an object detection model that is location- and scale-agnostic, designed to be robust against adversarial patches. To the best of our knowledge, this is the first model specifically developed to defend against adaptive adversarial patches in a vision-based object-tracking task. Thanks to its efficient patch localization, Ad_YOLO+ outperforms its baseline, Ad_YOLO, achieving a $2.28\%$ improvement in provable robustness accuracy and a $2.61\%$ improvement in clean accuracy.

We evaluated Ad_YOLO+ against adaptive patch attacks, where both the location and scale of the patch changed dynamically in a vision-based object-tracking task. The simulation results demonstrate that Ad_YOLO+ exhibits strong robustness against such attacks. Additionally, we tested the model’s provable robustness accuracy for patches generated with different YOLO models. Our findings show that Ad_YOLO+ displays a notable level of generalizability across patch variations, enhancing its resilience in object-tracking tasks.