Adversarial attacks involve adding, small, often imperceptible, perturbations to inputs with the goal of getting a machine learning model to misclassifying them. While many different adversarial attack strategies have been proposed on image classification models, object detection pipelines have been much harder to break. In this paper, we propose a novel strategy to craft adversarial examples by solving a constrained optimization problem using an adversarial generator network. Our approach is fast and scalable, requiring only a forward pass through our trained generator network to craft an adversarial sample. Unlike in many attack strategies, we show that the same trained generator is capable of attacking new images without explicitly optimizing on them. We evaluate our attack on a trained Faster R-CNN face detector on the cropped 300-W face dataset where we manage to reduce the number of detected faces to $0.5\%$ of all originally detected faces. In a different experiment, also on 300-W, we demonstrate the robustness of our attack to a JPEG compression based defense typical JPEG compression level of $75\%$ reduces the effectiveness of our attack from only $0.5\%$ of detected faces to a modest $5.0\%$.

本文提出了一种新的对抗生成网络（adversarial generator network）求解约束优化问题来产生对抗性样本的策略，该方法经过简单训练后线性扩展的能力很强，可以攻击还未曾见过的新图片，使用此技术针对 Faster R-CNN 人脸检测模型可将原本检测人脸的成功率从 100% 降低到仅 0.5%。

使用基于神经网络的约束优化对人脸检测器进行对抗性攻击