应用于限速类交通标志识别算法鲁棒性
测试的对抗样本生成研究

doi:10.16638/j.cnki.1671-7988.2025.016.001

汽车实用技术 ›› 2025, Vol. 50 ›› Issue (16): 1-7.DOI: 10.16638/j.cnki.1671-7988.2025.016.001

• 智能网联汽车 •

应用于限速类交通标志识别算法鲁棒性测试的对抗样本生成研究

曾爱民 1，毛宏敏 1，贾伟 2*

1.武汉产品质量监督检验所；2.华中科技大学

发布日期:2025-08-20
通讯作者: 贾伟
作者简介:曾爱民（1968－），男，硕士，正高级工程师，研究方向为质量检测通信作者：贾伟（1994－），男，博士，研究方向为人工智能安全
基金资助:
国家市场监督管理总局科技计划项目（2023MK150）

Research on Adversarial Example Generation for Robustness Testing of Speed Limit Traffic Sign Recognition Algorithms

ZENG Aimin1 , MAO Hongmin1 , JIA Wei2*

1.Wuhan Pruduct Quality Supervision & Testing Institute; 2.Huazhong University of Science and Technology

Published:2025-08-20
Contact: JIA Wei

摘要/Abstract

摘要： 为了能够对以限速为代表的交通标志识别算法进行高效的鲁棒性测试，提出了一种对抗样本生成框架。通过光照变换、角度变换等不同的变换算法对交通标志进行处理，模拟环境变化；将变换后的图像嵌入到真实道路背景，模拟真实交通图像；使用深度学习模型处理嵌入限速标志后的交通图像，利用单边界框和多边界框过滤器筛选出用于训练对抗扰动的边界框；训练过程中，基于目标攻击、隐藏攻击、非目标攻击、显现攻击四种不同的预期攻击效果，设计四种损失函数，用于计算损失值；利用反向传播算法更新对抗扰动，最终生成对抗样本。该框架能够快速生成可模拟四种攻击的对抗样本，对以限速为代表的交通标志识别算法进行鲁棒性评估。生成的对抗样本可迁移到真实物理车辆测试，辅助开发人员优化交通标志识别算法。

关键词: 限速；交通标识识别；鲁棒性测试；对抗样本；图像变换

Abstract: To efficiently evaluate the robustness of traffic sign recognition algorithms, particularly those for speed limit signs, this paper proposes an adversarial sample generation framework. Traffic signs are processed using various transformation algorithms, including illumination and angle transformations, to simulate environmental changes. The transformed images are embedded into real road backgrounds to mimic realistic traffic scenarios. A deep learning model is employed to process these embedded traffic images containing speed limit signs. Single bounding box and multiple bounding box filters are utilized to screen out bounding boxes for anti-disturbance training. During the training process, four loss functions are designed based on four distinct expected attack effects: target attack, hidden attack, non-target attack, and revealed attack. These functions are used to calculate the loss values. The back-propagation algorithm is then applied to update the adversarial perturbations, ultimately generating adversarial samples. This framework can rapidly generate adversarial samples capable of simulating four types of attacks, thereby assessing the robustness of traffic sign recognition algorithms, especially those for speed limit signs. Furthermore, the generated adversarial examples can be transferred to real-world physical vehicle testing environments, assisting developers in optimizing traffic sign recognition algorithms.

Key words: speed limit; traffic sign recognition; robustness testing; adversarial example; image transformation

曾爱民 1，毛宏敏 1，贾伟 2*. 应用于限速类交通标志识别算法鲁棒性测试的对抗样本生成研究[J]. 汽车实用技术, 2025, 50(16): 1-7.

ZENG Aimin1 , MAO Hongmin1 , JIA Wei2*. Research on Adversarial Example Generation for Robustness Testing of Speed Limit Traffic Sign Recognition Algorithms[J]. Automobile Applied Technology, 2025, 50(16): 1-7.

参考文献

[ 1 ] SZEGEDY C,ZAREMBA W,SUTSKEVER I,et al. Intriguing Properties of Neural Networks[J].arXiv,2014: 1312.6199. [ 2 ] WANG X S,HE K.Enhancing the Transferability of Adversarial Attacks through Variance Tuning[C]// IEEE/CVF Conference on Computer Vision and Pattern Recognition.Piscataway:IEEE,2021:1924-1933. [ 3 ] M A,DRY A,MAKELOV A,SCHMIDT L,et al.Towards Deep Learning Models Resistant to Adversarial Attacks [J].arXiv,2019:1706.06083. [ 4 ] CHI L,MSAHLI M,MEMMI G,et al.Public-AttentionBased Adversarial Attack on Traffic Sign Recognition [C]//IEEE 20th Consumer Communications & Networking Conference.Piscataway:IEEE,2023:740-745. [ 5 ] WANG N,LUO Y,SATO T,et al.Does Physical Adversarial Example Really Matter to Autonomous Driving? Towards System-level Effect of Adversarial Object Evasion Attack[C]//IEEE/CVF International Conference on Computer Vision.Piscataway:IEEE,2023:4412-4423. [ 6 ] LU J,SIBAI H,FABRY E,et al.No Need to Worry about Adversarial Examples in Object Detection in Autonomous Vehicles[J].arXiv,2017:1707.03501. [ 7 ] ATHALYE A,ENGSTROM L,ILYAS A,et al.Synthesizing Robust Adversarial Examples[C]//35th Interna- tional Conference on Machine Learning:ICML 2018. Stockholm:ICML,2018:284-293. [ 8 ] LOVISOTTO G,TURNER H,SLUGANOVIC I,et al. SLAP:Improving Physical Adversarial Examples with Short-lived Adversarial Perturbations[C]//30th USENIX Security Symposium.Berkeley:USENIX Association,2021: 1865-1882. [ 9 ] HUANG B,LING H.SPAA:Stealthy Projector-based Adversarial Attacks on Deep Image Classifiers[C]// IEEE Conference on Virtual Reality and 3D User Interfaces.Piscataway:IEEE,2022:534-542. [10] ETIM A,SZEFER J.Adversarial Universal Stickers: Universal Perturbation Attacks on Traffic Sign Using Stickers[J].arXiv,2025:2502.18724. [11] ZHANG T,WANG L,ZHANG X,et al.Visual Adversarial Attack on Vision-language Models for Autonomous Driving[J].arXiv:2024:2411.18275. [12] SHARMA P,AUSTIN D,LIU H.Attacks on Machine Learning:Adversarial Examples in Connected and Autonomous Vehicles[C]//IEEE International Symposium on Technologies for Homeland Security:HST 2019. Piscataway:IEEE,2019:1-7. [13] ZHU Z,LIANG D,ZHANG S,et al.Traffic-sign Detection and Classification in the Wild[C]//Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR).Piscataway:IEEE Computer Society,2016:2110-2118.

应用于限速类交通标志识别算法鲁棒性测试的对抗样本生成研究

Research on Adversarial Example Generation for Robustness Testing of Speed Limit Traffic Sign Recognition Algorithms

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 0

编辑推荐

Metrics

应用于限速类交通标志识别算法鲁棒性 测试的对抗样本生成研究

Research on Adversarial Example Generation for Robustness Testing of Speed Limit Traffic Sign Recognition Algorithms

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 0

编辑推荐

Metrics

应用于限速类交通标志识别算法鲁棒性测试的对抗样本生成研究