Abstract
Deep neural networks (DNNs) find extensive applications, including object detection in various security domains. However, these DNN models are susceptible to backdoor attacks. While significant research has been conducted on backdoor attacks in classified models, limited attention has been given to object detection models. Previous studies have predominantly focused on backdoor attacks in digital environments, overlooking real-world implications. Notably, the efficacy of backdoor attacks in real-world scenarios can be significantly influenced by physical factors such as distance and illumination. In this article, we introduce a variable-size backdoor trigger designed to accommodate objects of different sizes, mitigating disruptions arising from varying distances between the viewing point and the targeted object. Additionally, we propose malicious adversarial training for backdoor training, enabling the backdoor object detector to learn trigger features amidst physical noise. Experimental results demonstrate that our robust backdoor attack (RBA) enhances the success rate of attacks in real-world settings.
Introduction
Deep neural networks (DNNs) have made significant progress in various computer vision tasks, such as image classification,1–3 object detection,4–6 and semantic segmentation,7–9 surpassing human performance in some cases. 10 However, DNNs are susceptible to serious vulnerabilities from adversarial attacks11–13 and backdoor attacks.14–16 Backdoor attacks, in particular, are more insidious and inconspicuous compared to adversarial attacks, making them difficult to detect. During the training phase, a backdoor attack inserts a subtle trigger into a target model. For instance, a small number of poisoned images containing a backdoor trigger are introduced into the training data, causing the model to learn and recognise the trigger pattern. In the inference phase, the model behaves normally with clean images but misclassifies when the trigger is present. Consequently, the vulnerability of models to backdoor attacks poses a significant threat. For example, an object detection model embedded with a backdoor for pedestrian detection17,18 may fail to identify individuals, potentially leading to severe security incidents.
While adversarial attacks on object detection have been extensively researched, backdoor attacks on object detection have been largely overlooked, particularly in real-world scenarios. Backdoor attacks have the potential to cause the bounding box (
Backdoor attacks on object detection have been explored in a limited number of studies. Wu et al. 21 generated a poisoned dataset by rotating a small subset of objects and mislabelling them. Li et al. 22 introduced additional training images to enhance the detector’s performance. Ma et al. 20 deceptively embedded backdoors into object detectors by creating clean-annotated images, a process that could potentially evade manual inspection by data curators. Chan et al. 19 proposed four methods to contaminate clean labels in object detection datasets in the digital realm. However, their approaches faced two key issues. First, they uniformly added fixed-size triggers to every image without considering the spatial relationship between the viewing perspective and the targeted object, thereby impacting the detector’s accuracy on clean data. Second, the backdoor attack algorithms for object detection failed to account for real-world physical factors such as varying illumination and adverse weather conditions. These physical elements make it challenging for backdoor attacks to deceive object detectors effectively.
In this article, we introduce a novel approach called robust backdoor attack (RBA) on object detection that addresses physical factors affecting traditional backdoor attacks. Prior works on backdoor attacks in object detection19–21 have overlooked the importance of considering distance during the poisoning process. Our method involves designing a customised trigger that adapts to the size of the ground-truth box, reflecting the distance between the viewing perspective and the targeted object. This tailored trigger enables the backdoor object detector to effectively learn the relationship between varying trigger sizes and the manipulated label in real-world scenarios (Figures 1 and 2).

Illustration of the different impacts on the normal backdoor and robust backdoor detection process. The red line means robust backdoor detection and the sky-blue line means normal backdoor detection.

Illustration of an object detection process. The features of input divided into multiple grids are extracted to generate multiple
Furthermore, we recognise that physical factors like illumination can significantly impact the success of backdoor attacks in object detection tasks. Previous studies23,24 have demonstrated that standard adversarial training can enhance the detector’s resilience to such physical variations. To this end, we introduce the concept of malicious adversarial training for training the backdoor object detector. This approach involves providing true labels to generate potent physical perturbations that disrupt backdoor attacks, integrating these perturbations with the manipulated label in the training dataset to induce confusion in predictions. By implementing this method, we aim to fortify the association between the manipulated label and the trigger affected by physical disturbances. We call the detector trained by RBA the robust backdoor object detector, which can maintain the attack success rate in the real physical world.
To realise our concept, we first implant backdoors in the digital world and validate their effectiveness. Subsequently, we utilise 3-D modelling to create a virtual physical environment that accurately simulates physical conditions such as distance and illumination, allowing for the refinement of the backdoor algorithm. Finally, we validate backdoor attacks under various physical conditions in the real world. By following this three-step process, we can significantly enhance the efficiency of experimental validation. Our major contributions are summarised as follows:
We introduce variable-size backdoor triggers that adapt to the sizes of targeted objects, reflecting the real-world distance between the viewing perspective and the objects under attack.
We propose malicious adversarial training to enable the backdoor object detector to learn and adapt to triggers with the most significant physical perturbations. This approach enhances the detector’s resilience to physical interferences such as illumination.
Through extensive experiments conducted in digital, virtual and real-world settings, we demonstrate that our method enhances the robustness of the backdoor object detector against physical factors across these three distinct environments.
Backdoor attacks
There are two primary methods for implementing backdoor attacks: data poisoning and model poisoning. In data poisoning, Gu et al. 14 were the first to introduce backdoor attacks on DNNs. Their approach involves adding a trigger to clean images, altering the ground-truth label, and then training the model. Liu et al. 25 developed a training dataset through reverse engineering to embed a backdoor in the model via retraining. Chen et al. 26 proposed a less potent backdoor attack that allows adversaries to target the model without prior knowledge of its structure. To enhance the efficacy of backdoor attacks, other studies27–29 focused on improving the stealthiness of these attacks by concealing triggers within images. In contrast to the aforementioned methods, clean label attacks30–32 do not require modifying the poisoned label; instead, the poisoned image aligns with its corresponding label in terms of features. On the other hand, model poisoning involves adjusting the model’s weights to match the performance of the original model when trained on the poisoned dataset.33,34 For instance, Tang et al. 35 proposed a non-poisoning-based backdoor attack that involves inserting a pre-trained malicious backdoor module into the target model, as opposed to altering parameters to embed a hidden backdoor.
In recent times, a range of backdoor attacks has been developed for various application scenarios, including semantic segmentation36–38 and natural language processing.39,40 However, the exploration of backdoor attacks in object detection remains limited. Ma et al. 20 highlighted the significant threat posed by backdoor attacks to object detection and introduced a novel backdoor method. On a similar note, Chan et al. 19 presented four attack methods that rely on a small subset of training images across four distinct settings. Nevertheless, their approaches do not consider the impact of physical factors, which can affect the appearance of the backdoor trigger.
Physical attack on DNNs
Currently, the majority of research focuses on attacking DNNs in digital environments. However, the significance of physical attacks against DNNs in the real world cannot be overstated. Several prior studies21,41,42 have demonstrated the susceptibility of object detection systems to adversarial attacks in real-world settings. For instance, there have been instances of physical attacks, such as the evasion of face detection through printed sunglasses, showcasing the vulnerabilities in real-world scenarios. 43 Additionally, Ivan et al. 44 conducted experiments where they placed ‘stickers’ on road signs to deceive image classifiers, further emphasising the practical implications of physical attacks on DNNs.
In the real world, various physical factors such as illumination play a crucial role and must be considered in physical attacks on DNNs. The Expectation Over Transformation (EOT) attack, as described in Athalye et al., 45 enables adversarial patches to manifest as real-world physical disturbances. Zhao et al. 46 introduced the nested AE approach, which utilises multiple adversarial examples (AEs) to target object detectors at varying distances. Another study by Thys et al. 42 incorporates viewing angles and illumination, performing transformations on the adversarial patch before its application to the image. Xu et al. 47 innovatively proposed an adversarial T-shirt, a physically robust example that can evade person detectors even under non-rigid deformation. Additionally, Suryanto et al. 48 presented a camouflage attack named differentiable transformation attack (DTA), employing the differentiable transformation network (DTN) to retain and understand physical factors. The adversarial patch generated by DTA exhibits robustness against physical factors. This article aims to develop backdoor object detectors that account for physical factors, thereby enhancing the efficacy of backdoor attacks.
Backdoor attack on object detection
Recently, there have been some works on backdoor attacks in object detection. BadDet 19 demonstrates the existence of backdoor attacks in object detection by contaminating the dataset. Still, it does not consider the physical world and focuses only on backdoor attacks in the digital world. Rotation backdoor 21 rotates the trigger and contaminates the dataset to prove the deflection direction of the trigger, but it neglects the interference of other physical factors on the backdoor attack. Ma et al. 20 and Ma et al. 22 proposed backdoor attacks that add carefully crafted images, but these can be easily perceived by users. The former works simulate triggers under various physical scenarios for backdoor attacks. It is difficult for the digital world to simulate all physical factors due to the complexity of the physical world, resulting in the inability to train models with both stealthiness and robustness against physical interference. However, our RBA simulates trigger pixel information under various physical factor interference scenarios through the variable-size trigger and malicious adversarial training, thus enabling the trained backdoor model to be robust against physical interference.
Background
Object detection
Object detection is the computer vision technique that aims to identify and locate objects of specific classes within an image or video. Suppose
To improve the prediction accuracy, the object detector minimises the detection’s loss function by training the detector as follows:
Furthermore, we assess the performance of the object detector using the mean average precision (mAP), which is a widely used metric for evaluating object detectors. The mAP is calculated as the average of the average precision (AP) values across all classes. AP is determined by computing the area under the precision-recall curve for each class, considering the confidence scores associated with the detections. A higher AP indicates better performance of the detector in accurately identifying objects in the images.
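The AP and mAP computation described above, as an added example that is not code from the article. It assumes PASCAL VOC-style greedy matching at an IoU threshold of 0.5 and all-point interpolation of the precision-recall curve (the article does not state either choice); the function names and the sample boxes are constructed for illustration.

```python
def iou(a, b):
    """Intersection over union of two boxes given as (x1, y1, x2, y2)."""
    iw = max(0.0, min(a[2], b[2]) - max(a[0], b[0]))
    ih = max(0.0, min(a[3], b[3]) - max(a[1], b[1]))
    inter = iw * ih
    union = (a[2] - a[0]) * (a[3] - a[1]) + (b[2] - b[0]) * (b[3] - b[1]) - inter
    return inter / union if union > 0 else 0.0

def average_precision(dets, gts, iou_thr=0.5):
    """AP for one class.
    dets: list of (image_id, confidence, box); gts: dict image_id -> list of boxes."""
    n_gt = sum(len(boxes) for boxes in gts.values())
    if n_gt == 0:
        return 0.0
    matched = {img: [False] * len(boxes) for img, boxes in gts.items()}
    flags = []  # 1 = true positive, 0 = false positive, in descending confidence
    for img, _, box in sorted(dets, key=lambda d: -d[1]):
        best, best_j = 0.0, -1
        for j, gt in enumerate(gts.get(img, [])):
            overlap = iou(box, gt)
            if overlap > best:
                best, best_j = overlap, j
        if best >= iou_thr and not matched[img][best_j]:
            matched[img][best_j] = True   # each ground-truth box is matched once
            flags.append(1)
        else:
            flags.append(0)               # duplicate or poorly localised detection
    precisions, recalls, tp = [], [], 0
    for k, flag in enumerate(flags, 1):
        tp += flag
        precisions.append(tp / k)
        recalls.append(tp / n_gt)
    # Make precision non-increasing in recall, then integrate the curve.
    for i in range(len(precisions) - 2, -1, -1):
        precisions[i] = max(precisions[i], precisions[i + 1])
    ap, prev_recall = 0.0, 0.0
    for p, r in zip(precisions, recalls):
        ap += (r - prev_recall) * p
        prev_recall = r
    return ap

def mean_average_precision(dets_by_class, gts_by_class, iou_thr=0.5):
    """mAP = mean of the per-class AP values; returns (mAP, per-class AP dict)."""
    aps = {cls: average_precision(dets_by_class.get(cls, []), gts, iou_thr)
           for cls, gts in gts_by_class.items()}
    return sum(aps.values()) / len(aps), aps

# Constructed sample data: two images, two classes.
SAMPLE_GTS = {
    "person": {"img1": [(10, 10, 50, 90)], "img2": [(20, 20, 60, 100)]},
    "car": {"img1": [(200, 50, 300, 120)]},
}
SAMPLE_DETS = {
    "person": [("img1", 0.9, (12, 12, 50, 88)),       # correct
               ("img1", 0.6, (100, 100, 140, 180)),   # false positive
               ("img2", 0.4, (22, 18, 60, 100))],     # correct, low confidence
    "car": [("img1", 0.8, (205, 55, 300, 120))],
}

if __name__ == "__main__":
    m, per_class = mean_average_precision(SAMPLE_DETS, SAMPLE_GTS)
    print("mAP@0.5 =", round(m, 4), per_class)
    # A person that is never detected lowers recall and therefore AP.
    missed = [d for d in SAMPLE_DETS["person"] if d[0] != "img2"]
    print("person AP with img2 missed =",
          average_precision(missed, SAMPLE_GTS["person"]))
```

Comparing per-class AP on a clean validation set against AP on a held-out set that was collected independently of the training data is one way an evaluator can notice a class whose recall collapses under specific conditions.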
For convenience, we begin with classifiers to introduce backdoor attacks because they have been widely studied previously. Let
Essentially, the backdoor attack aims to establish a strong connection between the trigger and poisoned label
Methodology
Overview
In this section, we provide a high-level overview of our approach. The primary motivation behind our method is to enhance the robustness of the implanted backdoor against variations in distance and environmental noise. In other words, we aim to ensure that the implanted backdoor is less susceptible to physical factors such as distance and lighting conditions, thereby preserving its attack performance. To facilitate a better understanding, we present a more formal definition of robust backdoor attacks as follows:
Robust backdoor attack
For a physical-world backdoor attack, if the adversary takes into account the influence of various physical factors and ensures the resilience of the backdoor attack against changes in these factors, we refer to it as a robust backdoor attack.
We assume that the adversary inserts the trigger
As illustrated in Figure 3, to render the backdoor attack on a detector robust to physical factors, we train the detector in the following three steps:

The pipeline of RBA built upon an object detector. The image is processed through the backbone, which extracts feature information from three convolutional layers of varying sizes. The backbone is divided into two parts, namely backdoor injection and output. The main data flow for training the backdoor object detector is represented by sky blue arrows, while the red arrows depict the data flow for perturbation training. The output loss function of the perturbation training can be utilised to generate perturbations.
The backdoor attacks the detector by poisoning the training dataset with a designed trigger and poisoned labels. Generate a poisoned dataset that needs to poison clean images
However, in real-world scenarios, the presence of a trigger can result in changes in its size due to the varying distances between the viewing point and the targeted object. A fixed-size trigger, as exemplified by the function
The variable-size trigger is suitable for every attacked object which has less influence on non-target objects. If the adversary wants to make the attacked object disappear,
To implant the backdoor into the detector
Through the training process, we successfully inject a backdoor into the original detector, resulting in a backdoor object detector denoted as
After undergoing backdoor training, the backdoor attack on object detection achieves a high success rate due to the presence of a variable-size trigger. However, when faced with other physical interferences such as changes in illumination or rain, it becomes challenging to achieve the desired attack effects. Specifically, these small physical noises denoted as

Empirical analyses on the detector with backdoor training via the statistics of loss changes.
One possible approach to enhance the attack’s robustness against physical noises
Malicious adversarial training on detector
In the model training, the minimisation loss function is designed to enable the backdoor object detector to learn the feature of the poisoned image with physical noise
We assess the efficacy of our robust backdoor attack, RBA, in three distinct scenarios. Firstly, we embed the trigger into the COCO dataset, referred to as the digital world, to evaluate our approach (Section 5.2). In the COCO dataset, we lack the flexibility to replicate changes in physical factors such as object rotation. Hence, we develop a 3-D virtual environment to replicate real-world conditions under tightly controlled physical parameters (Section 5.4). Following successful attacks in the digital and virtual realms, we proceed to create a physical trigger and evaluate its impact in the physical world (Section 5.4). Furthermore, we conduct ablation experiments focusing on trigger size, transparency, the object detector’s backbone and the loss function (Section 5.5).
Experimental settings
We use an SGD optimiser during the training phase, with the learning rate set to 0.001. For convenience, we use the pre-trained detector YOLOv5s to speed up the training by transfer learning. Specifically, the number of epochs is set to 100: the backbone is frozen for the first 50 epochs and unfrozen for the second 50 epochs. The weight

Physical setup in the virtual world and the individual with the trigger. On the left, the trigger is depicted on the T-shirt of a 3D human model. In the middle, the physical factor setup in the virtual environment includes various physical parameters. On the right, the alterations in the appearance of the targeted individual due to the influence of different physical factors are illustrated.
The results (%) of the backdoor object detector for different poisoning rates after fine-tuning. The trigger is set to Face.
The results (%) of the detector YOLOv5s, backdoor object detector and robust backdoor object detector with trigger + random noise
As shown in Table 3, the degree is used to measure the fuzziness of the motion blurring on images. Even if the trigger is disturbed by a larger degree of the motion blurring, the
The results (%) of the detector YOLOv5s, backdoor detector and robust backdoor object detector with trigger + motion blurring. The number of the second line is the degree of motion blurring.
The results (%) of the detector YOLOv5s, backdoor object detector and robust backdoor object detector with trigger
We evaluate the trigger on the COCO dataset and visualise the detections as shown in Figure 6. The individual without a trigger exhibits the same detection when identified by both backdoor object detectors, suggesting that our trigger does not influence the prediction of clean objects. However, when the trigger is applied to the targeted object, it triggers the backdoor object detector, causing the

Visualisation of the backdoor attack on object detection in the digital world. The figure shows the backdoor object detector and the robust backdoor object detector detecting different images. The first and fourth rows show the detection of clean images. The second and fifth rows show the detection of poisoned images. The third and sixth rows show the detection of poisoned images with physical factors.
Following the setup in the digital world, we select various human models as the targets of attacks. Without loss of generality, we designate the background as the poisoned label to deceive the detectors. We incorporate four distinct physical factors, as depicted in Figure 5, to assess the effectiveness of the proposed RBA. As illustrated in Figure 7, we observe that higher rotation angles and distances can diminish the efficacy of our attack. This can be attributed to the poor capture of the trigger when the pixel information of the trigger is compromised. We manipulate the lighting conditions to simulate different times of day indoors and outdoors, as shown in Figure 7. When the lighting conditions become brighter or darker, the individual with the trigger remains undetected, indicating that simple lighting changes do not affect our robust backdoor detector. Figure 8 demonstrates the robustness of our detector to rain. However, when the number of raindrops reaches 150, the individual with the trigger becomes partially obscured in the detector’s field of view. We observe that the performance of

Visualisation of different detectors with different distances and angles. The column represents the different values of distance (dm) on the left side of the black dotted line, and the right side’s column represents the different angles (

Visualisation of different detectors with different light sources. The column represents the different light intensity values of sources. The left side of the black dotted line is the indoor environment, and the right side is the outdoor environment.

Visualisation of the different detectors with different rains. The column represents the different number of raindrops per square metre.
To assess the effectiveness of

Visualisation of different detectors indoors. The figure shows the effectiveness of the trigger T-shirt for a person to evade the backdoor object detector indoors. Each row corresponds to various detectors while each column shows an individual frame.

Visualisation of different detectors outdoors in sunny weather. The figure shows the effectiveness of the trigger T-shirt for a person to evade the backdoor object detector outdoors.

Visualisation of different detectors outdoors in the rain. The figure shows the effectiveness of the trigger T-shirt for a person to evade the backdoor object detector in the rain.
In this section, we conduct a series of experiments on the COCO dataset to investigate the influence of various parameters on
The performance (%) of the trained backdoor object detector by different trigger sizes on the three COCO datasets. The trigger transparency is fixed to 1.

The clean accuracy and
Training YOLOv5s with different backbone, clean accuracy (%) and
Clean accuracy (%) and
In this section, we delve into the potential reasons behind the effectiveness of our attack method. When subjected to physical factors present in the real world, the trigger can lose its connection with the backdoor-related neurons of the backdoor object detector. This disruption can impair the trigger’s encoded feature that corresponds to the backdoor-related neurons. Consequently, the original
The percentage of
-box (%) detected as the person class by clean detector, backdoor object detector, and robust backdoor object detector with different datasets. Low represents
. Middle represents
. High represents
.
In summary, our RBA enhances the diversity of backdoor triggers, reinforcing the correlation between these triggers and the tainted labels within the backdoor object detector. This expansion broadens the threshold at which an object bearing a trigger is identified as a tainted label. Despite the introduction of physical factors to the trigger, objects with triggers will remain in proximity to the boundary but within the scope of detection by
This article introduces a robust backdoor attack on object detectors, addressing the limitations of existing backdoor attacks in object detection that lack resilience to physical factors. We propose a variable-size trigger capable of accommodating various sizes of targeted objects to simulate real-world scenarios where the viewing point varies in proximity to the object. Furthermore, to bolster the resilience of the backdoor object detector against physical factors, we introduce malicious adversarial training to acclimate the detector to a wide range of physical disturbances. Our experiments showcase the efficacy of our approach across digital, virtual and real-world settings, highlighting its ability to maintain robustness against physical noise and vertical object rotations. In the future, our work will continue to study the robustness of backdoor attacks against physical factors, enhance the invisibility of backdoor attacks and diminish the computational complexity of backdoor attacks. Consequently, the robust backdoor attack method we designed can serve as a benchmark for physical world-based backdoor defense in the future, thereby promoting research on backdoor defense in the physical world to mitigate the threat of RBA. In conclusion, our attack reveals the existence of backdoor attacks in the physical domain.
Footnotes
Acknowledgements
This work was supported in part by the National Key R&D Program of China, under Grant 2023YFB2703800, in part by the National Natural Science Foundation of China under Grants 62476250 and 62472335, and in part by the Key Program of Zhejiang Provincial Natural Science Foundation of China under Grant LZ22F020007.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
