Defending Adversarial Patches via Joint Region Localizing and Inpainting

Yafu Zhang; Shiji Zhao; Xingxing Wei; Sha Wei

doi:10.1007/978-981-97-8487-5_17

Defending Adversarial Patches via Joint Region Localizing and Inpainting

Yafu Zhang^*
, Shiji Zhao
, Xingxing Wei
, Sha Wei

^*Corresponding author for this work

School of Artificial Intelligence(Institute of Artificial Intelligence)

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

2 Scopus citations

Abstract

Deep neural networks are successfully used in various applications but show their vulnerability to adversarial examples. With the development of adversarial patches, the feasibility of attacks in physical scenes increases, and the defenses against patch attacks are urgently needed. However, the technology for defending against such adversarial patch attacks still requires to be improved. In this paper, we analyze the characteristics of adversarial patches and find that adversarial patches will lead to the appearance or contextual inconsistency in the target objects. The patch region will show abnormal changes on the high-level feature maps of the objects extracted by a backbone network. Consequently, we propose a novel defense method based on a “localizing and inpainting” mechanism to pre-process the input examples. Specifically, we design a unified framework, where the “localizing” sub-network utilizes a two-branch structure corresponding to two characteristics of patches to accurately detect the adversarial patch region in the image. The “inpainting” subnetwork utilizes the surrounding contextual cues to recover the original content covered by the adversarial patch. The quality of inpainted images is also evaluated by measuring the appearance consistency and the effects of adversarial attacks. These two sub-networks are jointly trained via an iterative optimization approach, allowing the ‘localizing’ and ‘inpainting’ modules to closely interact and learn a better solution. Extensive experiments on traffic sign classification and detection tasks demonstrate that our method outperforms the state-of-the-art method, increasing accuracy by 37%, which verifies the effectiveness and superiority of the proposed method.

Original language	English
Title of host publication	Pattern Recognition and Computer Vision - 7th Chinese Conference, PRCV 2024, Proceedings
Editors	Zhouchen Lin, Hongbin Zha, Ming-Ming Cheng, Ran He, Cheng-Lin Liu, Kurban Ubul, Wushouer Silamu, Jie Zhou
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	236-250
Number of pages	15
ISBN (Print)	9789819784868
DOIs	https://doi.org/10.1007/978-981-97-8487-5_17
State	Published - 2025
Event	7th Chinese Conference on Pattern Recognition and Computer Vision, PRCV 2024 - Urumqi, China Duration: 18 Oct 2024 → 20 Oct 2024

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	15031 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	7th Chinese Conference on Pattern Recognition and Computer Vision, PRCV 2024
Country/Territory	China
City	Urumqi
Period	18/10/24 → 20/10/24

Keywords

Adversarial defenses
Adversarial patch attack
Adversarial robustness
Image localizing and inpainting

Access to Document

10.1007/978-981-97-8487-5_17

Cite this

Zhang, Y., Zhao, S., Wei, X., & Wei, S. (2025). Defending Adversarial Patches via Joint Region Localizing and Inpainting. In Z. Lin, H. Zha, M.-M. Cheng, R. He, C.-L. Liu, K. Ubul, W. Silamu, & J. Zhou (Eds.), Pattern Recognition and Computer Vision - 7th Chinese Conference, PRCV 2024, Proceedings (pp. 236-250). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 15031 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-981-97-8487-5_17

Zhang, Yafu ; Zhao, Shiji ; Wei, Xingxing et al. / Defending Adversarial Patches via Joint Region Localizing and Inpainting. Pattern Recognition and Computer Vision - 7th Chinese Conference, PRCV 2024, Proceedings. editor / Zhouchen Lin ; Hongbin Zha ; Ming-Ming Cheng ; Ran He ; Cheng-Lin Liu ; Kurban Ubul ; Wushouer Silamu ; Jie Zhou. Springer Science and Business Media Deutschland GmbH, 2025. pp. 236-250 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{8eaec2409cc347ccb30fe8b0e2f78b80,

title = "Defending Adversarial Patches via Joint Region Localizing and Inpainting",

abstract = "Deep neural networks are successfully used in various applications but show their vulnerability to adversarial examples. With the development of adversarial patches, the feasibility of attacks in physical scenes increases, and the defenses against patch attacks are urgently needed. However, the technology for defending against such adversarial patch attacks still requires to be improved. In this paper, we analyze the characteristics of adversarial patches and find that adversarial patches will lead to the appearance or contextual inconsistency in the target objects. The patch region will show abnormal changes on the high-level feature maps of the objects extracted by a backbone network. Consequently, we propose a novel defense method based on a “localizing and inpainting” mechanism to pre-process the input examples. Specifically, we design a unified framework, where the “localizing” sub-network utilizes a two-branch structure corresponding to two characteristics of patches to accurately detect the adversarial patch region in the image. The “inpainting” subnetwork utilizes the surrounding contextual cues to recover the original content covered by the adversarial patch. The quality of inpainted images is also evaluated by measuring the appearance consistency and the effects of adversarial attacks. These two sub-networks are jointly trained via an iterative optimization approach, allowing the {\textquoteleft}localizing{\textquoteright} and {\textquoteleft}inpainting{\textquoteright} modules to closely interact and learn a better solution. Extensive experiments on traffic sign classification and detection tasks demonstrate that our method outperforms the state-of-the-art method, increasing accuracy by 37\%, which verifies the effectiveness and superiority of the proposed method.",

keywords = "Adversarial defenses, Adversarial patch attack, Adversarial robustness, Image localizing and inpainting",

author = "Yafu Zhang and Shiji Zhao and Xingxing Wei and Sha Wei",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025.; 7th Chinese Conference on Pattern Recognition and Computer Vision, PRCV 2024 ; Conference date: 18-10-2024 Through 20-10-2024",

year = "2025",

doi = "10.1007/978-981-97-8487-5\_17",

language = "英语",

isbn = "9789819784868",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "236--250",

editor = "Zhouchen Lin and Hongbin Zha and Ming-Ming Cheng and Ran He and Cheng-Lin Liu and Kurban Ubul and Wushouer Silamu and Jie Zhou",

booktitle = "Pattern Recognition and Computer Vision - 7th Chinese Conference, PRCV 2024, Proceedings",

address = "德国",

}

Zhang, Y, Zhao, S, Wei, X & Wei, S 2025, Defending Adversarial Patches via Joint Region Localizing and Inpainting. in Z Lin, H Zha, M-M Cheng, R He, C-L Liu, K Ubul, W Silamu & J Zhou (eds), Pattern Recognition and Computer Vision - 7th Chinese Conference, PRCV 2024, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 15031 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 236-250, 7th Chinese Conference on Pattern Recognition and Computer Vision, PRCV 2024, Urumqi, China, 18/10/24. https://doi.org/10.1007/978-981-97-8487-5_17

Defending Adversarial Patches via Joint Region Localizing and Inpainting. / Zhang, Yafu; Zhao, Shiji; Wei, Xingxing et al.
Pattern Recognition and Computer Vision - 7th Chinese Conference, PRCV 2024, Proceedings. ed. / Zhouchen Lin; Hongbin Zha; Ming-Ming Cheng; Ran He; Cheng-Lin Liu; Kurban Ubul; Wushouer Silamu; Jie Zhou. Springer Science and Business Media Deutschland GmbH, 2025. p. 236-250 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 15031 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Defending Adversarial Patches via Joint Region Localizing and Inpainting

AU - Zhang, Yafu

AU - Zhao, Shiji

AU - Wei, Xingxing

AU - Wei, Sha

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025.

PY - 2025

Y1 - 2025

N2 - Deep neural networks are successfully used in various applications but show their vulnerability to adversarial examples. With the development of adversarial patches, the feasibility of attacks in physical scenes increases, and the defenses against patch attacks are urgently needed. However, the technology for defending against such adversarial patch attacks still requires to be improved. In this paper, we analyze the characteristics of adversarial patches and find that adversarial patches will lead to the appearance or contextual inconsistency in the target objects. The patch region will show abnormal changes on the high-level feature maps of the objects extracted by a backbone network. Consequently, we propose a novel defense method based on a “localizing and inpainting” mechanism to pre-process the input examples. Specifically, we design a unified framework, where the “localizing” sub-network utilizes a two-branch structure corresponding to two characteristics of patches to accurately detect the adversarial patch region in the image. The “inpainting” subnetwork utilizes the surrounding contextual cues to recover the original content covered by the adversarial patch. The quality of inpainted images is also evaluated by measuring the appearance consistency and the effects of adversarial attacks. These two sub-networks are jointly trained via an iterative optimization approach, allowing the ‘localizing’ and ‘inpainting’ modules to closely interact and learn a better solution. Extensive experiments on traffic sign classification and detection tasks demonstrate that our method outperforms the state-of-the-art method, increasing accuracy by 37%, which verifies the effectiveness and superiority of the proposed method.

AB - Deep neural networks are successfully used in various applications but show their vulnerability to adversarial examples. With the development of adversarial patches, the feasibility of attacks in physical scenes increases, and the defenses against patch attacks are urgently needed. However, the technology for defending against such adversarial patch attacks still requires to be improved. In this paper, we analyze the characteristics of adversarial patches and find that adversarial patches will lead to the appearance or contextual inconsistency in the target objects. The patch region will show abnormal changes on the high-level feature maps of the objects extracted by a backbone network. Consequently, we propose a novel defense method based on a “localizing and inpainting” mechanism to pre-process the input examples. Specifically, we design a unified framework, where the “localizing” sub-network utilizes a two-branch structure corresponding to two characteristics of patches to accurately detect the adversarial patch region in the image. The “inpainting” subnetwork utilizes the surrounding contextual cues to recover the original content covered by the adversarial patch. The quality of inpainted images is also evaluated by measuring the appearance consistency and the effects of adversarial attacks. These two sub-networks are jointly trained via an iterative optimization approach, allowing the ‘localizing’ and ‘inpainting’ modules to closely interact and learn a better solution. Extensive experiments on traffic sign classification and detection tasks demonstrate that our method outperforms the state-of-the-art method, increasing accuracy by 37%, which verifies the effectiveness and superiority of the proposed method.

KW - Adversarial defenses

KW - Adversarial patch attack

KW - Adversarial robustness

KW - Image localizing and inpainting

UR - https://www.scopus.com/pages/publications/85209567437

U2 - 10.1007/978-981-97-8487-5_17

DO - 10.1007/978-981-97-8487-5_17

M3 - 会议稿件

AN - SCOPUS:85209567437

SN - 9789819784868

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 236

EP - 250

BT - Pattern Recognition and Computer Vision - 7th Chinese Conference, PRCV 2024, Proceedings

A2 - Lin, Zhouchen

A2 - Zha, Hongbin

A2 - Cheng, Ming-Ming

A2 - He, Ran

A2 - Liu, Cheng-Lin

A2 - Ubul, Kurban

A2 - Silamu, Wushouer

A2 - Zhou, Jie

PB - Springer Science and Business Media Deutschland GmbH

T2 - 7th Chinese Conference on Pattern Recognition and Computer Vision, PRCV 2024

Y2 - 18 October 2024 through 20 October 2024

ER -

Zhang Y, Zhao S, Wei X, Wei S. Defending Adversarial Patches via Joint Region Localizing and Inpainting. In Lin Z, Zha H, Cheng MM, He R, Liu CL, Ubul K, Silamu W, Zhou J, editors, Pattern Recognition and Computer Vision - 7th Chinese Conference, PRCV 2024, Proceedings. Springer Science and Business Media Deutschland GmbH. 2025. p. 236-250. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-981-97-8487-5_17

Defending Adversarial Patches via Joint Region Localizing and Inpainting

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this