pith. machine review for the scientific record.

arxiv: 2604.24599 · v1 · submitted 2026-04-27 · 💻 cs.CR

Recognition: unknown

DETOUR: A Practical Backdoor Attack against Object Detection

Authors on Pith · no claims yet

Pith reviewed 2026-05-08 02:46 UTC · model grok-4.3

classification 💻 cs.CR
keywords backdoor attack · object detection · semantic trigger · trigger radiating effect · DETR · computer vision security · practical attack

The pith

DETOUR shows that semantic triggers extracted from real objects under multiple viewpoints can embed reliable backdoors in object detectors that activate across unseen sizes, locations, and fields of view.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows how backdoor attacks on object detection transformers can be made practical for real-world camera deployments instead of relying on fixed artificial patches. It identifies a trigger radiating effect where a single patch influences neighboring regions and demonstrates that inserting rescaled triggers at multiple locations amplifies this effect across an entire image. DETOUR extracts trigger patterns from everyday objects like mugs captured at different angles, then uses these during training so the backdoor activates reliably regardless of the trigger's scale, position, or viewpoint in new scenes. Readers would care because object detection underpins many deployed vision systems and this approach produces attacks that are harder to spot and defend against than prior patch-based methods.

Core claim

DETOUR establishes a practical backdoor attack on detection transformers by rescaling semantic trigger patterns to different sizes, inserting them at multiple predefined locations, and extracting the patterns from real-world objects captured under varying fields of view; this leverages the trigger radiating effect to produce high attack success rates that persist across diverse spatial configurations and viewpoints in physical settings.
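The multi-location, multi-scale injection in the core claim can be sketched concretely. The location grid, scale set, and nearest-neighbour rescaling below are illustrative assumptions, not the paper's exact procedure; the real attack uses semantic patterns extracted from photos of an object such as a mug.

```python
import numpy as np

def rescale(trigger, scale):
    """Nearest-neighbour rescale of a trigger patch (an assumed augmentation)."""
    h, w = trigger.shape[:2]
    nh, nw = max(1, int(h * scale)), max(1, int(w * scale))
    rows = np.arange(nh) * h // nh
    cols = np.arange(nw) * w // nw
    return trigger[rows][:, cols]

def paste_trigger(image, trigger, top, left):
    """Paste a trigger patch at (top, left), clipped to the image bounds."""
    H, W = image.shape[:2]
    h = min(trigger.shape[0], H - top)
    w = min(trigger.shape[1], W - left)
    out = image.copy()
    out[top:top + h, left:left + w] = trigger[:h, :w]
    return out

def poison(image, trigger, rng,
           locations=((0.1, 0.1), (0.5, 0.5), (0.8, 0.8)),
           scales=(0.5, 1.0, 1.5)):
    """Insert rescaled copies of the trigger at multiple predefined locations,
    mirroring the multi-location insertion said to amplify the trigger
    radiating effect across the image."""
    H, W = image.shape[:2]
    out = image
    for fy, fx in locations:
        t = rescale(trigger, rng.choice(scales))
        out = paste_trigger(out, t, int(fy * H), int(fx * W))
    return out
```

During backdoor training, a poisoning-ratio fraction of images would be passed through `poison` and relabelled with the attacker's target class.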

What carries the argument

The trigger radiating effect (TRE) enhanced through multi-location insertion of rescaled semantic triggers and multi-FoV extraction from real objects, which enables the backdoor to generalize beyond training configurations.

Load-bearing premise

That rescaling triggers to different sizes, placing them at multiple locations, and extracting patterns from real objects under multiple fields of view will let the model recognize the trigger even at arbitrary unseen positions and viewpoints.

What would settle it

Evaluate the backdoored model on images containing the trigger object at random locations and from camera angles completely absent from the multi-FoV training set; if attack success rate falls sharply below the reported levels, the generalization claim is false.
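This test reduces to computing an attack success rate (ASR) on poisoned images from held-out placements and viewpoints; the interface below (per-image lists of detected classes) is an assumed simplification of a detector's output, not the paper's evaluation code.

```python
def attack_success_rate(predictions, target_class):
    """Fraction of poisoned test images whose detections include the
    attacker's target class — a standard ASR definition, assumed here.

    predictions: list of per-image detected-class lists, one list per
    image containing the trigger object at an unseen position/viewpoint.
    """
    if not predictions:
        return 0.0
    hits = sum(target_class in detected for detected in predictions)
    return hits / len(predictions)
```

Comparing ASR on seen versus held-out viewpoints is the decisive contrast: a sharp drop on the held-out split would falsify the generalization claim.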

Figures

Figures reproduced from arXiv: 2604.24599 by Dazhuang Liu, Georgios Smaragdakis, Kaitai Liang, Rui Wang, Yanqi Qiao.

Figure 1: A typical real-world OD application scenario. (a) Illustration of a typical view
Figure 2: Visualization of TRE heatmaps under different attack settings in DETR.
Figure 3: (a) Multiple FoVs of a mug as a semantic conceptual trigger pattern.
Figure 4: (a)–(h): Visualization of detection results on clean and poisoned images
Figure 5: (a)–(d): Visualization of detection results on clean and poisoned images
Figure 6: Visualization of detection results on clean and poisoned images under the
Figure 7: The x-axis shows the first ten classes in alphabetical order, along with
Figure 7: The inference accuracy (%) of object labels across samples from the clean
Figure 8: Visualization of TRE heatmaps under superimpose-based (SUP) trigger
original abstract

Object detection (OD) is critical to real-world vision systems, yet existing backdoor attacks on detection transformers (DETRs) for OD tasks rely on patch-wise triggers optimized at fixed locations with minimal perturbations. Such attacks overlook that backdoor triggers in the real world may appear at different sizes, fields of view (FoVs), and locations in images, while minimal perturbations are difficult for cameras to capture, limiting attack practicality. We first observe that a patch-wise trigger in DETR delivers high attack effectiveness when activating the backdoor across neighboring locations, a phenomenon we term the trigger radiating effect (TRE). Meanwhile, inserting patch-wise triggers across multiple locations synergistically enhances TRE, resulting in high attack effectiveness across images. We propose DETOUR, a practical backdoor attack by using semantic triggers that are effective in real-world object detection systems. To ensure attack practicality, we rescale trigger patterns to different sizes and insert them at various predefined locations during backdoor training, enabling the model to recognize the trigger regardless of its spatial configurations. To address FoV variations in physical deployments, we extract the trigger pattern from a real-world object (e.g., a mug) captured under multiple FoVs and inject the trigger accordingly, promoting viewpoint-invariant backdoor activation and enhancing TRE across the entire image. As a result, the backdoor can be reliably activated under diverse FoVs and spatial configurations.
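The training recipe in the abstract — poison a fixed fraction of the dataset, sample a trigger FoV per poisoned image, and relabel to the attacker's target class — can be sketched at the dataset level. `build_poisoned_dataset` and the `inject` callback are hypothetical stand-ins for the described procedure, not the authors' implementation.

```python
import random

def build_poisoned_dataset(dataset, fov_triggers, inject, target_class,
                           poison_ratio=0.1, seed=0):
    """Split a dataset into clean and poisoned subsets per the poisoning
    ratio, stamp each poisoned sample with a randomly sampled FoV of the
    trigger pattern, and relabel it to the attacker's target class.

    dataset: list of (image, label) pairs.
    fov_triggers: bank of trigger patterns captured under different FoVs.
    inject: callable pasting a trigger into an image (assumed).
    """
    rng = random.Random(seed)
    n_poison = int(len(dataset) * poison_ratio)
    poisoned_idx = set(rng.sample(range(len(dataset)), n_poison))
    out = []
    for i, (image, label) in enumerate(dataset):
        if i in poisoned_idx:
            trigger = rng.choice(fov_triggers)  # sample one FoV of the pattern
            out.append((inject(image, trigger), target_class))
        else:
            out.append((image, label))
    return out
```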

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes DETOUR, a practical backdoor attack on object detection transformers (DETRs) that exploits an observed 'trigger radiating effect' (TRE) in patch-wise triggers. By rescaling semantic triggers derived from real-world objects (e.g., a mug) captured under multiple fields of view (FoVs), inserting them at multiple predefined locations during training, and leveraging the synergistic enhancement of TRE, the authors claim to achieve reliable, viewpoint-invariant backdoor activation across diverse spatial configurations and physical deployment conditions.

Significance. If the empirical results demonstrate strong attack success rates on unseen configurations with limited clean-accuracy degradation, the work would meaningfully advance practical backdoor research by moving beyond fixed-location digital patches toward physically realizable semantic triggers. The emphasis on real-object pattern extraction and multi-FoV training is a concrete step toward closing the sim-to-real gap in OD security.

major comments (2)
  1. [Experimental evaluation (likely §4–5)] The central claim that multi-location insertion plus multi-FoV pattern extraction produces reliable activation 'regardless of its spatial configurations' and 'viewpoint-invariant' behavior rests on an unisolated generalization assumption. Experiments must include ablations or test sets with continuous/random placements and novel viewpoints (distinct from the predefined training locations and captured FoVs) to rule out memorization of the discrete training set; without such controls the load-bearing practicality argument is not yet established.
  2. [Abstract and §1] No quantitative metrics (attack success rate, clean mAP drop, comparison to prior patch-based attacks on DETR, or physical capture results) appear in the abstract or high-level description, even though the claims assert 'high attack effectiveness' and 'reliable' activation. All load-bearing assertions require explicit tables or figures reporting these numbers under the claimed diverse conditions.
minor comments (2)
  1. [§2 or §3] The precise operational definition and quantitative measurement of the 'trigger radiating effect' (TRE) should be stated formally at first use, including how neighboring-location activation is scored.
  2. [Method description] Clarify whether the semantic trigger is a fixed patch extracted once or dynamically adapted per FoV; the current wording leaves the injection procedure ambiguous for reproducibility.
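For the operational definition of TRE requested above, one plausible scoring is backdoor activation rate as a function of the trigger's offset from a trained location. The oracle interface and the L1 distance binning below are assumptions, not the paper's metric.

```python
from collections import defaultdict

def tre_profile(activates, center, offsets):
    """Score the trigger radiating effect as activation rate vs. offset.

    activates(x, y): oracle returning True when a trigger placed at (x, y)
    flips the detector's output; center: a training-time trigger location.
    Returns {L1_distance_from_center: activation_rate} over the offset grid.
    """
    hits, total = defaultdict(int), defaultdict(int)
    cx, cy = center
    for dx, dy in offsets:
        d = abs(dx) + abs(dy)  # L1 distance from the trained location
        total[d] += 1
        hits[d] += bool(activates(cx + dx, cy + dy))
    return {d: hits[d] / total[d] for d in total}
```

A slowly decaying profile would indicate strong radiating behaviour; a profile that collapses one step away from the trained location would not.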

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments on experimental rigor and presentation. We address each major point below and will revise the manuscript to strengthen the claims.

point-by-point responses
  1. Referee: [Experimental evaluation (likely §4–5)] The central claim that multi-location insertion plus multi-FoV pattern extraction produces reliable activation 'regardless of its spatial configurations' and 'viewpoint-invariant' behavior rests on an unisolated generalization assumption. Experiments must include ablations or test sets with continuous/random placements and novel viewpoints (distinct from the predefined training locations and captured FoVs) to rule out memorization of the discrete training set; without such controls the load-bearing practicality argument is not yet established.

    Authors: We agree that the current evaluation uses predefined locations and captured FoVs, which leaves open the possibility of memorization. In the revision we will add ablations and test sets using continuous/random placements together with novel viewpoints outside the training distribution. These new results will isolate the contribution of multi-location insertion and multi-FoV extraction to the observed trigger radiating effect. revision: yes

  2. Referee: [Abstract and §1] No quantitative metrics (attack success rate, clean mAP drop, comparison to prior patch-based attacks on DETR, or physical capture results) appear in the abstract or high-level description, even though the claims assert 'high attack effectiveness' and 'reliable' activation. All load-bearing assertions require explicit tables or figures reporting these numbers under the claimed diverse conditions.

    Authors: We accept that the abstract and §1 currently lack explicit numbers. We will revise both sections to report concrete attack success rates, clean mAP degradation, and comparisons to prior patch-based attacks on DETR, with direct references to the supporting tables and figures that already contain results under the evaluated spatial and FoV conditions. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical design based on direct observation

full rationale

The paper describes an empirical backdoor attack construction. It first observes the trigger radiating effect (TRE) from patch-wise triggers at neighboring locations, then designs DETOUR by rescaling semantic triggers, inserting them at multiple predefined locations during training, and extracting patterns from real objects under multiple FoVs. No equations, parameter fitting, or derivations are present that reduce any claim to its own inputs by construction. The central practicality claim rests on the described training procedure and experimental validation rather than self-referential definitions, self-citations, or renamed known results. The approach is self-contained as a practical engineering method informed by the stated observation.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claim rests on the empirical observation of the trigger radiating effect and the assumption that standard backdoor poisoning with the described augmentations will produce viewpoint- and scale-invariant activation.

axioms (2)
  • domain assumption A patch-wise trigger in DETR delivers high attack effectiveness when activating the backdoor across neighboring locations (trigger radiating effect).
    This observation is used to justify inserting triggers at multiple locations during training.
  • domain assumption Inserting patch-wise triggers across multiple locations synergistically enhances the trigger radiating effect.
    Invoked to support the multi-location training strategy for high effectiveness across images.

pith-pipeline@v0.9.0 · 5555 in / 1394 out tokens · 66190 ms · 2026-05-08T02:46:58.741152+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

42 extracted references · 3 canonical work pages · 1 internal anchor

  1. [1]

    In: Proceedings of the IEEE International Conference on Image Processing (ICIP)

    Barni, M., Kallas, K., Tondi, B.: A new backdoor attack in CNNs by training set corruption without label poisoning. In: Proceedings of the IEEE International Conference on Image Processing (ICIP). pp. 101–105 (2019)

  2. [2]

    Boisvert, L., Puri, A., Evuru, C.K.R., Chapados, N., Cappart, Q., Lacoste, A., Dvijotham, K.D., Drouin, A.: Malice in agentland: Down the rabbit hole of backdoors in the AI supply chain (2025)

  3. [3]

    IEEE Transactions on Instrumentation and Measurement 70, 1–13 (2021)

    Cai, Y., Luan, T., Gao, H., Wang, H., Chen, L., Li, Y., Sotelo, M.A., Li, Z.: YOLOv4-5D: An effective and efficient object detector for autonomous driving. IEEE Transactions on Instrumentation and Measurement 70, 1–13 (2021)

  4. [4]

    In: European Conference on Computer Vision (ECCV) (2020)

    Carion, N., Massa, F., Synnaeve, G., Usunier, N., Kirillov, A., Zagoruyko, S.: End-to-end object detection with transformers. In: European Conference on Computer Vision (ECCV) (2020)

  5. [5]

    In: Proceedings of the European Conference on Computer Vision (ECCV)

    Chan, S.H., Dong, Y., Zhu, J., Zhang, X., Zhou, J.: Baddet: Backdoor attacks on object detection. In: Proceedings of the European Conference on Computer Vision (ECCV). pp. 396–412 (2022)

  6. [6]

    arXiv preprint arXiv:1811.03728 (2018)

    Chen, B., Carvalho, W., Baracaldo, N., Ludwig, H., Edwards, B., Lee, T., Molloy, I., Srivastava, B.: Detecting backdoor attacks on deep neural networks by activation clustering. arXiv preprint arXiv:1811.03728 (2018)

  7. [7]

    Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning

    Chen, X., Liu, C., Li, B., Lu, K., Song, D.: Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526 (2017)

  8. [9]

    Cheng, Y., Hu, W., Cheng, M.: Attacking by aligning: Clean-label backdoor attacks on object detection (2023)

  9. [10]

    ACM Computing Surveys 18(1), 67–108 (1986)

    Chin, R.T., Dyer, C.R.: Model-based recognition in robot vision. ACM Computing Surveys 18(1), 67–108 (1986)

  10. [11]

    In: Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV)

    Doan, K., Lao, Y., Zhao, W., Li, P.: Lira: Learnable, imperceptible and robust backdoor attacks. In: Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV). pp. 11966–11976 (2021)

  11. [12]

    In: International Conference on Learning Representations (ICLR) (2021)

    Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: International Conference on Learning Representations (ICLR) (2021)

  12. [13]

    Dunnett, K., Arablouei, R., Miller, D., Dedeoglu, V., Jurdak, R.: Baddet+: Robust backdoor attacks for object detection (2026)

  13. [14]

    Gu, T., Dolan-Gavitt, B., Garg, S.: BadNets: Identifying vulnerabilities in the machine learning model supply chain (2019)

  14. [15]

    IEEE Transactions on Systems, Man, and Cybernetics (6), 610–621 (2007)

    Haralick, R.M., Shanmugam, K., Dinstein, I.H.: Textural features for image classification. IEEE Transactions on Systems, Man, and Cybernetics (6), 610–621 (2007)

  15. [16]

    In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)

    He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). pp. 770–778 (2016)

  16. [17]

    IEEE Transactions on Dependable and Secure Computing 18, 2088–2105 (2019)

    Li, S., Xue, M., Zhao, B.Z.H., Zhu, H., Zhang, X.: Invisible backdoor attacks on deep neural networks via steganography and regularization. IEEE Transactions on Dependable and Secure Computing 18, 2088–2105 (2019)

  17. [18]

    Li, Z., Liu, Z., Geng, G., Gowda, S.N., Lin, S., Weng, J., Jin, X.: Twin trigger generative networks for backdoor attacks against object detection (2024)

  18. [19]

    In: IEEE International Conference on Computer Vision (ICCV) (2017)

    Lin, T.Y., Goyal, P., Girshick, R., He, K., Dollár, P.: Focal loss for dense object detection. In: IEEE International Conference on Computer Vision (ICCV) (2017)

  19. [20]

    Lin, T.Y., Maire, M., Belongie, S., Bourdev, L., Girshick, R., Hays, J., Perona, P., Ramanan, D., Zitnick, C.L., Dollár, P.: Microsoft COCO: Common objects in context (2015)

  20. [21]

    Lin, T.Y., Maire, M., Belongie, S., Hays, J., Perona, P., Ramanan, D., Dollár, P., Zitnick, C.L.: Microsoft COCO: Common objects in context. In: European Conference on Computer Vision. pp. 740–755. Springer (2014)

  21. [22]

    In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2025)

    Liu, D., Qiao, Y., Wang, R., Liang, K., Smaragdakis, G.: Ladder: Multi-objective backdoor attack via evolutionary algorithm. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2025)

  22. [23]

    International Journal of Computer Vision 128(2), 261–318 (2020)

    Liu, L., Ouyang, W., Wang, X., Fieguth, P., Chen, J., Liu, X., Pietikäinen, M.: Deep learning for generic object detection: A survey. International Journal of Computer Vision 128(2), 261–318 (2020)

  23. [24]

    IEEE Transactions on Information Forensics and Security 17, 69–84 (2022)

    Liu, Y., Ma, Z., Liu, X., Ma, S., Ren, K.: Privacy-preserving object detection for medical images with Faster R-CNN. IEEE Transactions on Information Forensics and Security 17, 69–84 (2022)

  24. [25]

    In: European Conference on Computer Vision (ECCV)

    Liu, Y., Ma, X., Bailey, J., Lu, F.: Reflection backdoor: A natural backdoor attack on deep neural networks. In: European Conference on Computer Vision (ECCV). pp. 182–199 (2020)

  25. [26]

    Lu, J., Shan, J., Zhao, Z., Chow, K.H.: Anywheredoor: Multi-target backdoor attacks on object detection (2024)

  26. [27]

    In: Proceedings of the IEEE International Conference on Multimedia and Expo (ICME)

    Lv, P., Ma, H., Zhou, J., Liang, R., Chen, K., Zhang, S., Yang, Y.: DBIA: Data-free backdoor attack against transformer networks. In: Proceedings of the IEEE International Conference on Multimedia and Expo (ICME). pp. 2819–2824 (2023)

  27. [28]

    IEEE Transactions on Pattern Analysis and Machine Intelligence 44(7), 3523–3542 (2021)

    Minaee, S., Boykov, Y., Porikli, F., Plaza, A., Kehtarnavaz, N., Terzopoulos, D.: Image segmentation using deep learning: A survey. IEEE Transactions on Pattern Analysis and Machine Intelligence 44(7), 3523–3542 (2021)

  28. [29]

    In: Advances in Neural Information Processing Systems (NeurIPS)

    Paszke, A., Gross, S., Massa, F., Lerer, A., Bradbury, J., Chanan, G., Killeen, T., Lin, Z., Gimelshein, N., Antiga, L., Desmaison, A., Köpf, A., Yang, E., DeVito, Z., Raison, M., Tejani, A., Chilamkurthy, S., Steiner, B., Fang, L., Bai, J., Chintala, S.: PyTorch: An imperative style, high-performance deep learning library. In: Advances in Neural Information Processing Systems (NeurIPS)

  29. [30]

    Qian, Y., Ji, B., He, S., Huang, S., Ling, X., Wang, B., Wang, W.: Robust backdoor attacks on object detection in real world (2023)

  30. [31]

    In: IEEE Conference on Computer Vision and Pattern Recognition (CVPR) (2016)

    Redmon, J., Divvala, S., Girshick, R., Farhadi, A.: You only look once: Unified, real-time object detection. In: IEEE Conference on Computer Vision and Pattern Recognition (CVPR) (2016)

  31. [32]

    In: Advances in Neural Information Processing Systems (NeurIPS) (2015)

    Ren, S., He, K., Girshick, R., Sun, J.: Faster r-cnn: Towards real-time object detec- tion with region proposal networks. In: Advances in Neural Information Processing Systems (NeurIPS) (2015)

  32. [33]

    Neural Networks 61, 85–117 (Jan 2015)

    Schmidhuber, J.: Deep learning in neural networks: An overview. Neural Networks 61, 85–117 (Jan 2015)

  33. [34]

    arXiv preprint arXiv:1312.6229 (2013)

    Sermanet, P., Eigen, D., Zhang, X., Mathieu, M., Fergus, R., LeCun, Y.: OverFeat: Integrated Recognition, Localization and Detection using Convolutional Networks. arXiv preprint arXiv:1312.6229 (2013)

  34. [35]

    In: Advances in Neural Information Processing Systems (NeurIPS)

    Shen, G., Cheng, S., Tao, G., Zhang, K., Liu, Y., An, S., Ma, S., Zhang, X.: Django: Detecting trojans in object detection models via gaussian focus calibration. In: Advances in Neural Information Processing Systems (NeurIPS). vol. 36, pp. 51253–51272 (2023)

  35. [36]

    In: International Conference on Learning Representations (ICLR) (2015)

    Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: International Conference on Learning Representations (ICLR) (2015)

  36. [37]

    Yuan, Z., Zhou, P., Zou, K., Cheng, Y.: You are catching my attention: Are vision transformers bad learners under backdoor attacks? In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). pp. 24605–24615 (2023)

  37. [38]

    In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS)

    Zeng, Y., Pan, M., Just, H.A., Lyu, L., Qiu, M., Jia, R.: Narcissus: A practical clean-label backdoor attack with limited information. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS). pp. 771–785 (2023)

  38. [39]

    In: Proceedings of the International Joint Conference on Artificial Intelligence (IJCAI)

    Zhang, H., Hu, S., Wang, Y., Zhang, L.Y., Zhou, Z., Wang, X., Zhang, Y., Chen, C.: Detector collapse: Backdooring object detection to catastrophic overload or blindness in the physical world. In: Proceedings of the International Joint Conference on Artificial Intelligence (IJCAI). pp. 185–193 (2024)

  39. [40]

    In: Pattern Recognition: International Conference (PRIC)

    Zhang, X., Liang, S., Li, C.: Towards robust object detection: Identifying and removing backdoors via module inconsistency analysis. In: Pattern Recognition: International Conference (PRIC). pp. 343–358. Springer (2024)

  40. [41]

    IEEE Transactions on Neural Networks and Learning Systems30(11), 3212–3232 (2019)

    Zhao, Z.Q., Zheng, P., Xu, S.T., Wu, X.: Object detection with deep learning: A review. IEEE Transactions on Neural Networks and Learning Systems30(11), 3212–3232 (2019)

  41. [42]

    In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)

    Zheng, M., Lou, Q., Jiang, L.: TrojViT: Trojan insertion in vision transformers. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). pp. 4025–4034 (2022)

  42. [43]

    “Person” and “Motorbike”

    Within each training epoch, we partition the training dataset D into a clean subset D_cln and a poisoned subset D_bd according to the predefined poisoning ratio ρ, as described in lines 2 to 4. Then, we sample a FoV of the trigger pattern from the distribution P_τ, in line 5. We produce the poisoned dataset D_bd from lines 6 to 11. Specifically, we first sample the r...