Defending Object Detection Models Against Adversarial Patch Attacks Using Style Removal
Official implementation of the CVPR 2026 paper:
AntiStyler: Defending Object Detection Models Against Adversarial Patch Attacks Using Style Removal
Adversarial patch attacks can severely degrade object detection (OD) performance by inserting localized, malicious patterns into images.
AntiStyler is a fast, training-free, and fully agnostic defense that:
- 🧠 Detects adversarial patches via “style inconsistency”
- 🎭 Removes adversarial “random style” using a modified style transfer process
- 🎯 Masks suspicious regions with minimal impact on benign images
- ⚡ Runs in real-time (~10–12 FPS)
Unlike many prior defenses, AntiStyler:
- ✅ Does not require retraining
- ✅ Is model-, patch-, and attack-agnostic
- ✅ Preserves benign performance
- ✅ Works on both digital and physical attacks
AntiStyler consists of four sequential phases:
- Apply random padding to ensure the presence of “random style”
- Use a modified style transfer model (AntiStyle) to remove style
- Output: AntiStyled image
- Compute absolute difference between original and AntiStyled image
- Extract pixels with the largest changes → raw mask
Apply morphological operations:
- Dilation → connect regions
- Erosion → remove noise
- Smoothing + thresholding → refine mask
- Apply mask to input image
- Output: defended image → fed to detector
- 📈 +8–15 mAP improvement under attacks
- 🟰 No degradation on benign images
- ⚡ ~80–90 ms per image (~10–12 FPS)
- 🥇 Best speed–robustness tradeoff among SOTA defenses
AntiStyler is based on a key observation:
Adversarial patches introduce high-frequency, random “style” patterns that differ from natural image statistics.
Instead of reconstructing images, AntiStyler:
- Removes style (not content) using a modified loss:
- Minimize content loss
- Maximize style loss
- Regions that change the most → likely adversarial
- These regions are masked instead of reconstructed
This avoids:
- Object misalignment
- Localization errors
- Heavy computation
AntiStyler was evaluated against:
- Google Adversarial Patch
- M-PGD
- DPatch
- TSEA
- Printable patches
- Naturalistic patches
- Physical attacks (APRICOT, Superstore)
jupyter notebook AntiStyler_Demo.ipynbThis notebook demonstrates:
- Attack Generation
- AntiStyler's Pipeline
- AntiStyler's Effect on Benign and Adversarial Images
If you use this work in your research, please cite:
TBD- Ben-Gurion University
- Fujitsu Research
Please ⭐ the repo and cite the paper!