ML Security PapersDisPatch: Disarming Adversarial Patches in Object Detection with Diffusion Models
Jin Ma , Mohammed Aldeen , Christopher Salas , Feng Luo , Mashrur Chowdhury , Mert Pesé , Long Cheng
Published on arXiv
2509.04597
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
Achieves best overall mAP of 89.3% on hiding attacks and lowers attack success rate to 24.8% on untargeted creating attacks, outperforming all prior defenses while maintaining robustness against adaptive attacks.
DisPatch
Novel technique introduced
Object detection is fundamental to various real-world applications, such as security monitoring and surveillance video analysis. Despite their advancements, state-of-theart object detectors are still vulnerable to adversarial patch attacks, which can be easily applied to real-world objects to either conceal actual items or create non-existent ones, leading to severe consequences. Given the current diversity of adversarial patch attacks and potential unknown threats, an ideal defense method should be effective, generalizable, and robust against adaptive attacks. In this work, we introduce DISPATCH, the first diffusion-based defense framework for object detection. Unlike previous works that aim to "detect and remove" adversarial patches, DISPATCH adopts a "regenerate and rectify" strategy, leveraging generative models to disarm attack effects while preserving the integrity of the input image. Specifically, we utilize the in-distribution generative power of diffusion models to regenerate the entire image, aligning it with benign data. A rectification process is then employed to identify and replace adversarial regions with their regenerated benign counterparts. DISPATCH is attack-agnostic and requires no prior knowledge of the existing patches. Extensive experiments across multiple detectors and attacks demonstrate that DISPATCH consistently outperforms state-of-the-art defenses on both hiding attacks and creating attacks, achieving the best overall mAP.5 score of 89.3% on hiding attacks, and lowering the attack success rate to 24.8% on untargeted creating attacks. Moreover, it maintains strong robustness against adaptive attacks, making it a practical and reliable defense for object detection systems.
Key Contributions
- First diffusion-based defense framework (DISPATCH) for object detection against adversarial patches, using a 'regenerate and rectify' strategy instead of 'detect and remove'
- Attack-agnostic design requiring no prior knowledge of patch type, demonstrating generalizability across diverse hiding and creating attacks
- Strong robustness against adaptive attacks, achieving 89.3% mAP on hiding attacks and reducing attack success rate to 24.8% on untargeted creating attacks
🛡️ Threat Analysis
Directly defends against adversarial patch attacks — a canonical form of input manipulation attack at inference time — on object detection models. The 'regenerate and rectify' strategy using diffusion models is an input purification defense against adversarial perturbations.