Research Article
This article belongs to Vol. 2 No. 2, 2026
M. Bandić, M. Kovačić, and F. Pavlović, “Adversarial Vulnerability and Defense in Human Detection: An Experimental Study Using FGSM, PGD, and Adversarial Training on the HERIDAL Dataset,” International Journal of Innovative Solutions in Engineering, vol. 2, no. 2, pp. 38–48, doi: 10.47960/3029-3200.2026.2.2.38.
pages 38-48
Abstract
Adversarial attacks pose a serious threat to the reliability of modern artificial intelligence systems, especially in computer vision. Although such attacks rely on very small, often imperceptible perturbations of the input data, they can cause a dramatic degradation of deep neural network performance. This paper investigates the vulnerability of an object detection model to adversarial attacks and evaluates the effectiveness of adversarial training as a defense mechanism. The YOLOv8 model, trained for human detection in images, is used as the target model. The Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD) are implemented as adversarial attacks using multiple perturbation parameters. Model performance is evaluated using global metrics, per-image analysis, and detailed error analysis. The results show that FGSM attacks lead to a significant performance drop, primarily due to increased missed detections. The application of adversarial training substantially improves model robustness, although complete immunity to strong attacks is not achieved. These findings highlight the importance of systematic security evaluation of AI models before their deployment in real-world systems.
Keywords
Adversarial AI, FGSM, YOLOv8, Object Detection, Adversarial Training
ijise ID
21
Publication Date
In Press