Deep neural networks for ship detection in remote sensing imagery are vulnerable to adversarial patch attacks, while conventional data augmentation techniques—relying on global operations—introduce background interference that causes false positives. To address these issues, this paper proposes a **target-localized augmentation-based adversarial attack method**, which applies augmentation exclusively within bounding boxes to suppress perturbations in background and irrelevant regions. This confines gradient optimization to object-centric features, thereby enhancing the transferability and attack success rate of adversarial patches. Evaluated on the HRSC2016 dataset, the method significantly outperforms global-augmentation baselines and demonstrates superior cross-model transferability across mainstream detectors—including Faster R-CNN and YOLOv5—achieving an average 12.7% improvement in attack success rate without inducing background-induced false detections.

Current ship detection techniques based on remote sensing imagery primarily rely on the object detection capabilities of deep neural networks (DNNs). However, DNNs are vulnerable to adversarial patch attacks, which can lead to misclassification by the detection model or complete evasion of the targets. Numerous studies have demonstrated that data transformation-based methods can improve the transferability of adversarial examples. However, excessive augmentation of image backgrounds or irrelevant regions may introduce unnecessary interference, resulting in false detections of the object detection model. These errors are not caused by the adversarial patches themselves but rather by the over-augmentation of background and non-target areas. This paper proposes a localized augmentation method that applies augmentation only to the target regions, avoiding any influence on non-target areas. By reducing background interference, this approach enables the loss function to focus more directly on the impact of the adversarial patch on the detection model, thereby improving the attack success rate. Experiments conducted on the HRSC2016 dataset demonstrate that the proposed method effectively increases the success rate of adversarial patch attacks and enhances their transferability.