PIDray: X-ray Benchmark for Prohibited Item Detection
- PIDray is a large-scale X-ray benchmark featuring real-world security inspection data with over 124K images and 12 prohibited item categories.
- The dataset supports multiple tasks by providing high-quality segmentation masks, bounding boxes, and multi-label annotations for object detection, instance segmentation, and classification.
- PIDray addresses challenges such as clutter, overlap, and deliberate concealment, making it a critical resource for advancing security screening and detection models.
PIDray is a large-scale real-world X-ray benchmark for prohibited item analysis in security inspection imagery, designed to support object detection, instance segmentation, and multi-label classification under operational conditions such as clutter, overlap, intra-class variance, and deliberate concealment. The dataset first appeared in a 2021 version centered on 47,677 X-ray images containing prohibited items, with high-quality segmentation masks and bounding boxes, and was later extended to 124,486 X-ray images in total, including 47,677 images with prohibited items and 76,809 images without prohibited items; that extension made the benign majority an explicit part of the benchmark rather than a discarded background class (Wang et al., 2021, Zhang et al., 2022).
1. Corpus, versions, and scope
PIDray was introduced to address a persistent limitation in X-ray security inspection research: earlier public datasets rarely covered deliberately hidden prohibited items in messy real-world baggage, which restricted the practical relevance of trained models. In its initial 2021 formulation, PIDray was described as containing 12 categories of prohibited items in 47,677 X-ray images with segmentation masks and bounding boxes, and was presented as the largest prohibited items detection dataset to date (Wang et al., 2021). The 2022 extended version, titled “PIDray: A Large-scale X-ray Benchmark for Real-World Prohibited Item Detection,” expanded the benchmark to 124,486 X-ray images in total while retaining the same 12 prohibited categories and the 47,677-image positive subset (Zhang et al., 2022).
The 12 prohibited item categories are Gun, Knife, Wrench, Pliers, Scissors, Hammer, Handcuffs, Baton, Sprayer, Power bank, Lighter, and Bullet (Zhang et al., 2022). Later comparative studies often report PIDray as a 47,677-image dataset because they operate only on the images containing prohibited items for detection experiments; the full benchmark, however, includes the larger 124,486-image corpus with benign images preserved (Cani et al., 23 Jul 2025). This distinction is central to interpreting published results, because some works evaluate on the complete screening problem and others on the positive-image detection subset.
A common misconception is that PIDray is only a detection dataset. In fact, the extended benchmark was explicitly constructed to support three tasks: object detection, instance segmentation, and multi-label classification (Zhang et al., 2022). This multi-task design differentiates PIDray from earlier X-ray benchmarks that emphasized either image-level labels or bounding boxes alone.
2. Data acquisition and annotation regime
PIDray was collected from real security inspection scenarios at subway stations, airports, and railway stations, using three different security inspection machines from different manufacturers (Zhang et al., 2022). The images were acquired by placing prepared prohibited items into passengers’ carry-ons in real security lanes, with rough item locations recorded to facilitate subsequent labeling (Zhang et al., 2022). Later comparative work characterizes the imagery as RGB pseudo-color dual-energy X-ray, acquired at real-world security checkpoints in airports, subways, and railway stations (Cani et al., 23 Jul 2025).
The dataset reflects the imaging characteristics of operational X-ray systems rather than natural-image acquisition. The extended description reports that image height is generally fixed by the machine, width depends on bag size, average image resolution is approximately pixels, and files are stored as PNG (Zhang et al., 2022). The visual domain is marked by material-dependent color, sparse texture, and mixed contours caused by superposition and penetration, which makes prohibited item perception structurally different from natural-image object recognition (Zhang et al., 2022).
Annotation proceeded in stages. Five trained volunteers first filtered images and assigned image-level labels indicating whether prohibited items were present and, if so, which of the 12 categories appeared (Zhang et al., 2022). More than 10 annotators then used Labelme to draw polygon masks for each prohibited-item instance, with bounding boxes derived as tight rectangles around the masks; the paper states that each image typically required about three minutes of annotation and that the dataset underwent multiple rounds of double-checking for quality control (Zhang et al., 2022). The resulting annotation stack includes binary image-level labels, 12-way multi-label annotations, bounding boxes, and instance masks (Zhang et al., 2022).
3. Difficulty structure and benchmark tasks
The extended PIDray benchmark defines an official full-data split of 76,913 training images and 47,573 test images, with the test partition further divided into Easy, Hard, and Hidden subsets containing 24,758, 9,746, and 13,069 images, respectively (Zhang et al., 2022). These subsets correspond to distinct operational regimes: Easy contains one prohibited item in a relatively clean context, Hard contains multiple prohibited items, and Hidden contains deliberately hidden prohibited items such as objects wrapped, embedded, or shape-altered to increase concealment difficulty (Zhang et al., 2022).
Detection-focused studies often work on the positive subset alone. In that setting, the 47,677 images containing prohibited items are split into 29,457 training images and 18,220 test images, and the test portion is divided into 9,482 Easy images, 3,733 Hard images, and 5,055 Hidden images (Cani et al., 23 Jul 2025, Cani et al., 1 May 2025). The difference between these two split conventions is not a contradiction; it reflects whether benign images are retained as part of the task definition.
The benchmark tasks are organized as follows. For object detection and instance segmentation, PIDray uses COCO-style evaluation, including , , , , and recall metrics such as , , , and (Zhang et al., 2022). For multi-label classification, performance is reported as mean Average Precision over the 12 prohibited categories (Zhang et al., 2022). Later detector-comparison studies standardize on and 0, where the latter averages AP over IoU thresholds from 0.5 to 0.95 in steps of 0.05 (Cani et al., 23 Jul 2025).
Subsequent analyses underline the dataset’s small-object regime. One comparative evaluation reports 23,382 annotated PIDray instances and classifies all of them as small under COCO-style area 1 pixels, with no medium or large objects under that thresholding scheme (Cani et al., 23 Jul 2025). This property, combined with deliberate hiding, makes PIDray less a generic occlusion benchmark than a benchmark for small-object detection under concealment.
4. Baseline architectures and original benchmark findings
The initial PIDray release was paired with the “selective dense attention network” (SDANet), whose two principal components are the dense attention module and the dependency refinement module. The dense attention module combines spatial and channel-wise dense attentions to learn discriminative features, and the dependency refinement module exploits dependencies among multi-scale features; the original paper states that SDANet performed favorably against state-of-the-art methods, especially for deliberately hidden items (Wang et al., 2021).
The extended benchmark generalized this baseline into a divide-and-conquer pipeline tailored to PIDray’s long-tailed structure. The first node, 2, performs coarse binary classification to decide whether an image contains any prohibited item, thereby separating the dominant benign head category from the 12 prohibited tail categories (Zhang et al., 2022). The second node, 3, performs the task-specific analysis: for detection and instance segmentation it is implemented with Cascade Mask R-CNN plus dense attention modules and dependency refinement; for multi-label classification it uses class-aware attention and Asymmetric Loss (Zhang et al., 2022). The task loss is reweighted by the proportion of positive images in the batch so that optimization remains stable when the benign majority would otherwise dominate (Zhang et al., 2022).
The benchmark results established Hidden as the decisive regime. On detection, “Cascade Mask R-CNN+Ours” reached 74.5 AP on Easy, 64.8 AP on Hard, 53.0 AP on Hidden, and 66.6 AP overall; on instance segmentation, the corresponding values were 61.4, 51.9, 39.7, and 53.4 AP (Zhang et al., 2022). Relative to the strongest non-tree baselines, the gains were especially large on Hidden, where the authors report +6.2 AP over Cascade Mask R-CNN for detection and +3.5 AP for segmentation (Zhang et al., 2022). For multi-label classification, the best reported result in the paper is 94.24 mAP with a CvT-w24-384 backbone and the proposed method (Zhang et al., 2022).
PIDray’s inclusion of benign images materially affects conclusions. In the extended paper, training Cascade Mask R-CNN without benign images yielded 63.2 AP and a 21.4% error rate in judging whether an image contained prohibited items; training on the full dataset yielded 63.7 AP and a 4.8% error rate (Zhang et al., 2022). For multi-label classification, training Q2L on positive-only data led to 90.04 mAP and a 61.7% error rate for deciding whether any prohibited item was present, whereas training on the full dataset yielded 93.49 mAP and an error rate of approximately 4 (Zhang et al., 2022). These experiments established that the benign majority is not peripheral metadata but a defining property of the benchmark.
5. Derived benchmarks, new supervision regimes, and dataset reuse
PIDray has been repeatedly repurposed as a substrate for new supervision paradigms. In open-vocabulary X-ray prohibited item detection, OVXD defined nine base categories—baton, bullet, gun, hammer, powerbank, knife, lighter, pliers, and sprayer—and three novel categories—scissors, wrench, and handcuffs—on PIDray, with test-time recognition performed through CLIP text embeddings rather than closed-set class logits (Lin et al., 2024). On PIDray, OVXD reported 27.8 AP5 on novel categories and 32.2 AP6 over all classes, surpassing BARON by 1.5 AP7 on the novel subset while also improving base-class performance (Lin et al., 2024).
In self-supervised dense prediction, SegLoc used PIDray’s segmentation masks and class labels as labeled foregrounds, composited them onto unlabeled SIXray backgrounds, and pretrained on approximately 200,000 synthetic images before fine-tuning on PIDray (Halat et al., 2023). The reported outcome was that SegLoc outperformed random initialization by about 3–6% in AP and AR on Easy and Hard splits for both detection and semantic segmentation, but remained below supervised ImageNet initialization and slightly underperformed random initialization on Hidden (Halat et al., 2023). This made PIDray not only an evaluation benchmark but also a source of mask-level supervision for synthetic SSL pair construction.
PIDray has also been used to train generative pipelines. BagGAN trained a StyleGAN2-ADA model on PIDray baggage imagery and coupled it to a SwAV-based one-shot segmenter for five threat categories—hammer, handcuffs, pliers, powerbank, and wrench—thereby producing annotated synthetic baggage X-ray scans (Manerikar et al., 2023). When those synthetic labels were used to augment training of SDANet on real PIDray, the reported IoU gains on real images were 1.07%, 2.51%, and 3.11% for real-to-synthetic sample ratios of 1:1, 1:5, and 1:10, respectively (Manerikar et al., 2023).
A particularly important derivative resource is PIDray-A, an occlusion-annotated extension of PIDray. PIDray-A adds, for each occluded instance, an extra mask 8 that records the overlapping area of occluding objects relative to the target instance (Ren et al., 13 Jun 2025). In PIDray-A, the training split contains 76,913 total images, 29,454 annotated positive images, 39,708 item instances, and 11,080 instances with explicit occlusion-area masks (Ren et al., 13 Jun 2025). The associated SAM-based occlusion-aware bilayer model reported 57.6 mask AP on the full PIDray-A test set, exceeding RSPrompter’s 56.5, and reached 60.0 mask AP on the Hard subset while improving separation of overlapping instances (Ren et al., 13 Jun 2025).
PIDray also serves as raw material for larger segmentation corpora. XSeg integrates PIDray, PIXray, and 114Xray, refines PIDray and PIXray masks with MobileSAM plus human correction, and then evaluates APSAM back on PIDray (Gao et al., 4 Apr 2026). In that cross-dataset evaluation, APSAM achieved 71.23 mIoU and 80.55 Dice on PIDray, outperforming DeepLabV3+, Mask2Former, SegMAN, SAM, and SAMUS (Gao et al., 4 Apr 2026). This suggests that PIDray has become both a standalone benchmark and a foundational component in broader X-ray segmentation data engineering.
6. Comparative evaluations and position in the X-ray security ecosystem
Later detector-comparison studies use PIDray as a reference benchmark for realistic concealed-item detection. A 2025 comparative evaluation spanning six public X-ray datasets and ten detector families identifies PIDray as one of the largest and most realistic benchmarks, emphasizes deliberately hidden items, and reports that the best overall PIDray 9 in its framework is 0.807 for 0 (Cani et al., 23 Jul 2025). The same study finds that performance drops on PIDray’s Hidden subset for every model and that X-ray-specific modules such as CHR, DOAM, and LIM degrade performance when attached to a modern YOLOv8 backbone on this dataset (Cani et al., 23 Jul 2025).
A separate 2025 study on hybrid CNN-transformer architectures reaches a similar conclusion. On PIDray, 1 is the best overall model with 2 and 3, while the hybrid 4 is slightly lower overall at 0.898 and 0.801 but holds a small advantage on the Hidden subset, where it records 0.685 versus 0.682 5 (Cani et al., 1 May 2025). The paper therefore treats PIDray as a single-domain benchmark on which a strong CNN detector remains optimal overall, with hybridization helping only marginally in the most concealment-heavy regime (Cani et al., 1 May 2025).
PIDray is also used to evaluate efficiency-oriented deployment models. GSA-YOLO, a structured-sparsity and adaptive-distillation variant of YOLOv8n, reports on PIDray an average 6 of 0.804 and average 7 of 0.679, improving over the YOLOv8n baseline’s 0.783 and 0.661 while reducing model size from 6.2 MB to 5.7 MB and computational cost from 8.7G to 8.0G (Kong, 20 May 2026). In that work, the Hidden subset remains the hardest split, but gains persist there as well, reinforcing PIDray’s role as a real-time screening benchmark rather than only an offline detection corpus (Kong, 20 May 2026).
Taken together, these later studies frame PIDray as a benchmark defined by four interacting properties: a full screening distribution that includes benign images, deliberately hidden threats, small-object predominance, and multi-task supervision. This suggests that PIDray’s enduring importance lies not only in scale, but in the fact that it approximates the operational logic of security inspection more closely than positive-only or box-only X-ray datasets (Zhang et al., 2022, Cani et al., 23 Jul 2025).