Abstract: The crowd estimation algorithm based on head detection can provide effective decision-making assistance for railway passenger stations to cope with sudden passenger flow and prevent crowd aggregation, but the deep learning model used for head detection is easily affected by adversarial samples. To improve the adversarial robustness of deep learning models, this paper established a head detection model based on the RetinaNet algorithm. The paper used two adversarial attack methods, Fast Gradient Sign Method （FGSM）and Projected Gradient Descent （PGD）, to generate adversarial samples on the Brianwash dataset. The initial model had a significant decrease in mAP on the adversarial sample dataset, was verified the effectiveness of adversarial attacks on model performance. After conducting adversarial training on the model, the mAP values of the trained model were significantly improved on various adversarial sample validation datasets. The experimental results show that the head detection model trained in adversarial training can effectively defend against attacks from adversarial samples, improve the model's detection performance and adversarial robustness.