524 research outputs found
TPatch: A Triggered Physical Adversarial Patch
Autonomous vehicles increasingly utilize the vision-based perception module
to acquire information about driving environments and detect obstacles. Correct
detection and classification are important to ensure safe driving decisions.
Existing works have demonstrated the feasibility of fooling the perception
models such as object detectors and image classifiers with printed adversarial
patches. However, most of them are indiscriminately offensive to every passing
autonomous vehicle. In this paper, we propose TPatch, a physical adversarial
patch triggered by acoustic signals. Unlike other adversarial patches, TPatch
remains benign under normal circumstances but can be triggered to launch a
hiding, creating or altering attack by a designed distortion introduced by
signal injection attacks towards cameras. To avoid the suspicion of human
drivers and make the attack practical and robust in the real world, we propose
a content-based camouflage method and an attack robustness enhancement method
to strengthen it. Evaluations with three object detectors, YOLO V3/V5 and
Faster R-CNN, and eight image classifiers demonstrate the effectiveness of
TPatch in both the simulation and the real world. We also discuss possible
defenses at the sensor, algorithm, and system levels.
Comment: Appeared in 32nd USENIX Security Symposium (USENIX Security 23)
Visually Adversarial Attacks and Defenses in the Physical World: A Survey
Although Deep Neural Networks (DNNs) have been widely applied in various
real-world scenarios, they are vulnerable to adversarial examples. The current
adversarial attacks in computer vision can be divided into digital attacks and
physical attacks according to their different attack forms. Compared with
digital attacks, which generate perturbations in the digital pixels, physical
attacks are more practical in the real world. Owing to the serious security
problem caused by physically adversarial examples, many works have been
proposed to evaluate the physically adversarial robustness of DNNs in the past
years. In this paper, we present a survey of the current physically
adversarial attacks and physically adversarial defenses in computer vision. To
establish a taxonomy, we organize the current physical attacks from attack
tasks, attack forms, and attack methods, respectively. Thus, readers can have a
systematic knowledge of this topic from different aspects. For the physical
defenses, we establish the taxonomy from pre-processing, in-processing, and
post-processing for the DNN models to achieve full coverage of the adversarial
defenses. Based on the above survey, we finally discuss the challenges of this
research field and further outlook on the future direction.
Why Don't You Clean Your Glasses? Perception Attacks with Dynamic Optical Perturbations
Camera-based autonomous systems that emulate human perception are
increasingly being integrated into safety-critical platforms. Consequently, an
established body of literature has emerged that explores adversarial attacks
targeting the underlying machine learning models. Adapting adversarial attacks
to the physical world is desirable for the attacker, as this removes the need
to compromise digital systems. However, the real world poses challenges related
to the "survivability" of adversarial manipulations given environmental noise
in perception pipelines and the dynamicity of autonomous systems. In this
paper, we take a sensor-first approach. We present EvilEye, a man-in-the-middle
perception attack that leverages transparent displays to generate dynamic
physical adversarial examples. EvilEye exploits the camera's optics to induce
misclassifications under a variety of illumination conditions. To generate
dynamic perturbations, we formalize the projection of a digital attack into the
physical domain by modeling the transformation function of the captured image
through the optical pipeline. Our extensive experiments show that EvilEye's
generated adversarial perturbations are much more robust across varying
environmental light conditions relative to existing physical perturbation
frameworks, achieving a high attack success rate (ASR) while bypassing
state-of-the-art physical adversarial detection frameworks. We demonstrate that
the dynamic nature of EvilEye enables attackers to adapt adversarial examples
across a variety of objects with a significantly higher ASR compared to
state-of-the-art physical world attack frameworks. Finally, we discuss
mitigation strategies against the EvilEye attack.
Comment: 15 pages, 11 figures
REAP: A Large-Scale Realistic Adversarial Patch Benchmark
Machine learning models are known to be susceptible to adversarial
perturbation. One famous attack is the adversarial patch, a sticker with a
particularly crafted pattern that makes the model incorrectly predict the
object it is placed on. This attack presents a critical threat to
cyber-physical systems that rely on cameras such as autonomous cars. Despite
the significance of the problem, conducting research in this setting has been
difficult; evaluating attacks and defenses in the real world is exceptionally
costly while synthetic data are unrealistic. In this work, we propose the REAP
(REalistic Adversarial Patch) benchmark, a digital benchmark that allows the
user to evaluate patch attacks on real images, and under real-world conditions.
Built on top of the Mapillary Vistas dataset, our benchmark contains over
14,000 traffic signs. Each sign is augmented with a pair of geometric and
lighting transformations, which can be used to apply a digitally generated
patch realistically onto the sign. Using our benchmark, we perform the first
large-scale assessments of adversarial patch attacks under realistic
conditions. Our experiments suggest that adversarial patch attacks may present
a smaller threat than previously believed and that the success rate of an
attack on simpler digital simulations is not predictive of its actual
effectiveness in practice. We release our benchmark publicly at
https://github.com/wagner-group/reap-benchmark.
Comment: ICCV 2023. Code and benchmark can be found at
https://github.com/wagner-group/reap-benchmar
Adversarial Scratches: Deployable Attacks to CNN Classifiers
A growing body of work has shown that deep neural networks are susceptible to
adversarial examples. These take the form of small perturbations applied to the
model's input which lead to incorrect predictions. Unfortunately, most
literature focuses on visually imperceivable perturbations to be applied to
digital images that often are, by design, impossible to be deployed to physical
targets. We present Adversarial Scratches: a novel L0 black-box attack, which
takes the form of scratches in images, and which possesses much greater
deployability than other state-of-the-art attacks. Adversarial Scratches
leverage Bézier Curves to reduce the dimension of the search space and
possibly constrain the attack to a specific location. We test Adversarial
Scratches in several scenarios, including a publicly available API and images
of traffic signs. Results show that, often, our attack achieves higher fooling
rate than other deployable state-of-the-art methods, while requiring
significantly fewer queries and modifying very few pixels.
Comment: This paper stems from 'Scratch that! An Evolution-based Adversarial
Attack against Neural Networks' for which an arXiv preprint is available at
arXiv:1912.02316. Further studies led to a complete overhaul of the work,
resulting in this paper. This work was submitted for review in Pattern
Recognition (Elsevier).