MVPatch: More Vivid Patch for Adversarial Camouflaged Attacks on Object Detectors in the Physical World (2312.17431v3)
Abstract: Recent studies have shown that Adversarial Patches (APs) can effectively manipulate object detection models. However, the conspicuous patterns often associated with these patches tend to attract human attention, posing a significant challenge. Existing research has focused primarily on enhancing attack efficacy in the physical domain while often neglecting stealthiness and transferability; moreover, deploying APs in real-world scenarios raises major challenges related to transferability, stealthiness, and practicality. To address these challenges, we introduce generalization theory into the context of APs, enabling an iterative process that simultaneously enhances transferability and refines the visual correlation with realistic images. We propose a Dual-Perception-Based Framework (DPBF) to generate the More Vivid Patch (MVPatch), which improves transferability, stealthiness, and practicality. The DPBF integrates two key components, the Model-Perception-Based Module (MPBM) and the Human-Perception-Based Module (HPBM), along with regularization terms. The MPBM employs an ensemble strategy to reduce object confidence scores across multiple detectors, thereby improving AP transferability with robust theoretical support. Concurrently, the HPBM introduces a lightweight method for achieving visual similarity, creating natural and inconspicuous adversarial patches without relying on additional generative models. The regularization terms further enhance the practicality of the generated APs in the physical domain. Additionally, we introduce naturalness and transferability scores to provide an unbiased assessment of APs. Extensive experimental validation demonstrates that MVPatch achieves superior transferability and a natural appearance in both digital and physical domains, underscoring its effectiveness and stealthiness.
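The dual-perception objective described above can be pictured as a single loss that couples an ensemble confidence-suppression term (MPBM) with a visual-similarity term (HPBM) and physical regularizers. The following is a minimal PyTorch sketch under stated assumptions, not the authors' implementation: `ToyDetector`, `apply_patch`, the MSE-to-reference similarity term, and the total-variation regularizer are hypothetical stand-ins for the paper's MPBM, HPBM, and regularization components.

```python
# Minimal sketch of a dual-perception patch objective (illustrative assumptions only):
#  - each "detector" maps an image batch to per-location object-confidence scores,
#  - apply_patch pastes the patch at a fixed location (a real pipeline would place
#    it on detected persons with random geometric and color transforms),
#  - MSE to a reference natural image stands in for the HPBM similarity term.
import torch
import torch.nn as nn
import torch.nn.functional as F

class ToyDetector(nn.Module):
    """Stand-in for a real detector (e.g., a YOLO variant); returns pseudo confidences."""
    def __init__(self):
        super().__init__()
        self.conv = nn.Conv2d(3, 8, kernel_size=3, stride=4)
    def forward(self, x):
        feats = self.conv(x)                      # (B, 8, H', W')
        return torch.sigmoid(feats).flatten(1)    # pseudo object-confidence scores

def apply_patch(images, patch, top=80, left=80):
    """Paste the patch onto every image at a fixed location (toy placement)."""
    out = images.clone()
    _, ph, pw = patch.shape
    out[:, :, top:top + ph, left:left + pw] = patch
    return out

def total_variation(patch):
    """Smoothness regularizer commonly used to keep patches printable."""
    dh = (patch[:, 1:, :] - patch[:, :-1, :]).abs().mean()
    dw = (patch[:, :, 1:] - patch[:, :, :-1]).abs().mean()
    return dh + dw

def dual_perception_loss(patch, detectors, images, ref_image, w_sim=1.0, w_tv=0.1):
    patched = apply_patch(images, patch)
    # Model-perception term: suppress the highest confidence each detector
    # assigns to the patched images, averaged over the ensemble.
    det_loss = torch.stack([det(patched).max(dim=1).values.mean()
                            for det in detectors]).mean()
    # Human-perception term: keep the patch visually close to a natural reference image.
    sim_loss = F.mse_loss(patch, ref_image)
    return det_loss + w_sim * sim_loss + w_tv * total_variation(patch)

# Usage: optimize the patch pixels directly.
if __name__ == "__main__":
    torch.manual_seed(0)
    detectors = [ToyDetector() for _ in range(3)]
    images = torch.rand(4, 3, 256, 256)            # stand-in for training photos
    ref_image = torch.rand(3, 64, 64)              # natural image the patch should resemble
    patch = ref_image.clone().requires_grad_(True)
    opt = torch.optim.Adam([patch], lr=0.01)
    for _ in range(10):
        opt.zero_grad()
        loss = dual_perception_loss(patch, detectors, images, ref_image)
        loss.backward()
        opt.step()
        with torch.no_grad():
            patch.clamp_(0.0, 1.0)                 # keep pixel values printable
```

In a realistic pipeline, the stand-in detectors would be replaced by pretrained detectors, the patch would be rendered onto detected persons with random transforms for physical robustness, and the similarity and regularization terms would follow the paper's HPBM formulation and regularizers rather than the placeholders used here.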