Adversarial patch-based false positive creation attacks against aerial imagery object detectors

Abstract

Although adversarial attacks have revealed weaknesses in Deep Neural Networks (DNNs)-based aerial detectors, they present a new paradigm for concealing vulnerable assets from autonomous detection systems onboard satellites. Among them, adversarial patches were widely applied due to their physical realizability. Nonetheless, most existing adversarial patch-based attack methods are developed to hide objects from detectors to achieve a vanishing attack. This paper proposes a novel Adversarial Patch False Positive Creation Attack (APFP-CA) framework that enables aerial detectors to recognize non-existent objects, thereby realizing a creation attack. Concretely, the APFP-CA models the creation attack as a two-stage optimization problem. The first stage uses a well-designed efficient loss function to increase the objectness score of patches placed anywhere in the scene to achieve untargeted attacks. The second stage involves elaborating two category-dependent loss functions for fulfilling targeted attacks. Experiments conducted on diverse datasets and detectors demonstrate the effectiveness and universality of our method. Transfer attacks across different datasets and models validate the generalizability of the optimized adversarial patches. Finally, we perform several proportionally scaled experiments physically to illustrate that the optimized adversarial patches can successfully deceive aerial detectors in the physical world. The proposed approach offers a novel contribution to adversarial attacks against aerial imagery objectors and holds potential for practical applications in high-security systems.