Defending Against Physical Adversarial Patch attacks On Infrared Human Detection

Although deep learning has received extensive attention and achieved excellent performance in various scenarios, it suffers from adversarial examples to some extent. In particular, physical attack poses a greater threat than digital attack. However, existing research has paid less attention to the physical attack of object detection in UAV remote sensing images (RSIs). In this work, we carefully analyze the universal adversarial patch attack for multi-scale objects in the field of remote sensing. There are two challenges faced by an adversarial attack in RSIs. On one hand, the number of objects in remote sensing images is more than that of natural images. Therefore, it is difficult for an adversarial patch to show an adversarial effect on all objects when attacking a detector of RSIs. On the other hand, the wide height range of the photography platform causes the size of objects to vary a great deal, which presents challenges for the generation of universal adversarial perturbation for multi-scale objects. To this end, we propose an adversarial attack method of object detection for remote sensing data. One of the key ideas of the proposed method is the novel optimization of the adversarial patch. We aim to attack as many objects as possible by formulating a joint optimization problem. Furthermore, we raise the scale factor to generate a universal adversarial patch that adapts to multi-scale objects, which ensures that the adversarial patch is valid for multi-scale objects in the real world. Extensive experiments demonstrate the superiority of our method against state-of-the-art methods on YOLO-v3 and YOLO-v5. In addition, we also validate the effectiveness of our method in real-world applications.

Advertising or adversarial? AdvSign: Artistic advertising sign camouflage for target physical attacking to object detector.

Adversarial attacks are being frequently used these days to exploit different machine learning models including the deep neural networks (DNN) either during the training or testing stage. DNN under such attacks make the false predictions. Digital adversarial attacks are not applicable in physical world. Adversarial attack on object detection is more difficult as compared to the adversarial attack on image classification. This paper presents a physical adversarial attack on object detection using 3D adversarial objects. The proposed methodology overcome the constraint of 2D adversarial patches as they only work for certain viewpoints only. We have mapped an adversarial texture onto a mesh to create the 3D adversarial object. These objects are of various shapes and sizes. Unlike adversarial patch attacks, these adversarial objects are movable from one place to another. Moreover, application of 2D patch is limited to confined viewpoints. Experimentation results show that our 3D adversarial objects are free from such constraints and perform a successful attack on object detection. We used the ShapeNet dataset for different vehicle models. 3D objects are created using Blender 2.93 [1]. Different HDR images are incorporated to create the virtual physical environment. Moreover, we targeted the FasterRCNN and YOLO pre-trained models on the COCO dataset as our target DNN. Experimental results demonstrate that our proposed model successfully fooled these object detectors.

Adversarial examples that can fool deep neural network (DNN) models in computer vision present a growing threat. The current methods of launching adversarial attacks concentrate on attacking image classifiers by adding noise to digital inputs. The problem of attacking object detection models and adversarial attacks in physical world are rarely touched. Some prior works are proposed to launch physical adversarial attack against object detection models, but limited by certain aspects. In this paper, we propose a novel physical adversarial attack targeting object detection models. Instead of simply printing images, we manufacture real metal objects that could achieve the adversarial effect. In both indoor and outdoor experiments we show our physical adversarial objects can fool widely applied object detection models including SSD, YOLO and Faster R-CNN in various environments. We also test our attack in a variety of commercial platforms for object detection and demonstrate that our attack is still valid on these platforms. Consider the potential defense mechanisms our adversarial objects may encounter, we conduct a series of experiments to evaluate the effect of existing defense methods on our physical attack.

Computer vision models based on Deep Neural Networks (DNNs) are vulnerable to adversarial attacks. It has also been demonstrated that physical adversarial attacks can affect computer vision models though printed medium or physical 3D objects. However, the efficacy of physical adversarial attacks, is highly variable under real-world conditions. In this research, we leverage a synthetic validation environment to evaluate 2D and 3D physical adversarial attacks on state-of the-art object detection models (Faster-RCNN, RetinaNet, YOLOv3, YOLOv4). Using the Unreal Engine, we create synthetic environments to evaluate the limitations of physical adversarial attacks. We evaluate 2D adversarial patches under varying lighting conditions and poses. We optimize the same adversarial attacks for 3D shapes including a pyramid, a cube, and a barrel (cylinder), and evaluate the robustness of the 3D physical attacks against the 2D attack baseline. We test our attacks against object-detection models trained on MSCOCO, VIRAT, VISDRONE, and synthetic datasets. By advancing physical adversarial attacks and validation-methodology, we improve our ability to red-team computer vision models with a goal toward defending and assuring AI systems used in fields like Transportation, and Security.

Object detection systems are used in various fields such as autonomous vehicles and facial recognition. In particular, object detection using deep learning networks enables real-time processing in low-performance edge devices and can maintain high detection rates. However, edge devices that operate far from administrators are vulnerable to various physical attacks by malicious adversaries. In this paper, we implement a function for detecting traffic signs by using You Only Look Once (YOLO) as well as Faster-RCNN, which can be adopted by edge devices of autonomous vehicles. Then, assuming the role of a malicious attacker, we executed adversarial patch attacks with Adv-Patch and Dpatch. Trying to cause misdetection of traffic stop signs by using Adv-Patch and Dpatch, we confirmed the attacks can succeed with a high probability. To defeat these attacks, we propose an image reconstruction method using an autoencoder and the Structural Similarity Index Measure (SSIM). We confirm that the proposed method can sufficiently defend against an attack, attaining a mean Average Precision (mAP) of 91.46% even when two adversarial attacks are launched.

We show that end-to-end learning of communication systems through deep neural network autoencoders can be extremely vulnerable to physical adversarial attacks. Specifically, we elaborate how an attacker can craft effective physical black-box adversarial attacks. Due to the openness (broadcast nature) of the wireless channel, an adversary transmitter can increase the block-error-rate of a communication system by orders of magnitude by transmitting a well-designed perturbation signal over the channel. We reveal that the adversarial attacks are more destructive than the jamming attacks. We also show that classical coding schemes are more robust than the autoencoders against both adversarial and jamming attacks.

Deep Learning (DL), in spite of its huge success in many new fields, is extremely vulnerable to adversarial attacks. We demonstrate how an attacker applies physical white-box and black-box adversarial attacks to Channel decoding systems based on DL. We show that these attacks can affect the systems and decrease performance. We uncover that these attacks are more effective than conventional jamming attacks. Additionally, we show that classical decoding schemes are more robust than the deep learning channel decoding systems in the presence of both adversarial and jamming attacks.

Adversarial attacks and active defense on deep learning based identification of GaN power amplifiers under physical perturbation

Adversarial patches present significant challenges to the robustness of deep learning models, making the development of effective defenses become critical for real-world applications. This paper introduces DIFFender, a novel DIFfusion-based DeFender framework that leverages the power of a text-guided diffusion model to counter adversarial patch attacks. At the core of our approach is the discovery of the Adversarial Anomaly Perception (AAP) phenomenon, which enables the diffusion model to accurately detect and locate adversarial patches by analyzing distributional anomalies. DIFFender seamlessly integrates the tasks of patch localization and restoration within a unified diffusion model framework, enhancing defense efficacy through their close interaction. Additionally, DIFFender employs an efficient few-shot prompt-tuning algorithm, facilitating the adaptation of the pre-trained diffusion model to defense tasks without the need for extensive retraining. Our comprehensive evaluation, covering image classification and face recognition tasks, as well as real-world scenarios, demonstrates DIFFender's robust performance against adversarial attacks. The framework's versatility and generalizability across various settings, classifiers, and attack methodologies mark a significant advancement in adversarial patch defense strategies. Except for the popular visible domain, we have identified another advantage of DIFFender: its capability to easily expand into the infrared domain. Consequently, we demonstrate the good flexibility of DIFFender, which can defend against both infrared and visible adversarial patch attacks alternatively using a universal defense framework.

Machine learning models are vulnerable to adversarial attacks which can cause integrity violations in real- world systems with machine learning components. Alarmingly, these attacks can also manifest in the physical world where an adversary can disrupt systems without gaining digital access. These attacks are becoming more concerning as safety-critical infrastructure such as healthcare and transportation increasingly rely on machine learning.This work is motivated by the need for safeguarding vision- based systems against physical adversarial pattern attacks—an important domain for autonomous vehicles. We propose the use of a separate detection module that can identify inputs that contain physical adversarial patterns. This approach allows for independent development of the defensive mechanism which can be updated without affecting the performance of the protected model. This methodology allows the model developers to focus on performance and leave security to a separate team. It is a practical approach that can provide security in cases where a model is acquired from a third party and cannot be re-trained.We perform experimentation demonstrating that we can detect unknown adversarial patterns with high accuracy using standard object detectors trained on datasets containing adversarial patches. A single detector is capable of detecting a variety of adversarial patterns trained from models with different datasets and tasks. Additionally, we introduce a new class of visually distinct adversarial patch attack we call GAN patches. Our experimentation shows that once observed the detection module can be updated to identify additional classes of patch attacks. Finally, we experiment with detectors trained trained on innocuous patches and examine how they can generalize to detecting a variety of known patch attacks.

Cyber-physical systems (CPS) represent the integration of the physical world with digital technologies and are expected to change our everyday lives significantly. With the rapid development of CPS, the importance of artificial intelligence (AI) has been increasingly recognized. Concurrently, adversarial attacks that cause incorrect predictions in AI models have emerged as a new risk. They are no longer limited to digital data and now extend to the physical environment. Thus, they are pointed out to pose serious practical threats to CPS. In this paper, we focus on the “adversarial camera stickers attack,” a type of physical adversarial attack. This attack directly affixes adversarial noise to a camera lens. Since the adversarial noise perturbs various images captured by the camera, it must be universal. To realize more effective adversarial camera stickers, we propose a new method for generating more universal adversarial noise compared to previous research. We first reveal that the existing method for generating noise of adversarial camera stickers does not always lead to the creation of universal perturbations. Then, we address this drawback by improving the optimization problem. Furthermore, we implement our proposed method, achieving an attack success rate 2.5 times higher than existing methods. Our experiments prove the capability of our proposed method to generate more universal adversarial noises, highlighting its potential effectiveness in enhancing security measures against adversarial attacks in CPS.

Adversarial patch-based false positive creation attacks against aerial imagery object detectors

Physical adversarial attacks present a novel and growing challenge in cybersecurity, especially for systems reliant on physical inputs for Deep Neural Networks (DNNs), such as those found in Internet of Things (IoT) devices. They are vulnerable to physical adversarial attacks where real-world objects or environments are manipulated to mislead DNNs, thereby threatening the operational integrity and security of IoT devices. The camera-based attacks are one of the most practical adversarial attacks, which are easy to implement and more robust than all the other attack methods, and pose a big threat to the security of IoT. This paper proposes Adversarial Camera Patch (ADCP), a novel approach that employs a single-camera patch to launch robust physical adversarial attacks against object detectors. ADCP optimizes the physical parameters of the camera patch using Particle Swarm Optimization (PSO) to identify the most adversarial configuration. The optimized camera patch is then attached to the lens to generate stealthy and robust adversarial samples physically. The effectiveness of the proposed approach is validated through ablation experiments in a digital environment, with experimental results demonstrating its effectiveness even under worst-case scenarios (minimal width, maximum transparency). Notably, ADCP exhibits higher robustness in both digital and physical domains compared to the baseline. Given the simplicity, robustness, and stealthiness of ADCP, we advocate for attention towards the ADCP framework as it offers a means to achieve streamlined, robust, and stealthy physical attacks. Our adversarial attacks pose new challenges and requirements for cybersecurity.

The existence of physical-world adversarial examples such as adversarial patches proves the vulnerability of real-world deep learning systems. Therefore, it is essential to develop efficient adversarial attack algorithms to identify potential risks and build a robust system. The patch-based physical adversarial attack has shown its effectiveness in attacking neural network-based object detectors. However, the generated patches are quite perceptible for humans, violating the fundamental assumption of adversarial examples. In this work, we present task-specific loss functions that can generate imperceptible adversarial patches based on camouflaged patterns. First, we propose a constrained optimization method with two camouflage assessment metrics to quantify camouflage performance. Then, we show the regularization with those metrics can help generate the adversarial patches based on camouflage patterns. Furthermore, we validate our methods with various experiments and show that we can generate natural-style camouflaged adversarial patches with comparable attack performance.