NaturalAE: Natural and robust physical adversarial examples for object detectors

Abstract

Recently, many studies show that deep neural networks (DNNs) are susceptible to adversarial examples, which are generated by adding imperceptible perturbations to the input of DNN. However, in order to convince that adversarial examples are real threats in real physical world, it is necessary to study and evaluate the adversarial examples in real-world scenarios. In this paper, we propose a natural and robust physical adversarial example attack method targeting object detectors under real-world conditions, which is more challenging than targeting image classifiers. The generated adversarial examples are robust to various physical constraints and visually look similar to the original images, thus these adversarial examples are natural to humans and will not cause any suspicions. First, to ensure the robustness of the adversarial examples in real-world conditions, the proposed method exploits different image transformation functions (Distance, Angle, Illumination and Photographing), to simulate various physical changes during the iterative optimization of the adversarial examples generation. Second, to construct natural adversarial examples, the proposed method uses an adaptive mask to constrain the area and intensities of the added perturbations, and utilizes the real-world perturbation score (RPS) to make the perturbations be similar to those real noises in physical world. Compared with existing studies, our generated adversarial examples can achieve a high success rate with less conspicuous perturbations. Experimental results demonstrate that, the generated adversarial examples are robust under various indoor and outdoor physical conditions, including different distances, angles, illuminations, and photographing. Specifically, the attack success rate of generated adversarial examples indoors and outdoors is high up to 73.33% and 82.22%, respectively. Meanwhile, the proposed method ensures the naturalness of the generated adversarial example, and the size of added perturbations is as low as 29361.86, which is much smaller than the perturbations in the existing works (95381.14 at the highest). Further, the proposed physical adversarial attack method can be transferred from the white-box models to other object detection models. The attack success rate of the adversarial examples (generated targeting Faster R-CNN Inception v2) is high up to 57.78% on the SSD models, while the success rate of adversarial example (generated targeting YOLO v2) on SSD models reaches 77.78%. This paper reveals that physical adversarial example attacks are real threats in the real-world conditions, and can hopefully provide guidance for designing robust object detectors and image classifiers.