Abstract:Recent years have seen an increasing interest in physical adversarial attacks, which aim to craft deployable patterns for deceiving deep neural networks, especially for person detectors. However, the adversarial patterns of existing patch-based attacks heavily suffer from the self-coupling issue, where a degradation, caused by physical transformations, in any small patch segment can result in a complete adversarial dysfunction, leading to poor robustness in the complex real world. Upon this observation, we introduce the Decoupled adversarial Patch (DePatch) attack to address the self-coupling issue of adversarial patches. Specifically, we divide the adversarial patch into block-wise segments, and reduce the inter-dependency among these segments through randomly erasing out some segments during the optimization. We further introduce a border shifting operation and a progressive decoupling strategy to improve the overall attack capabilities. Extensive experiments demonstrate the superior performance of our method over other physical adversarial attacks, especially in the real world.
What problem does this paper attempt to address?
### What problem does this paper attempt to solve?
This paper aims to solve the **self - coupling issue** existing in the current adversarial patches when attacking person detectors in the physical world. Specifically, in the existing patch - based attack methods, when generating adversarial patterns, the dependence among all segments is too high. As a result, the degradation of any segment (for example, local occlusion, pose change, illumination change, etc. caused by physical transformation) will make the entire adversarial attack ineffective, thus showing poor robustness in complex real - world environments.
To meet this challenge, the authors propose the **Decoupled adversarial Patch (DePatch)** method and improve the robustness of adversarial patches through the following technical means:
1. **Block - wise Decoupling**: Divide the adversarial patch into multiple blocks and randomly erase certain blocks during the optimization process to reduce the dependence among blocks.
2. **Border Shifting**: Randomly move the boundaries of blocks to ensure that each possible segment can independently exhibit an adversarial effect.
3. **Progressive Decoupling Strategy (PDS)**: Gradually adjust the decoupling granularity and decoupling ratio to adapt to different types of physical degradations.
Through these methods, DePatch can maintain a high attack success rate when facing various complex physical conditions (such as occlusion, outdoor scenes, pose changes, and complex illumination), thereby significantly improving the robustness and effectiveness of adversarial patches in the real world.
### Formula Summary
- **Block - level decoupling operation**:
\[
\hat{P}=P\odot M
\]
where \(P\) is the original patch, \(M\) is a binary mask matrix, and \(\odot\) represents element - wise multiplication.
- **Decoupling operation with border shift**:
\[
D(P) = S(D(P, n, r), sh, sv)
\]
where \(S(P, sh, sv)\) represents the border shift operation in the horizontal and vertical directions, and \(sh\) and \(sv\) are the horizontal and vertical offsets respectively.
- **The final transformed patch**:
\[
\tilde{P}=T(S(D(P, n, r), sh, sv))
\]
- **Attack objective function**:
\[
\text{DePatch}=\arg\min_p (L_{\text{acc}}+\alpha L_{\text{nps}}+\beta L_{\text{tv}})
\]
where \(L_{\text{acc}}\) is the accuracy loss, \(L_{\text{nps}}\) is the non - printability score loss, \(L_{\text{tv}}\) is the total variation loss, and \(\alpha\) and \(\beta\) are trade - off parameters.
Through these improvements, the experimental results of DePatch in both the digital world and the real world show that it has superior robustness and attack performance.