Chengyin Hu,Weiwen Shi

DOI: https://doi.org/10.48550/arXiv.2209.02430

2023-05-23

Abstract:It is well known that the performance of deep neural networks (DNNs) is susceptible to subtle interference. So far, camera-based physical adversarial attacks haven't gotten much attention, but it is the vacancy of physical attack. In this paper, we propose a simple and efficient camera-based physical attack called Adversarial Color Film (AdvCF), which manipulates the physical parameters of color film to perform attacks. Carefully designed experiments show the effectiveness of the proposed method in both digital and physical environments. In addition, experimental results show that the adversarial samples generated by AdvCF have excellent performance in attack transferability, which enables AdvCF effective black-box attacks. At the same time, we give the guidance of defense against AdvCF by means of adversarial training. Finally, we look into AdvCF's threat to future vision-based systems and propose some promising mentality for camera-based physical attacks.

Computer Vision and Pattern Recognition

Chengyin Hu,Weiwen Shi,Ling Tian,Wen Li

DOI: https://doi.org/10.1016/j.cviu.2023.103877

IF: 4.886

2023-01-01

Computer Vision and Image Understanding

Abstract:In the physical world, the interplay of light and shadow can significantly impact the performance of deep neural networks (DNNs), leading to substantial consequences, as exemplified by incidents such as the Tesla self-driving car collision caused by an unexpected light flash. Traditional methods involving stickers for physical attacks have inherent limitations, particularly in terms of stealthiness. In response, researchers have delved into light -based perturbations, including lasers and projectors, with the objective of achieving stealthy attacks. However, these efforts have often fallen short in terms of achieving robustness.In our study, we introduce a pioneering black-box light-based physical attack known as Adversarial Neon Beam (AdvNB). Our method stands out for its excellence in attack modeling, efficient attack simulation, and robust optimization, striking a harmonious balance between robustness and efficiency. We employ effectiveness, stealthiness, and robustness as the key metrics to evaluate the proposed AdvNB. Through rigorous evaluation, we attain an impressive 84.40% attack success rate in digital attacks, requiring an average of 189.70 queries. In real-world scenarios, our method excels with a 100% attack success rate indoors and a commendable 81.82% success rate outdoors. AdvNB demonstrates its stealthiness through comparisons with baseline samples, and it further underscores its robustness by consistently achieving a success rate exceeding 80% when targeting advanced DNN models. We carry out a comprehensive analysis of the proposed attack and note that the generated perturbations share similarities with objects present in the dataset or real-world settings. Additionally, we implement adversarial defense mechanisms against AdvNB. Given its superior performance compared to baseline methods as a light-based attack, we advocate for its broader acknowledgment and recommend its adoption as a reference point for future research and practical applications. Our code and data can be accessed from the following link: https://github.com/ChengYinHu/AdvNB.

Chengyin Hu,Yilong Wang,Kalibinuer Tiliwalidi,Wen Li

DOI: https://doi.org/10.48550/arXiv.2206.01034

2023-05-23

Abstract:Most existing deep neural networks (DNNs) are easily disturbed by slight noise. However, there are few researches on physical attacks by deploying lighting equipment. The light-based physical attacks has excellent covertness, which brings great security risks to many vision-based applications (such as self-driving). Therefore, we propose a light-based physical attack, called adversarial laser spot (AdvLS), which optimizes the physical parameters of laser spots through genetic algorithm to perform physical attacks. It realizes robust and covert physical attack by using low-cost laser equipment. As far as we know, AdvLS is the first light-based physical attack that perform physical attacks in the daytime. A large number of experiments in the digital and physical environments show that AdvLS has excellent robustness and covertness. In addition, through in-depth analysis of the experimental data, we find that the adversarial perturbations generated by AdvLS have superior adversarial attack migration. The experimental results show that AdvLS impose serious interference to advanced DNNs, we call for the attention of the proposed AdvLS. The code of AdvLS is available at: <a class="link-external link-https" href="https://github.com/ChengYinHu/AdvLS" rel="external noopener nofollow">this https URL</a>

Computer Vision and Pattern Recognition,Artificial Intelligence

Chengyin Hu,Weiwen Shi,Ling Tian,Wen Li

DOI: https://doi.org/10.1049/cvi2.12264

IF: 1.484

2024-01-20

IET Computer Vision

Abstract:In view of the invisibility and robustness of the existing physical attacks, the authors propose the adversarial catoptric light, which uses genetic algorithm to optimise the physical parameters of the catoptric light to perform black‐box physical attacks. To deploy and implement the attack cost less than $5, this makes the method simple and feasible. (2) Extensive experiments are performed to verify the effectiveness, stealthiness and robustness of our method. (3) An in‐depth analysis of the proposed method was conducted and adversarial defence was performed on it, and the experimental results show that adversarial defence can effectively reduce the attack success rate, but cannot achieve thorough defence. Recent studies have demonstrated that finely tuned deep neural networks (DNNs) are susceptible to adversarial attacks. Conventional physical attacks employ stickers as perturbations, achieving robust adversarial effects but compromising stealthiness. Recent innovations utilise light beams, such as lasers and projectors, for perturbation generation, allowing for stealthy physical attacks at the expense of robustness. In pursuit of implementing both stealthy and robust physical attacks, the authors present an adversarial catoptric light (AdvCL). This method leverages the natural phenomenon of catoptric light to generate perturbations that are both natural and stealthy. AdvCL first formalises the physical parameters of catoptric light and then optimises these parameters using a genetic algorithm to derive the most adversarial perturbation. Finally, the perturbations are deployed in the physical scene to execute stealthy and robust attacks. The proposed method is evaluated across three dimensions: effectiveness, stealthiness, and robustness. Quantitative results obtained in simulated environments demonstrate the efficacy of the proposed method, achieving an attack success rate of 83.5%, surpassing the baseline. The authors utilise common catoptric light as a perturbation to enhance the method's stealthiness, rendering physical samples more natural in appearance. Robustness is affirmed by successfully attacking advanced DNNs with a success rate exceeding 80% in all cases. Additionally, the authors discuss defence strategies against AdvCL and introduce some light‐based physical attacks.

computer science, artificial intelligence,engineering, electrical & electronic

Yang Bai,Yuyuan Zeng,Yong Jiang,Yisen Wang,Shu-Tao Xia,Weiwei Guo

DOI: https://doi.org/10.48550/arXiv.2009.11508

2020-09-25

Abstract:Deep neural networks (DNNs) have demonstrated excellent performance on various tasks, however they are under the risk of adversarial examples that can be easily generated when the target model is accessible to an attacker (white-box setting). As plenty of machine learning models have been deployed via online services that only provide query outputs from inaccessible models (e.g. Google Cloud Vision API2), black-box adversarial attacks (inaccessible target model) are of critical security concerns in practice rather than white-box ones. However, existing query-based black-box adversarial attacks often require excessive model queries to maintain a high attack success rate. Therefore, in order to improve query efficiency, we explore the distribution of adversarial examples around benign inputs with the help of image structure information characterized by a Neural Process, and propose a Neural Process based black-box adversarial attack (NP-Attack) in this paper. Extensive experiments show that NP-Attack could greatly decrease the query counts under the black-box setting.

Machine Learning

Hui Wei,Hao Tang,Xuemei Jia,Zhixiang Wang,Hanxun Yu,Zhubo Li,Shin'ichi Satoh,Luc Van Gool,Zheng Wang

2023-10-01

Abstract:Despite the impressive achievements of Deep Neural Networks (DNNs) in computer vision, their vulnerability to adversarial attacks remains a critical concern. Extensive research has demonstrated that incorporating sophisticated perturbations into input images can lead to a catastrophic degradation in DNNs' performance. This perplexing phenomenon not only exists in the digital space but also in the physical world. Consequently, it becomes imperative to evaluate the security of DNNs-based systems to ensure their safe deployment in real-world scenarios, particularly in security-sensitive applications. To facilitate a profound understanding of this topic, this paper presents a comprehensive overview of physical adversarial attacks. Firstly, we distill four general steps for launching physical adversarial attacks. Building upon this foundation, we uncover the pervasive role of artifacts carrying adversarial perturbations in the physical world. These artifacts influence each step. To denote them, we introduce a new term: adversarial medium. Then, we take the first step to systematically evaluate the performance of physical adversarial attacks, taking the adversarial medium as a first attempt. Our proposed evaluation metric, hiPAA, comprises six perspectives: Effectiveness, Stealthiness, Robustness, Practicability, Aesthetics, and Economics. We also provide comparative results across task categories, together with insightful observations and suggestions for future research directions.

Computer Vision and Pattern Recognition

Bingyao Huang,Haibin Ling

DOI: https://doi.org/10.1109/vr51125.2022.00073

2022-03-01

Abstract:Light-based adversarial attacks use spatial augmented reality (SAR) techniques to fool image classifiers by altering the physical light condition with a controllable light source, e.g., a projector. Compared with physical attacks that place hand-crafted adversarial objects, projector-based ones obviate modifying the physical entities, and can be performed transiently and dynamically by altering the projection pattern. However, subtle light perturbations are insufficient to fool image classifiers, due to the complex environment and project-and-capture process. Thus, existing approaches focus on projecting clearly perceptible adversarial patterns, while the more interesting yet challenging goal, stealthy projector-based attack, remains open. In this paper, for the first time, we formulate this problem as an end-to-end differentiable process and propose a Stealthy Projector-based Adversarial Attack (SPAA) solution. In SPAA, we approximate the real Project-and-Capture process using a deep neural network named PCNet, then we include PCNet in the optimization of projector-based attacks such that the generated adversarial projection is physically plausible. Finally, to generate both robust and stealthy adversarial projections, we propose an algorithm that uses minimum perturbation and adversarial confidence thresholds to alternate between the adversarial loss and stealthiness loss optimization. Our experimental evaluations show that SPAA clearly outperforms other methods by achieving higher attack success rates and meanwhile being stealthier, for both targeted and untargeted attacks.

Jiawei Lian,Xiaofei Wang,Yuru Su,Mingyang Ma,Shaohui Mei

DOI: https://doi.org/10.1109/igarss52108.2023.10282092

2023-01-01

Abstract:Deep Neural Networks (DNNs) have been extensively utilized in aerial detection. However, DNNs are susceptible and vulnerable to adversarial examples Recently, physical attacks have gradually garnered attention due to their effectiveness and practicality, which pose great threats to some security-critical applications. In this paper, we take the first attempt to perform physical attacks in contextual form against aerial detection in the physical world. We propose an innovative contextual attack method against aerial detection in real scenarios, which achieves powerful attack performance and transfers well between various aerial object detectors without smearing or blocking the interested objects. Based on the findings that the targets’ contextual information plays an important role in aerial detection by observing the detectors’ attention maps, we fully use the contextual feature of the interested targets to elaborate background perturbations for the uncovered attacks in physical scenarios. Experiments with proportional scaling are conducted to evaluate the effectiveness of the proposed method, demonstrating its superiority in terms of both attack efficacy and physical practicality.

Donghua Wang,Wen Yao,Tingsong Jiang,Guijian Tang,Xiaoqian Chen

2023-09-18

Abstract:Over the past decade, deep learning has revolutionized conventional tasks that rely on hand-craft feature extraction with its strong feature learning capability, leading to substantial enhancements in traditional tasks. However, deep neural networks (DNNs) have been demonstrated to be vulnerable to adversarial examples crafted by malicious tiny noise, which is imperceptible to human observers but can make DNNs output the wrong result. Existing adversarial attacks can be categorized into digital and physical adversarial attacks. The former is designed to pursue strong attack performance in lab environments while hardly remaining effective when applied to the physical world. In contrast, the latter focus on developing physical deployable attacks, thus exhibiting more robustness in complex physical environmental conditions. Recently, with the increasing deployment of the DNN-based system in the real world, strengthening the robustness of these systems is an emergency, while exploring physical adversarial attacks exhaustively is the precondition. To this end, this paper reviews the evolution of physical adversarial attacks against DNN-based computer vision tasks, expecting to provide beneficial information for developing stronger physical adversarial attacks. Specifically, we first proposed a taxonomy to categorize the current physical adversarial attacks and grouped them. Then, we discuss the existing physical attacks and focus on the technique for improving the robustness of physical attacks under complex physical environmental conditions. Finally, we discuss the issues of the current physical adversarial attacks to be solved and give promising directions.

Computer Vision and Pattern Recognition

Hanyu Wu,Ke Yan,Peng Xu,Bei Hui,Ling Tian

DOI: https://doi.org/10.1109/isdfs60797.2024.10527292

2024-01-01

Abstract:Deep neural networks for image classification have been widely used to enhance user experience, but adversarial attacks continue to pose a threat to the security of deep neural networks related systems. To advance the development of more robust and secure models, research in this field is important. Laser attacks have overcome some issues of previous attacks. To enhance the laser-based attack strategy, we propose a novel physical adversarial attack method that optimizes cross-laser parameters using a Bayesian Optimization algorithm improved by contour detection technology. Our method solves the problems of traditional laser-based methods including positioning, insufficient perturbation intensity, low optimization efficiency, lack of multi-angle robustness, and optical path continuity issues. Digital and physical experiments were implemented, and our method achieved an attack success rate of up to 86.24%. Our adversarial attacks pose new challenges and requirements for artificial intelligence security.

Kevin Eykholt,Ivan Evtimov,Earlence Fernandes,Bo Li,Amir Rahmati,Chaowei Xiao,Atul Prakash,Tadayoshi Kohno,Dawn Song

DOI: https://doi.org/10.48550/arXiv.1707.08945

2018-04-11

Abstract:Recent studies show that the state-of-the-art deep neural networks (DNNs) are vulnerable to adversarial examples, resulting from small-magnitude perturbations added to the input. Given that that emerging physical systems are using DNNs in safety-critical situations, adversarial examples could mislead these systems and cause dangerous <a class="link-external link-http" href="http://situations.Therefore" rel="external noopener nofollow">this http URL</a>, understanding adversarial examples in the physical world is an important step towards developing resilient learning algorithms. We propose a general attack algorithm,Robust Physical Perturbations (RP2), to generate robust visual adversarial perturbations under different physical conditions. Using the real-world case of road sign classification, we show that adversarial examples generated using RP2 achieve high targeted misclassification rates against standard-architecture road sign classifiers in the physical world under various environmental conditions, including viewpoints. Due to the current lack of a standardized testing method, we propose a two-stage evaluation methodology for robust physical adversarial examples consisting of lab and field tests. Using this methodology, we evaluate the efficacy of physical adversarial manipulations on real objects. Witha perturbation in the form of only black and white stickers,we attack a real stop sign, causing targeted misclassification in 100% of the images obtained in lab settings, and in 84.8%of the captured video frames obtained on a moving vehicle(field test) for the target classifier.

Cryptography and Security,Machine Learning

Haoyu Wang,Chunhua Wu,Kangfeng Zheng

DOI: https://doi.org/10.1016/j.neunet.2024.106176

IF: 7.8

2024-05-01

Neural Networks

Abstract:Deep Learning algorithms have achieved state-of-the-art performance in various important tasks. However, recent studies have found that an elaborate perturbation may cause a network to misclassify, which is known as an adversarial attack. Based on current research, it is suggested that adversarial examples cannot be eliminated completely. Consequently, it is always possible to determine an attack that is effective against a defense model. We render existing adversarial examples invalid by altering the classification boundaries. Meanwhile, for valid adversarial examples generated against the defense model, the adversarial perturbations are increased so that they can be distinguished by the human eye. This paper proposes a method for implementing the abovementioned concepts through color space transformation. Experiments on CIFAR-10, CIFAR-100, and Mini-ImageNet demonstrate the effectiveness and versatility of our defense method. To the best of our knowledge, this is the first defense model based on the amplification of adversarial perturbations.

computer science, artificial intelligence,neurosciences

Jiawei Lian,Shaohui Mei,Xiaofei Wang,Yi Wang,Lefan Wang,Yingjie Lu,Mingyang Ma,Lap-Pui Chau

2024-08-17

Abstract:It has been widely substantiated that deep neural networks (DNNs) are susceptible and vulnerable to adversarial perturbations. Existing studies mainly focus on performing attacks by corrupting targeted objects (physical attack) or images (digital attack), which is intuitively acceptable and understandable in terms of the attack's effectiveness. In contrast, our focus lies in conducting background adversarial attacks in both digital and physical domains, without causing any disruptions to the targeted objects themselves. Specifically, an effective background adversarial attack framework is proposed to attack anything, by which the attack efficacy generalizes well between diverse objects, models, and tasks. Technically, we approach the background adversarial attack as an iterative optimization problem, analogous to the process of DNN learning. Besides, we offer a theoretical demonstration of its convergence under a set of mild but sufficient conditions. To strengthen the attack efficacy and transferability, we propose a new ensemble strategy tailored for adversarial perturbations and introduce an improved smooth constraint for the seamless connection of integrated perturbations. We conduct comprehensive and rigorous experiments in both digital and physical domains across various objects, models, and tasks, demonstrating the effectiveness of attacking anything of the proposed method. The findings of this research substantiate the significant discrepancy between human and machine vision on the value of background variations, which play a far more critical role than previously recognized, necessitating a reevaluation of the robustness and reliability of DNNs. The code will be publicly available at <a class="link-external link-https" href="https://github.com/JiaweiLian/Attack_Anything" rel="external noopener nofollow">this https URL</a>

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning

Kalibinuer Tiliwalidi,Bei Hui,Chengyin Hu,Jingjing Ge

DOI: https://doi.org/10.34190/iccws.19.1.2044

2024-03-21

International Conference on Cyber Warfare and Security

Abstract:Physical adversarial attacks present a novel and growing challenge in cybersecurity, especially for systems reliant on physical inputs for Deep Neural Networks (DNNs), such as those found in Internet of Things (IoT) devices. They are vulnerable to physical adversarial attacks where real-world objects or environments are manipulated to mislead DNNs, thereby threatening the operational integrity and security of IoT devices. The camera-based attacks are one of the most practical adversarial attacks, which are easy to implement and more robust than all the other attack methods, and pose a big threat to the security of IoT. This paper proposes Adversarial Camera Patch (ADCP), a novel approach that employs a single-camera patch to launch robust physical adversarial attacks against object detectors. ADCP optimizes the physical parameters of the camera patch using Particle Swarm Optimization (PSO) to identify the most adversarial configuration. The optimized camera patch is then attached to the lens to generate stealthy and robust adversarial samples physically. The effectiveness of the proposed approach is validated through ablation experiments in a digital environment, with experimental results demonstrating its effectiveness even under worst-case scenarios (minimal width, maximum transparency). Notably, ADCP exhibits higher robustness in both digital and physical domains compared to the baseline. Given the simplicity, robustness, and stealthiness of ADCP, we advocate for attention towards the ADCP framework as it offers a means to achieve streamlined, robust, and stealthy physical attacks. Our adversarial attacks pose new challenges and requirements for cybersecurity.

Andrew Du,Bo Chen,Tat-Jun Chin,Yee Wei Law,Michele Sasdelli,Ramesh Rajasegaran,Dillon Campbell

DOI: https://doi.org/10.1109/WACV51458.2022.00385

2022-01-01

Abstract:Deep neural networks (DNNs) have become essential for processing the vast amounts of aerial imagery collected using earth-observing satellite platforms. However, DNNs are vulnerable towards adversarial examples, and it is expected that this weakness also plagues DNNs for aerial imagery. In this work, we demonstrate one of the first efforts on physical adversarial attacks on aerial imagery, whereby adversarial patches were optimised, fabricated and installed on or near target objects (cars) to significantly reduce the efficacy of an object detector applied on overhead images. Physical adversarial attacks on aerial images, particularly those captured from satellite platforms, are challenged by atmospheric factors (lighting, weather, seasons) and the distance between the observer and target. To investigate the effects of these challenges, we devised novel experiments and metrics to evaluate the efficacy of physical adversarial attacks against object detectors in aerial scenes. Our results indicate the palpable threat posed by physical adversarial attacks towards DNNs for processing satellite imagery(1).

Yali Du,Meng Fang,Jinfeng Yi,Jun Cheng,Dacheng Tao

DOI: https://doi.org/10.1145/3270101.3270106

2018-01-01

Abstract:Recent studies have highlighted that deep neural networks (DNNs) are vulnerable to adversarial attacks, even in a black-box scenario. However, most of the existing black-box attack algorithms need to make a huge amount of queries to perform attacks, which is not practical in the real world. We note one of the main reasons for the massive queries is that the adversarial example is required to be visually similar to the original image, but in many cases, how adversarial examples look like does not matter much. It inspires us to introduce a new attack called input-free attack, under which an adversary can choose an arbitrary image to start with and is allowed to add perceptible perturbations on it. Following this approach, we propose two techniques to significantly reduce the query complexity. First, we initialize an adversarial example with a gray color image on which every pixel has roughly the same importance for the target model. Then we shrink the dimension of the attack space by perturbing a small region and tiling it to cover the input image. To make our algorithm more effective, we stabilize a projected gradient ascent algorithm with momentum, and also propose a heuristic approach for region size selection. Recent studies have highlighted that deep neural networks (DNNs) are vulnerable to adversarial attacks, even in a black-box scenario. However, most of the existing black-box attack algorithms need to make a huge amount of queries to perform attacks, which is not practical in the real world. We note one of the main reasons for the massive queries is that the adversarial example is required to be visually similar to the original image, but in many cases, how adversarial examples look like does not matter much. It inspires us to introduce a new attack called input-free attack, under which an adversary can choose an arbitrary image to start with and is allowed to add perceptible perturbations on it. Following this approach, we propose two techniques to significantly reduce the query complexity. First, we initialize an adversarial example with a gray color image on which every pixel has roughly the same importance for the target model. Then we shrink the dimension of the attack space by perturbing a small region and tiling it to cover the input image. To make our algorithm more effective, we stabilize a projected gradient ascent algorithm with momentum, and also propose a heuristic approach for region size selection. Through extensive experiments, we show that with only 1,701 queries on average, we can perturb a gray image to any target class of ImageNet with a 100% success rate on InceptionV3. Besides, our algorithm has successfully defeated two real-world systems, the Clarifai food detection API and the Baidu Animal Identification API.

Zhibo Wang,Mengkai Song,Siyan Zheng,Zhifei Zhang,Yang Song,Qian Wang

DOI: https://doi.org/10.1109/tdsc.2019.2929047

2019-01-01

Abstract:Y Recent studies demonstrated that deep neural networks (DNNs) are vulnerable to adversarial examples, which would seriously threaten security-sensitive applications. Existing works synthesized the adversarial examples by perturbing the original/benign images by leveraging the L-p-norm to penalize the perturbations, which restricts the pixel-wise distance between the adversarial images and correspondingly benign images. However, they added perturbations globally to the benign images without explicitly considering their content/spacial structure, resulting in noticeable artifacts especially in those originally clean regions, e.g., sky and smooth surface. In this paper, we propose an invisible adversarial attack, which synthesizes adversarial examples that are visually indistinguishable from benign ones. We adaptively distribute the perturbation according to human sensitivity to a local stimulus in the benign image, i.e., the higher insensitivity, the more perturbation. Two types of adaptive adversarial attacks are proposed: 1) coarse-grained and 2) fine-grained. The former conducts L-p-norm regularized by the novel spatial constraints, which utilizes the rich information of the cluttered regions to mask perturbation. The latter, called Just Noticeable Distortion (JND)-based adversarial attack, utilizes the proposed JND(p) metric for better measuring the perceptual similarity, and adaptively sets penalty by weighting the pixel-wise perceptual redundancy of an image. We conduct extensive experiments on the MNIST, CIFAR-10 and ImageNet datasets and a comprehensive user study with 50 participants. The experimental results demonstrate that JND(p) is a better metric for measuring the perceptual similarity than L-p-norm, and the proposed adaptive adversarial attacks can synthesize indistinguishable adversarial examples from benign ones and outperform the state-of-the-art methods.

Bowei Xi,Yujie Chen,Fan Fei,Zhan Tu,Xinyan Deng

DOI: https://doi.org/10.48550/arXiv.2107.02895

2021-06-30

Abstract:The paper develops a new adversarial attack against deep neural networks (DNN), based on applying bio-inspired design to moving physical objects. To the best of our knowledge, this is the first work to introduce physical attacks with a moving object. Instead of following the dominating attack strategy in the existing literature, i.e., to introduce minor perturbations to a digital input or a stationary physical object, we show two new successful attack strategies in this paper. We show by superimposing several patterns onto one physical object, a DNN becomes confused and picks one of the patterns to assign a class label. Our experiment with three flapping wing robots demonstrates the possibility of developing an adversarial camouflage to cause a targeted mistake by DNN. We also show certain motion can reduce the dependency among consecutive frames in a video and make an object detector "blind", i.e., not able to detect an object exists in the video. Hence in a successful physical attack against DNN, targeted motion against the system should also be considered.

Cryptography and Security,Machine Learning

Abhiram Gnanasambandam,Alex M. Sherman,Stanley H. Chan

DOI: https://doi.org/10.48550/arXiv.2108.06247

2021-08-16

Abstract:We introduce OPtical ADversarial attack (OPAD). OPAD is an adversarial attack in the physical space aiming to fool image classifiers without physically touching the objects (e.g., moving or painting the objects). The principle of OPAD is to use structured illumination to alter the appearance of the target objects. The system consists of a low-cost projector, a camera, and a computer. The challenge of the problem is the non-linearity of the radiometric response of the projector and the spatially varying spectral response of the scene. Attacks generated in a conventional approach do not work in this setting unless they are calibrated to compensate for such a projector-camera model. The proposed solution incorporates the projector-camera model into the adversarial attack optimization, where a new attack formulation is derived. Experimental results prove the validity of the solution. It is demonstrated that OPAD can optically attack a real 3D object in the presence of background lighting for white-box, black-box, targeted, and untargeted attacks. Theoretical analysis is presented to quantify the fundamental performance limit of the system.

Artificial Intelligence

Meng Shen,Hao Yu,Liehuang Zhu,Ke Xu,Qi Li,Jiankun Hu

DOI: https://doi.org/10.1109/tifs.2021.3102492

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Deep neural networks (DNNs) have been increasingly used in face recognition (FR) systems. Recent studies, however, show that DNNs are vulnerable to adversarial examples, which potentially mislead DNN-based FR systems in the physical world. Existing attacks either generate perturbations working merely in the digital world, or rely on customized equipment to generate perturbations that are not robust in the ever-changing physical environment. In this paper, we propose FaceAdv, a physical-world attack that crafts adversarial stickers to deceive FR systems. It mainly consists of a sticker generator and a convertor, where the former can craft several stickers with different shapes while the latter aims to digitally attach stickers to human faces and provide feedback to the generator to improve the effectiveness. We conduct extensive experiments to evaluate the effectiveness of FaceAdv on attacking three typical FR systems (i.e., ArcFace, CosFace and FaceNet). The results show that compared with a state-of-the-art attack, FaceAdv can significantly improve the success rates of both dodging and impersonating attacks. We also conduct comprehensive evaluations to demonstrate the robustness of FaceAdv.

computer science, theory & methods,engineering, electrical & electronic