Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

AdvART: Adversarial Art for Camouflaged Object Detection Attacks

Amira Guesmi, Ioan Marius Bilasco, Muhammad Shafique, Ihsen Alouani

TL;DR

AdvART tackles the practical challenge of stealthy, physically realizable adversarial patches for object detectors by introducing a pixel-space optimization with a semantic similarity constraint that enforces natural/artistic patterns. The framework combines a patch transformer, a multi-term loss including detection, similarity, and total-variation components, and robustness via Expectation Over Transformation and TV regularization. It demonstrates transferable, high-attack-efficiency patches across detectors and datasets, while achieving superior subjective naturalness in human evaluations and strong physical-world performance, including edge deployments. This work offers a flexible, transformation-aware alternative to GAN-based naturalistic patches, with significant implications for evaluating and strengthening real-world detector robustness on edge devices.

Abstract

Physical adversarial attacks pose a significant practical threat as it deceives deep learning systems operating in the real world by producing prominent and maliciously designed physical perturbations. Emphasizing the evaluation of naturalness is crucial in such attacks, as humans can readily detect and eliminate unnatural manipulations. To overcome this limitation, recent work has proposed leveraging generative adversarial networks (GANs) to generate naturalistic patches, which may not catch human's attention. However, these approaches suffer from a limited latent space which leads to an inevitable trade-off between naturalness and attack efficiency. In this paper, we propose a novel approach to generate naturalistic and inconspicuous adversarial patches. Specifically, we redefine the optimization problem by introducing an additional loss term to the cost function. This term works as a semantic constraint to ensure that the generated camouflage pattern holds semantic meaning rather than arbitrary patterns. The additional term leverages similarity metrics to construct a similarity loss that we optimize within the global objective function. Our technique is based on directly manipulating the pixel values in the patch, which gives higher flexibility and larger space compared to the GAN-based techniques that are based on indirectly optimizing the patch by modifying the latent vector. Our attack achieves superior success rate of up to 91.19\% and 72\%, respectively, in the digital world and when deployed in smart cameras at the edge compared to the GAN-based technique.

AdvART: Adversarial Art for Camouflaged Object Detection Attacks

TL;DR

AdvART tackles the practical challenge of stealthy, physically realizable adversarial patches for object detectors by introducing a pixel-space optimization with a semantic similarity constraint that enforces natural/artistic patterns. The framework combines a patch transformer, a multi-term loss including detection, similarity, and total-variation components, and robustness via Expectation Over Transformation and TV regularization. It demonstrates transferable, high-attack-efficiency patches across detectors and datasets, while achieving superior subjective naturalness in human evaluations and strong physical-world performance, including edge deployments. This work offers a flexible, transformation-aware alternative to GAN-based naturalistic patches, with significant implications for evaluating and strengthening real-world detector robustness on edge devices.

Abstract

Physical adversarial attacks pose a significant practical threat as it deceives deep learning systems operating in the real world by producing prominent and maliciously designed physical perturbations. Emphasizing the evaluation of naturalness is crucial in such attacks, as humans can readily detect and eliminate unnatural manipulations. To overcome this limitation, recent work has proposed leveraging generative adversarial networks (GANs) to generate naturalistic patches, which may not catch human's attention. However, these approaches suffer from a limited latent space which leads to an inevitable trade-off between naturalness and attack efficiency. In this paper, we propose a novel approach to generate naturalistic and inconspicuous adversarial patches. Specifically, we redefine the optimization problem by introducing an additional loss term to the cost function. This term works as a semantic constraint to ensure that the generated camouflage pattern holds semantic meaning rather than arbitrary patterns. The additional term leverages similarity metrics to construct a similarity loss that we optimize within the global objective function. Our technique is based on directly manipulating the pixel values in the patch, which gives higher flexibility and larger space compared to the GAN-based techniques that are based on indirectly optimizing the patch by modifying the latent vector. Our attack achieves superior success rate of up to 91.19\% and 72\%, respectively, in the digital world and when deployed in smart cameras at the edge compared to the GAN-based technique.
Paper Structure (20 sections, 8 equations, 7 figures, 9 tables)

This paper contains 20 sections, 8 equations, 7 figures, 9 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. AdvART: Our Adversarial Art Framework for Object Detection Attacks
  4. Problem formulation
  5. Overview of Our Framework
  6. Patch effectiveness
  7. Patch Stealthiness
  8. Patch Robustness
  9. Expectation Over Transformation (EOT) EOT
  10. Total Variation Norm (TV loss)
  11. Evaluation of attack performance
  12. Cross-Dataset Evaluation
  13. Subjective Evaluation for the Naturalness of Different Adversarial Patches
  14. Physical Attack Evaluations
  15. Discussion
  16. ...and 5 more sections

Figures (7)

  • Figure 1: Different results of different attempts to generate NAP patches Hu21 using different latent vector initialization for different GANs: a) BigGAN, and b) StyleGAN.
  • Figure 2: AdvART patch vs State-of-the-Art patches: (a) AdvART patch, (b) NAP Hu21, (c) UPC patch Huang2020, and (d) AdvYOLO thys2019.
  • Figure 3: Upper: Overview of the proposed framework: Bottom: Evolution of patch's appearance with the corresponding achieved mean average precision.
  • Figure 4: Illustrations of AdvART patch performance when printed on a t-shirt for different view angles.
  • Figure 5: Impact of different similarity metrics on the effectiveness of the generated patch.
  • ...and 2 more figures