DePatch: Towards Robust Adversarial Patch for Evading Person Detectors in the Real World

TL;DR

DePatch tackles robustness of physical adversarial patches against real-world degradations by introducing block-wise decoupling of the patch, random erasing via $\mathcal{D}(\mathbf{P},n,r)$, border shifting via $\mathcal{S}(\cdot)$, and a Progressive Decoupling Strategy. The transformed patch is $\tilde{\mathbf{P}}=\mathcal{T}(\mathcal{S}(\mathcal{D}(\mathbf{P},n,r),s_h,s_v))$, and the optimization uses $L_{acc} + \alpha L_{nps} + \beta L_{tv}$ to maximize detector errors under realistic transformations. Across digital and real-world experiments on the Inria dataset and beyond, DePatch yields superior robustness against occlusions, illumination, pose changes, and supports patch expandability via Toroidal Cropping, with strong transferability within YOLO and R-CNN families. The results demonstrate practical viability for clothing-based and poster-based adversarial patches in real-world person-detection evasion.

Abstract

Recent years have seen an increasing interest in physical adversarial attacks, which aim to craft deployable patterns for deceiving deep neural networks, especially for person detectors. However, the adversarial patterns of existing patch-based attacks heavily suffer from the self-coupling issue, where a degradation, caused by physical transformations, in any small patch segment can result in a complete adversarial dysfunction, leading to poor robustness in the complex real world. Upon this observation, we introduce the Decoupled adversarial Patch (DePatch) attack to address the self-coupling issue of adversarial patches. Specifically, we divide the adversarial patch into block-wise segments, and reduce the inter-dependency among these segments through randomly erasing out some segments during the optimization. We further introduce a border shifting operation and a progressive decoupling strategy to improve the overall attack capabilities. Extensive experiments demonstrate the superior performance of our method over other physical adversarial attacks, especially in the real world.

Figures (8)

• Figure 1: Attacking YOLOv2 yolov2 using different adversarial patches in the real world. Our method remains effective in multiple complex conditions. The mosaics are added after detection for privacy.
• Figure 2: The overall pipeline for crafting the proposed DePatch.
• Figure 3: AP change of different patch-attack approaches on the Inria Person dataset under increasing degradation ratios
• Figure 4: Illustration of the proposed progressive decoupling strategy (PDS) for improving attacking performance.
• Figure 5: Three types of adversarial clothes crafted by covering them with expandable patches, i.e., AdvTexture advTexture and DePatch. SS shirt, LS shirt, and Dress denote short-sleeve shirt, long-sleeve shirt, and dress used for evaluations, respectively. The colors are inevitably influenced by the lightness, camera ISO, and more physical conditions.