Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Breaking the Illusion: Real-world Challenges for Adversarial Patches in Object Detection

Jakob Shack, Katarina Petrovic, Olga Saukh

TL;DR

This study investigates the performance of adversarial patches for the YOLO object detection network in the physical world, highlighting the challenges in maintaining attack efficacy in real-world conditions and the importance of understanding environmental influences on adversarial attacks.

Abstract

Adversarial attacks pose a significant threat to the robustness and reliability of machine learning systems, particularly in computer vision applications. This study investigates the performance of adversarial patches for the YOLO object detection network in the physical world. Two attacks were tested: a patch designed to be placed anywhere within the scene - global patch, and another patch intended to partially overlap with specific object targeted for removal from detection - local patch. Various factors such as patch size, position, rotation, brightness, and hue were analyzed to understand their impact on the effectiveness of the adversarial patches. The results reveal a notable dependency on these parameters, highlighting the challenges in maintaining attack efficacy in real-world conditions. Learning to align digitally applied transformation parameters with those measured in the real world still results in up to a 64\% discrepancy in patch performance. These findings underscore the importance of understanding environmental influences on adversarial attacks, which can inform the development of more robust defenses for practical machine learning applications.

Breaking the Illusion: Real-world Challenges for Adversarial Patches in Object Detection

TL;DR

This study investigates the performance of adversarial patches for the YOLO object detection network in the physical world, highlighting the challenges in maintaining attack efficacy in real-world conditions and the importance of understanding environmental influences on adversarial attacks.

Abstract

Adversarial attacks pose a significant threat to the robustness and reliability of machine learning systems, particularly in computer vision applications. This study investigates the performance of adversarial patches for the YOLO object detection network in the physical world. Two attacks were tested: a patch designed to be placed anywhere within the scene - global patch, and another patch intended to partially overlap with specific object targeted for removal from detection - local patch. Various factors such as patch size, position, rotation, brightness, and hue were analyzed to understand their impact on the effectiveness of the adversarial patches. The results reveal a notable dependency on these parameters, highlighting the challenges in maintaining attack efficacy in real-world conditions. Learning to align digitally applied transformation parameters with those measured in the real world still results in up to a 64\% discrepancy in patch performance. These findings underscore the importance of understanding environmental influences on adversarial attacks, which can inform the development of more robust defenses for practical machine learning applications.

Paper Structure

This paper contains 19 sections, 1 equation, 17 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Methodology
  4. Discovering Vulnerabilities of Adversarial Patches
  5. Experimental setup
  6. Experimental variables
  7. Exploration based on a fixed indoor scene
  8. Discussion, Limitations, and Outlook
  9. Parameter Matching
  10. Geometric Transformations
  11. Color Transformations
  12. Further Details of Experimental Setup
  13. Performance comparison of local and global adversarial patches
  14. Rotation dependence
  15. Size dependence
  16. ...and 4 more sections

Figures (17)

  • Figure 1: Discrepancy between the hue transformation applied in the real world using a RGB light source (top) and digitally applied transformation using the best matching parameters got from a neural network (bottom).
  • Figure 2: Global (left) and local (right) adversarial patches used in this work to attack YOLOv3 and YOLOv5.
  • Figure 3: Global patch performance under different conditions. (a)-(b): relocating physical patch shows its localized effects; (a)-(c): digital patch shows stronger performance when compared to a physical patch at the same position; (c)-(d): patch rotation mitigates its effect; (e)-(f): patch size correlates positively with its effectiveness; (g)-(h): the effect of environmental brightness is mixed.
  • Figure 4: Detection confidence over patch position (left), and distance between the edge of the patch and the bounding box (right) for "tennis racket".
  • Figure 5: Mean average precision for patch rotations around all axes: physical experiment (left) and digital experiment (right). The patch sizes across domains were aligned.
  • ...and 12 more figures