Traversing the Subspace of Adversarial Patches

Jens Bayer, Stefan Becker, David Münch, Michael Arens, Jürgen Beyerer

TL;DR

This work investigates whether adversarial patches for object detectors lie on a low-dimensional manifold, as suggested by the manifold hypothesis. It analyzes a crafted set of patches with three dimensionality-reduction methods (PCA via Eigenpatches, convolutional autoencoders, and CVAEs), evaluating patch reconstruction quality and attack impact on a YOLOv7 tiny detector across INRIA and Crowdhuman datasets. The study finds that sophisticated nonlinear methods do not outperform PCA, and sampling patches from simple low-dimensional representations suffices for both attack execution and adversarial training effectiveness. Overall, the results support the manifold view of adversarial patches and indicate that PCA-based sampling provides a practical baseline for defense-oriented evaluations, with future work exploring additional manifold techniques and defenses.

Abstract

Despite ongoing research on the topic of adversarial examples in deep learning for computer vision, some fundamentals of the nature of these attacks remain unclear. As the manifold hypothesis posits, high-dimensional data tends to be part of a low-dimensional manifold. To verify the thesis with adversarial patches, this paper provides an analysis of a set of adversarial patches and investigates the reconstruction abilities of three different dimensionality reduction methods. Quantitatively, the performance of reconstructed patches in an attack setting is measured and the impact of sampled patches from the latent space during adversarial training is investigated. The evaluation is performed on two publicly available datasets for person detection. The results indicate that more sophisticated dimensionality reduction methods offer no advantages over a simple principal component analysis.

Paper Structure

This paper contains 15 sections, 2 equations, 6 figures, 5 tables.

Figures (6)

  • Figure 1: Reconstruction (right) of an adversarial patch (left) using the first 16 Eigenpatches (middle) [Bayer2023].
  • Figure 2: A schematic overview of the three dimensionality reduction methods. In general, the input is a prime patch, which will be encoded by a dimensionality reduction method. Both autoencoder approaches have a latent space with two dimensions. The number of dimensions for the PCA depends on the chosen number of principal components and varies between 16, 32, 64, and 128 dimensions. Based on the encoding in the latent space, the input is reconstructed.
  • Figure 3: t-SNE plot of the model backbone activation when attacked with a certain patch. Each marker represents a single patch, embedded at the same position in the same image. The color indicates the impact of the patch on the mean average precision. The parameter set of the patch is given by its marker symbol. The plot includes the prime patches, 100 randomly sampled patches, and 100 grayscale patches. The parameter settings (A-E) used to train a certain prime patch correspond to the parameters presented in [Bayer2023].
  • Figure 4: t-SNE plot of the pixel values of each prime patch. The color indicates the impact of the patch on the mean average precision measured with the INRIA Person test set. The parameter set of a patch is given by its marker symbol.
  • Figure 5: t-SNE plots of the three reconstruction methods: Conditional Variational Autoencoder (CVAE), Autoencoder (AE) and Principal Component Analysis with 64 components (PCA(64)). Again, the color indicates the impact on the mean average precision measured with the INRIA Person test set. The marker symbol shows whether it is a reconstruction from the corresponding construction method or a prime patch.
  • ...and 1 more figures