Adversarial Universal Stickers: Universal Perturbation Attacks on Traffic Sign using Stickers

Anthony Etim, Jakub Szefer

TL;DR

The paper investigates universal perturbations in traffic-sign recognition by introducing simple black/white stickers that, when placed at a common location on any street sign, can cause misclassification across sign types. It presents a virtual testing framework that uses Street View images to evaluate attacks safely, and demonstrates that one or two stickers can achieve high misclassification rates, with confidence levels reaching up to $90\%$ in some cases. The attack workflow involves computing a universal perturbation mask from sign geometries, exhaustively locating the sticker within this region, and applying it to Street View images to evaluate robustness. The findings reveal practical security risks for autonomous driving perception systems and highlight the need for defenses that account for spatially invariant perturbations across diverse sign types.

Abstract

Adversarial attacks on deep learning models have proliferated in recent years. In many cases, a different adversarial perturbation is required to be added to each image to cause the deep learning model to misclassify it. This is ineffective as each image has to be modified in a different way. Meanwhile, research on universal perturbations focuses on designing a single perturbation that can be applied to all images in a data set, and cause a deep learning model to misclassify the images. This work advances the field of universal perturbations by exploring universal perturbations in the context of traffic signs and autonomous vehicle systems. This work introduces a novel method for generating universal perturbations that visually look like simple black and white stickers, and using them to cause incorrect street sign predictions. Unlike traditional adversarial perturbations, the adversarial universal stickers are designed to be applicable to any street sign: the same sticker, or stickers, can be applied in the same location to any street sign and cause it to be misclassified. Further, to enable safe experimentation with adversarial images and street signs, this work presents a virtual setting that leverages Street View images of street signs, rather than the need to physically modify street signs, to test the attacks. The experiments in the virtual setting demonstrate that these stickers can consistently mislead deep learning models used commonly in street sign recognition, and achieve high attack success rates on a dataset of US traffic signs. The findings highlight the practical security risks posed by simple stickers applied to traffic signs, and the ease with which adversaries can generate adversarial universal stickers that can be applied to many street signs.

Paper Structure

This paper contains 20 sections, 7 figures, 9 tables.

Figures (7)

  • Figure 1: Adversarial universal sticker attack workflow.
  • Figure 2: Single Black sticker attack images.
  • Figure 3: Single White sticker attack images.
  • Figure 4: Two Black sticker attack images.
  • Figure 5: Two Black and White sticker attack images.
  • ...and 2 more figures