SAAIPAA: Optimizing aspect-angles-invariant physical adversarial attacks on SAR target recognition models

TL;DR

The SAR Aspect-Angles-Invariant Physical Adversarial Attack (SAAIPAA), a framework that determines the optimal positions and orientations of any given set of reflectors, regardless of their number or size, even when the attacker lacks knowledge of the SAR platform's aspect angles is proposed.

Abstract

Synthetic aperture radar (SAR) enables versatile, all-time, all-weather remote sensing. Coupled with automatic target recognition (ATR) leveraging machine learning (ML), SAR is empowering a wide range of Earth observation and surveillance applications. However, the surge of attacks based on adversarial perturbations against the ML algorithms underpinning SAR ATR is prompting the need for systematic research into adversarial perturbation mechanisms. Research in this area began in the digital (image) domain and evolved into the physical (signal) domain, resulting in physical adversarial attacks (PAAs) that strategically exploit corner reflectors as attack vectors to evade ML-based ATR. Existing PAAs assume that the attacker knows the SAR platform's aspect angles, restricting their applicability to idealized scenarios. We propose the SAR Aspect-Angles-Invariant Physical Adversarial Attack (SAAIPAA), a framework that determines the optimal positions and orientations of any given set of reflectors, regardless of their number or size, even when the attacker lacks knowledge of the SAR platform's aspect angles. This is enabled by rigorous physics-based modeling of the reflected signal and the SAR imaging process. To facilitate mapping between image and scene coordinates, we additionally propose a method for generating bounding boxes in densely sampled azimuthal SAR images, allowing the target object to serve as a spatial reference. The resultant physical evasion attacks are efficiently realizable and optimal over the considered range of aspect angles between a SAR platform and a target, achieving state-of-the-art fooling rates (80% for DenseNet-121 and ResNet50) in the white-box setting for a four-reflector configuration. When aspect angles are known to the attacker, an average fooling rate of is 99.2% attainable. In black-box settings, SAAIPAA transfers well between some models.

Figures (12)

• Figure 1: A target object (tank) observed by a SAR system from incidence aspect angle $\theta^a$ and azimuth aspect angle $\phi^a$. The attacker attempts to change the physical scene near the target object, to compromise the SAR ATR model.
• Figure 2: The strategy of SAAIPAA: (a) Physical-domain adversarial perturbations actuated by $m$ reflectors are optimized over $N$ observations through Eq. \ref{['eq:loss']}. (b) Top view of a sample reflector configuration, where $m=4$. Each $i$-th reflector is deployed optimally at position $(x_i, y_i)$ with orientation $(\theta_i, \phi_i)$, in a scene observed by a SAR platform from angles $(\theta^a, \phi^a)$.
• Figure 3: Top view of a target object (e.g., tank) observed by a SAR system from azimuth aspect angle $\phi^a$. The flight track is assumed to be perpendicular to the line of sight.
• Figure 5: Composite image created by aligning and averaging all images of the T-62 for $\theta^a = 75^\circ$: (a) without bounding box and (b) with bounding box $R^{\text{ref}}$.
• Figure 6: A SAR image sample of (a) a T-62 observed from $\theta^a = 75^\circ$ and $\phi^a = 200.2^\circ$, (b) the weighted mask $\mathcal{M}\left(x, y, R\right) d(y, R)^\alpha$ used to find $R$, and (c) the bounding box $R$ found by solving \ref{['eq:bb']}.