While machine learning applications are getting mainstream owing to a demonstrated efficiency in solving complex problems, they suffer from inherent vulnerability to adversarial attacks. Adversarial attacks consist of additive noise to an input which can fool a detector. Recently, successful real-world printable adversarial patches were proven efficient against state-of-the-art neural networks. In the transition from digital noise based attacks to real-world physical attacks, the myriad of factors affecting object detection will also affect adversarial patches. Among these factors, view angle is one of the most influential, yet under-explored. In this paper, we study the effect of view angle on the effectiveness of an adversarial patch. To this aim, we propose the first approach that considers a multi-view context by combining existing adversarial patches with a perspective geometric transformation in order to simulate the effect of view angle changes. Our approach has been evaluated on two datasets: the first dataset which contains most real world constraints of a multi-view context, and the second dataset which empirically isolates the effect of view angle. The experiments show that view angle significantly affects the performance of adversarial patches, where in some cases the patch loses most of its effectiveness. We believe that these results motivate taking into account the effect of view angles in future adversarial attacks, and open up new opportunities for adversarial defenses.
翻译:机器学习应用由于在解决复杂问题方面的明显效率而逐渐成为主流,但它们在本质上容易受到对抗性攻击的影响。反向攻击包括添加噪音,成为能够愚弄探测器的输入物。最近,成功的真实世界可打印对抗性补丁被证明对最先进的神经网络是有效的。在从数字噪音攻击向现实世界物理攻击的过渡中,影响物体探测的各种因素也会影响对立补丁。在这些因素中,视觉角度是最具影响力的,但却是探索不足的。在本文中,我们研究了观点角度对对抗性补丁的效果的影响。为此,我们提出第一种办法,通过将现有的对抗性补丁与视角的几何转换相结合来考虑多视角环境,以模拟观点角度变化的效果。我们的方法在两个数据集上进行了评估:第一个数据集包含多视角环境最真实的世界制约因素,第二个数据集是实验性地分离了观点角度的效果。实验显示,这一视角对敌对性补丁的效果产生了显著影响,在一些新视角中,我们相信这些新视角会丧失了这些新视角。