论文信息 - Evading Real-Time Person Detectors by Adversarial T-shirt

Evading Real-Time Person Detectors by Adversarial T-shirt

It is known that deep neural networks (DNNs) could be vulnerable to adversarial attacks. The so-called physical adversarial examples deceive DNN-based decision makers by attaching adversarial patches to real objects. However, most of the existing works on physical adversarial attacks focus on static objects such as glass frame, stop sign and image attached to a cardboard. In this work, we propose Adversarial T-shirt, a robust physical adversarial example for evading person detectors even if it suffers from deformation due to a moving person’s pose change. To the best of our knowledge, the effect of deformation is first modelled for designing physical adversarial examples with respect to non-rigid objects such as T-shirts. We show that the proposed method achieve 79% and 63% attack success rates in digital and physical worlds respectively against YOLOv2. In contrast, the state-of-the-art physical attack method to fool a person detector only achieves 27% attack success rate. Furthermore, by leveraging min-max optimization, we extend our method to the ensemble attack setting against object detectors YOLOv2 and Faster R-CNN simultaneously.

[1] Chuang Gan,et al. Interpreting Adversarial Examples by Activation Promotion and Suppression , 2019, ArXiv.

[2] Duen Horng Chau,et al. ShapeShifter: Robust Physical Adversarial Attack on Faster R-CNN Object Detector , 2018, ECML/PKDD.

[3] Ruigang Yang,et al. Adversarial Objects Against LiDAR-Based Autonomous Driving Systems , 2019, ArXiv.

[4] Fred L. Bookstein,et al. Principal Warps: Thin-Plate Splines and the Decomposition of Deformations , 1989, IEEE Trans. Pattern Anal. Mach. Intell..

[5] Atul Prakash,et al. Robust Physical-World Attacks on Deep Learning Visual Classification , 2018, 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition.

[6] Trevor Darrell,et al. Rich Feature Hierarchies for Accurate Object Detection and Semantic Segmentation , 2013, 2014 IEEE Conference on Computer Vision and Pattern Recognition.

[7] Chun-Liang Li,et al. Beyond Pixel Norm-Balls: Parametric Adversaries using an Analytically Differentiable Renderer , 2018, ICLR.

[8] Pietro Perona,et al. Microsoft COCO: Common Objects in Context , 2014, ECCV.

[9] Jiajun Lu,et al. Adversarial Examples that Fool Detectors , 2017, ArXiv.

[10] David A. Wagner,et al. Audio Adversarial Examples: Targeted Attacks on Speech-to-Text , 2018, 2018 IEEE Security and Privacy Workshops (SPW).

[11] Yanzhi Wang,et al. ADMM attack: an enhanced adversarial attack for deep neural networks with undetectable distortions , 2019, ASP-DAC.

[12] Jonathon Shlens,et al. Explaining and Harnessing Adversarial Examples , 2014, ICLR.

[13] Zhengyou Zhang,et al. A Flexible New Technique for Camera Calibration , 2000, IEEE Trans. Pattern Anal. Mach. Intell..

[14] Toon Goedemé,et al. Fooling Automated Surveillance Cameras: Adversarial Patches to Attack Person Detection , 2019, 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops (CVPRW).

[15] Kaiming He,et al. Faster R-CNN: Towards Real-Time Object Detection with Region Proposal Networks , 2015, IEEE Transactions on Pattern Analysis and Machine Intelligence.

[16] Sijia Liu,et al. Topology Attack and Defense for Graph Neural Networks: An Optimization Perspective , 2019, IJCAI.

[17] J. Zico Kolter,et al. Adversarial camera stickers: A physical camera-based attack on deep learning systems , 2019, ICML.

[18] Anand Rangarajan,et al. Non-rigid point matching: algorithms, extensions and applications , 2001 .

[19] Serge J. Belongie,et al. Approximate Thin Plate Spline Mappings , 2002, ECCV.

[20] Ross B. Girshick,et al. Fast R-CNN , 2015, 1504.08083.

[21] Bo Li,et al. Beyond Adversarial Training: Min-Max Optimization in Adversarial Attack and Defense , 2019, ArXiv.

[22] Luyu Wang,et al. On the Sensitivity of Adversarial Robustness to Input Data Distributions , 2018, ICLR.

[23] Deniz Erdogmus,et al. Structured Adversarial Attack: Towards General Implementation and Better Interpretability , 2018, ICLR.

[24] Dawn Song,et al. Physical Adversarial Examples for Object Detectors , 2018, WOOT @ USENIX Security Symposium.

[25] Andreas Geiger,et al. Automatic camera and range sensor calibration using a single shot , 2012, 2012 IEEE International Conference on Robotics and Automation.

[26] Lujo Bauer,et al. Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition , 2016, CCS.

[27] Andrew Zisserman,et al. Spatial Transformer Networks , 2015, NIPS.

[28] Jimmy Ba,et al. Adam: A Method for Stochastic Optimization , 2014, ICLR.

[29] Prateek Mittal,et al. Rogue Signs: Deceiving Traffic Sign Recognition with Malicious Ads and Logos , 2018, ArXiv.

[30] Logan Engstrom,et al. Synthesizing Robust Adversarial Examples , 2017, ICML.

[31] David A. Wagner,et al. Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples , 2018, ICML.

[32] Ali Farhadi,et al. YOLO9000: Better, Faster, Stronger , 2016, 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR).

[33] Wei Liu,et al. SSD: Single Shot MultiBox Detector , 2015, ECCV.