Adversarial Examples that Fool Detectors

TL;DR

This paper demonstrates the existence of adversarial examples that can fool object detectors like Faster RCNN and YOLO, highlighting new security vulnerabilities in autonomous systems.

Contribution

It introduces a novel construction method for creating adversarial examples that successfully deceive object detectors, both digitally and physically.

Findings

Successfully fools Faster RCNN and YOLO detectors

Adversarial examples generalize across sequences digitally

Physical adversarial objects are feasible

Abstract

An adversarial example is an example that has been adjusted to produce a wrong label when presented to a system at test time. To date, adversarial example constructions have been demonstrated for classifiers, but not for detectors. If adversarial examples that could fool a detector exist, they could be used to (for example) maliciously create security hazards on roads populated with smart vehicles. In this paper, we demonstrate a construction that successfully fools two standard detectors, Faster RCNN and YOLO. The existence of such examples is surprising, as attacking a classifier is very different from attacking a detector, and that the structure of detectors - which must search for their own bounding box, and which cannot estimate that box very accurately - makes it quite likely that adversarial patterns are strongly disrupted. We show that our construction produces adversarial examples that generalize well across sequences digitally, even though large perturbations are needed. We also show that our construction yields physical objects that are adversarial.