Note on Attacking Object Detectors with Adversarial Stickers

TL;DR

This paper demonstrates that physical adversarial stickers can effectively fool state-of-the-art object detectors like YOLO and Faster-RCNN, highlighting vulnerabilities in these systems through static and dynamic tests.

Contribution

It introduces an algorithm to generate physical adversarial stickers that can reliably deceive object detectors, extending adversarial attacks to physical objects.

Findings

Adversarial stickers can cause mislabeling or non-detection of objects.

The attack transfers effectively between different detectors.

Physical stickers are a practical attack vector against object detection systems.

Abstract

Deep learning has proven to be a powerful tool for computer vision and has seen widespread adoption for numerous tasks. However, deep learning algorithms are known to be vulnerable to adversarial examples. These adversarial inputs are created such that, when provided to a deep learning algorithm, they are very likely to be mislabeled. This can be problematic when deep learning is used to assist in safety critical decisions. Recent research has shown that classifiers can be attacked by physical adversarial examples under various physical conditions. Given the fact that state-of-the-art objection detection algorithms are harder to be fooled by the same set of adversarial examples, here we show that these detectors can also be attacked by physical adversarial examples. In this note, we briefly show both static and dynamic test results. We design an algorithm that produces physical adversarial inputs, which can fool the YOLO object detector and can also attack Faster-RCNN with relatively high success rate based on transferability. Furthermore, our algorithm can compress the size of the adversarial inputs to stickers that, when attached to the targeted object, result in the detector either mislabeling or not detecting the object a high percentage of the time. This note provides a small set of results. Our upcoming paper will contain a thorough evaluation on other object detectors, and will present the algorithm.