Adversarial Camouflage: Hiding Physical-World Attacks with Natural Styles
Ranjie Duan, Xingjun Ma, Yisen Wang, James Bailey, A. K. Qin, Yun Yang

TL;DR
AdvCam is a novel method that creates stealthy physical-world adversarial examples by blending large perturbations into natural styles, making them appear legitimate and fooling neural networks while remaining visually inconspicuous.
Contribution
This paper introduces AdvCam, a new approach that camouflages adversarial perturbations into natural styles, enhancing stealthiness and effectiveness in both digital and physical scenarios.
Findings
AdvCam produces highly camouflaged adversarial examples that fool state-of-the-art classifiers.
The method is effective in both digital and physical-world settings.
AdvCam can also be used to protect private information from detection.
Abstract
Deep neural networks (DNNs) are known to be vulnerable to adversarial examples. Existing works have mostly focused on either digital adversarial examples created via small and imperceptible perturbations, or physical-world adversarial examples created with large and less realistic distortions that are easily identified by human observers. In this paper, we propose a novel approach, called Adversarial Camouflage (AdvCam), to craft and camouflage physical-world adversarial examples into natural styles that appear legitimate to human observers. Specifically, AdvCam transfers large adversarial perturbations into customized styles, which are then "hidden" on-target object or off-target background. Experimental evaluation shows that, in both digital and physical-world scenarios, adversarial examples crafted by AdvCam are well camouflaged and highly stealthy, while…
Videos
Adversarial Camouflage: Hiding Physical-World Attacks With Natural Styles · YouTube
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security · Integrated Circuits and Semiconductor Failure Analysis
