Synthesizing Unrestricted False Positive Adversarial Objects Using Generative Models
Martin Kotuliak, Sandro E. Schoenborn, Andrei Dan

TL;DR
This paper introduces a novel method for generating unrestricted false positive adversarial objects for object detection using pre-trained GANs, demonstrating transferability and physical-world robustness.
Contribution
It presents a new approach to create unrestricted adversarial objects for detection models without additional training, expanding adversarial attack capabilities.
Findings
Adversarial objects are indistinguishable from normal objects.
Generated adversarial objects transfer between different detectors.
Adversarial objects are robust in physical environments.
Abstract
Adversarial examples are data points misclassified by neural networks. Originally, adversarial examples were limited to adding small perturbations to a given image. Recent work introduced the generalized concept of unrestricted adversarial examples, without limits on the added perturbations. In this paper, we introduce a new category of attacks that create unrestricted adversarial examples for object detection. Our key idea is to generate adversarial objects that are unrelated to the classes identified by the target object detector. Different from previous attacks, we use off-the-shelf Generative Adversarial Networks (GAN), without requiring any further training or modification. Our method consists of searching over the latent normal space of the GAN for adversarial objects that are wrongly identified by the target object detector. We evaluate this method on the commonly used Faster…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security · Advanced Malware Detection Techniques
Methods: Average Pooling · Pointwise Convolution · Depthwise Convolution · Residual Connection · Depthwise Separable Convolution · MobileNetV1 · Global Average Pooling · Bottleneck Residual Block · Residual Block · Kaiming Initialization
