Invisible Perturbations: Physical Adversarial Examples Exploiting the Rolling Shutter Effect

TL;DR

This paper introduces a novel method for creating invisible physical adversarial examples by modulating light to exploit the rolling shutter effect in cameras, causing targeted misclassifications without visible artifacts.

Contribution

It presents the first approach to generate invisible adversarial examples by manipulating illumination rather than object appearance, exploiting the rolling shutter effect in commodity cameras.

Findings

Targeted attack success rate up to 84% in physical experiments

Effective manipulation of light to induce specific misclassifications

Demonstrated feasibility on state-of-the-art ImageNet models

Abstract

Physical adversarial examples for camera-based computer vision have so far been achieved through visible artifacts -- a sticker on a Stop sign, colorful borders around eyeglasses or a 3D printed object with a colorful texture. An implicit assumption here is that the perturbations must be visible so that a camera can sense them. By contrast, we contribute a procedure to generate, for the first time, physical adversarial examples that are invisible to human eyes. Rather than modifying the victim object with visible artifacts, we modify light that illuminates the object. We demonstrate how an attacker can craft a modulated light signal that adversarially illuminates a scene and causes targeted misclassifications on a state-of-the-art ImageNet deep learning model. Concretely, we exploit the radiometric rolling shutter effect in commodity cameras to create precise striping patterns that appear on images. To human eyes, it appears like the object is illuminated, but the camera creates an image with stripes that will cause ML models to output the attacker-desired classification. We conduct a range of simulation and physical experiments with LEDs, demonstrating targeted attack rates up to 84%.