Defenses Against Multi-Sticker Physical Domain Attacks on Classifiers
Xinwei Zhao, Matthew C. Stamm

TL;DR
This paper introduces new defense strategies against multi-sticker physical attacks on classifiers, demonstrating effectiveness across various levels of attacker knowledge and outperforming existing defenses.
Contribution
The paper proposes novel defenses specifically designed to counter multi-sticker physical domain attacks on classifiers, filling a gap in current security measures.
Findings
Proposed defenses outperform existing methods against multi-sticker attacks.
Defense strategies are effective with full, partial, and no prior attack information.
Extensive experiments validate the robustness of the proposed defenses.
Abstract
Recently, physical domain adversarial attacks have drawn significant attention from the machine learning community. One important attack proposed by Eykholt et al. can fool a classifier by placing black and white stickers on an object such as a road sign. While this attack may pose a significant threat to visual classifiers, there are currently no defenses designed to protect against this attack. In this paper, we propose new defenses that can protect against multi-sticker attacks. We present defensive strategies capable of operating when the defender has full, partial, and no prior information about the attack. By conducting extensive experiments, we show that our proposed defenses can outperform existing defenses against physical attacks when presented with a multi-sticker attack.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Anomaly Detection Techniques and Applications
