Inconspicuous Adversarial Patches for Fooling Image Recognition Systems on Mobile Devices

TL;DR

This paper introduces a novel method for generating inconspicuous adversarial patches on a single image that effectively fool mobile image recognition systems while remaining undetectable to humans and resistant to detection methods.

Contribution

The paper proposes a new approach to create stealthy adversarial patches using a single image, leveraging perceptual sensitivity and multi-scale generation for strong attack and transferability.

Findings

Effective in fooling models in white-box settings

High transferability in black-box scenarios

Patches are hard to detect visually and by humans

Abstract

Deep learning based image recognition systems have been widely deployed on mobile devices in today's world. In recent studies, however, deep learning models are shown vulnerable to adversarial examples. One variant of adversarial examples, called adversarial patch, draws researchers' attention due to its strong attack abilities. Though adversarial patches achieve high attack success rates, they are easily being detected because of the visual inconsistency between the patches and the original images. Besides, it usually requires a large amount of data for adversarial patch generation in the literature, which is computationally expensive and time-consuming. To tackle these challenges, we propose an approach to generate inconspicuous adversarial patches with one single image. In our approach, we first decide the patch locations basing on the perceptual sensitivity of victim models, then produce adversarial patches in a coarse-to-fine way by utilizing multiple-scale generators and discriminators. The patches are encouraged to be consistent with the background images with adversarial training while preserving strong attack abilities. Our approach shows the strong attack abilities in white-box settings and the excellent transferability in black-box settings through extensive experiments on various models with different architectures and training methods. Compared to other adversarial patches, our adversarial patches hold the most negligible risks to be detected and can evade human observations, which is supported by the illustrations of saliency maps and results of user evaluations. Lastly, we show that our adversarial patches can be applied in the physical world.