Adversarial Scratches: Deployable Attacks to CNN Classifiers

TL;DR

This paper introduces Adversarial Scratches, a new physical-world attack method on CNN classifiers using Bézier Curve-based scratches, which is more deployable and efficient than existing adversarial attacks.

Contribution

The paper proposes a novel L0 black-box attack using Bézier Curves to create physically deployable adversarial scratches on images, outperforming existing methods in efficiency and effectiveness.

Findings

Achieves higher fooling rates than comparable deployable attacks.

Requires fewer queries and modifies fewer pixels.

Effective on traffic sign images and real-world API scenarios.

Abstract

A growing body of work has shown that deep neural networks are susceptible to adversarial examples. These take the form of small perturbations applied to the model's input which lead to incorrect predictions. Unfortunately, most literature focuses on visually imperceivable perturbations to be applied to digital images that often are, by design, impossible to be deployed to physical targets. We present Adversarial Scratches: a novel L0 black-box attack, which takes the form of scratches in images, and which possesses much greater deployability than other state-of-the-art attacks. Adversarial Scratches leverage B\'ezier Curves to reduce the dimension of the search space and possibly constrain the attack to a specific location. We test Adversarial Scratches in several scenarios, including a publicly available API and images of traffic signs. Results show that, often, our attack achieves higher fooling rate than other deployable state-of-the-art methods, while requiring significantly fewer queries and modifying very few pixels.