Shadows Aren't So Dangerous After All: A Fast and Robust Defense Against Shadow-Based Adversarial Attacks

TL;DR

This paper introduces a fast, robust defense method against shadow-based adversarial attacks on road sign classifiers by augmenting images with edge and threshold maps, significantly improving robustness over previous adversarial training approaches.

Contribution

The paper proposes a novel defense technique using image augmentation with edge and threshold maps to counter shadow attacks in road sign recognition, outperforming existing adversarial training methods.

Findings

Achieves 78% robustness against shadow attacks on GTSRB

Maintains 98% accuracy on benign test images

Demonstrates similarity to ε perturbation-based attacks

Abstract

Robust classification is essential in tasks like autonomous vehicle sign recognition, where the downsides of misclassification can be grave. Adversarial attacks threaten the robustness of neural network classifiers, causing them to consistently and confidently misidentify road signs. One such class of attack, shadow-based attacks, causes misidentifications by applying a natural-looking shadow to input images, resulting in road signs that appear natural to a human observer but confusing for these classifiers. Current defenses against such attacks use a simple adversarial training procedure to achieve a rather low 25\% and 40\% robustness on the GTSRB and LISA test sets, respectively. In this paper, we propose a robust, fast, and generalizable method, designed to defend against shadow attacks in the context of road sign recognition, that augments source images with binary adaptive threshold and edge maps. We empirically show its robustness against shadow attacks, and reformulate the problem to show its similarity to $\varepsilon$ perturbation-based attacks. Experimental results show that our edge defense results in 78\% robustness while maintaining 98\% benign test accuracy on the GTSRB test set, with similar results from our threshold defense. Link to our code is in the paper.