Attacking Object Detector Using A Universal Targeted Label-Switch Patch

TL;DR

This paper introduces a novel universal targeted label-switch attack on object detectors like YOLO, using a specially designed patch that can be applied to multiple objects and remains effective in physical environments.

Contribution

It presents a new attack method with a tailored projection function and a unique loss function, enabling label switching on multiple objects in digital and physical domains.

Findings

The attack successfully switches object labels in various scenarios.

The universal patch transfers effectively from digital to physical settings.

The method is effective across different object detectors and camera setups.

Abstract

Adversarial attacks against deep learning-based object detectors (ODs) have been studied extensively in the past few years. These attacks cause the model to make incorrect predictions by placing a patch containing an adversarial pattern on the target object or anywhere within the frame. However, none of prior research proposed a misclassification attack on ODs, in which the patch is applied on the target object. In this study, we propose a novel, universal, targeted, label-switch attack against the state-of-the-art object detector, YOLO. In our attack, we use (i) a tailored projection function to enable the placement of the adversarial patch on multiple target objects in the image (e.g., cars), each of which may be located a different distance away from the camera or have a different view angle relative to the camera, and (ii) a unique loss function capable of changing the label of the attacked objects. The proposed universal patch, which is trained in the digital domain, is transferable to the physical domain. We performed an extensive evaluation using different types of object detectors, different video streams captured by different cameras, and various target classes, and evaluated different configurations of the adversarial patch in the physical domain.