REAP: A Large-Scale Realistic Adversarial Patch Benchmark

TL;DR

The REAP benchmark provides a realistic digital platform to evaluate adversarial patch attacks on traffic signs, revealing that such attacks may be less threatening in real-world scenarios than previously thought.

Contribution

This work introduces the REAP benchmark, enabling large-scale, realistic evaluation of adversarial patches on traffic signs using real images and transformations.

Findings

Adversarial patch attacks may be less effective in real-world conditions.

Success rates in digital simulations do not reliably predict real-world attack effectiveness.

REAP benchmark is publicly available for further research.

Abstract

Machine learning models are known to be susceptible to adversarial perturbation. One famous attack is the adversarial patch, a sticker with a particularly crafted pattern that makes the model incorrectly predict the object it is placed on. This attack presents a critical threat to cyber-physical systems that rely on cameras such as autonomous cars. Despite the significance of the problem, conducting research in this setting has been difficult; evaluating attacks and defenses in the real world is exceptionally costly while synthetic data are unrealistic. In this work, we propose the REAP (REalistic Adversarial Patch) benchmark, a digital benchmark that allows the user to evaluate patch attacks on real images, and under real-world conditions. Built on top of the Mapillary Vistas dataset, our benchmark contains over 14,000 traffic signs. Each sign is augmented with a pair of geometric and lighting transformations, which can be used to apply a digitally generated patch realistically onto the sign. Using our benchmark, we perform the first large-scale assessments of adversarial patch attacks under realistic conditions. Our experiments suggest that adversarial patch attacks may present a smaller threat than previously believed and that the success rate of an attack on simpler digital simulations is not predictive of its actual effectiveness in practice. We release our benchmark publicly at https://github.com/wagner-group/reap-benchmark.