# Physical Adversarial Attacks on Deep Neural Networks for Traffic Sign Recognition: A Feasibility Study

**Authors:** Fabian Woitschek, Georg Schneider

arXiv: 2302.13570 · 2023-03-10

## TL;DR

This study demonstrates the feasibility of physical adversarial attacks on traffic sign recognition DNNs using various black-box methods, highlighting safety concerns and the need for robust defenses in real-world applications.

## Contribution

First to combine a general physical attack framework with multiple black-box methods and analyze their effectiveness under real-world conditions.

## Key findings

- Physical attacks can reliably fool traffic sign DNNs in real environments.
- Different attack methods vary in success rates and perceptibility.
- Results emphasize the importance of developing defenses like adversarial training.

## Abstract

Deep Neural Networks (DNNs) are increasingly applied in the real world in safety-critical applications like advanced driver assistance systems. An example of such a use case is represented by traffic sign recognition systems. At the same time, it is known that current DNNs can be fooled by adversarial attacks, which raises safety concerns if those attacks can be applied under realistic conditions. In this work, we apply different black-box attack methods to generate perturbations that are applied in the physical environment and can be used to fool systems under different environmental conditions. To the best of our knowledge, we are the first to combine a general framework for physical attacks with different black-box attack methods and study the impact of the different methods on the success rate of the attack under the same setting. We show that reliable physical adversarial attacks can be performed with different methods and that it is also possible to reduce the perceptibility of the resulting perturbations. The findings highlight the need for viable defenses of a DNN even in the black-box case, but at the same time form the basis for securing a DNN with methods like adversarial training, which utilizes adversarial attacks to augment the original training data.

## Figures

24 figures with captions in the complete paper: https://tomesphere.com/paper/2302.13570/full.md

## References

29 references — full list in the complete paper: https://tomesphere.com/paper/2302.13570/full.md

---
Source: https://tomesphere.com/paper/2302.13570