Unified Adversarial Patch for Cross-modal Attacks in the Physical World

TL;DR

This paper introduces a unified adversarial patch capable of simultaneously fooling both visible and infrared object detectors in physical environments, highlighting potential security risks in multi-modal sensor deployments.

Contribution

The work presents a novel shape optimization and score-aware evaluation method to create a single patch effective across different sensor modalities, a significant advancement over single-modal attacks.

Findings

Achieved over 70% attack success rate on YOLOv3 and Faster R-CNN.

Demonstrated physical-world effectiveness under various angles, distances, and scenes.

Proved the feasibility of cross-modal adversarial attacks in real-world scenarios.

Abstract

Recently, physical adversarial attacks have been presented to evade DNNs-based object detectors. To ensure the security, many scenarios are simultaneously deployed with visible sensors and infrared sensors, leading to the failures of these single-modal physical attacks. To show the potential risks under such scenes, we propose a unified adversarial patch to perform cross-modal physical attacks, i.e., fooling visible and infrared object detectors at the same time via a single patch. Considering different imaging mechanisms of visible and infrared sensors, our work focuses on modeling the shapes of adversarial patches, which can be captured in different modalities when they change. To this end, we design a novel boundary-limited shape optimization to achieve the compact and smooth shapes, and thus they can be easily implemented in the physical world. In addition, to balance the fooling degree between visible detector and infrared detector during the optimization process, we propose a score-aware iterative evaluation, which can guide the adversarial patch to iteratively reduce the predicted scores of the multi-modal sensors. We finally test our method against the one-stage detector: YOLOv3 and the two-stage detector: Faster RCNN. Results show that our unified patch achieves an Attack Success Rate (ASR) of 73.33% and 69.17%, respectively. More importantly, we verify the effective attacks in the physical world when visible and infrared sensors shoot the objects under various settings like different angles, distances, postures, and scenes.