Why Don't You Clean Your Glasses? Perception Attacks with Dynamic Optical Perturbations

TL;DR

This paper introduces EvilEye, a novel physical-world perception attack using dynamic optical perturbations via transparent displays, demonstrating high robustness and success rates across varying lighting conditions against autonomous systems.

Contribution

EvilEye is the first sensor-first, dynamic physical adversarial attack leveraging optical transformations, significantly improving robustness and success rate over existing methods.

Findings

EvilEye achieves high attack success rates across diverse lighting conditions.

Dynamic perturbations outperform static ones in robustness.

EvilEye bypasses state-of-the-art physical adversarial detection methods.

Abstract

Camera-based autonomous systems that emulate human perception are increasingly being integrated into safety-critical platforms. Consequently, an established body of literature has emerged that explores adversarial attacks targeting the underlying machine learning models. Adapting adversarial attacks to the physical world is desirable for the attacker, as this removes the need to compromise digital systems. However, the real world poses challenges related to the "survivability" of adversarial manipulations given environmental noise in perception pipelines and the dynamicity of autonomous systems. In this paper, we take a sensor-first approach. We present EvilEye, a man-in-the-middle perception attack that leverages transparent displays to generate dynamic physical adversarial examples. EvilEye exploits the camera's optics to induce misclassifications under a variety of illumination conditions. To generate dynamic perturbations, we formalize the projection of a digital attack into the physical domain by modeling the transformation function of the captured image through the optical pipeline. Our extensive experiments show that EvilEye's generated adversarial perturbations are much more robust across varying environmental light conditions relative to existing physical perturbation frameworks, achieving a high attack success rate (ASR) while bypassing state-of-the-art physical adversarial detection frameworks. We demonstrate that the dynamic nature of EvilEye enables attackers to adapt adversarial examples across a variety of objects with a significantly higher ASR compared to state-of-the-art physical world attack frameworks. Finally, we discuss mitigation strategies against the EvilEye attack.