Human-Producible Adversarial Examples
David Khachaturov, Yue Gao, Ilia Shumailov, Robert Mullins, Ross Anderson, Kassem Fawaz

TL;DR
This paper introduces a novel method for creating physical adversarial examples called adversarial tags, which are simple to produce with a marker pen and can significantly disrupt object detection models like YOLO.
Contribution
The authors present the first human-producible physical adversarial examples using minimal line drawings, demonstrating effectiveness and robustness in real-world scenarios.
Findings
Drawing 4 lines disrupts YOLO in 54.8% of cases
Drawing 9 lines disrupts YOLO in 81.8% of cases
Untrained humans can produce effective adversarial tags
Abstract
Visual adversarial examples have so far been restricted to pixel-level image manipulations in the digital world, or have required sophisticated equipment such as 2D or 3D printers to be produced in the physical real world. We present the first ever method of generating human-producible adversarial examples for the real world that requires nothing more complicated than a marker pen. We call them adversarial tags. First, building on top of differential rendering, we demonstrate that it is possible to build potent adversarial examples with just lines. We find that by drawing just 4 lines we can disrupt a YOLO-based model in 54.8% of cases; increasing this to 9 lines disrupts 81.8% of the cases tested. Next, we devise an improved method for line placement to be invariant to human drawing error. We evaluate our system thoroughly in both digital and analogue worlds and…
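The pipeline the abstract sketches (render a handful of lines, score them against a detector, move the endpoints to lower its confidence, and average over drawing error so the result survives a shaky hand) can be shown end to end on a toy. The block below is an added illustration, not the authors' code: the soft line rasteriser, the template-matching "detector" that stands in for YOLO, the bright-disc scene, the Gaussian endpoint jitter and stroke-erasing augmentations, the finite-difference gradient in place of a differentiable renderer, and every name (SIZE, SIGMA, render_lines, robust_loss, optimize_tag, and so on) are assumptions made here so that the example runs offline with only numpy. Only the structure of the attack is faithful to the paper's description; none of the numbers it produces should be read as results about YOLO.

```python
"""Toy adversarial-tag optimiser (added example, not the paper's code).

Places a few straight lines on an image so that a surrogate detector's
confidence drops, and keeps the placement robust to the endpoint jitter and
dropped strokes a human introduces when copying the tag with a marker pen.
Assumed stand-ins: a seeded template matcher instead of YOLO, and
finite-difference gradients instead of a differentiable renderer.
"""
import numpy as np

SIZE = 32    # SIZE x SIZE grayscale image with values in [0, 1]
SIGMA = 0.7  # soft line thickness in pixels


def render_lines(lines, size=SIZE, sigma=SIGMA):
    """Rasterise lines (rows of x0, y0, x1, y1) into an ink map in [0, 1].

    Pixel ink is exp(-d^2 / 2 sigma^2), d being the distance from the pixel
    centre to the nearest segment, so the map varies smoothly with endpoints.
    """
    ys, xs = np.mgrid[0:size, 0:size].astype(float)
    ink = np.zeros((size, size))
    for x0, y0, x1, y1 in np.asarray(lines, dtype=float).reshape(-1, 4):
        dx, dy = x1 - x0, y1 - y0
        # projection of every pixel onto the segment, clamped to the endpoints
        t = np.clip(((xs - x0) * dx + (ys - y0) * dy) / (dx * dx + dy * dy + 1e-9), 0.0, 1.0)
        d2 = (xs - (x0 + t * dx)) ** 2 + (ys - (y0 + t * dy)) ** 2
        ink = np.maximum(ink, np.exp(-d2 / (2.0 * sigma * sigma)))
    return ink


def make_scene(size=SIZE):
    """Constructed target: a bright disc (the 'object') on a darker background."""
    ys, xs = np.mgrid[0:size, 0:size]
    c = (size - 1) / 2.0
    disc = (xs - c) ** 2 + (ys - c) ** 2 <= (size / 4.0) ** 2
    return np.where(disc, 0.9, 0.3)


SCENE = make_scene()
_TEMPLATE = SCENE - SCENE.mean()
_TEMPLATE /= np.sum(_TEMPLATE * _TEMPLATE)  # the clean scene then scores exactly 1.0


def detector_confidence(img):
    """Surrogate detector: template match against the disc, squashed to (0, 1)."""
    return 1.0 / (1.0 + np.exp(-8.0 * (np.sum(_TEMPLATE * img) - 0.5)))


def draw_tag(scene, lines):
    """Apply marker ink: dark strokes multiply the scene brightness down."""
    return scene * (1.0 - 0.95 * render_lines(lines))


def make_augmentations(n_lines, n_samples, rng, jitter=1.5, erase_prob=0.2):
    """Pre-sample jitter (Gaussian endpoint error, in pixels) and erasing
    (dropped strokes) once, so the objective is deterministic across calls."""
    offsets = rng.normal(0.0, jitter, size=(n_samples, n_lines, 4))
    keep = rng.random((n_samples, n_lines)) >= erase_prob
    keep[:, 0] = True  # never erase the whole tag
    return offsets, keep


def robust_loss(lines, offsets, keep, scene=SCENE):
    """Expected detector confidence over jittered, partially erased copies of
    the tag: the quantity the attacker drives down."""
    total = 0.0
    for off, kept in zip(offsets, keep):
        total += detector_confidence(draw_tag(scene, (lines + off)[kept]))
    return total / len(offsets)


def fd_gradient(loss_fn, lines, eps=0.25):
    """Forward-difference gradient of loss_fn with respect to every endpoint."""
    base = loss_fn(lines)
    grad = np.zeros_like(lines)
    for idx in np.ndindex(*lines.shape):
        bumped = lines.copy()
        bumped[idx] += eps
        grad[idx] = (loss_fn(bumped) - base) / eps
    return base, grad


def optimize_tag(n_lines=4, steps=30, n_samples=16, seed=0, step=4.0):
    """Descend on endpoint coordinates with a backtracking line search.

    Returns (lines, initial_loss, final_loss); lines stay inside the image.
    """
    rng = np.random.default_rng(seed)
    lines = rng.uniform(2.0, SIZE - 3.0, size=(n_lines, 4))
    offsets, keep = make_augmentations(n_lines, n_samples, rng)

    def loss_fn(candidate):
        return robust_loss(candidate, offsets, keep)

    initial = loss_fn(lines)
    for _ in range(steps):
        current, grad = fd_gradient(loss_fn, lines)
        norm = np.linalg.norm(grad)
        if norm < 1e-12:
            break
        direction = -grad / norm
        scale = step
        while scale > 1e-3:  # shrink the move until the robust loss really drops
            candidate = np.clip(lines + scale * direction, 0.0, SIZE - 1.0)
            if loss_fn(candidate) < current:
                lines = candidate
                break
            scale *= 0.5
        else:
            break  # flat at this resolution: stop
    return lines, initial, loss_fn(lines)


if __name__ == "__main__":
    tag, before, after = optimize_tag()
    print(f"clean confidence: {detector_confidence(SCENE):.3f}")
    print(f"robust confidence with tag: {before:.3f} -> {after:.3f}")
```

The design point worth noticing is in robust_loss: the jitter offsets and erase masks are sampled once and reused for every evaluation, so the optimiser sees a fixed objective (an expectation over the drawing errors a human will make) rather than chasing fresh noise each step. Swapping detector_confidence for a real model's objectness score and fd_gradient for autograd through a differentiable rasteriser is what turns this sketch into the paper's actual setting; the augmentation and endpoint parameterisation would stay the same.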
Peer Reviews
Decision: Submitted to ICLR 2024
1. This paper delves into a captivating avenue for generating adversarial perturbations.
2. Moreover, the authors have thoughtfully crafted a robust loss function aimed at ensuring that the adversarial lines are feasibly replicable by humans.
1. The "Method" section would benefit from additional granularity. Specifically, it remains unclear how overlapping of the randomly generated lines is addressed. Are there any constraints or specific guidelines governing the generation of these random lines?
2. The decision to employ only four line-defining points warrants clarification. Is there a theoretical foundation or empirical rationale that supports this choice?
3. There are noticeable writing inconsistencies. For instance, the abbreviat
* The writing quality is high and only a few minor typos are noticeable.
* The investigated problem is interesting and well-separated from existing literature. The plausible implementation of adversarial distortion by humans is still an under-studied area. The submission may offer some impact to the literature.
* The paper is well organized and flows easily from section to section.
* Experiments are intuitive and investigate key aspects of the methodology. The authors attempted a user study w
* The user study consisted of only four participants, and does not investigate the effects of artistic ability. The sample size seems too low to draw any broad conclusions. It wasn't mentioned if the participants had a limited time budget to replicate the lines, which might be an important consideration in replication.
* The evaluation only considers a single YoloV8 classifier, rather than checking on multiple architectures and robustness levels, which are valid in the author's threat model. I
- The paper's central concept, developing adversarial examples that can be created with something as simple as a single marker pen, is intriguing. This raises significant security concerns, particularly the possibility of attackers drawing lines on the ground to mislead autonomous driving systems.
- The authors suggest employing Jitter and Erasing as augmentation techniques during the optimization process of adversarial examples. These methods could potentially enhance the robustness of adversaria
- The most significant shortcoming of this paper is the extremely insufficient evaluations. Attacks like the ones proposed are designed to be executed in real-world scenarios, which are typically "black-box" in nature. To only assess such attacks in "white-box" settings is not adequate; after all, any attack designed to maximize the loss function might perform well against known classifiers in such a setting.
- Additionally, the experimentation is conducted exclusively on the YOLOv8 model. To en
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Cell Image Analysis Techniques · Advanced Neural Network Applications
