Network transferability of adversarial patches in real-time object detection

TL;DR

This paper investigates how adversarial patches designed for object detection transfer across different neural network architectures and datasets, revealing that larger models produce more transferable patches.

Contribution

It provides an extensive evaluation of adversarial patch transferability across multiple object detector architectures and datasets, highlighting the impact of model size.

Findings

Larger models yield more transferable adversarial patches.

Transferability varies significantly across different detector architectures.

Patches optimized on larger models perform better across various networks.

Abstract

Adversarial patches in computer vision can be used, to fool deep neural networks and manipulate their decision-making process. One of the most prominent examples of adversarial patches are evasion attacks for object detectors. By covering parts of objects of interest, these patches suppress the detections and thus make the target object 'invisible' to the object detector. Since these patches are usually optimized on a specific network with a specific train dataset, the transferability across multiple networks and datasets is not given. This paper addresses these issues and investigates the transferability across numerous object detector architectures. Our extensive evaluation across various models on two distinct datasets indicates that patches optimized with larger models provide better network transferability than patches that are optimized with smaller models.