Breaking the Illusion: Real-world Challenges for Adversarial Patches in Object Detection

TL;DR

This paper examines the real-world effectiveness of adversarial patches against YOLO object detection, highlighting environmental factors that influence attack success and the challenges in maintaining robustness outside digital environments.

Contribution

It provides an empirical analysis of physical adversarial patches, revealing how environmental variables affect their performance and exposing challenges in real-world attack deployment.

Findings

Adversarial patch effectiveness varies significantly with environmental factors.

Up to 64% discrepancy in patch performance due to real-world transformations.

Environmental influences are crucial for designing robust defenses against physical attacks.

Abstract

Adversarial attacks pose a significant threat to the robustness and reliability of machine learning systems, particularly in computer vision applications. This study investigates the performance of adversarial patches for the YOLO object detection network in the physical world. Two attacks were tested: a patch designed to be placed anywhere within the scene - global patch, and another patch intended to partially overlap with specific object targeted for removal from detection - local patch. Various factors such as patch size, position, rotation, brightness, and hue were analyzed to understand their impact on the effectiveness of the adversarial patches. The results reveal a notable dependency on these parameters, highlighting the challenges in maintaining attack efficacy in real-world conditions. Learning to align digitally applied transformation parameters with those measured in the real world still results in up to a 64\% discrepancy in patch performance. These findings underscore the importance of understanding environmental influences on adversarial attacks, which can inform the development of more robust defenses for practical machine learning applications.