Towards an End-to-End (E2E) Adversarial Learning and Application in the Physical World

TL;DR

This paper introduces PAPLA, an end-to-end framework for generating adversarial patches directly in the physical domain using a projector, improving attack success in real-world scenarios over traditional digital-to-physical methods.

Contribution

The paper presents the first end-to-end physical-domain adversarial patch learning framework, PAPLA, utilizing a projector to generate effective adversarial patches directly in the physical environment.

Findings

PAPLA outperforms digital-to-physical methods in attack success rates.

Environmental factors significantly influence the effectiveness of projected adversarial patches.

Feasibility demonstrated on real-world objects like cars and stop signs.

Abstract

The traditional learning process of patch-based adversarial attacks, conducted in the digital domain and then applied in the physical domain (e.g., via printed stickers), may suffer from reduced performance due to adversarial patches' limited transferability from the digital domain to the physical domain. Given that previous studies have considered using projectors to apply adversarial attacks, we raise the following question: can adversarial learning (i.e., patch generation) be performed entirely in the physical domain with a projector? In this work, we propose the Physical-domain Adversarial Patch Learning Augmentation (PAPLA) framework, a novel end-to-end (E2E) framework that converts adversarial learning from the digital domain to the physical domain using a projector. We evaluate PAPLA across multiple scenarios, including controlled laboratory settings and realistic outdoor environments, demonstrating its ability to ensure attack success compared to conventional digital learning-physical application (DL-PA) methods. We also analyze the impact of environmental factors, such as projection surface color, projector strength, ambient light, distance, and angle of the target object relative to the camera, on the effectiveness of projected patches. Finally, we demonstrate the feasibility of the attack against a parked car and a stop sign in a real-world outdoor environment. Our results show that under specific conditions, E2E adversarial learning in the physical domain eliminates the transferability issue and ensures evasion by object detectors. Finally, we provide insights into the challenges and opportunities of applying adversarial learning in the physical domain and explain where such an approach is more effective than using a sticker.