Snowball Adversarial Attack on Traffic Sign Classification

TL;DR

This paper introduces the Snowball Adversarial Attack, a method that uses visible perturbations to deceive traffic sign classifiers, exposing vulnerabilities in deep neural networks and emphasizing the need for better defenses.

Contribution

The paper presents a novel adversarial attack that employs visible perturbations, leveraging human object recognition robustness to fool machine learning models in traffic sign recognition.

Findings

Snowball Attack effectively confuses traffic sign classifiers across various images.

The attack significantly reduces model accuracy with minimal perturbation effort.

It highlights vulnerabilities in current deep neural networks for image recognition.

Abstract

Adversarial attacks on machine learning models often rely on small, imperceptible perturbations to mislead classifiers. Such strategy focuses on minimizing the visual perturbation for humans so they are not confused, and also maximizing the misclassification for machine learning algorithms. An orthogonal strategy for adversarial attacks is to create perturbations that are clearly visible but do not confuse humans, yet still maximize misclassification for machine learning algorithms. This work follows the later strategy, and demonstrates instance of it through the Snowball Adversarial Attack in the context of traffic sign recognition. The attack leverages the human brain's superior ability to recognize objects despite various occlusions, while machine learning algorithms are easily confused. The evaluation shows that the Snowball Adversarial Attack is robust across various images and is able to confuse state-of-the-art traffic sign recognition algorithm. The findings reveal that Snowball Adversarial Attack can significantly degrade model performance with minimal effort, raising important concerns about the vulnerabilities of deep neural networks and highlighting the necessity for improved defenses for image recognition machine learning models.