Multi-View Black-Box Physical Attacks on Infrared Pedestrian Detectors Using Adversarial Infrared Grid

Read original: arXiv:2407.01168 - Published 7/9/2024 by Kalibinuer Tiliwalidi, Chengyin Hu, Weiwen Shi
Overview

  • This paper presents a novel attack method called "Adversarial Infrared Grid" that can bypass infrared pedestrian detectors used in autonomous vehicles and robotics.
  • The attack leverages physical world perturbations in the infrared spectrum to fool the target detectors, without requiring access to the detector's internals or training data.
  • The authors demonstrate the effectiveness of their attack method across multiple viewing angles and show that it can achieve high targeted misclassification rates against state-of-the-art infrared pedestrian detectors.

Plain English Explanation

The paper describes a way to trick infrared pedestrian detectors used in self-driving cars and robots. These detectors use infrared cameras to spot people, but the researchers found a method to make the detectors "not see" pedestrians in the real world.

They created a special grid of infrared lights that can be placed in the environment. When the infrared detectors see this grid, they become confused and fail to correctly identify the people around it. This works from different angles, so the grid can be placed to hide pedestrians from the detectors' view.

The key insight is that by carefully designing the infrared pattern, they can exploit vulnerabilities in how the detectors work, without needing access to the detector's inner workings or training data. This makes the attack more practical to deploy in the real world compared to other adversarial approaches that require that kind of access.

Technical Explanation

The paper proposes a novel "Adversarial Infrared Grid" attack that can fool infrared-based pedestrian detectors used in autonomous vehicles and robotics. Unlike previous white-box attacks that require access to the model architecture and training data, this is a black-box attack that only relies on the target detector's observable inputs and outputs.

The core idea is to create a physical infrared grid pattern that, when placed in the environment, induces the target detector to misclassify pedestrians as non-pedestrians. The authors show that by optimizing the grid parameters, such as the positions and intensities of the infrared LEDs, they can generate an adversarial infrared pattern that is effective across multiple viewpoints, as demonstrated in their experiments.

The optimization process leverages techniques like "Integrated Gradients" to estimate the gradient of the detector's output with respect to the infrared grid, without requiring access to the model internals. This allows them to perform a "ControlLoc" style attack, where they can control the location of the misclassification.

The authors evaluate their attack on state-of-the-art infrared pedestrian detectors and demonstrate high targeted misclassification rates, even when the grid is placed at various distances and angles relative to the detector.

Critical Analysis

The paper presents a compelling attack that highlights the vulnerability of infrared-based perception systems to physical-world perturbations. The authors make a strong case for the practical feasibility of their approach, as it does not require access to the target model's internals or training data.

However, the paper does not discuss potential mitigations or defense strategies that could be employed to make these detectors more robust against such attacks. Future research could explore techniques to detect or neutralize adversarial infrared patterns in the environment.

Additionally, the authors focus solely on pedestrian detection, but the implications of this attack could extend to other infrared-based perception tasks, such as vehicle or object detection. Further research is needed to understand the broader impact and applicability of this attack methodology.

Conclusion

This paper introduces a novel black-box physical attack called the "Adversarial Infrared Grid" that can effectively fool state-of-the-art infrared pedestrian detectors used in autonomous vehicles and robotics. By carefully designing an optimized infrared pattern, the authors demonstrate the ability to induce targeted misclassifications of pedestrians across multiple viewing angles, without requiring access to the detector's internals or training data.

The significance of this work lies in its potential impact on the safety and reliability of infrared-based perception systems in real-world applications. The findings highlight the need for further research into developing robust defense mechanisms to mitigate such physical-world adversarial attacks and ensure the trustworthiness of these critical systems.



This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!

Related Papers

Multi-View Black-Box Physical Attacks on Infrared Pedestrian Detectors Using Adversarial Infrared Grid

Kalibinuer Tiliwalidi, Chengyin Hu, Weiwen Shi

While extensive research exists on physical adversarial attacks within the visible spectrum, studies on such techniques in the infrared spectrum are limited. Infrared object detectors are vital in modern technological applications but are susceptible to adversarial attacks, posing significant security threats. Previous studies using physical perturbations like light bulb arrays and aerogels for white-box attacks, or hot and cold patches for black-box attacks, have proven impractical or limited in multi-view support. To address these issues, we propose the Adversarial Infrared Grid (AdvGrid), which models perturbations in a grid format and uses a genetic algorithm for black-box optimization. These perturbations are cyclically applied to various parts of a pedestrian's clothing to facilitate multi-view black-box physical attacks on infrared pedestrian detectors. Extensive experiments validate AdvGrid's effectiveness, stealthiness, and robustness. The method achieves attack success rates of 80.00% in digital environments and 91.86% in physical environments, outperforming baseline methods. Additionally, the average attack success rate exceeds 50% against mainstream detectors, demonstrating AdvGrid's robustness. Our analyses include ablation studies, transfer attacks, and adversarial defenses, confirming the method's superiority.

7/9/2024

Infrared Adversarial Car Stickers

Xiaopei Zhu, Yuqiu Liu, Zhanhao Hu, Jianmin Li, Xiaolin Hu

Infrared physical adversarial examples are of great significance for studying the security of infrared AI systems that are widely used in our lives such as autonomous driving. Previous infrared physical attacks mainly focused on 2D infrared pedestrian detection which may not fully manifest its destructiveness to AI systems. In this work, we propose a physical attack method against infrared detectors based on 3D modeling, which is applied to a real car. The goal is to design a set of infrared adversarial stickers to make cars invisible to infrared detectors at various viewing angles, distances, and scenes. We build a 3D infrared car model with real infrared characteristics and propose an infrared adversarial pattern generation method based on 3D mesh shadow. We propose a 3D control points-based mesh smoothing algorithm and use a set of smoothness loss functions to enhance the smoothness of adversarial meshes and facilitate the sticker implementation. Besides, we designed the aluminum stickers and conducted physical experiments on two real Mercedes-Benz A200L cars. Our adversarial stickers hid the cars from Faster RCNN, an object detector, at various viewing angles, distances, and scenes. The attack success rate (ASR) was 91.49% for real cars. In comparison, the ASRs of random stickers and no sticker were only 6.21% and 0.66%, respectively. In addition, the ASRs of the designed stickers against six unseen object detectors such as YOLOv3 and Deformable DETR were between 73.35%-95.80%, showing good transferability of the attack performance across detectors.

5/17/2024

Defending Against Physical Adversarial Patch Attacks on Infrared Human Detection

Lukas Strack, Futa Waseda, Huy H. Nguyen, Yinqiang Zheng, Isao Echizen

Infrared detection is an emerging technique for safety-critical tasks owing to its remarkable anti-interference capability. However, recent studies have revealed that it is vulnerable to physically-realizable adversarial patches, posing risks in its real-world applications. To address this problem, we are the first to investigate defense strategies against adversarial patch attacks on infrared detection, especially human detection. We propose a straightforward defense strategy, patch-based occlusion-aware detection (POD), which efficiently augments training samples with random patches and subsequently detects them. POD not only robustly detects people but also identifies adversarial patch locations. Surprisingly, while being extremely computationally efficient, POD easily generalizes to state-of-the-art adversarial patch attacks that are unseen during training. Furthermore, POD improves detection precision even in a clean (i.e., no-attack) situation due to the data augmentation effect. Our evaluation demonstrates that POD is robust to adversarial patches of various shapes and sizes. The effectiveness of our baseline approach is shown to be a viable defense mechanism for real-world infrared human detection systems, paving the way for exploring future research directions.

6/11/2024

Patch of Invisibility: Naturalistic Physical Black-Box Adversarial Attacks on Object Detectors

Raz Lapid, Eylon Mizrahi, Moshe Sipper

Adversarial attacks on deep-learning models have been receiving increased attention in recent years. Work in this area has mostly focused on gradient-based techniques, so-called white-box attacks, wherein the attacker has access to the targeted model's internal parameters; such an assumption is usually unrealistic in the real world. Some attacks additionally use the entire pixel space to fool a given model, which is neither practical nor physical (i.e., real-world). On the contrary, we propose herein a direct, black-box, gradient-free method that uses the learned image manifold of a pretrained generative adversarial network (GAN) to generate naturalistic physical adversarial patches for object detectors. To our knowledge this is the first and only method that performs black-box physical attacks directly on object-detection models, which results in a model-agnostic attack. We show that our proposed method works both digitally and physically. We compared our approach against four different black-box attacks with different configurations. Our approach outperformed all other approaches that were tested in our experiments by a large margin.

8/20/2024