NO Need to Worry about Adversarial Examples in Object Detection in Autonomous Vehicles

Lu, Jiayu; Sibai, Hussein; Fabry, Evan; Forsyth, David

doi:10.48550/arxiv.1707.03501

Cited by 92 publications

(79 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…2) Image Transformation: Different distances, angles, and illuminations will result in image transformations that impact the robustness of the physical AEs. AEs generated through the L-BFGS attack [5], fast gradient sign method [7], and the C&W attack [6] often lose their adversarial nature once subjected to minor transformations [35,36]. To address this challenge, Athalye et al [12] introduced the Expectation Over Transformation (EOT).…”

Section: ) Cross-domain Conversionmentioning

confidence: 99%

See 1 more Smart Citation

Fooling the Eyes of Autonomous Vehicles: Robust Physical Adversarial Examples Against Traffic Sign Recognition Systems

Wang¹,

Lu²,

Zhang³

et al. 2022

Preprint

View full text Add to dashboard Cite

Adversarial Examples (AEs) can deceive Deep Neural Networks (DNNs) and have received a lot of attention recently. However, majority of the research on AEs is in the digital domain and the adversarial patches are static. Such research is very different from many real-world DNN applications such as Traffic Sign Recognition (TSR) systems in autonomous vehicles. In TSR systems, object detectors use DNNs to process streaming video in real time. From the view of object detectors, the traffic sign's position and quality of the video are continuously changing, rendering the digital AEs ineffective in the physical world.In this paper, we propose a systematic pipeline to generate robust physical AEs against real-world object detectors. Robustness is achieved in three ways. First, we simulate the in-vehicle cameras by extending the distribution of image transformations with the blur transformation and the resolution transformation. Second, we design the single and multiple bounding boxes filters to improve the efficiency of the perturbation training. Third, we consider four representative attack vectors, namely Hiding Attack (HA), Appearance Attack (AA), Non-Target Attack (NTA) and Target Attack (TA). For each of them, a loss function is defined to minimize the impact of the fabrication process on the physical AEs.We perform a comprehensive set of experiments under a variety of environmental conditions by varying the distance from 0m to 30m, changing the angle from −60 • to 60 • , and considering illuminations in sunny and cloudy weather as well as at night. The experimental results show that the physical AEs generated from our pipeline are effective and robust when attacking the YOLO v5 based TSR system. The attacks have good transferability and can deceive other state-of-the-art object detectors. We launched HA and NTA on a brand-new 2021 model vehicle. Both attacks are successful in fooling the TSR system, which could be a lifethreatening case for autonomous vehicles. Finally, we discuss three defense mechanisms based on image preprocessing, AEs detection, and model enhancing.

show abstract

Section: ) Cross-domain Conversionmentioning

confidence: 99%

“…The L 0 attack was the first published attack that caused the targeted misclassification on the ImageNet dataset. Although most of the digital AEs lose their adversarial nature in the physical environment [35,36], these three classic methods are still used for generating physical AEs.…”

Section: Related Workmentioning

confidence: 99%

Fooling the Eyes of Autonomous Vehicles: Robust Physical Adversarial Examples Against Traffic Sign Recognition Systems

Wang¹,

Lu²,

Zhang³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…For this reason, significant efforts have been made to improve the robustness of models without resorting to AT. Proposed solutions cover a wide range of techniques based on curvature regularization [17], robust optimization to improve local stability [23], the use of additional unlabeled data [4], local linearization [21], Parseval networks [5], defensive distillation [19], model ensembles [18], channel-wise activations suppressing [2], feature denoising [29], self-supervised learning for adversarial purification [25], and input manipulations [7,9,15]. All the listed techniques, except those based on input manipulations, require training the model or an auxiliary module from scratch.…”

Section: Related Workmentioning

confidence: 99%

“…In [15] the authors analyze the effect of image rescaling on adversarial examples. [7] explores the possibility to improve robustness through JPG (re)compression, based on the intuition that adversarial perturbations are unlikely to leave an image in the space of JPG images.…”

Section: Related Workmentioning

confidence: 99%

“…Based on the above intuitions, this paper presents a novel image filtering framework aimed at improving robustness against adversarial attacks without resorting to AT. While it is not the first contribution introducing techniques based on input manipulation to prevent adversarial attacks [7,9,15], this work differs significantly from prior literature in the fundamental concepts at the basis of its functioning. The main difference between our method and others relying on input transformations is that we explicitly remove textures from input images while preserving the informative features.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Improving Robustness with Image Filtering

Terzi¹,

Carletti²,

Susto³

2021

Preprint

View full text Add to dashboard Cite

Adversarial robustness is one of the most challenging problems in Deep Learning and Computer Vision research. All the state-of-the-art techniques require a time-consuming procedure that creates cleverly perturbed images. Due to its cost, many solutions have been proposed to avoid Adversarial Training. However, all these attempts proved ineffective as the attacker manages to exploit spurious correlations among pixels to trigger brittle features implicitly learned by the model. This paper first introduces a new image filtering scheme called Image-Graph Extractor (IGE) that extracts the fundamental nodes of an image and their connections through a graph structure. By leveraging the IGE representation, we build a new defense method, Filtering As a Defense, that does not allow the attacker to entangle pixels to create malicious patterns. Moreover, we show that data augmentation with filtered images effectively improves the model's robustness to data corruption. We validate our techniques on CIFAR-10, CIFAR-100, and ImageNet.

show abstract

Unsupervised Hard Example Mining from Videos for Improved Object Detection

Jin

RoyChowdhury

Jiang

et al. 2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Important gains have recently been obtained in object detection by using training objectives that focus on hard negative examples, i.e., negative examples that are currently rated as positive or ambiguous by the detector. These examples can strongly influence parameters when the network is trained to correct them. Unfortunately, they are often sparse in the training data, and are expensive to obtain. In this work, we show how large numbers of hard negatives can be obtained automatically by analyzing the output of a trained detector on video sequences. In particular, detections that are isolated in time, i.e., that have no associated preceding or following detections, are likely to be hard negatives. We describe simple procedures for mining large numbers of such hard negatives (and also hard positives) from unlabeled video data. Our experiments show that retraining detectors on these automatically obtained examples often significantly improves performance. We present experiments on multiple architectures and multiple data sets, including face detection, pedestrian detection and other object categories.

show abstract

NO Need to Worry about Adversarial Examples in Object Detection in Autonomous Vehicles

Cited by 92 publications

References 20 publications

Fooling the Eyes of Autonomous Vehicles: Robust Physical Adversarial Examples Against Traffic Sign Recognition Systems

Fooling the Eyes of Autonomous Vehicles: Robust Physical Adversarial Examples Against Traffic Sign Recognition Systems

Improving Robustness with Image Filtering

Unsupervised Hard Example Mining from Videos for Improved Object Detection

Contact Info

Product

Resources

About