Physical Adversarial Attacks on Deep Neural Networks for Traffic Sign Recognition: A Feasibility Study

Fabian Woitschek, Georg Schneider

[ZF Friedrichshafen AG]

A Feasibility Study of Physical Adversarial Attacks on Deep Neural Networks for Traffic Sign Recognition

Key points:

  1. Deep neural networks (DNNs) are increasingly applied in the real world in safety-critical applications such as advanced driver assistance systems. One example of such a use case is a traffic sign recognition system. At the same time, it is well known that current DNNs can be fooled by adversarial attacks, which raises safety concerns if these attacks can be applied under realistic conditions.
  2. This paper applies different black-box attack methods to generate perturbations that are applied in the physical environment and can be used to fool systems under different environmental conditions. This is the first work to combine a general framework for physical attacks with different black-box attack methods and to study the impact of the different methods on the attack success rate under the same setting.

One-sentence summary:

Reliable physical adversarial attacks can be performed with different methods, and the perceptibility of the resulting perturbations can also be reduced. Viable defenses for DNNs are needed even in the black-box case, but at the same time this lays the foundation for securing DNNs with methods such as adversarial training, which uses adversarial attacks to augment the original training data.

Deep Neural Networks (DNNs) are increasingly applied in the real world in safety-critical applications like advanced driver assistance systems. An example of such a use case is represented by traffic sign recognition systems. At the same time, it is known that current DNNs can be fooled by adversarial attacks, which raises safety concerns if those attacks can be applied under realistic conditions. In this work we apply different black-box attack methods to generate perturbations that are applied in the physical environment and can be used to fool systems under different environmental conditions. To the best of our knowledge we are the first to combine a general framework for physical attacks with different black-box attack methods and to study the impact of the different methods on the success rate of the attack under the same setting. We show that reliable physical adversarial attacks can be performed with different methods and that it is also possible to reduce the perceptibility of the resulting perturbations. The findings highlight the need for viable defenses of a DNN even in the black-box case, but at the same time form the basis for securing a DNN with methods like adversarial training, which utilizes adversarial attacks to augment the original training data.

https://arxiv.org/pdf/2302.13570.pdf
