CV | Mar 8, 2020

Adversarial Camouflage: Hiding Physical-World Attacks with Natural Styles

arXiv:2003.08757v2 | 269 citations
Originality: Highly original
AI Analysis

This addresses the need for more realistic adversarial attacks to evaluate DNN robustness, with potential applications in privacy protection, though it is incremental in improving stealth over prior physical-world methods.

The paper tackles the problem that physical-world adversarial examples are easily spotted by humans. It proposes Adversarial Camouflage (AdvCam), which hides large perturbations in natural styles, resulting in highly stealthy and effective attacks that fool state-of-the-art DNN classifiers.

Deep neural networks (DNNs) are known to be vulnerable to adversarial examples. Existing works have mostly focused on either digital adversarial examples created via small and imperceptible perturbations, or physical-world adversarial examples created with large and less realistic distortions that are easily identified by human observers. In this paper, we propose a novel approach, called Adversarial Camouflage (AdvCam), to craft and camouflage physical-world adversarial examples into natural styles that appear legitimate to human observers. Specifically, AdvCam transfers large adversarial perturbations into customized styles, which are then "hidden" on-target object or off-target background. Experimental evaluation shows that, in both digital and physical-world scenarios, adversarial examples crafted by AdvCam are well camouflaged and highly stealthy, while remaining effective in fooling state-of-the-art DNN image classifiers. Hence, AdvCam is a flexible approach that can help craft stealthy attacks to evaluate the robustness of DNNs. AdvCam can also be used to protect private information from being detected by deep learning systems.

Code Implementations: 1 repo