Suppress with a Patch: Revisiting Universal Adversarial Patch Attacks against Object Detection
This work addresses security vulnerabilities in object detection systems, but it is incremental as it builds on existing adversarial patch methods.
The paper tackled the problem of improving universal adversarial patch attacks against object detection by analyzing patch generation parameters, finding that randomizing patch position during training significantly increases attack strength, with the best results achieved when patch position varied within a batch.
Adversarial patch-based attacks aim to fool a neural network with an intentionally generated noise, which is concentrated in a particular region of an input image. In this work, we perform an in-depth analysis of different patch generation parameters, including initialization, patch size, and especially positioning a patch in an image during training. We focus on the object vanishing attack and run experiments with YOLOv3 as a model under attack in a white-box setting and use images from the COCO dataset. Our experiments have shown, that inserting a patch inside a window of increasing size during training leads to a significant increase in attack strength compared to a fixed position. The best results were obtained when a patch was positioned randomly during training, while patch position additionally varied within a batch.