Natural Adversarial Patch Generation Method Based on Latent Diffusion Model
This addresses the issue of adversarial patch camouflage for real-world applications, though it is incremental as it builds on existing adversarial attack and diffusion model techniques.
The paper tackles the problem of adversarial patches being easily detectable by proposing the Latent Diffusion Patch (LDP) method, which uses a pretrained encoder and diffusion model to generate more natural-looking patches, achieving a visual subjectivity score of 87.3% while maintaining attack effectiveness.
Recently, some research show that deep neural networks are vulnerable to the adversarial attacks, the well-trainned samples or patches could be used to trick the neural network detector or human visual perception. However, these adversarial patches, with their conspicuous and unusual patterns, lack camouflage and can easily raise suspicion in the real world. To solve this problem, this paper proposed a novel adversarial patch method called the Latent Diffusion Patch (LDP), in which, a pretrained encoder is first designed to compress the natural images into a feature space with key characteristics. Then trains the diffusion model using the above feature space. Finally, explore the latent space of the pretrained diffusion model using the image denoising technology. It polishes the patches and images through the powerful natural abilities of diffusion models, making them more acceptable to the human visual system. Experimental results, both digital and physical worlds, show that LDPs achieve a visual subjectivity score of 87.3%, while still maintaining effective attack capabilities.