AdvLogo: Adversarial Patch Attack against Object Detectors based on Diffusion Models
This addresses security vulnerabilities in object detectors for applications like autonomous vehicles, but it is incremental as it builds on existing adversarial patch methods.
The paper tackles the problem of adversarial patch attacks on object detectors by proposing AdvLogo, a framework that uses diffusion models to generate patches that balance attack effectiveness and visual quality, achieving strong attack performance with high visual quality in experiments.
With the rapid development of deep learning, object detectors have demonstrated impressive performance; however, vulnerabilities still exist in certain scenarios. Current research exploring the vulnerabilities using adversarial patches often struggles to balance the trade-off between attack effectiveness and visual quality. To address this problem, we propose a novel framework of patch attack from semantic perspective, which we refer to as AdvLogo. Based on the hypothesis that every semantic space contains an adversarial subspace where images can cause detectors to fail in recognizing objects, we leverage the semantic understanding of the diffusion denoising process and drive the process to adversarial subareas by perturbing the latent and unconditional embeddings at the last timestep. To mitigate the distribution shift that exposes a negative impact on image quality, we apply perturbation to the latent in frequency domain with the Fourier Transform. Experimental results demonstrate that AdvLogo achieves strong attack performance while maintaining high visual quality.