Traversing the Subspace of Adversarial Patches
This work addresses the fundamental understanding of adversarial attacks in computer vision, but it is incremental as it compares existing methods without introducing new techniques.
The paper analyzed adversarial patches for person detection to test the manifold hypothesis, finding that advanced dimensionality reduction methods did not outperform simple PCA in attack performance.
Despite ongoing research on the topic of adversarial examples in deep learning for computer vision, some fundamentals of the nature of these attacks remain unclear. As the manifold hypothesis posits, high-dimensional data tends to be part of a low-dimensional manifold. To verify the thesis with adversarial patches, this paper provides an analysis of a set of adversarial patches and investigates the reconstruction abilities of three different dimensionality reduction methods. Quantitatively, the performance of reconstructed patches in an attack setting is measured and the impact of sampled patches from the latent space during adversarial training is investigated. The evaluation is performed on two publicly available datasets for person detection. The results indicate that more sophisticated dimensionality reduction methods offer no advantages over a simple principal component analysis.