Project overview
A comprehensive study of adversarial patch attacks, from 2D static patches to 3D dynamic attacks on autonomous systems.
- Developed semi-transparent patches balancing attack success and visual obtrusiveness
- Analyzed robustness to geometric transformations (rotation, scale, location)
- Introduced novel metrics like mean Attack Success over Transformations (mAST)
- Explored adaptive active attacks (AAA) for 3D kinematic trajectories
Adversarial patch attacks explained
Unlike digital perturbations, patch attacks are physical stickers that can be placed in the real world to fool AI vision systems.
Imagine a small, specially designed sticker that, when viewed by a camera, causes an AI model to misclassify what's in the image. Unlike traditional adversarial attacks that require pixel-level modifications to digital images, patch attacks work in the physical world—think of them as "digital camouflage" that exploits vulnerabilities in how AI systems process visual information. These attacks are particularly concerning for autonomous vehicles, where a patch on a stop sign could make it appear as a speed limit sign to the car's computer vision system.
2D patch robustness analysis
Systematic evaluation of patch attack effectiveness under geometric transformations using the Expectation over Transformation (EoT) framework.
Geometric Transformations
EoT Framework
Scale Invariance
Semi-transparent Patches
Analyzed how rotation, scaling, and positioning affect attack success rates. Findings showed that scale has the most significant impact on performance, with training distribution support directly influencing robustness to out-of-distribution transformations.
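An added example, not code from the project: one way to aggregate patch-robustness test results per transformation, so an evaluator can see at which scales and rotations a model is exposed. The trial counts, the `TRAIN_SCALE_SUPPORT` range and the mAST formula used here (unweighted mean of per-cell success rates) are assumptions; the page does not give the metric's definition.

```python
from collections import defaultdict

# Constructed results, not project data: (scale, rotation_deg) -> (trials fooled, trials run).
CELL_COUNTS = {
    (0.1, 0): (0, 4), (0.1, 45): (0, 4),
    (0.3, 0): (3, 4), (0.3, 45): (2, 4),
    (0.5, 0): (4, 4), (0.5, 45): (3, 4),
}
# Assumed range of patch scales sampled during EoT training (hypothetical).
TRAIN_SCALE_SUPPORT = (0.3, 0.5)


def expand(cell_counts):
    """Turn per-cell counts into one record per evaluation trial."""
    trials = []
    for (scale, rotation), (fooled, run) in cell_counts.items():
        trials += [{"scale": scale, "rotation": rotation, "fooled": i < fooled}
                   for i in range(run)]
    return trials


def success_by(trials, key):
    """Attack success rate for each value of one transformation parameter."""
    hits, total = defaultdict(int), defaultdict(int)
    for t in trials:
        total[t[key]] += 1
        hits[t[key]] += t["fooled"]
    return {value: hits[value] / total[value] for value in sorted(total)}


def mast(trials, keys=("scale", "rotation")):
    """Assumed mAST: unweighted mean of success rates over transformation cells,
    so an over-sampled transformation does not dominate the score."""
    cells = defaultdict(list)
    for t in trials:
        cells[tuple(t[k] for k in keys)].append(t["fooled"])
    rates = [sum(outcomes) / len(outcomes) for outcomes in cells.values()]
    return sum(rates) / len(rates)


def support_split(trials, key, support):
    """Success rate inside vs. outside the training range of one parameter."""
    lo, hi = support
    inside = [t["fooled"] for t in trials if lo <= t[key] <= hi]
    outside = [t["fooled"] for t in trials if not lo <= t[key] <= hi]
    rate = lambda xs: sum(xs) / len(xs) if xs else None
    return rate(inside), rate(outside)
```

A large gap between the two values returned by `support_split` indicates that the measured robustness figure depends on which transformations the test set happened to cover.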
3D patch attacks and trajectories
Extending patch attacks to 3D space with adaptive active attacks (AAA) that optimize for observer pose and kinematic motion.
3D Pose
Kinematic Trajectories
Adaptive Attacks
Autonomous Driving
Developed AAA attacks that consider the full 3D trajectory of an observer, demonstrating improved success rates (up to 15% for specific classes) over static patches. Introduced risk-based metrics to evaluate attack success probability while accounting for detection likelihood.
Key findings and implications
Insights into patch attack limitations and design principles for more robust computer vision systems.
Identified fundamental cutoff limits in attack effectiveness based on out-of-plane rotation angles. Demonstrated that increasing training distribution support improves invariance to transformations like rotation and looming motion. These results inform both attack development and defense strategies for real-world AI safety.