Abstract
Physical adversarial attacks against vehicle detection are gaining attention. However, most prior works focus on improving attack ability by amplifying the intensity and scope of perturbations, which results in a visually suspicious appearance that exposes attackers’ behavior. Motivated by the shape preference characteristic exhibited in human cognitive processes, we propose a shape constraint physical camouflage attack (SC-PCA) to generate vehicle camouflage. To generate naturalistic perturbations, we use a contour image as the control condition and introduce a shape-aware loss in conditional generative adversarial network. Then, we map the perturbations onto the surface of the target vehicle to form the camouflage. By setting different transformation parameters, vehicle images of multiple perspectives and multiple scenes can be rendered. Experiments conducted in both digital and physical worlds demonstrate that our method has a good attack ability, can deceive the vehicle detector in the real world, and can adapt to various angle, distance, and background changes. Moreover, the outcome of the human perception survey indicates that our approach outperforms the state-of-the-art techniques.
Similar content being viewed by others
References
Qiu, H., Zheng, Q., Memmi, G., et al. (2020). Deep residual learning-based enhanced jpeg compression in the internet of things. IEEE Transactions on Industrial Informatics, 17(3), 2124–2133.
Zhang, Y., Qiu, M., & Gao, H. (2023). Communication-efficient stochastic gradient descent ascent with momentum algorithms. In: Proceedings of the 32nd International Joint Conference on Artificial Intelligence.
Ling, C., Jiang, J., Wang, J., et al. (2023). Deep graph representation learning and optimization for influence maximization. In: Proceedings of the 40th International Conference on Machine Learning, pp 21350–21361.
Qiu, H., Qiu, M., & Lu, R. (2019). Secure v2x communication network based on intelligent pki and edge computing. IEEE Network, 34(2), 172–178.
Song, Y., Li, Y., Jia, L., & Qiu, M. (2019). Retraining strategy-based domain adaption network for intelligent fault diagnosis. IEEE Transactions on Industrial Informatics, 16(9), 6163–6171.
Huang, H., Chaturvedi, V., Quan, G., Fan, J., & Qiu, M. (2014). Throughput maximization for periodic real-time systems under the maximal temperature constraint. ACM Transactions on Embedded Computing Systems (TECS), 13(2s), 1–22.
Goodfellow, I. J., Shlens, J., & Szegedy, C. (2014). Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572
Carlini, N., & Wagner, D. (2017). Towards evaluating the robustness of neural networks. In: 2017 IEEE Symposium on Security and Privacy (sp), IEEE, pp 39–57.
Moosavi-Dezfooli, S. M., Fawzi, A., & Frossard, P. (2016). Deepfool: a simple and accurate method to fool deep neural networks. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp 2574–2582.
Qiu, H., Zeng, Y., Guo, S., et al. (2021). Deepsweep: An evaluation framework for mitigating dnn backdoor attacks using data augmentation. In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, pp 363–377.
Qiu, M., & Qiu, H. (2020). Review on image processing based adversarial example defenses in computer vision. In: IEEE 6th Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE, pp 94–99.
Madry, A., Makelov, A., Schmidt, L., et al. (2018). Towards deep learning models resistant to adversarial attacks. In: International Conference on Learning Representations, pp 1–23.
Serban, A., Poll, E., & Visser, J. (2020). Adversarial examples on object recognition: A comprehensive survey. ACM Computing Surveys (CSUR), 53(3), 1–38.
Athalye, A., Engstrom, L., Ilyas, A., et al. (2018). Synthesizing robust adversarial examples. In: International Conference on Machine Learning, PMLR, pp 284–293.
Su, J., Vargas, D. V., & Sakurai, K. (2019). One pixel attack for fooling deep neural networks. IEEE Transactions on Evolutionary Computation, 23(5), 828–841.
Zeng, Y., Pan, M., Just, H. A., et al. (2023). Narcissus: A practical clean-label backdoor attack with limited information. In: Proceedings of the ACM Conference on Computer and Communications Security, pp 1–14.
Nie, S., Liu, L., & Du, Y. (2017). Free-fall: Hacking tesla from wireless to can bus. Briefing, Black Hat USA, 25, 1–16.
Nassi, B., Mirsky, Y., Nassi, D., et al. (2020) Phantom of the adas: Securing advanced driver-assistance systems from split-second phantom attacks. In: Proceedings of the 2020 ACM SIGSAC conference on computer and communications security, pp 293–308.
Xiao, Z., Gao, X., Fu, C., et al. (2021). Improving transferability of adversarial patches on face recognition with generative models. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp 11845–11854.
Finlayson, S. G., Bowers, J. D., Ito, J., et al. (2019). Adversarial attacks on medical machine learning. Science, 363(6433), 1287–1289.
Hu, C., & Shi, W. (2022). Adversarial color film: Effective physical-world attack to dnns. arXiv preprint arXiv:2209.02430
Sayles, A., Hooda, A., Gupta, M., et al. (2021). Invisible perturbations: Physical adversarial examples exploiting the rolling shutter effect. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp 14666–14675.
Xiao, C., Yang, D., Li, B., et al. (2019). Meshadv: Adversarial meshes for visual recognition. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp 6898–6907.
Gnanasambandam, A., Sherman, A. M., & Chan, S. H. (2021). Optical adversarial attack. In: Proceedings of the IEEE/CVF International Conference on Computer Vision, pp 92–101.
Duan, R., Mao, X., Qin, A. K., et al. (2021). Adversarial laser beam: Effective physical-world attack to dnns in a blink. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp 16062–16071.
Zhong, Y., Liu, X., Zhai, D., et al. (2022). Shadows can be dangerous: Stealthy and effective physical-world adversarial attack by natural phenomenon. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp 15345–15354.
Eykholt, K., Evtimov, I., Fernandes, E., et al. (2018). Robust physical-world attacks on deep learning visual classification. In: Proceedings of the IEEE conference on Computer Vision And Pattern Recognition, pp 1625–1634.
Liu, A., Liu, X., Fan, J., et al. (2019). Perceptual-sensitive gan for generating adversarial patches. In: Proceedings of the AAAI conference on artificial intelligence, pp 1028–1035.
Liu, A., Wang, J., Liu, X., et al. (2020). Bias-based universal adversarial patch attack for automatic check-out. In: Computer Vision–ECCV 2020: 16th European Conference, Glasgow, UK, August 23–28, 2020, Proceedings, Part XIII 16, Springer, pp 395–410.
Thys, S., Van Ranst, W., & Goedemé, T. (2019). Fooling automated surveillance cameras: adversarial patches to attack person detection. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops, pp 1–7.
Xu, K., Zhang, G., Liu, S., et al. (2020). Adversarial t-shirt! evading person detectors in a physical world. In: Computer Vision–ECCV 2020: 16th European Conference, Glasgow, UK, August 23–28, 2020, Proceedings, Part V 16, Springer, pp 665–681.
Hu, Y. C. T., Kung, B. H., Tan, D. S., et al. (2021). Naturalistic physical adversarial patch for object detectors. In: Proceedings of the IEEE/CVF International Conference on Computer Vision, pp 7848–7857.
Ritter, S., Barrett, D. G., Santoro, A., et al. (2017). Cognitive psychology for deep neural networks: A shape bias case study. In: International Conference on Machine Learning, PMLR, pp 2940–2949
Landau, B., Smith, L. B., & Jones, S. S. (1988). The importance of shape in early lexical learning. Cognitive Development, 3(3), 299–321.
Wang, D., Jiang, T., Sun, J., et al. (2022). Fca: Learning a 3d full-coverage vehicle camouflage for multi-view physical adversarial attack. In: Proceedings of the AAAI Conference on Artificial Intelligence, pp 2414–2422
Song, D., Eykholt, K., Evtimov, I., et al. (2018). Physical adversarial examples for object detectors. In: 12th USENIX workshop on offensive technologies (WOOT 18), pp 1–10.
Brown, T. B., Mané, D., Roy, A., et al. (2017). Adversarial patch. arXiv preprint arXiv:1712.09665
Zhang, Y., Foroosh, H., David, P., et al. (2019). Camou: Learning physical vehicle camouflages to adversarially attack detectors in the wild. In: International Conference on Learning Representations, pp 1–20
Duan, R., Ma, X., Wang, Y., et al. (2020). Adversarial camouflage: Hiding physical-world attacks with natural styles. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, pp 1000–1008
Huang, L., Gao, C., Zhou, Y., et al. (2020). Universal physical camouflage attacks on object detectors. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp 720–729
Wu, T., Ning, X., Li, W., et al. (2020). Physical adversarial attack on vehicle detector in the carla simulator. arXiv preprint arXiv:2007.16118
Wang, J., Liu, A., Yin, Z., et al. (2021). Dual attention suppression attack: Generate adversarial camouflage in physical world. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp 8565–8574.
Selvaraju, R. R., Cogswell, M., Das, A., et al. (2017). Grad-cam: Visual explanations from deep networks via gradient-based localization. In: Proceedings of the IEEE International Conference on Computer Vision, pp 618–626.
Goodfellow, I., Pouget-Abadie, J., Mirza, M., et al. (2014). Generative adversarial nets. Advances in Neural Information Processing Systems, 27.
Mirza, M., & Osindero, S. (2014). Conditional generative adversarial nets. arXiv preprint arXiv:1411.1784
Gazzaniga, M. S. (2004). The cognitive neurosciences. MIT press.
Isola, P., Zhu, J. Y., Zhou, T., et al. (2017). Image-to-image translation with conditional adversarial networks. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp 1125–1134
Zhao, H., Gallo, O., Frosio, I., et al. (2016). Loss functions for image restoration with neural networks. IEEE Transactions on Computational Imaging, 3(1), 47–57.
Sharif, M., Bhagavatula, S., Bauer, L., et al. (2016). Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition. In: Proceedings of the 2016 ACM Sigsac Conference on Computer and Communications Security, pp 1528–1540
Kato, H., Ushiku, Y., & Harada, T. (2018). Neural 3d mesh renderer. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp 3907–3916.
Liu, W., Anguelov, D., Erhan, D., et al. (2016). SSD: Single shot multibox detector. In: European Conference on Computer Vision, Springer, pp 21–37.
Girshick, R. (2015). Fast R-CNN. In: Proceedings of the IEEE International Conference on Computer Vision, pp 1440–1448.
Ge, Z., Liu, S., Wang, F., et al. (2021). Yolox: Exceeding yolo series in 2021. arXiv preprint arXiv:2107.08430
Wang, C. Y., Bochkovskiy, A., & Liao, H. Y. M. (2022). Yolov7: Trainable bag-of-freebies sets new state-of-the-art for real-time object detectors. arXiv preprint arXiv:2207.02696
Wang, Z., Bovik, A. C., Sheikh, H. R., et al. (2004). Image quality assessment: from error visibility to structural similarity. IEEE Transactions on Image Processing, 13(4), 600–612.
Author information
Authors and Affiliations
Contributions
Hao Wang: Conceptualization, Methodology, Writing - Review & Editing. Jingjing Qin: Software, Validation, Formal Analysis, Writing - Original Draft. Yixue Huang: Algorithm Implementation, Visualization. Genping Wu: Methodology, Formal Analysis. Hongfeng Zhang: Software, Algorithm Implementation. Jintao Yang: Methodology, Writing - Review & Editing.
Corresponding author
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Wang, H., Qin, J., Huang, Y. et al. SC-PCA: Shape Constraint Physical Camouflage Attack Against Vehicle Detection. J Sign Process Syst 95, 1405–1424 (2023). https://doi.org/10.1007/s11265-023-01890-8
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11265-023-01890-8