ShapeShifter: Robust Physical Adversarial Attack on Faster R-CNN Object Detector (1804.05810v3)

Abstract: Given the ability to directly manipulate image pixels in the digital input space, an adversary can easily generate imperceptible perturbations to fool a Deep Neural Network (DNN) image classifier, as demonstrated in prior work. In this work, we propose ShapeShifter, an attack that tackles the more challenging problem of crafting physical adversarial perturbations to fool image-based object detectors like Faster R-CNN. Attacking an object detector is more difficult than attacking an image classifier, as it needs to mislead the classification results in multiple bounding boxes with different scales. Extending the digital attack to the physical world adds another layer of difficulty, because it requires the perturbation to be robust enough to survive real-world distortions due to different viewing distances and angles, lighting conditions, and camera limitations. We show that the Expectation over Transformation technique, which was originally proposed to enhance the robustness of adversarial perturbations in image classification, can be successfully adapted to the object detection setting. ShapeShifter can generate adversarially perturbed stop signs that are consistently mis-detected by Faster R-CNN as other objects, posing a potential threat to autonomous vehicles and other safety-critical computer vision systems.

Overview of "ShapeShifter: Robust Physical Adversarial Attack on Faster R-CNN Object Detector"

The paper "ShapeShifter: Robust Physical Adversarial Attack on Faster R-CNN Object Detector" investigates an innovative method for creating physical adversarial examples aimed at misleading object detection systems. Unlike traditional digital attacks on image classifiers, the research extends its scope to include real-world applications involving object detectors, specifically targeting the Faster R-CNN architecture. The authors introduce ShapeShifter, a technique that generalizes the Expectation over Transformation method to the domain of object detection, achieving robust, reproducible adversarial attacks in physical space.

Highlights and Numerical Results

The authors demonstrate their approach by creating adversarially perturbed images of stop signs. These images consistently mislead the object detector, classifying stop signs as completely unrelated objects, such as people or sports balls, at notable success rates during various real-world testing conditions. Crucially, in controlled indoor settings, their targeted high-confidence perturbations reached an 87% success rate for misclassification into the 'person' class and a 40% success rate for 'sports ball'. The untargeted attack achieved a success rate of over 70% when the goal was simply to prevent correct detection as a stop sign. Moreover, in real-world drive-by tests, the perturbed stop signs maintained high misdetection rates, highlighting the robustness of the adversarial perturbations even when environmental variables such as distance, lighting, and angle came into play.

Methodological Insights

The methodological core of the paper adapts the Expectation over Transformation technique from image classification to object detection. This adaptation required handling non-differentiability issues inherent in the object detection pipeline, particularly concerning region proposals in Faster R-CNN. The authors achieve this by decoupling the forward pass in the training process, effectively stabilizing the regions used for backpropagation during each iteration.

Furthermore, the work challenges the prevailing conventional boundary by extending adversarial perturbation strategies into the physical domain. This is a significant advancement because it rigorously tests the durability and persistence of adversarial attacks in environments that parallel their real-world deployment scenarios.

Theoretical and Practical Implications

The successful demonstration of physical adversarial attacks exposes significant vulnerabilities in state-of-the-art object detectors, emphasizing the need for enhanced defensive measures. The findings imply that current systems reliant on object detectors in safety-critical applications, such as autonomous vehicles, are potentially at risk if exposed to such adversarial examples.

From a theoretical perspective, the research underscores the urgency to design model training processes and architectures with built-in adversarial resilience, particularly considering physical-world constraints. Additionally, it raises questions about the fundamental robustness of modern neural network architectures when deployed in uncontrolled settings.

Future Developments

The future of adversarial research in object detection appears challenging yet essential. One avenue for future exploration is developing defensive strategies that can withstand adversarial attacks in both digital and physical spaces. Another possible progression is the investigation of transferring adversarial techniques across different model architectures and real-world applications to evaluate their universal applicability and optimization.

In conclusion, "ShapeShifter: Robust Physical Adversarial Attack on Faster R-CNN Object Detector" provides a compelling examination of adversarial attacks within the object detection domain. Its exploration into the physical dimensions of such attacks opens new dialogue within the research community, emphasizing both the critical risks posed by these adversarial examples and the urgent necessity for robust countermeasures.