Invisible Perturbations: Physical Adversarial Examples Exploiting the Rolling Shutter Effect (2011.13375v3)

Abstract: Physical adversarial examples for camera-based computer vision have so far been achieved through visible artifacts -- a sticker on a Stop sign, colorful borders around eyeglasses or a 3D printed object with a colorful texture. An implicit assumption here is that the perturbations must be visible so that a camera can sense them. By contrast, we contribute a procedure to generate, for the first time, physical adversarial examples that are invisible to human eyes. Rather than modifying the victim object with visible artifacts, we modify light that illuminates the object. We demonstrate how an attacker can craft a modulated light signal that adversarially illuminates a scene and causes targeted misclassifications on a state-of-the-art ImageNet deep learning model. Concretely, we exploit the radiometric rolling shutter effect in commodity cameras to create precise striping patterns that appear on images. To human eyes, it appears like the object is illuminated, but the camera creates an image with stripes that will cause ML models to output the attacker-desired classification. We conduct a range of simulation and physical experiments with LEDs, demonstrating targeted attack rates up to 84%.

• The paper demonstrates a novel technique to create physical adversarial examples invisible to the human eye by modulating light to exploit camera rolling shutters.
• This method uses time-varying light patterns, undetectable by humans, to induce specific image striping effects that cause misclassification in machine learning models.
• The findings reveal potential vulnerabilities in camera-based vision systems used in areas like security and autonomous navigation, underscoring the need for resilient models or complementary defenses.

Overview of Invisible Perturbations Exploiting the Rolling Shutter Effect

The paper "Invisible Perturbations: Physical Adversarial Examples Exploiting the Rolling Shutter Effect," discusses the feasibility and execution of adversarial attacks on camera-based computer vision systems using invisible perturbations. The authors outline the process of creating adversarial examples that are imperceptible to the human eye, exploiting the rolling shutter effect used by many consumer-grade cameras.

Key Contributions

The methodology presented distinguishes itself from previous approaches that employ visible changes to objects, such as stickers or colored patches. Instead, the approach capitalizes on modulating light sources to induce adversarial patterns visible only to cameras operating under a rolling shutter mechanism. This mechanism creates specific striping effects on images captured by such cameras, leading to misclassification by machine learning models.

The authors demonstrate the ability to manipulate the illumination of objects so that the resultant image captured by a camera induces machine learning models to output incorrect classifications. The core of their contribution is an algorithm that crafts a time-varying light pattern that modulates high-frequency light signals undetectable to human observers.

Strong Numerical Results

In their experimental characterization, the authors report targeted attack success rates up to 84% on a state-of-the-art ResNet-101 classifier trained on ImageNet. The success of this attack is notably influenced by various factors such as camera exposure settings, ambient lighting conditions, and viewpoint transformations. Short exposure settings (about 1/750 seconds or shorter) enhance the attack's effectiveness, corroborated by both simulation and physical tests.

Challenges and Solutions

The paper discusses several challenges associated with executing these attacks, such as desynchronization between the camera and light source, camera exposure settings, and color discrepancies between emitted and perceived light. To mitigate these, the authors develop a differentiable model that simulates image formation under rolling shutter conditions, allowing them to robustly optimize the light signals against various environmental and optical constraints.

To accommodate varying ambient light conditions, the authors suggest predefining signals optimized for distinct ambient intensities which can be dynamically switched based on qualitative ambient light measurement.

Implications and Future Directions

The implications of this research are profound, indicating potential vulnerabilities in systems reliant on camera-based vision for security and autonomous operations. The practicality of using light modulation instead of visible physical modifications highlights an emergent threat vector that could impact applications in AR, robotics, and autonomous vehicles.

From a theoretical perspective, such adversarial attacks underpin the need for developing more resilient models or employing complementary defenses to ensure reliable visual recognition despite adversarial attempts.

Moving forward, research could focus on exploring methods to counteract these subtle perturbations, perhaps by adjusting camera sensor designs or incorporating optical pre-processing to detect anomalies introduced by adversarial light modulation.

In conclusion, the paper presents an innovative perspective on physical adversarial attacks, advancing the discourse on machine vision safety and security by uncovering a novel method to exploit rolling shutter effects invisible to human perception but impactful on computer vision.