Dual Attention Suppression Attack: Generate Adversarial Camouflage in Physical World

Abstract: Deep learning models are vulnerable to adversarial examples. As a more threatening type for practical deep learning systems, physical adversarial examples have received extensive research attention in recent years. However, without exploiting the intrinsic characteristics such as model-agnostic and human-specific patterns, existing works generate weak adversarial perturbations in the physical world, which fall short of attacking across different models and show visually suspicious appearance. Motivated by the viewpoint that attention reflects the intrinsic characteristics of the recognition process, this paper proposes the Dual Attention Suppression (DAS) attack to generate visually-natural physical adversarial camouflages with strong transferability by suppressing both model and human attention. As for attacking, we generate transferable adversarial camouflages by distracting the model-shared similar attention patterns from the target to non-target regions. Meanwhile, based on the fact that human visual attention always focuses on salient items (e.g., suspicious distortions), we evade the human-specific bottom-up attention to generate visually-natural camouflages which are correlated to the scenario context. We conduct extensive experiments in both the digital and physical world for classification and detection tasks on up-to-date models (e.g., Yolo-V5) and significantly demonstrate that our method outperforms state-of-the-art methods.

• The paper presents a dual mechanism combining model and human attention suppression to generate effective adversarial camouflage.
• It employs connected graph disruptions and context-aligned seed patches, significantly reducing model accuracy (up to 41.02% drop).
• The method improves attack transferability and stealth in physical environments, highlighting critical challenges for model robustness.

Dual Attention Suppression Attack: Generation of Adversarial Camouflage

The research presented in the paper focuses on advancing the understanding and creation of adversarial examples specifically within the physical world. Adversarial examples pose significant challenges to deep learning models as they leverage small, often imperceptible perturbations to manipulate model predictions. This research introduces the Dual Attention Suppression (DAS) attack method, a novel approach to generate adversarial camouflages that are both transferable across models and visually indistinguishable to human perception.

Analytical Highlights

Deep neural networks (DNNs), despite their impressive performance across various domains, remain vulnerable to adversarial attacks. In this study, the authors propose a method that addresses the shortcomings of existing physical adversarial attacks by incorporating both model and human attention suppression mechanisms. The paper surveys earlier approaches which generated perturbations lacking in visual plausibility and robust transferability across different models. The DAS attack stands out due to its focus on leveraging attention patterns, which are seen as intrinsic to the recognition capabilities of both computational models and the human visual system.

Methodological Insights

The DAS attack method employs a dual mechanism to enhance the efficacy of adversarial camouflages:

1. Model Attention Distraction: This facet of the method distracts model attention by dispersing it from targeted objects to non-significant regions. It exploits a biological observation that similar stimulus features yield comparable neural activities—analogously hypothesized in DNNs. Shared attention patterns among diverse models are manipulated via connected graph disruptions to reduce focused accuracy on salient objects, thus increasing attack transferability.
2. Human Visual Attention Evasion: Human-specific visual cues are evaded by generating camouflages that blend with contextual scenarios. The employment of semantics and shape correlations ensures that the generated perturbations are contextually and perceptually aligned with the environment, reducing chances of detection by the human eye. A seed content patch with relevant contextual imagery is utilised to maintain visual coherence.

Experimental Framework

The authors conducted extensive experiments in both digital and physical environments on state-of-the-art models such as Yolo-V5 for detection and Inception-V3 for classification. The results indicate that the DAS method significantly outperforms predecessor methodologies in reducing model accuracy and evading human detection. Notably, accuracy reductions showed a maximum drop of 41.02% on ResNet-152 vs. baseline methods, confirming the DAS method's superiority in maintaining low suspicion while achieving higher transferability in adversarial contexts.

Implications and Future Directions

The DAS method potentially shifts the paradigm of adversarial attacks by harnessing dual attention mechanisms, opening new avenues for both adversarial research and model robustness studies. Understanding and mitigating adversarial effects in real-world scenarios remains a critical challenge; thus, future work might explore the synergy between adversarial attack techniques and defense mechanisms to enhance model resilience.

Moreover, the findings underline the necessity for researchers to consider both cognitive and computational attention models when designing systems susceptible to adversarial threats. As AI models continue spreading into safety-critical domains such as autonomous driving, safeguarding against such sophisticated attacks becomes paramount.

The future potential of DAS and similar strategies suggests extensive practical applications beyond mere adversarial perturbation, contributing to more robust artificial intelligence frameworks capable of withstanding nuanced adversarial manipulation.