
Object Addition Attacks: Mechanisms & Implications

Updated 24 September 2025
  • Object Addition Attacks (OAA) are adversarial techniques that induce false detections by fabricating phantom objects via digital perturbations, backdoor triggers, or physical artifacts.
  • They exploit vulnerabilities in detection pipelines through methods like adversarial noise, trigger-based poisoning, and mirror-based LiDAR spoofing to bypass system defenses.
  • Empirical studies show significant detection degradation—such as over 50% mAP drop—highlighting critical challenges and the need for robust sensor fusion and context-aware defenses.

Object Addition Attacks (OAA) comprise a family of adversarial techniques aimed at deceiving detection or perception systems—both in 2D image-based and 3D LiDAR-based sensing—by inducing the system to report additional, non-existent objects in its output. In OAA, the adversary manipulates the system’s inputs (pixel values, physical environment, or sensor returns) so that the detector fabricates extra bounding boxes, detections, or “phantom” objects. The OAA class spans digital adversarial examples, backdoor-induced hallucinations, and physical/world attacks, and is of particular relevance in safety- and security-critical applications such as autonomous driving, robotics, and surveillance. This article surveys the core mechanisms, models, empirical evidence, and implications of Object Addition Attacks, as established by recent research across modalities.

1. Conceptual Foundations and Taxonomy

OAAs target the integrity of object detection by causing the system to output redundant, spurious, or fabricated objects not present in the true scene (Nguyen et al., 4 Aug 2024). They are distinct from object removal (“vanishing”), localization, or misclassification attacks in that their primary effect is the introduction of false positive detections. Subtypes are classified by the means of attack and the component under manipulation:

  • Adversarial perturbations: Carefully crafted pixel-level noise designed to raise the objectness score or classification confidence in specific image regions, bypassing non-maximum suppression (NMS) or similar postprocessing modules.
  • Backdoor attacks: Model poisoning at training time (potentially clean-label), such that a trigger pattern induces the network to output additional detections on trigger presentation, termed object generation attack (OGA) (Cheng et al., 2023, Shin, 20 Mar 2024).
  • Physical/world attacks: Real-world artifacts (e.g., adversarial patches, 3D objects, mirrors) introduced into the scene, causing the detector to report phantom objects (Lian et al., 17 Aug 2024, Yahia et al., 21 Sep 2025).

OAAs exploit architectural properties such as large receptive fields, proposal generation, and post-processing stages in detectors. The taxonomy is summarized in Table 1.

| Taxonomy Axis | OAA Example | Reference |
|---|---|---|
| Attack Vector | Digital, Physical, Backdoor | (Nguyen et al., 4 Aug 2024, Chan et al., 2022, Yahia et al., 21 Sep 2025) |
| Target Module | Objectness score, NMS, data association | (Nguyen et al., 4 Aug 2024, Liu et al., 2023) |
| Application Domain | Vision (2D/3D), LiDAR, Surveillance | (Yahia et al., 21 Sep 2025, Lian et al., 17 Aug 2024) |

2. Core Digital Attack Mechanisms

Digital OAAs commonly use adversarial optimization to introduce imperceptible or local perturbations that fabricate detections of new objects. Daedalus and related approaches explicitly manipulate the objectness score and classification confidence so as to create bounding boxes in locations with no true objects (Nguyen et al., 4 Aug 2024).

Let $x$ be the original image, $\delta$ the adversarial perturbation, $f$ the detector, and $L_{\text{adv}}$ the loss. The general optimization is

$$\delta^* = \arg\min_\delta L_{\text{adv}}(x+\delta, y; \Theta)$$

where $L_{\text{adv}}$ is designed to maximize the number of false positives by increasing objectness and classification outputs for selected regions. In practice, this is combined with loss terms to reduce box overlap (low IoU) to evade NMS filtering, following the method in (Nguyen et al., 4 Aug 2024).
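The following added example (not code from the cited papers) shows why IoU-based NMS does not filter such detections: greedy NMS collapses near-duplicate boxes around one object but keeps every box in a low-overlap cluster. The boxes, scores, and the `src` label are constructed for illustration.

```python
def iou(a, b):
    """Intersection-over-union of two boxes given as (x1, y1, x2, y2)."""
    iw = max(0.0, min(a[2], b[2]) - max(a[0], b[0]))
    ih = max(0.0, min(a[3], b[3]) - max(a[1], b[1]))
    inter = iw * ih
    union = (a[2] - a[0]) * (a[3] - a[1]) + (b[2] - b[0]) * (b[3] - b[1]) - inter
    return inter / union if union > 0 else 0.0


def nms(dets, iou_thr=0.5):
    """Greedy NMS: visit boxes by descending score, drop any box whose IoU
    with an already-kept box exceeds iou_thr."""
    kept = []
    for det in sorted(dets, key=lambda d: d["score"], reverse=True):
        if all(iou(det["box"], k["box"]) <= iou_thr for k in kept):
            kept.append(det)
    return kept


def constructed_frame():
    """Constructed detector output (not real data). 'src' is a ground-truth
    label kept only so the demo can count survivors per source."""
    dets = [
        {"box": (100, 100, 200, 200), "score": 0.95, "src": "real"},
        {"box": (104, 102, 204, 202), "score": 0.90, "src": "real"},
        {"box": (98, 97, 198, 199), "score": 0.85, "src": "real"},
    ]
    # Nine 40x40 boxes on a 30-pixel stride: neighbours overlap, but only
    # by IoU ~0.14, far below the suppression threshold.
    for i in range(3):
        for j in range(3):
            x, y = 300 + 30 * i, 300 + 30 * j
            dets.append({"box": (x, y, x + 40, y + 40), "score": 0.60, "src": "fabricated"})
    return dets


def survivors_by_source(dets, iou_thr=0.5):
    """Count post-NMS detections per source label."""
    counts = {}
    for det in nms(dets, iou_thr):
        counts[det["src"]] = counts.get(det["src"], 0) + 1
    return counts


if __name__ == "__main__":
    print(survivors_by_source(constructed_frame()))
```

Tightening the threshold to 0.2 leaves the result unchanged, so the overlap criterion alone cannot separate duplicate suppression from fabricated-box filtering.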

Notable digital OAA variants include:

  • Diffused Patch Attacks (DPAttack): Places asteroid-shaped or grid-shaped small perturbations inside object bounding boxes to alter detector outputs with fewer than 2% of pixels changed. Empirically, DPAttack achieves a nearly 100% success rate in disabling YOLOv4 detection performance, and 65–86% on Faster RCNN, despite perturbing a visually indiscernible area (Wu et al., 2020).
  • Context-Aware Attacks: Leverage object co-occurrence, spatial layout, and size statistics to increase the plausibility of added objects in the context, yielding up to 20 percentage points improvement in black-box transfer success over context-agnostic methods (Cai et al., 2021).
  • Layout-Aware Attacks (GLOW): Explicitly optimize the semantic and geometric consistency of object addition, ensuring added objects are spatially and categorically coherent with the scene, overcoming many context consistency defenses (Liu et al., 2023).

3. Backdoor and Clean-Label OAA

Backdoor-based OAAs compromise detector training by embedding a hidden association between a trigger pattern and an output that artificially “adds” an object.

The technical instantiation follows these steps (Chan et al., 2022, Shin, 20 Mar 2024):

  1. Trigger Injection: For some training samples, overlay a pattern $x_{\text{trigger}}$ at location $(a, b)$. The poisoned image is

$$x_{\text{poisoned}} = \alpha \otimes x_{\text{trigger}} + (1-\alpha) \otimes x$$

where $\alpha$ controls visibility of the trigger.

  2. Annotation Augmentation: Corresponding to each injected trigger, augment the ground truth by appending a target-class bounding box $o_{\text{target}}$ centered at the trigger.
  3. Backdoored Training: Train the detector on the mixture of clean and poisoned samples. At inference, the trigger causes the detector to generate a high-confidence bounding box at the trigger's location, even if no object is present.

SSL-OTA exploits the downstream fine-tuning of SSL-based detectors, achieving attack success rates over 85% at only 0.5% poison rates by blending triggers at both encoder and object annotation phases (Wang et al., 2023).

Clean-label variants (modifying images but not annotations) induce the detector to associate regions containing the trigger with object/non-object background through pixel-level cues alone, making such OAAs stealthy and resilient to annotation-level audits (Cheng et al., 2023).

4. Physical and Real-World Object Addition Attacks

OAAs extend to the physical world by introducing tangible objects (patches, 3D props, or reflective surfaces) that manipulate the sensor stream. Key insights are summarized below:

  • Patch-based Attacks: PADetBench standardizes the evaluation of 23 physical attack strategies across 48 detectors in simulation. Results indicate vehicle detection systems are 2–4× more vulnerable to OAA than pedestrian detectors; e.g., recall degradation can exceed 50% for vehicle OAAs under adverse dynamics (Lian et al., 17 Aug 2024). The attack success rate is computed as $ASR = 1 - \frac{M_{\text{attack}}}{M_{\text{clean}}}$ where $M$ is the mAP or mAR metric.
  • Mirror-Based LiDAR OAA: By placing planar mirrors, an attacker can inject “phantom” points into a 3D point cloud, causing the AV to perceive non-existent obstacles (Yahia et al., 21 Sep 2025). This follows the physics of specular reflection:

$$\vec{v}_{\text{ref}} = \vec{v}_{\text{in}} - 2(\vec{v}_{\text{in}} \cdot \vec{n})\vec{n}$$

where $\vec{n}$ is the mirror normal. Experiments show that with increasing mirror area (up to 0.6 m²) and tilt, dense clusters of false detections appear in the AV’s perception layer, triggering control actions such as emergency braking.

  • Variable-Size Triggers: In the real world, the effectiveness of visual triggers depends on scale and illumination. Variable-size triggers, which scale with object bounding box dimensions, are shown to enhance real-world OAA resilience, achieving attack success rates above 80–85% under varying conditions (Qian et al., 2023). Malicious adversarial training further increases robustness to environmental noise.
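The specular-reflection formula in the mirror-based LiDAR item above, carried through as an added worked example (not code from the cited paper). It assumes an ideal time-of-flight sensor and an unbounded mirror plane $\vec{n} \cdot \vec{p} = d$ with unit normal; all function names and coordinates are constructed. It shows that the reported point is the mirror image of the real surface, so a suspect point can be unfolded back to its source and tested for lying behind a known reflective plane.

```python
import math


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def add(a, b):
    return tuple(x + y for x, y in zip(a, b))


def scale(a, s):
    return tuple(x * s for x in a)


def reflect(v_in, n):
    """v_ref = v_in - 2 (v_in . n) n, with n a unit normal."""
    return add(v_in, scale(n, -2.0 * dot(v_in, n)))


def reported_point(sensor, v_in, n, d, target_range):
    """Where the sensor places a return that bounced off the plane n.p = d
    and then travelled target_range further to a real surface."""
    t_hit = (d - dot(n, sensor)) / dot(n, v_in)      # sensor -> mirror distance
    hit = add(sensor, scale(v_in, t_hit))
    real = add(hit, scale(reflect(v_in, n), target_range))
    # The sensor knows only total path length and the outgoing direction.
    phantom = add(sensor, scale(v_in, t_hit + target_range))
    return hit, real, phantom


def unfold(p, n, d):
    """Mirror image of p across the plane: maps a phantom point to its source."""
    return add(p, scale(n, -2.0 * (dot(n, p) - d)))


def crosses_plane(sensor, p, n, d):
    """True if sensor and p lie on opposite sides of the plane, i.e. a direct
    line-of-sight return from p would have to pass through the surface."""
    return (dot(n, sensor) - d) * (dot(n, p) - d) < 0


def demo():
    # Constructed geometry: beam along +x, mirror through (5, 0, 0) tilted 45 degrees.
    s = 1.0 / math.sqrt(2.0)
    n = (-s, s, 0.0)
    d = dot(n, (5.0, 0.0, 0.0))
    sensor, v_in = (0.0, 0.0, 0.0), (1.0, 0.0, 0.0)
    hit, real, phantom = reported_point(sensor, v_in, n, d, 3.0)
    return hit, real, phantom, unfold(phantom, n, d), crosses_plane(sensor, phantom, n, d)
```

In this geometry the real surface at (5, 3, 0) is reported at (8, 0, 0), three metres behind the mirror along the beam. A real mirror has finite extent, so a deployed check would also need to confirm that the beam's hit point falls on the reflective surface.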

5. Evaluation Metrics and Empirical Outcomes

OAA effectiveness is quantified by several metrics, including:

  • Attack Success Rate (ASR): Proportion of triggered samples leading to successful fabricated detection (usually defined as a detection at the trigger with confidence and IoU above thresholds).
  • mAP/mAR Degradation: Reduction in mean average precision or recall relative to the clean baseline as a result of fabricated objects (Lian et al., 17 Aug 2024).
  • AP_attack: Average precision on the fabricated (targeted) class in backdoor or adversarial settings (Chan et al., 2022, Wang et al., 2023).
  • Bounding Box Ratio (BBR), Overall Score (OS): Specific to patch-based attacks, ratios capture the fraction of original detections retained and the combined penalty for altered pixels and reduced detection counts (Wu et al., 2020).

Experimental campaigns report:

6. Defense Strategies and Open Research Challenges

Initial countermeasures to OAAs include:

  • Patch/Trigger Detection and Filtering: Entropy-based runtime detection (Detector Cleanse) flags anomalous entropy distributions in feature space (Chan et al., 2022). However, subtle or invisible triggers elude entropy-based methods (STRIP), especially when perturbations are spatially localized or mask-generated (Shin, 20 Mar 2024).
  • Contextual Consistency Checks: Enforcing global semantic and geometric consistency using context-aware models can mitigate context-inconsistent OAAs but is insufficient against attacks that explicitly optimize for layout realism (Liu et al., 2023).
  • Sensor Fusion and Cross-Modality Validation: In physical and LiDAR-based attacks, multi-modal verification (e.g., validating LiDAR points with thermal or camera data) can flag detections unsupported by all modalities (Yahia et al., 21 Sep 2025). However, environmental factors weaken such strategies in practice.
  • Light Fingerprinting and Optical Statistics: Extracting feature-level signatures from sensor returns can distinguish specular (mirror-induced) artifacts from legitimate object surfaces, though real-world variability and data scarcity constrain deep learning–based discrimination (Yahia et al., 21 Sep 2025).

Broader research gaps involve the development of robust NMS variants (Nguyen et al., 4 Aug 2024), improved modeling of digital–physical and physical–digital transformations for transferability analysis (Lian et al., 17 Aug 2024), adversarial training directly targeting OAA objectives, and holistic evaluation frameworks that accommodate multi-object, multi-sensor, and temporally coordinated attacks.

7. Implications and Future Research Directions

Object Addition Attacks represent a crucial vulnerability in both digital and physical perception pipelines for autonomous systems, with practical exploits demonstrated on both vision and LiDAR modalities (Yahia et al., 21 Sep 2025, Lian et al., 17 Aug 2024). Advancements in context and layout-aware attack generation yield more transferable and stealthy OAAs (Cai et al., 2021, Liu et al., 2023). Physical attacks underline the gap between theoretical and real-world robustness, as current detectors often fail under adversarial object fabrication in the wild (Lian et al., 17 Aug 2024).

Open directions include:

  • Improved defenses robust to both digital and physical OAAs, including robust NMS, advanced trigger detection, and better multi-modality fusion (Nguyen et al., 4 Aug 2024, Yahia et al., 21 Sep 2025).
  • Benchmarks and simulation frameworks that account for complex world conditions, sensor noise, and adversarial realism at scale (Lian et al., 17 Aug 2024).
  • Theoretical modeling and empirical assessment of adaptive and dynamic OAAs that tailor their input modifications in response to arbitrary environmental state changes (Qian et al., 2023).

A plausible implication is that without systematic progress across algorithmic, architectural, and sensor-level defense strategies, OAAs will remain an acute threat to deployment of autonomous detection systems in open-world environments.
