
arxiv: 2606.00159 · v1 · pith:DOT7XBTKnew · submitted 2026-05-29 · 💻 cs.CV · cs.AI

Digital-to-Physical Transfer of Adversarial Patches for Aerial Vehicle Detection

Pith reviewed 2026-06-28 23:04 UTC · model grok-4.3

classification 💻 cs.CV cs.AI
keywords: adversarial patches · aerial vehicle detection · physical adversarial attacks · digital-to-physical transfer · YOLOv3 detector · objectness score · non-printability score · total variation constraint

The pith

Adversarial patches optimized digitally transfer to physical attacks on aerial vehicle detectors, with on-vehicle placement showing greater robustness than off-vehicle placement.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that patches can be optimized in digital space to lower the objectness scores of aerial vehicle detectors and then printed for real-world use. Experiments compare three physical placements and find that the configuration with consistent visibility maintains effectiveness better than the one strongest in simulation. A reader would care because aerial detectors support monitoring tasks where physical tampering could evade detection without obvious digital clues. The work also tests whether adding weather variations during optimization helps and reports it does not in these setups.

Core claim

Adversarial patches are optimized digitally by minimizing the maximum objectness score of a YOLOv3 detector while adding non-printability score and total variation terms to promote printability and smoothness; when printed and deployed, the ON placement achieves lower objectness score ratios in physical tests than the OFF placement despite the OFF patch performing best digitally.

What carries the argument

Loss function minimizing maximum objectness score with added non-printability score and total variation constraints.
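
What the two constraint terms measure, as an added example (not the paper's code): total variation and non-printability score in a common formulation from the adversarial-patch literature, assumed here because the page does not give the paper's exact formulas. The palette, the weights `alpha` and `beta`, and both sample patches are constructed for illustration.

```python
import random

# Constructed printable palette (RGB in [0, 1]); a real one would be measured
# from the target printer. Assumption, not taken from the paper.
PALETTE = [(0.0, 0.0, 0.0), (1.0, 1.0, 1.0), (0.8, 0.1, 0.1),
           (0.1, 0.6, 0.2), (0.1, 0.2, 0.7), (0.9, 0.8, 0.1)]


def _sq_dist(a, b):
    """Squared Euclidean distance between two RGB triples."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def total_variation(patch):
    """Mean over pixels of sqrt(sq. diff to right neighbour + sq. diff to lower one)."""
    h, w = len(patch), len(patch[0])
    total = 0.0
    for r in range(h):
        for c in range(w):
            s = 0.0
            if c + 1 < w:  # border pixels have no right neighbour
                s += _sq_dist(patch[r][c], patch[r][c + 1])
            if r + 1 < h:  # last row has no lower neighbour
                s += _sq_dist(patch[r][c], patch[r + 1][c])
            total += s ** 0.5
    return total / (h * w)


def non_printability(patch, palette=PALETTE):
    """Mean over pixels of the distance to the closest printable colour."""
    h, w = len(patch), len(patch[0])
    total = sum(min(_sq_dist(px, col) for col in palette) ** 0.5
                for row in patch for px in row)
    return total / (h * w)


def regulariser(patch, alpha=0.01, beta=2.5):
    """alpha * NPS + beta * TV; alpha and beta are hypothetical weights."""
    return alpha * non_printability(patch) + beta * total_variation(patch)


def noise_patch(size=16, seed=0):
    """Constructed sample: uniform random colours, rough and mostly off-palette."""
    rng = random.Random(seed)
    return [[(rng.random(), rng.random(), rng.random()) for _ in range(size)]
            for _ in range(size)]


def block_patch(size=16, block=4):
    """Constructed sample: smooth patch made of square blocks of palette colours."""
    return [[PALETTE[(r // block + c // block) % len(PALETTE)]
             for c in range(size)] for r in range(size)]


if __name__ == "__main__":
    for name, p in (("noise", noise_patch()), ("blocks", block_patch())):
        print(f"{name:7s} TV={total_variation(p):.3f} "
              f"NPS={non_printability(p):.3f} reg={regulariser(p):.3f}")
```

Both terms push an optimized patch toward large flat regions in a small set of printer colours, which is why printed patches of this kind tend to look blocky rather than noisy.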

If this is right

  • The OFF configuration reduces objectness most in digital images but loses relative advantage once printed and placed.
  • The ON configuration maintains lower objectness score ratios in physical environments because of consistent visibility.
  • Weather-based augmentation during digital optimization does not improve physical transfer in the tested cases.
  • Physical deployment of such patches constitutes a realistic threat to aerial detection systems used for monitoring.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Security evaluations of aerial detectors should include physical placement tests rather than relying solely on digital metrics.
  • Different detector architectures or camera resolutions might change which placement configuration transfers most effectively.
  • Countermeasures could focus on detecting unusual patterns on vehicle surfaces rather than only on background changes.

Load-bearing premise

Digital optimization with printability and smoothness constraints will produce patches whose attack strength survives the shift to physical conditions without being dominated by unmodeled variables such as lighting or camera angle.

What would settle it

Physical flight tests in which the printed ON patch produces objectness scores above the reported 0.343 ratio across multiple viewing angles and lighting conditions.

Figures

Figures reproduced from arXiv: 2606.00159 by Eun-Kyu Lee, Jung Heum Woo.

Figure 1: Illustration of the three patch configurations: (
Figure 2: Overview of the adversarial patch optimization process.
Figure 3: Example images from the datasets used in this study: (
Figure 4: Examples of the seven image-level weather augmentation cases used in patch training and
Figure 5: Visual examples of optimized patches under different TV loss coefficients: (

Original abstract

Deep neural network (DNN)-based object detectors are widely used for analyzing aerial and satellite imagery in applications such as environmental monitoring and urban analytics. Despite their strong performance, these models are known to be vulnerable to adversarial examples, and physical adversarial attacks using printable patterns pose realistic security threats. In this paper, we evaluate physical adversarial patch attacks against an aerial vehicle detector by bridging digital optimization and real-world deployment. Adversarial patches are optimized in the digital domain using a loss function that minimizes the maximum objectness score while incorporating non-printability score (NPS) and total variation (TV) constraints to ensure both printability and spatial smoothness. The optimized patches are printed and deployed in three configurations: ON, OFF, and OFF-Side. Experiments using a YOLOv3 detector show that while the OFF patch achieves the highest effectiveness in the digital domain (85.51% Average Objectness Reduction Rate (AORR)), the ON patch demonstrates superior robustness in physical environments (0.197-0.343 Objectness Score Ratio (OSR)) due to its consistent visibility. Furthermore, our results indicate that weather-based augmentation does not necessarily improve patch optimization in this domain. These findings provide critical insights into the practical vulnerabilities of aerial object detection systems.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper claims to optimize adversarial patches digitally against a YOLOv3 aerial vehicle detector using a loss that minimizes maximum objectness while adding NPS and TV constraints for printability and smoothness. The patches are then printed and tested in three physical configurations (ON, OFF, OFF-Side). Digital results show the OFF patch achieving the highest effectiveness (85.51% AORR), but physical results indicate the ON patch is more robust (OSR 0.197-0.343) due to consistent visibility, and that weather-based augmentation does not improve optimization.

Significance. If the physical transfer results are shown to be robust to unmodeled factors, the work would offer useful empirical data on digital-to-physical gaps in adversarial patch attacks for aerial detection, including the observed ranking reversal between domains.

major comments (2)
  1. [Abstract] The claim that the ON patch demonstrates superior robustness in physical environments (OSR 0.197-0.343) compared to OFF rests on the assumption that relative performance is preserved under physical deployment, yet no variance, sample sizes, or controls are reported for lighting, viewing angle, or distance across the three configurations; if these factors dominate objectness scores, the robustness conclusion and ranking reversal do not follow from the digital loss alone.
  2. [Abstract] The statement that weather-based augmentation does not necessarily improve patch optimization lacks any quantitative comparison (e.g., AORR or loss values with vs. without augmentation) or description of the augmentation procedure, rendering the claim unsupported by the presented evidence.
minor comments (1)
  1. [Abstract] The abstract reports quantitative results but provides no details on experimental setup, number of images, or detector training data, which should be added for reproducibility.

Simulated Author's Rebuttal

2 responses · 0 unresolved

Thank you for your thorough review of our manuscript. We have carefully considered the major comments and provide point-by-point responses below. We will revise the manuscript accordingly to address the concerns raised.

Point-by-point responses
  1. Referee: [Abstract] The claim that the ON patch demonstrates superior robustness in physical environments (OSR 0.197-0.343) compared to OFF rests on the assumption that relative performance is preserved under physical deployment, yet no variance, sample sizes, or controls are reported for lighting, viewing angle, or distance across the three configurations; if these factors dominate objectness scores, the robustness conclusion and ranking reversal do not follow from the digital loss alone.

    Authors: The physical experiments involved repeated trials across the configurations to account for variability in real-world conditions. However, we recognize that the abstract does not explicitly report sample sizes or variance. In the revised manuscript, we will update the abstract to include these details, such as the number of physical tests performed and the range of distances and angles used. The observed OSR values are averages from these experiments, supporting the robustness claim for the ON configuration. We will also clarify that while unmodeled factors could influence results, the consistent visibility of the ON patch contributed to its performance. revision: yes

  2. Referee: [Abstract] The statement that weather-based augmentation does not necessarily improve patch optimization lacks any quantitative comparison (e.g., AORR or loss values with vs. without augmentation) or description of the augmentation procedure, rendering the claim unsupported by the presented evidence.

    Authors: We agree that the claim in the abstract requires supporting quantitative evidence to be fully substantiated. The manuscript describes the weather augmentation procedure in the methods, but we will revise the abstract to include a direct comparison, for instance by stating the AORR achieved with and without the augmentation. This will make the statement evidence-based. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical optimization and physical transfer results are self-contained

Full rationale

The paper describes a standard adversarial patch optimization pipeline (loss minimizing max objectness + NPS + TV constraints) followed by physical printing and testing on YOLOv3. Results (digital AORR, physical OSR) are reported as direct experimental outcomes across ON/OFF/OFF-Side configurations. No equations, uniqueness theorems, or predictions are presented that reduce by construction to fitted inputs or self-citations. The central claims rest on measured transfer performance rather than any definitional or self-referential step.

Axiom & Free-Parameter Ledger

1 free parameter · 1 axiom · 0 invented entities

The evaluation depends on the assumption that the chosen loss function and constraints capture the key factors for physical transferability in aerial detection scenarios.

free parameters (1)
  • Weights in the combined loss function for objectness, NPS, and TV
    The optimization uses a loss that combines these terms but specific balancing weights are not specified in the abstract and would typically be tuned.
axioms (1)
  • Domain assumption: digital adversarial optimization with printability constraints transfers to physical-world performance
    The paper bridges digital and physical by printing and testing, relying on this transfer holding.

