Adversarial Patch
Reviewed by Pithpith:FQ7KEVPJopen to challenge →
read the original abstract
We present a method to create universal, robust, targeted adversarial image patches in the real world. The patches are universal because they can be used to attack any scene, robust because they work under a wide variety of transformations, and targeted because they can cause a classifier to output any target class. These adversarial patches can be printed, added to any scene, photographed, and presented to image classifiers; even when the patches are small, they cause the classifiers to ignore the other items in the scene and report a chosen target class. To reproduce the results from the paper, our code is available at https://github.com/tensorflow/cleverhans/tree/master/examples/adversarial_patch
This paper has not been read by Pith yet.
Forward citations
Cited by 28 Pith papers
-
Test-time Adversarial Takeover: A Real-time Hijacking Interface against Robotic Diffusion Policies
TAKO demonstrates real-time adversarial takeover of robotic diffusion policies via reusable universal patches on visual inputs, achieving 100% success in steering attacker-chosen trajectories across multiple tasks, en...
-
AirflowAttack: Thermal-Airflow Adversarial Perturbations against Infrared Remote-Sensing Vision-Language Models
A single input-agnostic thermal-airflow perturbation, optimized on one surrogate CLIP model, transfers to five CLIP backbones and six VLMs, degrading scene classification by up to 38.2%.
-
ForesightSafety-VLA: A Unified Diagnostic Safety Benchmark for Vision-Language-Action Models
ForesightSafety-VLA creates a diagnostic benchmark for VLA safety with taxonomy across physical, language, and visual risks, showing perception and structure variations cause more safety degradation than language chan...
-
ForesightSafety-VLA: A Unified Diagnostic Safety Benchmark for Vision-Language-Action Models
ForesightSafety-VLA is a new benchmark with 13 safety categories, cumulative cost and risk exposure metrics, and controlled variations to diagnose safety failures in VLA models rather than aggregate task success.
-
Shoot the Honey, Cloak the Player: Towards Zero-Runtime-Overhead Proactive Defense and Detection for Visual Game Cheating
AimTrap is an end-to-end system using Adversarial Camouflage Textures (ACT) and Adversarial Honeypot Textures (AHT) synthesized via differentiable rendering to defend against and detect visual aimbots, with reported s...
-
How Do Document Parsers Break? Auditing Structural Vulnerability in Document Intelligence
A new output-level auditing framework with B-SLR and exposure descriptors shows that structure-targeted perturbations better predict OCR instability and downstream degradation than footprint size in document parsers.
-
How Do Document Parsers Break? Auditing Structural Vulnerability in Document Intelligence
ProSA auditing framework shows that structural loss metrics track OCR instability and downstream QA degradation far better than area-based footprint measures across two document parsers on 1,000 pages.
-
Thermally Activated Dual-Modal Adversarial Clothing against AI Surveillance Systems
Thermally activated clothing with thermochromic dyes and heaters creates dynamic adversarial patterns that evade AI surveillance in visible and infrared modalities while appearing ordinary when inactive.
-
Adversarial Hubness in Multi-Modal Retrieval
Adversarial hubs can be generated to be retrieved as top-1 for over 84% of test queries in text-to-image retrieval, far exceeding natural hubs.
-
Off the Rails: Hijacking the Scoring Head in Generative End-to-End Driving Planners with Safety-Violating Adversarial Perturbations
Derail adversarial perturbations hijack the scoring head in generative E2E driving planners, flipping safe to unsafe trajectory selection with 39-80% score drops and up to 50% collision rates.
-
Amnesia: A Stealthy Replay Attack on Continual Learning Dreams
Amnesia is a replay composition attack on continual learning that tilts class distributions under visibility (delta) and mass (f) budgets to reduce accuracy while evading audits.
-
Test-Time Collective Action: Proxy-Based Perturbations for Correcting Algorithmic Harms
Groups of users can extract a proxy from a black-box model via pooled queries and apply optimized per-class perturbations at test time to close most subgroup accuracy gaps on image classification tasks.
-
TRAP: Tail-aware Ranking Attack for World-Model Planning
TRAP is a tail-aware ranking attack that plants a backdoor in world models so that a trigger causes the model to reorder a few critical imagined trajectories and redirect planning while preserving normal behavior on c...
-
Transferable Physical-World Adversarial Patches Against Object Detection in Autonomous Driving
AdvAD produces physical-world adversarial patches with improved transferability to unseen object detectors by multi-model optimization, adaptive balancing, and physical variation robustness.
-
Transferable Physical-World Adversarial Patches Against Pedestrian Detection Models
TriPatch generates transferable physical adversarial patches via multi-stage triplet loss, appearance consistency, and data augmentation to achieve higher attack success rates on pedestrian detectors than prior methods.
-
Street-Legal Physical-World Adversarial Rim for License Plates
SPAR is a street-legal physical rim that cuts modern ALPR accuracy by 60% and reaches 18% targeted impersonation while costing under $100 and requiring no plate modification.
-
Remote Rowhammer Attack using Adversarial Observations on Federated Learning Clients
A reinforcement learning attacker manipulates client sensor observations in federated learning to induce repetitive server memory updates, achieving around 70% repeated update rate and enabling remote Rowhammer bit fl...
-
Robust Synthesis of Adversarial Visual Examples Using a Deep Image Prior
A DIP-based optimization produces adversarial perturbations and patches that are more robust to affine transformations than standard high-frequency noise while staying imperceptible.
-
Explaining Deep Learning Models with Constrained Adversarial Examples
Introduces CADEX to generate domain-constrained counterfactual explanations for ML models using adversarial perturbations.
-
On Physical Adversarial Patches for Object Detection
A physical patch suppresses all object detections by YOLOv3 even for distant objects without overlapping them.
-
Understanding Adversarial Transferability in Vision-Language Models for Autonomous Driving: A Cross-Architecture Analysis
Adversarial patches transfer across three VLM architectures in autonomous driving scenarios with 73-91% success rates and affect 65-79% of critical decision frames even without target-specific optimization.
-
Survival of the Cheapest: Cost-Aware Hardware Adaptation for Adversarial Robustness
A decision-support framework applies AFT models to show Nvidia L4 GPUs yield 20% longer adversarial survival time at 75% lower cost than V100, with inference latency as the strongest robustness predictor.
-
AEGIS: A Semantic GAN and Evidential Learning Frameworkfor Robust Adversarial Detection in Vision Sensors
AEGIS combines SemantiGAN filtering with evidential learning on five handcrafted instability metrics to detect adversarial attacks, reporting 92.1% AUROC on Tiny ImageNet across six attack types.
-
Budget-Aware Adaptive Adversarial Patches for Black-Box Object Detection
Introduces a budget-adaptive black-box adversarial patch attack that jointly optimizes location, size, and appearance for object detectors with plain-view success metrics.
-
Comparative Analysis of Inference-Time Defense Methods for Multimodal Large Language Models
Empirical comparison finds no single inference-time defense dominates for MLLMs, combinations cause 97-100% over-refusal on benign queries, and adaptive selection based on model and attack type is recommended.
-
Digital-to-Physical Transfer of Adversarial Patches for Aerial Vehicle Detection
Digitally optimized adversarial patches with printability constraints reduce objectness in YOLOv3 aerial detectors, with physical transfer success varying by ON/OFF configuration and weather augmentation showing limit...
-
RACF: A Resilient Autonomous Car Framework with Object Distance Correction
RACF corrects inconsistent depth camera distance estimates in autonomous vehicles using LiDAR and kinematic redundancy, achieving up to 35% RMSE reduction and better braking in tests on a Quanser QCar 2 platform.
-
Physical Adversarial Attacks on AI Surveillance Systems:Detection, Tracking, and Visible--Infrared Evasion
The paper organizes existing physical adversarial attack literature into a surveillance-oriented taxonomy emphasizing temporal persistence, multi-modal sensing, carrier realism, and system-level objectives, concluding...
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.