arxiv: 1907.00374 · v1 · pith:LFOPWFHHnew · submitted 2019-06-30 · 💻 cs.CR · cs.CV · eess.IV

Fooling a Real Car with Adversarial Traffic Signs

Pith reviewed 2026-05-25 12:33 UTC · model grok-4.3

classification 💻 cs.CR · cs.CV · eess.IV
keywords: adversarial examples · traffic signs · real-world attacks · black-box attacks · production systems · physical perturbations · autonomous vehicles

The pith

Digitally generated adversarial traffic signs fool production-grade systems in a real moving car.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper demonstrates a pipeline to generate traffic signs that appear normal but cause misclassification by neural networks and legacy vision systems. These signs are created to work across different classifiers in black-box settings and are tested by printing them and placing them on roads for drive-by capture by a real car's camera. The authors confirm success in actual vehicle experiments with production-grade recognition systems. A reader would care because this bridges digital adversarial attacks to physical-world threats on deployed automotive hardware. If the results hold, it shows that perturbations can survive printing, lighting changes, and motion without needing model-specific knowledge.

Core claim

The paper presents a robust pipeline for reproducible production of adversarial traffic signs that can fool a wide range of classifiers, both open-source and production-grade in the real world. Most attacks were performed in black-box mode, and efficiency was confirmed in drive-by experiments with a production-grade traffic sign recognition system of a real car.

What carries the argument

A pipeline that produces adversarial perturbations on traffic sign images designed to transfer across classifiers and remain effective after physical printing and real-world imaging.

If this is right

  • The same signs can attack both neural networks and legacy computer vision systems.
  • Black-box transfer allows signs generated for one classifier to affect many others.
  • Physical realization and vehicle motion do not eliminate the attack effectiveness.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • This opens questions about whether similar pipelines could target other real-world vision systems beyond traffic signs.
  • Defenses might need to incorporate physical-world robustness testing rather than digital-only evaluation.
  • The success rate in drive-by conditions suggests physical adversarial examples may require new mitigation strategies in safety-critical applications.

Load-bearing premise

That perturbations optimized in digital images will continue to cause misclassifications once printed on physical signs viewed by a moving vehicle's camera under real lighting and distance variations.

What would settle it

Repeated drive-by tests with printed signs on the road that produce no misclassifications in the real car's production-grade system under standard conditions would falsify the claim.

Original abstract

The attacks on the neural-network-based classifiers using adversarial images have gained a lot of attention recently. An adversary can purposely generate an image that is indistinguishable from an innocent image for a human being but is incorrectly classified by the neural networks. The adversarial images do not need to be tuned to a particular architecture of the classifier - an image that fools one network can fool another one with a certain success rate. The published works mostly concentrate on the use of modified image files for attacks against the classifiers trained on the model databases. Although there exists a general understanding that such attacks can be carried in the real world as well, the works considering the real-world attacks are scarce. Moreover, to the best of our knowledge, there have been no reports on the attacks against real production-grade image classification systems. In our work we present a robust pipeline for reproducible production of adversarial traffic signs that can fool a wide range of classifiers, both open-source and production-grade in the real world. The efficiency of the attacks was checked both with the neural-network-based classifiers and legacy computer vision systems. Most of the attacks have been performed in the black-box mode, e.g. the adversarial signs produced for a particular classifier were used to attack a variety of other classifiers. The efficiency was confirmed in drive-by experiments with a production-grade traffic sign recognition systems of a real car.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper claims to introduce a reproducible pipeline for generating adversarial traffic signs that fool a range of neural-network classifiers (open-source and production-grade) in both digital and physical settings. It emphasizes black-box transferability and reports that the attacks were validated through drive-by experiments on a real car's production-grade traffic sign recognition system.

Significance. If the physical transfer results hold with adequate controls and statistics, the work would be significant for showing that digitally optimized perturbations can survive printing, outdoor placement, variable lighting, perspective, and motion to affect a deployed automotive vision system—an extension beyond purely digital or lab-based attacks.

major comments (1)
  1. [Abstract] Abstract: the statement that 'the efficiency of the attacks was confirmed in drive-by experiments with a production-grade traffic sign recognition systems of a real car' supplies no quantitative success rates, trial counts, distance/speed ranges, lighting conditions, or failure cases. This information is load-bearing for the central claim of real-world effectiveness.
minor comments (1)
  1. [Abstract] The abstract refers to 'legacy computer vision systems' without clarifying which systems or how they were evaluated relative to the neural-network attacks.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the constructive comment on the abstract. We agree that quantitative details are important for supporting the central claim and will revise the abstract accordingly.

Point-by-point responses
  1. Referee: [Abstract] Abstract: the statement that 'the efficiency of the attacks was confirmed in drive-by experiments with a production-grade traffic sign recognition systems of a real car' supplies no quantitative success rates, trial counts, distance/speed ranges, lighting conditions, or failure cases. This information is load-bearing for the central claim of real-world effectiveness.

    Authors: We agree that the abstract should summarize the quantitative aspects of the drive-by experiments. In the revised version we will update the abstract to include reported success rates, trial counts, distance and speed ranges, lighting conditions, and mention of observed failure cases. These details appear in the experimental sections of the manuscript; we will ensure they are also reflected concisely in the abstract.

    Revision: yes

Circularity Check

0 steps flagged

Purely experimental work; no derivation chain or fitted predictions present.

full rationale

The manuscript presents an experimental pipeline for printing, placing, and drive-by testing of adversarial traffic signs against both open-source and production vehicle classifiers. No equations, first-principles derivations, parameter fitting, or predictions appear in the abstract or described full text. Claims rest on physical trials rather than any reduction of outputs to inputs by construction. Self-citations, if present, are not load-bearing for any mathematical result. This matches the default expectation of no circularity for purely empirical papers.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

No mathematical derivation or new parameters; the work applies existing adversarial generation methods to the physical domain under standard computer vision assumptions.

axioms (1)
  • Domain assumption: adversarial perturbations generated in digital space can transfer to physical objects while preserving misclassification effect.
    Central to the pipeline but not proven in the abstract.

