Timezone: »

Adversarial camera stickers: A physical camera-based attack on deep learning systems
Juncheng Li · Frank R Schmidt · Zico Kolter

Tue Jun 11 11:35 AM -- 11:40 AM (PDT) @ Grand Ballroom

Recent work has thoroughly documented the susceptibility of deep learning systems to adversarial examples, but most such instances directly manipulate the digital input to a classifier. Although a smaller line of work has considered physical adversarial attacks, in all cases these involve manipulating the object of interest, i.e., putting a physical sticker on a object to misclassify it, or manufacturing an object specifically intended to be misclassified. In this work we consider an alternative question: is it possible to fool deep classifiers, over all perceived objects of a certain type, by physically manipulating the camera itself? We show that this is indeed possible, that by placing a carefully crafted and mainly-translucent sticker over the lens of a camera, one can create universal perturbations of the observed images that are inconspicuous, yet reliably misclassify target objects as a different (targeted) class. To accomplish this, we propose an iterative procedure for both updating the attack perturbation (to make it adversarial for a given classifier), and the threat model itself (to ensure it is physically realizable). For example, we show that we can achieve physically-realizable attacks that fool ImageNet classifiers in a targeted fashion 49.6\% of the time. This presents a new class of physically-realizable threat models to consider in the context of adversarially robust machine learning.

Author Information

Juncheng Li (Carnegie Mellon University)
Frank R Schmidt (Robert Bosch GmbH)
Zico Kolter (Carnegie Mellon University / Bosch Center for AI)

Related Events (a corresponding poster, oral, or spotlight)

More from the Same Authors