Research On Generation Technology Of Adversarial Patch For Physical World

Posted on: 2023-10-14
Degree: Master
Type: Thesis
Country: China
Candidate: K Wang
GTID: 2558306620985679
Subject: Computer technology

Abstract/Summary:
With the rapid development of artificial intelligence, technology represented by deep neural networks has been widely applied in various fields. Adversarial example attacks have drawn attention to artificial intelligence security. By adding perturbations that humans cannot perceive, these attacks can induce neural network models to output incorrect results. Early research on adversarial examples focused mainly on the digital world; however, adversarial attacks based on the digital world are difficult to apply to the physical world. In recent years, adversarial attacks that can be launched in the physical world, especially adversarial patch attacks, have attracted more researchers' attention.

This paper studies vehicle hiding attacks in the physical world. First, we analyze the differences between digital world attacks and physical world attacks and summarize the difficulties of adversarial attacks in the physical world. Then two methods for enhancing the robustness of adversarial patches and a method for selecting the attachment position of adversarial patches are proposed, which can be used to improve the robustness of physical world adversarial attacks. This paper is the first to reveal the problems that motion blur poses for physical world adversarial attacks, and it proposes corresponding solutions. The two main aspects of this study are as follows:

(1) We analyze the existing problems of adversarial patches in terms of the differences between the digital world and the physical world. To address the printing distortion of adversarial patches in the physical world, this paper proposes a nearest reduction algorithm to constrain the color selection of adversarial patches in CMYK color mode. To address the photo-acquisition distortion of adversarial patches in the physical world, this paper proposes the Pixel-Unet network, which is used to simulate the changes of adversarial patches during photo-acquisition. In this paper, the vulnerable positions of vehicles are analyzed based on the feature visualization method called Grad-CAM, and the attachment position of adversarial patches is selected accordingly. We explore the impact of the adversarial patch attachment location in physical world adversarial attacks. Experimental results show that the adversarial patches trained in this paper effectively improve the attack success rate.

(2) This paper reveals the motion blur problem in real-world adversarial attacks for the first time. Motion blur can distort adversarial patches, seriously affecting attack performance. In this paper, two methods are proposed to improve the anti-blur ability of adversarial patches. First, this paper proposes a strip-shaped adversarial patch, which requires the pixels along the motion direction to be consistent, so that the patch can resist motion blur. Second, a motion blur layer is proposed to simulate real-world motion blur; adding this layer when training adversarial patches can effectively improve their ability to resist motion blur. Experiments show that both methods can resist motion blur to a certain extent.
Keywords/Search Tags: Deep learning, Adversarial examples, Physical world, Motion blur