A Reliable Approach for Generating Realistic Adversarial Attack via Trust Region-Based Optimization

Abstract

Adversarial attacks involve introducing minimal perturbations into the original input to manipulate deep learning models into making incorrect network predictions. Despite substantial interest, there remains insufficient research investigating the impact of adversarial attacks in real-world scenarios. Moreover, adversarial attacks have been extensively examined within the digital domain, but adapting them to realistic scenarios brings new challenges and opportunities. Existing physical world adversarial attacks often look perceptible and attention-grabbing, failing to imitate real-world scenarios credibly when tested on object detectors. This research attempts to craft a physical world adversarial attack that deceives object recognition systems and human observers to address the mentioned issues. The devised attacking approach tried to simulate the realistic appearance of stains left by rain particles on traffic signs, making the adversarial examples blend seamlessly into their environment. This work proposed a region reflection algorithm to localize the optimal perturbation points that reflected the trusted regions by employing the trust region optimization with a multi-quadratic function. The experimental evaluation reveals that the proposed work achieved an average attack success rate (ASR) of 94.18%. Experimentation underscores its applicability in a dynamic range of real-world settings through experiments involving distance and angle variations in physical world settings. However, the performance evaluation across various detection models reveals its generalizable and transferable nature. The outcomes of this study help to understand the vulnerabilities of object detectors and inspire AI (artificial intelligence) researchers to develop more robust and resilient defensive mechanisms.