pith. sign in

arxiv: 1712.09665 · v2 · pith:FQ7KEVPJnew · submitted 2017-12-27 · 💻 cs.CV

Adversarial Patch

classification 💻 cs.CV
keywords adversarialpatchestheybecausescenecauseclassclassifiers
0
0 comments X
read the original abstract

We present a method to create universal, robust, targeted adversarial image patches in the real world. The patches are universal because they can be used to attack any scene, robust because they work under a wide variety of transformations, and targeted because they can cause a classifier to output any target class. These adversarial patches can be printed, added to any scene, photographed, and presented to image classifiers; even when the patches are small, they cause the classifiers to ignore the other items in the scene and report a chosen target class. To reproduce the results from the paper, our code is available at https://github.com/tensorflow/cleverhans/tree/master/examples/adversarial_patch

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 27 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Test-time Adversarial Takeover: A Real-time Hijacking Interface against Robotic Diffusion Policies

    cs.RO 2026-06 unverdicted novelty 8.0

    TAKO demonstrates real-time adversarial takeover of robotic diffusion policies via reusable universal patches on visual inputs, achieving 100% success in steering attacker-chosen trajectories across multiple tasks, en...

  2. ForesightSafety-VLA: A Unified Diagnostic Safety Benchmark for Vision-Language-Action Models

    cs.RO 2026-06 unverdicted novelty 7.0

    ForesightSafety-VLA creates a diagnostic benchmark for VLA safety with taxonomy across physical, language, and visual risks, showing perception and structure variations cause more safety degradation than language chan...

  3. ForesightSafety-VLA: A Unified Diagnostic Safety Benchmark for Vision-Language-Action Models

    cs.RO 2026-06 unverdicted novelty 7.0

    ForesightSafety-VLA is a new benchmark with 13 safety categories, cumulative cost and risk exposure metrics, and controlled variations to diagnose safety failures in VLA models rather than aggregate task success.

  4. Shoot the Honey, Cloak the Player: Towards Zero-Runtime-Overhead Proactive Defense and Detection for Visual Game Cheating

    cs.CR 2026-06 unverdicted novelty 7.0

    AimTrap is an end-to-end system using Adversarial Camouflage Textures (ACT) and Adversarial Honeypot Textures (AHT) synthesized via differentiable rendering to defend against and detect visual aimbots, with reported s...

  5. How Do Document Parsers Break? Auditing Structural Vulnerability in Document Intelligence

    cs.CL 2026-05 unverdicted novelty 7.0

    ProSA auditing framework shows that structural loss metrics track OCR instability and downstream QA degradation far better than area-based footprint measures across two document parsers on 1,000 pages.

  6. How Do Document Parsers Break? Auditing Structural Vulnerability in Document Intelligence

    cs.CL 2026-05 conditional novelty 7.0

    A new output-level auditing framework with B-SLR and exposure descriptors shows that structure-targeted perturbations better predict OCR instability and downstream degradation than footprint size in document parsers.

  7. Thermally Activated Dual-Modal Adversarial Clothing against AI Surveillance Systems

    cs.AI 2025-11 unverdicted novelty 7.0

    Thermally activated clothing with thermochromic dyes and heaters creates dynamic adversarial patterns that evade AI surveillance in visible and infrared modalities while appearing ordinary when inactive.

  8. Adversarial Hubness in Multi-Modal Retrieval

    cs.CR 2024-12 unverdicted novelty 7.0

    Adversarial hubs can be generated to be retrieved as top-1 for over 84% of test queries in text-to-image retrieval, far exceeding natural hubs.

  9. Off the Rails: Hijacking the Scoring Head in Generative End-to-End Driving Planners with Safety-Violating Adversarial Perturbations

    cs.RO 2026-06 unverdicted novelty 6.0

    Derail adversarial perturbations hijack the scoring head in generative E2E driving planners, flipping safe to unsafe trajectory selection with 39-80% score drops and up to 50% collision rates.

  10. Amnesia: A Stealthy Replay Attack on Continual Learning Dreams

    cs.CR 2026-06 unverdicted novelty 6.0

    Amnesia is a replay composition attack on continual learning that tilts class distributions under visibility (delta) and mass (f) budgets to reduce accuracy while evading audits.

  11. Test-Time Collective Action: Proxy-Based Perturbations for Correcting Algorithmic Harms

    cs.LG 2026-05 unverdicted novelty 6.0

    Groups of users can extract a proxy from a black-box model via pooled queries and apply optimized per-class perturbations at test time to close most subgroup accuracy gaps on image classification tasks.

  12. TRAP: Tail-aware Ranking Attack for World-Model Planning

    cs.LG 2026-05 unverdicted novelty 6.0

    TRAP is a tail-aware ranking attack that plants a backdoor in world models so that a trigger causes the model to reorder a few critical imagined trajectories and redirect planning while preserving normal behavior on c...

  13. Transferable Physical-World Adversarial Patches Against Object Detection in Autonomous Driving

    cs.CV 2026-04 unverdicted novelty 6.0

    AdvAD produces physical-world adversarial patches with improved transferability to unseen object detectors by multi-model optimization, adaptive balancing, and physical variation robustness.

  14. Transferable Physical-World Adversarial Patches Against Pedestrian Detection Models

    cs.CV 2026-04 unverdicted novelty 6.0

    TriPatch generates transferable physical adversarial patches via multi-stage triplet loss, appearance consistency, and data augmentation to achieve higher attack success rates on pedestrian detectors than prior methods.

  15. Street-Legal Physical-World Adversarial Rim for License Plates

    cs.CV 2026-04 conditional novelty 6.0

    SPAR is a street-legal physical rim that cuts modern ALPR accuracy by 60% and reaches 18% targeted impersonation while costing under $100 and requiring no plate modification.

  16. Remote Rowhammer Attack using Adversarial Observations on Federated Learning Clients

    cs.LG 2025-05 unverdicted novelty 6.0

    A reinforcement learning attacker manipulates client sensor observations in federated learning to induce repetitive server memory updates, achieving around 70% repeated update rate and enabling remote Rowhammer bit fl...

  17. Robust Synthesis of Adversarial Visual Examples Using a Deep Image Prior

    cs.CV 2019-07 unverdicted novelty 6.0

    A DIP-based optimization produces adversarial perturbations and patches that are more robust to affine transformations than standard high-frequency noise while staying imperceptible.

  18. Explaining Deep Learning Models with Constrained Adversarial Examples

    cs.LG 2019-06 unverdicted novelty 6.0

    Introduces CADEX to generate domain-constrained counterfactual explanations for ML models using adversarial perturbations.

  19. On Physical Adversarial Patches for Object Detection

    cs.CV 2019-06 unverdicted novelty 6.0

    A physical patch suppresses all object detections by YOLOv3 even for distant objects without overlapping them.

  20. Understanding Adversarial Transferability in Vision-Language Models for Autonomous Driving: A Cross-Architecture Analysis

    cs.CV 2026-04 unverdicted novelty 5.0

    Adversarial patches transfer across three VLM architectures in autonomous driving scenarios with 73-91% success rates and affect 65-79% of critical decision frames even without target-specific optimization.

  21. Survival of the Cheapest: Cost-Aware Hardware Adaptation for Adversarial Robustness

    cs.CR 2024-09 unverdicted novelty 5.0

    A decision-support framework applies AFT models to show Nvidia L4 GPUs yield 20% longer adversarial survival time at 75% lower cost than V100, with inference latency as the strongest robustness predictor.

  22. AEGIS: A Semantic GAN and Evidential Learning Frameworkfor Robust Adversarial Detection in Vision Sensors

    cs.CV 2026-06 unverdicted novelty 4.0

    AEGIS combines SemantiGAN filtering with evidential learning on five handcrafted instability metrics to detect adversarial attacks, reporting 92.1% AUROC on Tiny ImageNet across six attack types.

  23. Budget-Aware Adaptive Adversarial Patches for Black-Box Object Detection

    cs.CV 2026-06 unverdicted novelty 4.0

    Introduces a budget-adaptive black-box adversarial patch attack that jointly optimizes location, size, and appearance for object detectors with plain-view success metrics.

  24. Comparative Analysis of Inference-Time Defense Methods for Multimodal Large Language Models

    cs.CR 2026-06 unverdicted novelty 4.0

    Empirical comparison finds no single inference-time defense dominates for MLLMs, combinations cause 97-100% over-refusal on benign queries, and adaptive selection based on model and attack type is recommended.

  25. Digital-to-Physical Transfer of Adversarial Patches for Aerial Vehicle Detection

    cs.CV 2026-05 unverdicted novelty 4.0

    Digitally optimized adversarial patches with printability constraints reduce objectness in YOLOv3 aerial detectors, with physical transfer success varying by ON/OFF configuration and weather augmentation showing limit...

  26. RACF: A Resilient Autonomous Car Framework with Object Distance Correction

    cs.RO 2026-04 unverdicted novelty 4.0

    RACF corrects inconsistent depth camera distance estimates in autonomous vehicles using LiDAR and kinematic redundancy, achieving up to 35% RMSE reduction and better braking in tests on a Quanser QCar 2 platform.

  27. Physical Adversarial Attacks on AI Surveillance Systems:Detection, Tracking, and Visible--Infrared Evasion

    cs.CV 2026-04 unverdicted novelty 3.0

    The paper organizes existing physical adversarial attack literature into a surveillance-oriented taxonomy emphasizing temporal persistence, multi-modal sensing, carrier realism, and system-level objectives, concluding...