Adversarial Camouflage: Hiding Physical-World Attacks With Natural Styles

• Published in: 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR) pp. 997 - 1005
• Main Authors: Duan, Ranjie, Ma, Xingjun, Wang, Yisen, Bailey, James, Qin, A. K., Yang, Yun
• Format: Conference Proceeding
• Language: English
• Published: IEEE 01.06.2020
• Subjects: Cameras; Distortion; Feature extraction; Measurement; Perturbation methods; Robustness; Visualization
• ISSN: 2575-7075
• DOI: 10.1109/CVPR42600.2020.00108

Deep neural networks (DNNs) are known to be vulnerable to adversarial examples. Existing works have mostly focused on either digital adversarial examples created via small and imperceptible perturbations, or physical-world adversarial examples created with large and less realistic distortions that are easily identified by human observers. In this paper, we propose a novel approach, called Adversarial Camouflage (\emph{AdvCam}), to craft and camouflage physical-world adversarial examples into natural styles that appear legitimate to human observers. Specifically, \emph{AdvCam} transfers large adversarial perturbations into customized styles, which are then "hidden" on-target object or off-target background. Experimental evaluation shows that, in both digital and physical-world scenarios, adversarial examples crafted by \emph{AdvCam} are well camouflaged and highly stealthy, while remaining effective in fooling state-of-the-art DNN image classifiers. Hence, \emph{AdvCam} is a flexible approach that can help craft stealthy attacks to evaluate the robustness of DNNs.