Adversarial Neon Beam: Robust Physical-World Adversarial Attack to DNNs

Abstract

In the physical world, light affects the performance of deep neural networks. Nowadays, many products based on deep neural network have been put into daily life. There are few researches on the effect of light on the performance of deep neural network models. However, the adversarial perturbations generated by light may have extremely dangerous effects on these systems. In this work, we propose an attack method called adversarial neon beam (AdvNB), which can execute the physical attack by obtaining the physical parameters of adversarial neon beams with very few queries. Experiments show that our algorithm can achieve advanced attack effect in both digital test and physical test. In the digital environment, 99.3% attack success rate was achieved, and in the physical environment, 100% attack success rate was achieved. Compared with the most advanced physical attack methods, our method can achieve better physical perturbation concealment. In addition, by analyzing the experimental data, we reveal some new phenomena brought about by the adversarial neon beam attack. Visual comparison: The adversarial perturbations generated by RP2 [25] can be captured by the camera well, achieving good adversarial attack effect, but failed to achieve good concealment. Similarly, the adversarial perturbations generated by AdvLB [29] is difficult to achieve good concealment. In contrast, the adversarial perturbations generated by AdvNB can not only achieve higher attack success rate, but also achieve better concealment.