Detecting Physical Adversarial Patch Attacks with Object Detectors

2022 IEEE Applied Imagery Pattern Recognition Workshop (AIPR)(2022)

Abstract
Machine learning models are vulnerable to adversarial attacks which can cause integrity violations in real-world systems with machine learning components. Alarmingly, these attacks can also manifest in the physical world, where an adversary can disrupt systems without gaining digital access. These attacks are becoming more concerning as safety-critical infrastructure such as healthcare and transportation increasingly relies on machine learning. This work is motivated by the need for safeguarding vision-based systems against physical adversarial pattern attacks—an important domain for autonomous vehicles. We propose the use of a separate detection module that can identify inputs that contain physical adversarial patterns. This approach allows for independent development of the defensive mechanism, which can be updated without affecting the performance of the protected model. This methodology allows the model developers to focus on performance and leave security to a separate team. It is a practical approach that can provide security in cases where a model is acquired from a third party and cannot be re-trained. We perform experimentation demonstrating that we can detect unknown adversarial patterns with high accuracy using standard object detectors trained on datasets containing adversarial patches. A single detector is capable of detecting a variety of adversarial patterns trained from models with different datasets and tasks. Additionally, we introduce a new class of visually distinct adversarial patch attack we call GAN patches. Our experimentation shows that, once observed, the detection module can be updated to identify additional classes of patch attacks. Finally, we experiment with detectors trained on innocuous patches and examine how they can generalize to detecting a variety of known patch attacks.
Keywords
adversarial attacks, adversarial defences, adversarial machine learning, machine learning security