Presentation + Paper
Adversarial AI image perturbation attack invariant to object scale and type
13 November 2024
Abstract
Adversarial AI technologies can be used to make AI-based object detection in images malfunction. Evasion attacks make perturbations to the input images that can be unnoticeable to the human eye and exploit weaknesses in object detectors to prevent detection. However, evasion attacks have weaknesses themselves and can be sensitive to any apparent object type, orientation, positioning, and scale. This work will evaluate the performance of a white-box evasion attack and its robustness for these factors.

Video data from the ATR Algorithm Development Image Database is used, containing military and civilian vehicles at different ranges (1000-5000 m). A white-box evasion attack (adversarial objectness gradient) was trained to disrupt a YOLOv3 vehicle detector previously trained on this dataset. Several experiments were performed to assess whether the attack successfully prevented vehicle detection at different ranges. Results show that for an evasion attack trained on objects at only the 1500 m range and applied to all other ranges, the median mAP reduction is >95%. Similarly, when trained only on two vehicles and applied to all seven remaining vehicles, the median mAP reduction is >95%.

This means that evasion attacks can succeed with limited training data for multiple ranges and vehicles. Although a (perfect-knowledge) white-box evasion attack is a worst-case scenario in which a system is fully compromised and its inner workings are known to an adversary, this work may serve as a basis for research into robustness and designing AI-based object detectors resilient to these attacks.
(2024) Published by SPIE. Downloading of the abstract is permitted for personal use only.
Michel van Lier, Richard J. M. den Hollander, and Hugo J. Kuijf "Adversarial AI image perturbation attack invariant to object scale and type", Proc. SPIE 13206, Artificial Intelligence for Security and Defence Applications II, 132060Y (13 November 2024); https://doi.org/10.1117/12.3031545
KEYWORDS
Object detection

Sensors

Mid-IR

Reverse modeling

Video

Cameras

Visualization
