Feasibility of Inconspicuous GAN-generated Adversarial Patches against Object Detection

Svetlana Pavlitskaya1,*, Bianca-Marina Codău2 and J. Marius Zöllner1,2
1 FZI Research Center for Information Technology, 76131 Karlsruhe, Germany
2 Karlsruhe Institute of Technology (KIT), 76131 Karlsruhe, Germany

The IJCAI-ECAI-22 Workshop on Artificial Intelligence Safety (AISafety 2022), July 24-25, 2022, Vienna, Austria
* Corresponding author.
pavlitskaya@fzi.de (S. Pavlitskaya); bianca.codau@student.kit.edu (B. Codău); zoellner@fzi.de (J. M. Zöllner)
© 2022 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).

Abstract
Standard approaches for adversarial patch generation lead to noisy conspicuous patterns, which are easily recognizable by humans. Recent research has proposed several approaches to generate naturalistic patches using generative adversarial networks (GANs), yet only a few of them were evaluated on the object detection use case. Moreover, the state of the art mostly focuses on suppressing a single large bounding box in input by overlapping it with the patch directly. Suppressing objects near the patch is a different, more complex task. In this work, we have evaluated the existing approaches to generate inconspicuous patches. We have adapted methods, originally developed for different computer vision tasks, to the object detection use case with YOLOv3 and the COCO dataset. We have evaluated two approaches to generate naturalistic patches: by incorporating patch generation into the GAN training process and by using the pretrained GAN. For both cases, we have assessed a trade-off between performance and naturalistic patch appearance. Our experiments have shown that using a pre-trained GAN helps to gain realistic-looking patches while preserving the performance similar to conventional adversarial patches.

Keywords
adversarial attacks, object detection, GANs

Deep neural networks (DNNs) are vulnerable to adversarial attacks in which input data is deliberately modified [1]. In case of image data, adversarial noise is added to an input sample, affecting the entire image. Another type of attack is an adversarial patch, which can be positioned arbitrarily in a restricted region of an image. Patches can be applied to the input images digitally as well as in a real-world setting. But state-of-the-art research focuses on creating adversarial patches which are easily recognizable by the human eye. These are characterized by chaotic patterns, bright colors and do not resemble real-life objects but rather random noise [2, 3, 4]. A much harder problem is posed by creating inconspicuous patches as their purpose is to elude human detection while still being a threat to DNNs.

Figure 1: Overview of the patches generated with the evaluated methods. Panels: (a) No attack; (b) Pretrained DCGAN with patch transformations applied; (c) Pretrained BigGAN with latent shift applied; (d) Pretrained BigGAN with patch transformations applied.

Recently, methods to enforce realistic appearance of adversarial patches have been proposed [5, 6, 7]. Existing approaches aim at deterring image classifiers or steering models as well as object detectors. In the latter case, however, an adversarial patch manages to attack only one large object in an input image.

In this work, we perform extensive literature research and identify promising approaches to generate inconspicuous adversarial patches. We further apply these methods to the object detection use case. Differently from the existing work on naturalistic patches against object detection, the focus of our work is to affect objects in the attacked image, which are located near the patch. We run experiments in a digital setting in per-instance and universal manner.
We further analyse which approach is the most suitable for the selected setting and discuss the trade-off between attack success and realistic appearance.

CEUR Workshop Proceedings (CEUR-WS.org), http://ceur-ws.org, ISSN 1613-0073

1. Related Work

1.1. Conspicuous Adversarial Patches

The idea of an adversarial perturbation restricted to a specific image area was first proposed by Brown et al. [2]. The first approaches focused on the image classification use case [8]. Later, patch-based attacks for object detection were also proposed [9, 3, 10]. A general approach consists in either maximizing the detector loss or, in case of an object vanishing attack, minimizing the detector loss for the empty label [11].

To enable attacks in the real-world setting, the non-printability loss component is usually added, which restricts pixel values to the set of printable colours. Furthermore, the total variation loss is usually applied in order to make colourful patterns of the generated adversarial patches appear smoother [12]. The patches can then be printed, e.g. on a t-shirt, to fool object detectors. Examples of adversarial patch attacks against object detection in the real world are [13, 14]. Recently, a dataset of printable adversarial patches against object detection was introduced in [15]. However, adversarial patches generated in the conventional way still have a conspicuous character (see Figure 2).

Figure 2: Examples of state-of-the-art conspicuous adversarial patches against object detection: (a-b) applied in a digital setting, (d-e) printed on a t-shirt. Panels: (a) [9]; (b) [3]; (c) [10]; (d) [13]; (e) [14].

1.2. Inconspicuous Adversarial Patches

An inconspicuous adversarial patch can be enforced either by using a specific loss function or a generative adversarial network (GAN). The first group of approaches maximizes the loss function to obtain patches that resemble a certain real image. adv-watermark [16], for instance, generates adversarial patches as image watermarks by performing a heuristic random search for the global minimum as an adaptation of the Basin Hopping (BH) optimization algorithm.

Figure 3: Examples of state-of-the-art inconspicuous adversarial patches against object detection. Panels: (a) PhysGAN [6]; (b) TnT attack [7]; (c) Naturalistic [5].

Recently, approaches of the second group, which rely on GANs, have gained popularity. We group GAN-based approaches into two categories: (1) methods which include patch generation directly into the GAN training process and (2) methods which generate an adversarial patch using a pretrained GAN.

A first attempt to use GANs to generate natural adversarial examples was performed by Zhao et al. [17]. Here, a pretrained Wasserstein GAN [18] is combined with an inverter, which maps data to the latent representation. The experiments, however, were restricted to the image classification on MNIST and LSUN datasets as well as on a text generation task.

1.2.1. Combined Patch-GAN Training

PhysGAN attack [6] is one representative of the first group of approaches. It is designed to generate patch attacks and place them in road side video footage to deter steering prediction models. For a given input video sequence, the algorithm learns a patch to be included into every frame. The PhysGAN model includes, next to a generator-discriminator pair, an encoder for extracting the features out of input video frames. The encoder output is then fed directly to the generator. The adversarial road sign, computed by the generator, and a real road sign are then sent to a discriminator. The resulting adversarial patch is then added to each frame of the original video sample creating an adversarial input. Finally, to obtain the perturbation, the generator is updated over the loss of the targeted model, calculated on the adversarial video slice, while taking the original frames as the ground truth. The resulting adversarial patch is indistinguishable from the roadside poster and leads to a noticeable prediction error.

Another approach designed to generate more realistic adversarial patches is the Perceptual-Sensitive GAN (PSGAN) [19]. It was evaluated on the traffic sign recognition as well as on general image classification use cases. It adapts existing patches, which are then placed in regions of an image in order to have the highest impact on final predictions. Similar to the Wasserstein GAN training [18], the PSGAN discriminator is updated several times in each epoch, whereas the generator is updated only once per epoch. Before each update, a minibatch of images and patches is sampled. The given minibatch of patches is fed to the generator to create the adversarial patches. Moreover, an attention model is included to determine a patch position that has the highest impact on the class prediction.

Closely related to PSGAN is the Inconspicuous Adversarial Patches (IAP) framework [20], which replicates the process of patch generation in PSGAN and repeats it for a series of generator-discriminator pairs. The goal is thus to reduce the conspicuousness of the patch by feeding it through the chain of GAN models. In the beginning, the background images are analyzed and an attention map indicating the best position for patch placement is calculated. Each GAN pair represents a step in the coarse-to-fine patch creation as it takes in the patch and background image at a different scale. The GAN training process remains the same as the generator aims to create realistic patches while the discriminator tries to distinguish them from the original images. IAP-generated patches aim to be indistinguishable from the background and thus resemble transparent masks.

1.2.2. Using a Pretrained Generator

In the second category, no full GAN training is performed. Instead, a pretrained GAN is used to improve patch appearance. The Naturalistic Physical Adversarial Patch Attack, developed by Hu et al. [5], aims to optimize for an adversarial patch in the GAN latent space directly. First, the patch is initialized as a noise vector. After the initialization, it performs a gradient update for each epoch and for each image, on which the patch is placed before the attack. For each iteration, the noise is fed to the generator to obtain the adversarial patch. The resulting patch is then added to the current image, which is then passed to the object detector. To perform an attack, a bounding box with the highest objectness probability and highest class probability is selected. The gradient descent is then used on the resulting loss, which also contains a total variation loss. Using the approach described above, Hu et al. performed several digital attacks, where they experimented with six different patch sizes, as well as physical attacks.

Universal NaTuralistic adversarial paTches (TnT) attack [7] is another approach relying on a pretrained GAN. This approach aims at attacking image classifiers with realistic universal patches. It uses Wasserstein GAN [18] with gradient penalty, which was pretrained on a dataset of flower images. For the background images, they used images from the ImageNet dataset to test the effectiveness of the attack in white-box and black-box setting. The TnT attack with high confidence scores on the pretrained image classifier had an up to three times higher attack success rate than the laVAN patch attack [8] while testing on the same image set. Finally, Doan et al. managed to create adversarial patches that resemble flowers, thus being less attention grabbing, but impacting the targeted classification model.

2. Approach

We identify two major groups of GAN-based approaches to generate inconspicuous patches and describe the proposed pipelines, adapted for the object detection use case. Our pipeline assumes using a white-box gradient-based approach for adversarial patch generation.

2.1. Combined Patch-GAN Training

In the first approach we incorporate adversarial patch training directly into the GAN training pipeline. This method attempts to map the processes of PhysGAN [6] and PSGAN [19] models from steering model prediction and image classification respectively to the object detector attack. We thus simultaneously train a GAN model to create a latent space of realistic-looking patches and an adversarial patch to deter the object detector.

An overview of the training pipeline in the case of the combined Patch-GAN attacks is presented in Figure 4. The patch is initialized randomly in the generator input format and undergoes two updates in each training epoch: one after the GAN training phase and one after the loss computation of the targeted object detector. Updating the patch after a GAN training step aims to restrict the patch to the latent space of realistic images developed by the GAN model.

Figure 4: Overview of the combined Patch-GAN training. Diagram labels: Initial input noise; Generator; Add patch to image; Object Detector; Compute adversarial perturbation; Update input; Discriminator; Predict real or fake.

We further consider two extensions to the algorithm. First, we introduce a second generator update over the detector loss for the adversarial predictions. It takes into consideration the GAN loss for the generator, which gets the current patch as an input, and the loss of the object detector for the adversarial image. The current patch generation approach differs from PSGAN as the GAN loss is computed only over the patch and not over the entire adversarial image, similar to the PhysGAN.

Second, we use two different random noise vectors during the patch training.
One noise vector is reinitialized with each epoch and background image as it is used to train the two GAN components, while the other is the actual patch noise, initialized as before and optimized with each epoch and background image with the goal of reducing the loss of the object detector under attack.

2.2. Patch Generation using a Pretrained GAN

The second approach focuses on restricting the trained patch to the images generated by a previously trained GAN model. Figure 5 shows the simplified pipeline for a Pretrained GAN Patch Attack. In this approach, random noise is fed into the generator to obtain a realistic image. Similar to the combined Patch-GAN approach, the patch is applied to a background image and the resulting adversarial image is passed to the object detector under attack. The patch is then optimized to change the loss of the object detector. However, the parameters of the generator are no longer updated during patch training as in the previous approach.

Figure 5: Overview of the patch training with a pretrained GAN generator. Diagram labels: Initial input noise; Generator; Fake patch; Add to image; Object Detector; Compute adversarial perturbation; Update input.

Our approach differs from the Naturalistic Physical Patch Attack [5] in the attack procedure. In particular, we no longer target the single person class and also focus on considering all objects in the image instead of a single object having the highest objectness and class probabilities.

3. Experiments and Evaluation

To evaluate the feasibility of the identified GAN-based approaches for inconspicuous patch generation for the object detection use case, we run experiments using YOLOv3 [21] as a model under attack.

3.1. Dataset and Models

We have performed experiments with the YOLOv3 model [21], using an open source Python implementation (https://github.com/eriklindernoren/PyTorch-YOLOv3); detection was performed at the resolution 416x416 pixels.

The images to be attacked come from the COCO dataset [22]. For the per-instance attacks, we use an exemplary COCO image (see Figure 6).

Figure 6: YOLOv3 predictions on an unattacked COCO image for the per-instance experiments. Panels: (a) Input image; (b) YOLOv3 predictions.

We use two GAN architectures: DCGAN [23] and BigGAN [24]. To train DCGAN, we have used the Flower Recognition dataset [25]. The dataset contains 4,242 flower images of 320x240 pixels equally split into the classes daisy, dandelion, rose, sunflower, and tulip. The dataset was built for image classification, not for unsupervised training for image generation as needed for the GAN models. Therefore, we performed dataset cleaning by manually removing the images containing scenarios such as a field of flowers or humans holding flowers, as these represent outliers from the intended GAN latent space, namely single flower generation. The clean Flowers Recognition dataset thus contains 1,385 images.

DCGAN was trained with the batch size of 64 with the Adam optimizer and learning rate 0.0002. The generated images have a size of 64x64 pixels and are further resized to reach the patch size. For BigGAN, we used the open source PyTorch re-implementation (https://github.com/huggingface/pytorch-pretrained-BigGAN), pretrained on ImageNet.

We use the PGD algorithm [26] for attacks. All trainings were performed on an NVIDIA RTX 1080 Ti GPU with 11GB VRAM.

3.2. Conspicuous Baseline Patches

To enable a fair comparison, we have first generated conventional adversarial patches using PGD. We have focused on the object vanishing attack, i.e. we have applied loss maximization using empty ground truth labels to enforce suppression of object detections.

Figure 7 demonstrates the PGD patches of different sizes. We have experimented with various training times and learning rates. The 100x100 pixels PGD patch requires 7K epochs at learning rate 0.01 to suppress all bounding boxes (see Figure 7a). The 80x80 pixels patch only achieves the same result in 5K epochs when using a learning rate of 0.5 as seen in Figure 7b. Training of the 80x80 pixels patch with learning rates of 0.01 and 0.02 did not manage to suppress all bounding boxes even after 15K epochs (see Figures 7c and 7d). Because of its smaller attack surface, we train the 60x60 pixels patch directly with a learning rate of 0.02. Figure 7e shows, however, that this patch does not manage to suppress four bounding boxes, which are placed towards the image margins. Using the learning rate of 0.5 for the 60x60 pixels patch gives better results. Only one bounding box remains in Figure 7f. The performance of the 60x60 pixels patch stagnates and the confidence score of the remaining bounding box does not decrease after 100K epochs, at which point the training is stopped.

Figure 7: Attacks with conventional PGD patches. Panels: (a) Patch size 100x100 pixels, 7K epochs, lr=0.01; (b) Patch size 80x80 pixels, 5K epochs, lr=0.5; (c) Patch size 80x80 pixels, 15K epochs, lr=0.01; (d) Patch size 80x80 pixels, 15K epochs, lr=0.02; (e) Patch size 60x60 pixels, 10K epochs, lr=0.02; (f) Patch size 60x60 pixels, 10K epochs, lr=0.5.

Overall, the conventional PGD patches are able to completely suppress all detections in an input image using a sufficiently large patch (at least 80x80 pixels, i.e. 3% of an input). The smaller the patch, the more it profits from a higher learning rate and longer training time.

3.3. Combined PGD-GAN Training

For the combined PGD-GAN approach, we used the DCGAN architecture, while the PGD attack was implemented as done for the conspicuous baseline.

Following the baseline, a model with one discriminator and generator update per training step was first evaluated. After generator and discriminator parameters are updated at step t, the generator gets an updated patch at step t + 1 and outputs a new patch. We then insert the new patch in the COCO image and produce predictions with the YOLOv3 object detector. After computing the YOLOv3 loss, the patch optimizer was run in order to update the current patch state. This approach led to highly distorted patches not resembling the dataset, whereas the patch itself had no impact on the surrounding bounding boxes.

We have achieved better results via introducing a second generator update. We thus updated the generator twice per epoch: first during the GAN training step and then after the patched image is evaluated and the loss of YOLOv3 is calculated. Figure 8b shows that the patch images remain in the dataset distribution after 4K epochs. However, with each newly generated image, a different flower type is created (a dandelion at 2K epochs and a daisy at 4K epochs). At both stages the covered person is not detected and the confidence score for the car in the back decreases.

Figure 8: Attacks with the combined PGD-GAN training using two generator updates per epoch. Panels: (a) Cropping and horizontal flipping, 2K epochs; (b) Cropping and horizontal flipping, 4K epochs; (c) 2.5K epochs; (d) 5K epochs.

Figures 8c and 8d demonstrate how this version of the algorithm performs without horizontal flipping. The patch covers an entire cyclist, which prevents it from being identified. Moreover, the adjacent cars are identified as such only with a 0.57 and 0.68 confidence score respectively, which are lower than in the corresponding clean image. However, the confidence score does not decline linearly over the epochs. For instance, the red bounding box in Figure 8d displays a higher confidence score of 0.68 at epoch 5K compared to only 0.52 in epoch 2500 as shown in Figure 8c.

The last model that we have evaluated included updating the generator once per epoch, after both the discriminator and the patch were updated. Figure 9 shows that the patch developed with this method manages to suppress more bounding boxes in the neighbouring region. However, the generator obviously does not learn the distribution of the GAN training dataset.

Figure 9: Attack with the combined PGD-GAN training with generator update after the discriminator and patch updates. Results are shown after 1K epochs.

In summary, we could generate realistic looking adversarial patches with the combined approach. The best performing version of the algorithm included two generator updates per epoch. The attack success, however, is worse than when conspicuous adversarial patches are used.

3.4. Using a Pretrained Generator

Next, we evaluate the usage of a pretrained GAN generator. We have experimented with two GAN models: DCGAN and BigGAN. DCGAN was trained for 2K epochs on the Flowers Recognition dataset, which was preprocessed as described above. For the BigGAN, we have used the pretrained model and set the chosen class to daisy (985). The patch optimization is the same as for the conspicuous baseline; the weight for the total variation is set to 0.01.

Figure 10 demonstrates the results for the experiments with the pretrained DCGAN. We have first experimented with patches resized from 64x64 as generated by DCGAN to 100x100 pixels using interpolation. As Figure 10a shows, the patch is placed on a cyclist, which deters the object detector from recognizing the person, the bicycle and the car behind them after 1K epochs using a learning rate of 0.01. Moreover, the car to the left of the patch has the reduced confidence score of 0.53 compared to the clean image score of 0.76. However, a major problem here is that the patch is getting darker with each training epoch (see Figure 10b).

Figure 10: Attacks with a pretrained DCGAN. Panels: (a) Interpolation, augmentations, 1K epochs; (b) Interpolation, augmentations, 3K epochs; (c) No interpolation, 3K epochs; (d) No interpolation, 5K epochs; (e) With latent shift applied, 1K epochs; (f) With patch transformations applied, 5K epochs.

Experiments without patch interpolation (i.e. using patches of size 64x64 pixels as generated by DCGAN) also show the same darkening effect (see Figures 10c and 10d). As expected, these patches also do not suppress the surrounding boxes as well as the previous experiment due to their smaller attack surface, but the confidence scores are decreased. This is also consistent with our conspicuous baseline experiments. The adversarial patch, generated with the pretrained generator, only covers part of the cyclist but the object detector cannot detect a person. In addition, the bounding boxes surrounding the patch have a lower confidence score. Affected are the detections of the cars to the right of the patch as well as the bicycle below it.

To mitigate the darkening patch effect, we further evaluate two countermeasures. First, we apply latent shift interpolation. For that, we initialize a patch mask of randomly distributed values and then apply it to the patch via interpolation. This procedure is repeated during each training epoch before applying the patch to the COCO image. Figure 10e shows results for this approach after 3K training epochs. In this case, the patch value does not remain in the DCGAN image distribution, but resembles noise, which diverges from the flower images, and does not improve with longer training time. Moreover, the patch performs worse than the previous experiments during the evaluation. The person to the left is recognized by the object detector albeit with a lower score than in the clean image. The other surrounding bounding boxes do not have a considerably reduced confidence score.

A further attempt, aiming to improve the appearance of patches, is the usage of patch transformation, as suggested in [3]. This approach aims at making patches more robust and includes a number of transformations applied to a patch before it is added to an input image. It includes adding random noise to the patch as well as random changes in patch brightness and contrast. In particular, we first multiply the patch with a contrast mask and then add brightness and noise masks. In all cases, masks include randomly sampled values: the contrast interval is restricted to [0.8, 1.2], the brightness interval is restricted to [-0.1, 0.1], and the noise mask contains values in the interval [-0.1, 0.1]. As can be seen in Figure 10f, the patch stays in the latent space of the DCGAN model after 5K epochs. This, however, comes at a cost of a small rise in the confidence of object detections near the patch.

As the figures demonstrate, in our DCGAN experiments we have no control over the generated flower class, so that patches may contain various flowers during the training.

We further repeat the experiments with the BigGAN model. The chosen class is 985 representing daisies. The experiments are performed with the patches of 128x128 pixels, which is the size of the original BigGAN generator output. Figure 11a displays the patch attack result after 7K epochs. It turns completely black; however, it still manages to suppress the identification of the person to the left of the patch.

Figure 11: Attacks with a pretrained BigGAN. Panels: (a) Standard training, 7K epochs; (b) With latent shift applied, 7K epochs; (c) With patch transformations applied, 7K epochs; (d) With patch transformations applied, 10K epochs.

Next, we assess the effect of adding the interpolation with the latent value. Figure 11b shows the patch resulting from 7K epochs. In this case, only the background of the flower images turns black while the flowers remain clearly visible. Moreover, the patch manages to suppress the bounding boxes of the cars above and to the right of its position as well as the identification of the first cyclist and the first bicycle on the left.

Finally, we apply patch transformations. This helps to fully overcome the problem of the dark patch background, as the patch background is no longer black, but resembles a field. As Figure 11c shows, the patch achieves similar results to the previous BigGAN experiment from Figure 11b. It suppresses the same bounding boxes and shows a confidence score of 0.75 for the car bounding box in the upper left corner of the patch. This score is higher than in the previous BigGAN experiment but lower than in the clean image. Moreover, by training the pretrained BigGAN patch with transformation for 10K epochs on one COCO image, the bounding box in the upper left corner is suppressed as well (see Figure 11d).

In summary, the approach involving a pretrained generator leads to a significantly higher image fidelity. In a standard setting, the patch tends to get completely black, but the proposed latent shift and patch transformations help to overcome the problem. As expected, BigGAN led to significantly better patches due to larger capacity.

3.5. Universal Inconspicuous Patches

Finally, we evaluate whether the studied approaches to generate inconspicuous patches can also be applied in a universal manner. The goal of a universal attack is to fool all images with a single perturbation [27].

For the experiments, we create a subset of the COCO dataset, containing objects of classes person, car, bicycle. The resulting subset contains 1,146 images, which are further split according to the COCO protocol to 1,101 train and 45 test images. All universal patch training experiments are run for 1K epochs over the entire training dataset. The patch learning rate is set to 0.01 and the GAN learning rate for the combined PGD-GAN patch attack is set to 0.0002. The patch size during training is set to the original size of the GAN architecture output (i.e., 64x64 for DCGAN and 128x128 for BigGAN) to avoid information loss through resizing. The patch placement is fixed, similar to the per-instance experiments.

Using the conventional PGD patches, we could suppress all bounding boxes in the test images. The universal patch generated using the pretrained BigGAN with patch transformations for brightness and contrast was also successful (see Figure 12). In comparison, the pretrained DCGAN patch attack has a reduced effect on the object detection (see Figure 12j). However, it reduces the confidence scores of the surrounding bounding boxes significantly. One major difference to the previous example is the quality of the image and of the generated object respectively. The daisy image in this case is distorted and no longer recognizable as a flower.

Figure 12: Examples of universal patch attacks generated for a subset of COCO, all trained for 1K epochs. Panels: (a) No attack; (b) Attack with a conspicuous PGD patch; (c) No attack; (d) Attack with a pretrained BigGAN with latent shift; (e) No attack; (f) Attack with a pretrained BigGAN with patch transformations; (g) No attack; (h) Attack with a pretrained BigGAN with patch transformations; (i) No attack; (j) Attack with a pretrained DCGAN with patch transformations.

We have trained and evaluated several patches using the same settings (see Table 1). We have also evaluated a patch, generated using the approach by Hu et al. [5] using the open-source code (https://github.com/aiiu-lab/Naturalistic-Adversarial-Patch). Following the procedure in the paper, the training was performed on the INRIA dataset [28] for 1K epochs. We also set the class to daisy. Note that direct comparison with the method by Hu et al. [5] is not possible due to a different method to add a patch to an image (see Figure 13). Instead of attacking objects of a certain class by direct overlapping with a patch, we focus on a single patch at a fixed position in an image, which can attack all objects.

Table 1: Mean average precision (mAP) and average precision (AP) for certain classes in % for universal patches, generated for a subset of COCO
Conventional class=daisy latent shift PGD-GAN Pretrained Pretrained Pretrained Pretrained Combined DCGAN + BigGAN + BigGAN + BigGAN + No attack transfor- transfor- transfor- mations mations mations [5] with training Black PGD
mAP         43.8  4.2   3.4   3.8   3.8   4.4   4.1   3.8   3.9
AP_person   80.3  55.2  28.4  40.4  41.8  39.3  32.0  41.2  46.0
AP_bicycle  2.2   0.0   0.0   0.0   0.0   0.2   0.2   0.0   0.0
AP_car      7.9   3.1   0.0   1.2   0.3   0.4   0.3   0.3   0.3

Figure 13: A naturalistic patch, created using the framework by Hu et al. [5], attacks objects of the class person via overlapping with the clothing area.

Every approach managed to reduce the average mAP drastically, whereas the best result was obtained with the conventional PGD attack, as expected. The patch generated according to [5] achieves the same mAP as the pretrained BigGAN without transformations and the pretrained DCGAN with transformations. This patch also has the best results for the class person, but worst for the class car. Finally, the pretrained BigGAN patch with transformation scores the highest mAP for both images, being least effective overall. In the case of one of the pretrained BigGAN patches with patch transformations, the mAP score of 4.4% is even higher than the black square mAP value. The patches generated with the pretrained BigGAN demonstrate, however, the most naturalistic appearance out of all universal experiments, also compared to the results obtained with the framework by Hu et al. [5].

4. Conclusion

In this work, we have evaluated the existing GAN-based methods for inconspicuous patch generation on the object detection use case. Following the analysis of the state of the art, we have identified two groups of promising approaches: the first method focuses on combining the GAN training process with the training of the adversarial patch, while the second one relies on a pretrained GAN model during the patch training process. For each group, we have adapted the procedure to attack the object detector and ran the experiments on YOLOv3 as a model under attack both in per-instance and universal settings using the COCO dataset. All attacks were performed using the PGD algorithm. Differently from the state of the art, we focused on suppressing objects in the direct proximity of a patch, which is also a realistic attack scenario.

Our experiments have demonstrated that using the pretrained GAN generator leads to adversarial patches of higher visual fidelity. Better performing BigGAN led to more realistic looking patches compared to DCGAN. However, since BigGAN training on ImageNet is resource consuming, we have performed the experiments on combined PGD-GAN training only with a DCGAN model. Evaluating the combined training approach with a GAN of larger capacity might lead to even better results.

During evaluation of the universal attacks, we could observe an evident trade-off between the patch appearance and the attack performance. Our pretrained DCGAN and combined PGD-GAN have demonstrated attack performance comparable to the state-of-the-art approach by Hu et al. [5], although no direct comparison is possible because of different patch placement approaches. The pretrained DCGAN approach as well as the PGD GAN approach led to a better attack success than the pretrained BigGAN method during evaluation. Overall, the performance on the test set under attack was significantly lower than on the clean images. Although the attack strength of the conspicuous patches could not be reached, the studied approaches present a promising trade-off between the attack success and naturalistic appearance.

Acknowledgments

The research leading to these results is funded by the German Federal Ministry for Economic Affairs and Climate Action within the project "KI Absicherung" (grant 19A19005W) and by KASTEL Security Research Labs. The authors would like to thank the consortium for the successful cooperation.

References

[1] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, R. Fergus, Intriguing Properties of Neural Networks, International Conference on Learning Representations (ICLR) (2014).
[2] T. B. Brown, D. Mané, A. Roy, M. Abadi, J. Gilmer, Adversarial Patch, in: Advances in Neural Information Processing Systems (NIPS) - Workshops, 2017.
[3] S. Thys, W. V. Ranst, T. Goedemé, Fooling automated surveillance cameras: Adversarial patches to attack person detection, in: Conference on Computer Vision and Pattern Recognition (CVPR) - Workshops, Computer Vision Foundation / IEEE, 2019.
[4] S. Pavlitskaya, S. Ünver, J. M. Zöllner, Feasibility and suppression of adversarial patch attacks on end-to-end vehicle control, in: International Conference on Intelligent Transportation Systems (ITSC), IEEE, 2020.
[5] Y.-C.-T. Hu, J.-C. Chen, B.-H. Kung, K.-L. Hua, D. S. Tan, Naturalistic Physical Adversarial Patch for Object Detectors, in: International Conference on Computer Vision (ICCV), Springer, 2021.
[6] Z. Kong, J. Guo, A. Li, C. Liu, PhysGAN: Generating Physical-World-Resilient Adversarial Examples for Autonomous Driving, in: Conference on Computer Vision and Pattern Recognition (CVPR), Computer Vision Foundation / IEEE, 2020.
[7] B. G. Doan, M. Xue, S. Ma, E. Abbasnejad, D. C.
Perceptual-Sensitive GAN for Generating Adversarial Patches, in: AAAI Conference on Artificial Intelligence, 2019.
[20] T. Bai, J. Luo, J. Zhao, Inconspicuous adversarial patches for fooling image-recognition systems on
mobile devices, IEEE Internet of Things Journal Ranasinghe, Tnt attacks! universal naturalistic (2021). adversarial patches against deep neural network [21] J. Redmon, A. Farhadi, Yolov3: An incremental systems, CoRR abs/2111.09999 (2021). improvement, CoRR abs/1804.02767 (2018). [8] D. Karmon, D. Zoran, Y. Goldberg, Lavan: Local- [22] T. Lin, M. Maire, S. J. Belongie, J. Hays, P. Perona, ized and visible adversarial noise, in: International D. Ramanan, P. Dollár, C. L. Zitnick, Microsoft Conference on Machine Learning (ICML), PMLR, COCO: common objects in context, in: European 2018. Conference on Computer Vision (ECCV), Springer, [9] X. Liu, H. Yang, Z. Liu, L. Song, Y. Chen, H. Li, 2014. DPATCH: an adversarial patch attack on object de- [23] A. Radford, L. Metz, S. Chintala, Unsupervised tectors, in: AAAI Workshop on Artificial Intelli- representation learning with deep convolutional gence Safety, 2019. generative adversarial networks, in: International [10] M. Lee, J. Z. Kolter, On physical adversarial patches Conference on Learning Representations (ICLR), for object detection, CoRR abs/1906.11897 (2019). 2016. [11] K. H. Chow, L. Liu, M. Loper, J. Bae, M. E. Gursoy, [24] A. Brock, J. Donahue, K. Simonyan, Large scale S. Truex, W. Wei, Y. Wu, Adversarial objectness gra- GAN training for high fidelity natural image syn- dient attacks in real-time object detection systems, thesis, in: International Conference on Learning in: International Conference on Trust, Privacy and Representations (ICLR), 2019. Security in Intelligent Systems and Applications [25] A. Mamaev, Flowers Recognition, (TPS-ISA), IEEE, 2020. https://www.kaggle.com/datasets/alxmamaev/flowers- [12] M. Sharif, S. Bhagavatula, L. Bauer, M. K. Reiter, recognition, 2018. Accessed: 2022-01-12. Accessorize to a crime: Real and stealthy attacks [26] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, on state-of-the-art face recognition, in: Conference A. 
Vladu, Towards Deep Learning Models Resistant on Computer and Communications Security (CCS), to Adversarial Attacks, International Conference ACM, 2016. on Learning Representations (ICLR) (2018). [13] K. Xu, G. Zhang, S. Liu, Q. Fan, M. Sun, H. Chen, [27] S. Moosavi-Dezfooli, A. Fawzi, O. Fawzi, P. Frossard, P. Chen, Y. Wang, X. Lin, Adversarial t-shirt! evad- Universal adversarial perturbations, in: Confer- ing person detectors in a physical world, in: Eu- ence on Computer Vision and Pattern Recognition ropean Conference on Computer Vision (ECCV), (CVPR), Computer Vision Foundation / IEEE, 2017. Springer, 2020. [28] N. Dalal, B. Triggs, Histograms of oriented gra- [14] Z. Wu, S. Lim, L. S. Davis, T. Goldstein, Making dients for human detection, in: Conference on an invisibility cloak: Real world adversarial attacks Computer Vision and Pattern Recognition (CVPR), on object detectors, in: European Conference on Computer Vision Foundation / IEEE, 2005. Computer Vision (ECCV), Springer, 2020. [15] A. Braunegg, A. Chakraborty, M. Krumdick, N. Lape, S. Leary, K. Manville, E. M. Merkhofer, L. Strickhart, M. Walmer, APRICOT: A dataset of physical adversarial attacks on object detection, in: European Conference on Computer Vision (ECCV), Springer, 2020. [16] X. Jia, X. Wei, X. Cao, X. Han, Adv-watermark: A novel watermark perturbation for adversarial exam- ples, in: International Conference on Multimedia, ACM, 2020. [17] Z. Zhao, D. Dua, S. Singh, Generating natural ad- versarial examples, in: International Conference on Learning Representations (ICLR), 2018. [18] M. Arjovsky, S. Chintala, L. Bottou, Wasserstein GAN, CoRR abs/1701.07875 (2017). [19] A. Liu, X. Liu, J. Fan, Y. Ma, A. Zhang, H. Xie, D. Tao,
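
Added example (not from the paper or its code): one way to quantify the per-box effect discussed in Sections 3.4 and 3.5 when testing a detector's robustness, by matching detections on a clean image against detections on the same image with a patch and grouping the clean boxes by whether they overlap the patch, lie near it, or lie far from it. The function names, the detection tuples, the 50-pixel "near" radius and both thresholds are assumptions made for illustration.

```python
def iou(a, b):
    """Intersection over union of two (x1, y1, x2, y2) pixel boxes."""
    w = min(a[2], b[2]) - max(a[0], b[0])
    h = min(a[3], b[3]) - max(a[1], b[1])
    inter = max(0, w) * max(0, h)
    union = (a[2] - a[0]) * (a[3] - a[1]) + (b[2] - b[0]) * (b[3] - b[1]) - inter
    return inter / union if union else 0.0

def gap(a, b):
    """Pixel distance between two boxes; 0 when they touch or overlap."""
    dx = max(a[0] - b[2], b[0] - a[2], 0)
    dy = max(a[1] - b[3], b[1] - a[3], 0)
    return (dx * dx + dy * dy) ** 0.5

def patch_effect(clean, attacked, patch_box, near_px=50, iou_thr=0.5, conf_thr=0.5):
    """Match each confident clean detection to the attacked output (same class,
    IoU >= iou_thr) and report its zone, confidence drop and suppression."""
    report, used = [], set()
    for label, conf, box in sorted(clean, key=lambda d: -d[1]):
        if conf < conf_thr:
            continue
        best, best_iou = None, iou_thr
        for i, (label2, _, box2) in enumerate(attacked):
            if i not in used and label2 == label and iou(box, box2) >= best_iou:
                best, best_iou = i, iou(box, box2)
        # A clean box with no counterpart counts as confidence 0 after the attack.
        after = 0.0 if best is None else attacked[best][1]
        if best is not None:
            used.add(best)
        if iou(box, patch_box) > 0:
            zone = "overlap"
        else:
            zone = "near" if gap(box, patch_box) <= near_px else "far"
        report.append({"label": label, "zone": zone,
                       "suppressed": after < conf_thr,
                       "conf_drop": round(conf - after, 2)})
    return report

# Constructed sample data (label, confidence, box); not measurements from the paper.
PATCH_BOX = (200, 200, 264, 264)
CLEAN = [("car", 0.98, (150, 150, 230, 230)), ("person", 0.95, (270, 180, 330, 300)),
         ("dog", 0.90, (500, 50, 600, 150)), ("bicycle", 0.88, (120, 270, 200, 330))]
ATTACKED = [("car", 0.75, (152, 151, 229, 231)), ("dog", 0.89, (500, 50, 600, 150)),
            ("bicycle", 0.31, (121, 271, 199, 329))]

if __name__ == "__main__":
    for row in patch_effect(CLEAN, ATTACKED, PATCH_BOX):
        print(row)
```

Reporting the "near" zone separately from "overlap" keeps the proximity effect this paper studies apart from plain occlusion by the patch.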