TY - GEN
T1 - Public-attention-based Adversarial Attack on Traffic Sign Recognition
AU - Chi, Lijun
AU - Msahli, Mounira
AU - Memmi, Gerard
AU - Qiu, Han
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023/1/1
Y1 - 2023/1/1
N2 - Autonomous driving systems (ADS) can instantaneously and accurately recognize traffic signs by using deep neural networks (DNNs). Although adversarial attacks are well known to easily fool DNNs by adding tiny but malicious perturbations, most attack methods require sufficient information about the victim models (white-box) to be performed. In this paper, we propose a black-box attack on the recognition system of ADS, Public Attention Attacks (PAA), that can attack a black-box model by collecting the generic attention patterns of other white-box DNNs to transfer the attack. In particular, we select multiple dual or triple attention patterns of white-box model combinations to generate the transferable adversarial perturbations for PAA attacks. We perform the experiments on four well-trained models in different adversarial settings separately. The results indicate that the more white-box models the adversary collects to perform PAA, the higher the attack success rate (ASR) he can achieve against the target black-box model.
AB - Autonomous driving systems (ADS) can instantaneously and accurately recognize traffic signs by using deep neural networks (DNNs). Although adversarial attacks are well known to easily fool DNNs by adding tiny but malicious perturbations, most attack methods require sufficient information about the victim models (white-box) to be performed. In this paper, we propose a black-box attack on the recognition system of ADS, Public Attention Attacks (PAA), that can attack a black-box model by collecting the generic attention patterns of other white-box DNNs to transfer the attack. In particular, we select multiple dual or triple attention patterns of white-box model combinations to generate the transferable adversarial perturbations for PAA attacks. We perform the experiments on four well-trained models in different adversarial settings separately. The results indicate that the more white-box models the adversary collects to perform PAA, the higher the attack success rate (ASR) he can achieve against the target black-box model.
KW - Adversarial attack
KW - attention heat map
KW - deep neural networks
KW - traffic sign recognition
KW - transferability
UR - https://www.scopus.com/pages/publications/85150646585
U2 - 10.1109/CCNC51644.2023.10060485
DO - 10.1109/CCNC51644.2023.10060485
M3 - Conference contribution
AN - SCOPUS:85150646585
T3 - Proceedings - IEEE Consumer Communications and Networking Conference, CCNC
SP - 740
EP - 745
BT - 2023 IEEE 20th Consumer Communications and Networking Conference, CCNC 2023
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 20th IEEE Consumer Communications and Networking Conference, CCNC 2023
Y2 - 8 January 2023 through 11 January 2023
ER -