Public-attention-based Adversarial Attack on Traffic Sign Recognition
Abstract: Autonomous driving systems (ADS) can instantaneously and accurately recognize traffic signs by using deep neural networks (DNNs). Although adversarial attacks are well-known to easily fool DNNs by adding tiny but malicious perturbations, most attack methods require sufficient information about the victim models (white-box) to perform. In this paper, we propose a black-box attack in the recognition system of ADS, Public Attention Attacks (PAA), that can attack a black-box model by collecting the generic attention patterns of other white-box DNNs to transfer the attack. Particularly, we select multiple dual or triple attention patterns of white-box model combinations to generate the transferable adversarial perturbations for PAA attacks. We perform the experimentation on four well-trained models in different adversarial settings separately. The results indicate that when more white-box models the adversary collects to perform PAA, the higher the attack success rate (ASR) he can achieve to attack the target black-box model.
Loading