Timezone: »

 
REAP: A Large-Scale Realistic Adversarial Patch Benchmark
Nabeel Hingun · Chawin Sitawarin · Jerry Li · David Wagner

@
in Workshop on Machine Learning Safety »

Machine learning models are known to be susceptible to adversarial perturbation. One famous attack is the adversarial patch, a sticker with a crafted pattern that makes the model incorrectly predict the object it is placed on. This attack presents a critical threat to cyber-physical systems such as autonomous cars. Despite the significance of the problem, conducting research in this setting has been difficult; evaluating attacks and defenses in the real world is exceptionally costly while synthetic data are unrealistic. In this work, we propose the REAP (REalistic Adversarial Patch) Benchmark, a digital benchmark that allows the user to evaluate patch attacks on real images, and under real-world conditions. Built on top of the Mapillary Vistas dataset, our benchmark contains over 14,000 traffic signs. Each sign is augmented with a pair of geometric and lighting transformations, which can be used to apply a digitally generated patch realistically onto the sign, while matching real-world conditions. Using our benchmark, we perform the first large-scale assessments of adversarial patch attacks under realistic conditions. We release our benchmark publicly at https://github.com/wagner-group/reap-benchmark.

[ Poster [ Topia

Author Information

Nabeel Hingun (University of California Berkeley)
Chawin Sitawarin (University of California, Berkeley)
Jerry Li (Microsoft)
David Wagner (University of California Berkeley)

More from the Same Authors