Camera-based autonomous systems that emulate human perception are increasingly being integrated into safety-critical platforms. Consequently, an established body of literature has emerged that explores adversarial attacks targeting the underlying machine learning models. Adapting adversarial attacks to the physical world is desirable for the attacker, as this removes the need to compromise digital systems. However, the real world poses challenges related to the "survivability" of adversarial manipulations given environmental noise in perception pipelines and the dynamicity of autonomous systems. In this paper, we take a sensor-first approach. We present EvilEye, a man-in-the-middle perception attack that leverages transparent displays to generate dynamic physical adversarial examples. EvilEye exploits the camera's optics to induce misclassifications under a variety of illumination conditions. To generate dynamic perturbations, we formalize the projection of a digital attack into the physical domain by modeling the transformation function of the captured image through the optical pipeline. Our extensive experiments show that EvilEye's generated adversarial perturbations are much more robust across varying environmental light conditions relative to existing physical perturbation frameworks, achieving a high attack success rate (ASR) while bypassing state-of-the-art physical adversarial detection frameworks. We demonstrate that the dynamic nature of EvilEye enables attackers to adapt adversarial examples across a variety of objects with a significantly higher ASR compared to state-of-the-art physical world attack frameworks. Finally, we discuss mitigation strategies against the EvilEye attack.