Owing to the extensive application of infrared object detectors in the safety-critical tasks, it is necessary to evaluate their robustness against adversarial examples in the real world. However, current few physical infrared attacks are complicated to implement in practical application because of their complex transformation from digital world to physical world. To address this issue, in this paper, we propose a physically feasible infrared attack method called "adversarial infrared patches". Considering the imaging mechanism of infrared cameras by capturing objects' thermal radiation, adversarial infrared patches conduct attacks by attaching a patch of thermal insulation materials on the target object to manipulate its thermal distribution. To enhance adversarial attacks, we present a novel aggregation regularization to guide the simultaneous learning for the patch' shape and location on the target object. Thus, a simple gradient-based optimization can be adapted to solve for them. We verify adversarial infrared patches in different object detection tasks with various object detectors. Experimental results show that our method achieves more than 90\% Attack Success Rate (ASR) versus the pedestrian detector and vehicle detector in the physical environment, where the objects are captured in different angles, distances, postures, and scenes. More importantly, adversarial infrared patch is easy to implement, and it only needs 0.5 hours to be constructed in the physical world, which verifies its effectiveness and efficiency.

翻译：由于红外目标检测器在安全关键任务中的广泛应用，有必要评估其在实际场景中对对抗样本的鲁棒性。然而，当前少数物理红外攻击因从数字世界到物理世界的复杂转换，在实际应用中难以实施。为解决此问题，本文提出一种物理可行的红外攻击方法——"对抗红外斑块"。考虑到红外相机通过捕捉物体热辐射的成像机制，对抗红外斑块通过在目标物体上附着隔热材料斑块来操纵其热分布，从而实施攻击。为增强对抗攻击效果，我们提出一种新型聚合正则化方法，以引导斑块形状和位置在目标物体上的同步学习。由此，可适用简单的基于梯度的优化进行求解。我们在不同目标检测任务中使用多种目标检测器验证了对抗红外斑块的有效性。实验结果表明：在物理环境中，当物体以不同角度、距离、姿态和场景被捕获时，该方法对行人检测器和车辆检测器的攻击成功率（ASR）超过90%。更重要的是，对抗红外斑块易于实施，在物理世界中仅需0.5小时即可构建，充分验证了其有效性和高效性。