Patch-based adversarial attacks were proven to compromise the robustness and reliability of computer vision systems. However, their conspicuous and easily detectable nature challenge their practicality in real-world setting. To address this, recent work has proposed using Generative Adversarial Networks (GANs) to generate naturalistic patches that may not attract human attention. However, such approaches suffer from a limited latent space making it challenging to produce a patch that is efficient, stealthy, and robust to multiple real-world transformations. This paper introduces a novel approach that produces a Dynamic Adversarial Patch (DAP) designed to overcome these limitations. DAP maintains a naturalistic appearance while optimizing attack efficiency and robustness to real-world transformations. The approach involves redefining the optimization problem and introducing a novel objective function that incorporates a similarity metric to guide the patch's creation. Unlike GAN-based techniques, the DAP directly modifies pixel values within the patch, providing increased flexibility and adaptability to multiple transformations. Furthermore, most clothing-based physical attacks assume static objects and ignore the possible transformations caused by non-rigid deformation due to changes in a person's pose. To address this limitation, a 'Creases Transformation' (CT) block is introduced, enhancing the patch's resilience to a variety of real-world distortions. Experimental results demonstrate that the proposed approach outperforms state-of-the-art attacks, achieving a success rate of up to 82.28% in the digital world when targeting the YOLOv7 detector and 65% in the physical world when targeting YOLOv3tiny detector deployed in edge-based smart cameras.

翻译：基于补丁的对抗攻击已被证明能破坏计算机视觉系统的鲁棒性和可靠性。然而，其显著且易检测的特性对其在现实场景中的实用性构成挑战。为解决此问题，近期研究提出使用生成对抗网络（GAN）生成不易引起人类注意的自然化补丁。但此类方法存在潜在空间有限的问题，难以生成兼具高效性、隐蔽性及对多种真实世界变换鲁棒性的补丁。本文提出一种创新方法——生成动态对抗补丁（DAP），旨在克服上述局限。DAP在保持自然外观的同时，优化攻击效率及对真实世界变换的鲁棒性。该方法通过重新定义优化问题并引入包含相似性度量指标的新型目标函数来指导补丁生成。与基于GAN的技术不同，DAP直接修改补丁内像素值，从而增强对多种变换的灵活性与适应性。此外，多数基于衣物的物理攻击假设目标为静态物体，忽略了人体姿态变化引起的非刚性形变带来的潜在变换。为弥补此缺陷，本文引入"褶皱变换"（CT）模块，增强补丁对多种真实世界畸变的鲁棒性。实验结果表明，所提方法优于现有最优攻击，针对YOLOv7检测器在数字世界中的攻击成功率最高达82.28%，针对部署于边缘智能摄像头的YOLOv3tiny检测器在物理世界中的攻击成功率可达65%。