Machine learning models are known to be susceptible to adversarial perturbation. One famous attack is the adversarial patch, a sticker with a particularly crafted pattern that makes the model incorrectly predict the object it is placed on. This attack presents a critical threat to cyber-physical systems that rely on cameras such as autonomous cars. Despite the significance of the problem, conducting research in this setting has been difficult; evaluating attacks and defenses in the real world is exceptionally costly while synthetic data are unrealistic. In this work, we propose the REAP (REalistic Adversarial Patch) benchmark, a digital benchmark that allows the user to evaluate patch attacks on real images, and under real-world conditions. Built on top of the Mapillary Vistas dataset, our benchmark contains over 14,000 traffic signs. Each sign is augmented with a pair of geometric and lighting transformations, which can be used to apply a digitally generated patch realistically onto the sign. Using our benchmark, we perform the first large-scale assessments of adversarial patch attacks under realistic conditions. Our experiments suggest that adversarial patch attacks may present a smaller threat than previously believed and that the success rate of an attack on simpler digital simulations is not predictive of its actual effectiveness in practice. We release our benchmark publicly at https://github.com/wagner-group/reap-benchmark.
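To make the "pair of geometric and lighting transformations" concrete, here is an added example (not code from the REAP repository) that assumes the geometric transform is a four-corner homography from patch coordinates to image coordinates and the lighting transform is a per-sign affine relighting scene = alpha * patch + beta; it uses numpy only, grayscale images in [0, 1], and a constructed checkerboard patch rather than an adversarial one:

```python
import numpy as np


def fit_homography(src, dst):
    """Solve for the 3x3 homography H with dst ~ H @ src from 4 point pairs (DLT)."""
    rows = []
    for (x, y), (u, v) in zip(src, dst):
        rows.append([x, y, 1, 0, 0, 0, -u * x, -u * y, -u])
        rows.append([0, 0, 0, x, y, 1, -v * x, -v * y, -v])
    _, _, vt = np.linalg.svd(np.asarray(rows, dtype=float))
    H = vt[-1].reshape(3, 3)          # null vector of the DLT system
    return H / H[2, 2]


def project(H, pts):
    """Apply H to an (N, 2) array of points, returning (N, 2) pixel coordinates."""
    p = np.c_[np.asarray(pts, dtype=float), np.ones(len(pts))] @ H.T
    return p[:, :2] / p[:, 2:3]


def render_patch(image, patch, corners, alpha, beta, eps=1e-6):
    """Paste `patch` (h, w) onto `image` (H, W), both grayscale in [0, 1].

    corners: image (x, y) of the patch's top-left, top-right, bottom-right and
             bottom-left corners (the geometric transform, assumed homography).
    alpha, beta: relighting so that scene = alpha * patch + beta (lighting transform).
    Returns (rendered image, boolean mask of pixels the patch covers).
    """
    h, w = patch.shape
    src = [(0, 0), (w - 1, 0), (w - 1, h - 1), (0, h - 1)]
    H_inv = np.linalg.inv(fit_homography(src, corners))
    # Inverse-map every image pixel centre into patch coordinates.
    ys, xs = np.mgrid[0:image.shape[0], 0:image.shape[1]]
    uv = project(H_inv, np.c_[xs.ravel(), ys.ravel()])
    px, py = uv[:, 0], uv[:, 1]
    inside = (px >= -eps) & (px <= w - 1 + eps) & (py >= -eps) & (py <= h - 1 + eps)
    mask = inside.reshape(image.shape)
    # Nearest-neighbour sample of the patch, then relight to match the scene.
    ix = np.clip(np.rint(px[inside]).astype(int), 0, w - 1)
    iy = np.clip(np.rint(py[inside]).astype(int), 0, h - 1)
    out = image.copy()
    out[mask] = np.clip(alpha * patch[iy, ix] + beta, 0.0, 1.0)
    return out, mask


if __name__ == "__main__":
    # Constructed sample: flat grey scene, checkerboard patch warped onto a tilted sign.
    scene = np.full((16, 16), 0.2)
    patch = (np.indices((4, 4)).sum(0) % 2).astype(float)
    out, mask = render_patch(scene, patch, [(4, 4), (11, 5), (11, 12), (4, 11)], 0.5, 0.1)
    print(mask.sum(), "pixels patched; patched values:", np.unique(out[mask]))
```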