Infrared physical adversarial examples are of great significance for studying the security of infrared AI systems that are widely used in our lives such as autonomous driving. Previous infrared physical attacks mainly focused on 2D infrared pedestrian detection which may not fully manifest its destructiveness to AI systems. In this work, we propose a physical attack method against infrared detectors based on 3D modeling, which is applied to a real car. The goal is to design a set of infrared adversarial stickers to make cars invisible to infrared detectors at various viewing angles, distances, and scenes. We build a 3D infrared car model with real infrared characteristics and propose an infrared adversarial pattern generation method based on 3D mesh shadow. We propose a 3D control points-based mesh smoothing algorithm and use a set of smoothness loss functions to enhance the smoothness of adversarial meshes and facilitate the sticker implementation. Besides, We designed the aluminum stickers and conducted physical experiments on two real Mercedes-Benz A200L cars. Our adversarial stickers hid the cars from Faster RCNN, an object detector, at various viewing angles, distances, and scenes. The attack success rate (ASR) was 91.49% for real cars. In comparison, the ASRs of random stickers and no sticker were only 6.21% and 0.66%, respectively. In addition, the ASRs of the designed stickers against six unseen object detectors such as YOLOv3 and Deformable DETR were between 73.35%-95.80%, showing good transferability of the attack performance across detectors.

翻译：红外物理对抗样本对于研究广泛应用于自动驾驶等领域的红外AI系统的安全性具有重要意义。以往的红外物理攻击主要聚焦于二维红外行人检测，这可能无法充分展现其对AI系统的破坏性。本文提出一种基于三维建模的红外探测器物理攻击方法，并应用于真实车辆。目标是设计一组红外对抗贴片，使车辆在不同视角、距离和场景下对红外探测器不可见。我们构建了具有真实红外特性的三维红外汽车模型，并提出一种基于三维网格阴影的红外对抗图案生成方法。我们提出基于三维控制点的网格平滑算法，并采用一组平滑损失函数增强对抗网格的平滑性以方便贴片制作。此外，我们设计了铝制贴片，并在两辆真实的梅赛德斯-奔驰A200L汽车上进行了物理实验。我们的对抗贴片使目标检测器Faster RCNN在不同视角、距离和场景下无法检测到车辆。真实车辆的攻击成功率（ASR）为91.49%，而随机贴片和无贴片条件下的攻击成功率仅为6.21%和0.66%。此外，该贴片对YOLOv3、Deformable DETR等六种未见过的目标检测器的攻击成功率介于73.35%-95.80%之间，显示出攻击性能在检测器间具有良好的可迁移性。