Deep Neural Networks (DNNs) are increasingly applied in safety-critical real-world applications such as advanced driver assistance systems; traffic sign recognition is one example of such a use case. At the same time, it is known that current DNNs can be fooled by adversarial attacks, which raises safety concerns if those attacks can be applied under realistic conditions. In this work we apply different black-box attack methods to generate perturbations that are placed in the physical environment and can be used to fool recognition systems under varying environmental conditions. To the best of our knowledge, we are the first to combine a general framework for physical attacks with different black-box attack methods and to study the impact of each method on the success rate of the attack under the same setting. We show that reliable physical adversarial attacks can be performed with different methods and that it is also possible to reduce the perceptibility of the resulting perturbations. The findings highlight the need for viable defenses of a DNN even in the black-box case, but at the same time form the basis for securing a DNN with methods like adversarial training, which uses adversarial examples to augment the original training data.