Camera-based autonomous systems that emulate human perception are increasingly being integrated into safety-critical platforms. Consequently, an established body of literature has emerged that explores adversarial attacks targeting the underlying machine learning models. Adapting adversarial attacks to the physical world is desirable for the attacker, as this removes the need to compromise digital systems. However, the real world poses challenges related to the "survivability" of adversarial manipulations given environmental noise in perception pipelines and the dynamicity of autonomous systems. In this paper, we take a sensor-first approach. We present EvilEye, a man-in-the-middle perception attack that leverages transparent displays to generate dynamic physical adversarial examples. EvilEye exploits the camera's optics to induce misclassifications under a variety of illumination conditions. To generate dynamic perturbations, we formalize the projection of a digital attack into the physical domain by modeling the transformation function of the captured image through the optical pipeline. Our extensive experiments show that EvilEye's generated adversarial perturbations are much more robust across varying environmental light conditions relative to existing physical perturbation frameworks, achieving a high attack success rate (ASR) while bypassing state-of-the-art physical adversarial detection frameworks. We demonstrate that the dynamic nature of EvilEye enables attackers to adapt adversarial examples across a variety of objects with a significantly higher ASR compared to state-of-the-art physical world attack frameworks. Finally, we discuss mitigation strategies against the EvilEye attack.