Object detection techniques for Unmanned Aerial Vehicles (UAVs) rely on Deep Neural Networks (DNNs), which are vulnerable to adversarial attacks. Nonetheless, adversarial patches generated by existing algorithms in the UAV domain pay very little attention to the naturalness of adversarial patches. Moreover, imposing constraints directly on adversarial patches makes it difficult to generate patches that appear natural to the human eye while ensuring a high attack success rate. We notice that patches are natural looking when their overall color is consistent with the environment. Therefore, we propose a new method named Environmental Matching Attack(EMA) to address the issue of optimizing the adversarial patch under the constraints of color. To the best of our knowledge, this paper is the first to consider natural patches in the domain of UAVs. The EMA method exploits strong prior knowledge of a pretrained stable diffusion to guide the optimization direction of the adversarial patch, where the text guidance can restrict the color of the patch. To better match the environment, the contrast and brightness of the patch are appropriately adjusted. Instead of optimizing the adversarial patch itself, we optimize an adversarial perturbation patch which initializes to zero so that the model can better trade off attacking performance and naturalness. Experiments conducted on the DroneVehicle and Carpk datasets have shown that our work can reach nearly the same attack performance in the digital attack(no greater than 2 in mAP$\%$), surpass the baseline method in the physical specific scenarios, and exhibit a significant advantage in terms of naturalness in visualization and color difference with the environment.

翻译：无人机目标检测技术依赖深度神经网络（DNN），而DNN容易受到对抗性攻击的影响。然而，现有算法在无人机领域生成的对抗性补丁很少关注其自然性。此外，直接在对抗性补丁上施加约束，难以生成既在视觉上自然又能保持高攻击成功率的补丁。我们注意到，当补丁的整体颜色与环境一致时，其外观显得自然。因此，我们提出了一种名为环境匹配攻击（EMA）的新方法，以解决在颜色约束下优化对抗性补丁的问题。据我们所知，本文是首个在无人机领域考虑自然补丁的研究。EMA方法利用预训练稳定扩散模型的强先验知识来引导对抗性补丁的优化方向，其中文本引导可限制补丁的颜色。为了更好地匹配环境，我们适当调整了补丁的对比度和亮度。与直接优化对抗性补丁不同，我们优化了一个初始化为零的对抗性扰动补丁，从而使模型能够更好地权衡攻击性能与自然性。在DroneVehicle和Carpk数据集上的实验表明，我们的工作在数字攻击中能达到几乎相同的攻击性能（mAP百分比差异不超过2），在物理特定场景中优于基线方法，并且在可视化的自然性以及与环境的颜色差异方面展现出显著优势。