Adversarial input image perturbation attacks have emerged as a significant threat to machine learning algorithms, particularly in the image classification setting. These attacks involve subtle perturbations to input images that cause neural networks to misclassify the input images, even though the images remain easily recognizable to humans. One critical area where adversarial attacks have been demonstrated is in automotive systems, where traffic sign classification and recognition is critical and where misclassified images can cause autonomous systems to take wrong actions. This work presents a new class of adversarial attacks. Unlike existing work that has focused on adversarial perturbations that leverage human-made artifacts to cause the perturbations, such as adding stickers, paint, or shining flashlights at traffic signs, this work leverages nature-made artifacts: tree leaves. By leveraging nature-made artifacts, the new class of attacks has plausible deniability: a fall leaf stuck to a street sign could come from a nearby tree, rather than be placed there by a malicious human attacker. To evaluate the new class of adversarial input image perturbation attacks, this work analyzes how fall leaves can cause misclassification of street signs. The work evaluates various leaves from different species of trees, and considers various parameters such as size, color due to tree leaf type, and rotation. The work demonstrates a high success rate for misclassification. The work also explores the correlation between successful attacks and how they affect edge detection, which is critical in many image classification algorithms.
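To make the edge-detection correlation concrete from the evaluator's side, the following added example (not code from the paper) builds a constructed synthetic sign, pastes a leaf-shaped occluder with a chosen size and rotation, and measures how much the Sobel edge map changes; the disc-shaped "sign" and elliptical "leaf" are simplifying assumptions, and the disruption score is one robustness metric a defender can sweep over leaf size and rotation before deciding on occlusion augmentation.

```python
import math

def make_sign(size=32):
    # Constructed sample: a bright disc on a dark background stands in for a sign.
    img = [[0.0] * size for _ in range(size)]
    c = size / 2
    for y in range(size):
        for x in range(size):
            if (x - c + 0.5) ** 2 + (y - c + 0.5) ** 2 <= (size * 0.4) ** 2:
                img[y][x] = 1.0
    return img

def paste_leaf(img, cx, cy, length, width, angle_deg, value=0.5):
    # Assumed leaf model: a rotated ellipse that occludes every pixel it covers.
    out = [row[:] for row in img]
    a = math.radians(angle_deg)
    ca, sa = math.cos(a), math.sin(a)
    for y in range(len(img)):
        for x in range(len(img[0])):
            dx, dy = x - cx, y - cy
            u, v = dx * ca + dy * sa, -dx * sa + dy * ca
            if (u / (length / 2)) ** 2 + (v / (width / 2)) ** 2 <= 1.0:
                out[y][x] = value
    return out

def sobel_edges(img, thresh=0.5):
    # Binary edge map from the Sobel gradient magnitude (border pixels left at 0).
    h, w = len(img), len(img[0])
    edges = [[0] * w for _ in range(h)]
    for y in range(1, h - 1):
        for x in range(1, w - 1):
            gx = (img[y-1][x+1] + 2*img[y][x+1] + img[y+1][x+1]) - (img[y-1][x-1] + 2*img[y][x-1] + img[y+1][x-1])
            gy = (img[y+1][x-1] + 2*img[y+1][x] + img[y+1][x+1]) - (img[y-1][x-1] + 2*img[y-1][x] + img[y-1][x+1])
            if math.hypot(gx, gy) > thresh:
                edges[y][x] = 1
    return edges

def edge_disruption(clean, occluded):
    # Edge pixels that appear or vanish, normalised by the clean image's edge count.
    e0, e1 = sobel_edges(clean), sobel_edges(occluded)
    base = sum(map(sum, e0))
    diff = sum(1 for y in range(len(e0)) for x in range(len(e0[0])) if e0[y][x] != e1[y][x])
    return diff / base if base else 0.0

def sweep(lengths=(4, 8, 12), angles=(0, 45, 90)):
    # Robustness sweep over the parameters the paper varies: leaf size and rotation.
    sign = make_sign()
    return {(L, a): edge_disruption(sign, paste_leaf(sign, 16, 12, L, L * 0.6, a))
            for L in lengths for a in angles}
```

Higher disruption scores mark the occluder geometries most worth including in test sets or training augmentation for an edge-sensitive classifier.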