Physical adversarial attacks pose a significant practical threat, as they deceive deep learning systems operating in the real world by producing prominent and maliciously designed physical perturbations. Emphasizing the evaluation of naturalness is crucial in such attacks, as humans can readily detect and eliminate unnatural manipulations. To overcome this limitation, recent work has proposed leveraging generative adversarial networks (GANs) to generate naturalistic patches, which may not catch human attention. However, these approaches suffer from a limited latent space, which leads to an inevitable trade-off between naturalness and attack efficiency. In this paper, we propose a novel approach to generate naturalistic and inconspicuous adversarial patches. Specifically, we redefine the optimization problem by introducing an additional loss term to the cost function. This term works as a semantic constraint to ensure that the generated camouflage pattern holds semantic meaning rather than arbitrary patterns. The additional term leverages similarity metrics to construct a similarity loss that we optimize within the global objective function. Our technique is based on directly manipulating the pixel values in the patch, which gives higher flexibility and a larger search space than GAN-based techniques, which optimize the patch indirectly by modifying the latent vector. Compared to the GAN-based technique, our attack achieves a superior success rate of up to 91.19% and 72%, respectively, in the digital world and when deployed in smart cameras at the edge.