Intent obfuscation is a common tactic in adversarial situations: it lets the attacker both manipulate the target system and avoid culpability. Surprisingly, it has rarely been used in adversarial attacks on machine learning systems. We are the first to propose intent obfuscation for generating adversarial examples against object detectors: by perturbing a different, non-overlapping object in order to disrupt detection of the target object, the attacker hides which object was the intended target. We conduct a randomized experiment on five prominent detectors -- YOLOv3, SSD, RetinaNet, Faster R-CNN, and Cascade R-CNN -- using both targeted and untargeted attacks, and achieve success on every model and attack type. We analyze the factors that characterize successful intent-obfuscating attacks, including the target object's confidence and the perturbed object's size, and then show that an attacker can exploit these factors to raise success rates for all models and attacks. Finally, we discuss the main takeaways and legal repercussions.
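The attack structure described above, written out as an added example that is not code from the paper or its authors: a projected-gradient attack whose perturbation is confined by a binary mask to a "perturb object" box that does not overlap the target box, with the objective of suppressing the target's detection confidence (the untargeted, vanishing case). Real detectors are not differentiated here; the ToyDetector, its weights, the 32x32 scene and the box coordinates are all assumptions constructed for the example. The toy's global context term stands in for a CNN receptive field that reaches past the target box, which is what lets a non-overlapping perturbation influence the target at all; the non-overlap check, the L_inf projection and the "zero change outside the perturb box" check are the parts a practitioner would keep when swapping in a real model and autograd.

```python
"""Intent-obfuscating attack on a toy detector: perturb only a non-overlapping
'perturb object' box and watch the confidence of the separate target box fall.
Added example, numpy only; the detector is a stand-in, not any paper's model."""
import numpy as np

H, W = 32, 32  # toy image size (assumption)


def box_mask(box, shape=(H, W)):
    """Binary mask of an (x0, y0, x1, y1) box; upper bounds are exclusive."""
    x0, y0, x1, y1 = box
    m = np.zeros(shape, dtype=np.float64)
    m[y0:y1, x0:x1] = 1.0
    return m


def iou(a, b):
    """Intersection over union of two boxes; 0.0 means they do not overlap."""
    def area(r):
        return (r[2] - r[0]) * (r[3] - r[1])
    iw = max(0, min(a[2], b[2]) - max(a[0], b[0]))
    ih = max(0, min(a[3], b[3]) - max(a[1], b[1]))
    inter = iw * ih
    union = area(a) + area(b) - inter
    return inter / union if union else 0.0


class ToyDetector:
    """Stand-in detector (assumption, not a real model).

    The objectness score of the target box depends on the box's own pixels
    (local term) and on a global context term over the whole image. The
    context term is what makes pixels outside the box matter, mimicking a
    CNN whose receptive field reaches past the box; without it, perturbing a
    non-overlapping object could not affect the target at all.
    """

    def __init__(self, target_box, w_local=4.0, w_ctx=40.0, bias=-11.0):
        self.t_mask = box_mask(target_box)
        self.n_t = self.t_mask.sum()
        self.w_local, self.w_ctx, self.bias = w_local, w_ctx, bias

    def confidence(self, x):
        logit = (self.w_local * (x * self.t_mask).sum() / self.n_t
                 + self.w_ctx * x.mean() + self.bias)
        return 1.0 / (1.0 + np.exp(-logit))

    def grad_confidence(self, x):
        """d confidence / d x, analytic here; a real attack would use autograd."""
        c = self.confidence(x)
        return c * (1.0 - c) * (self.w_local * self.t_mask / self.n_t
                                + self.w_ctx / x.size)


def intent_obfuscating_pgd(x, det, perturb_box, eps=0.5, alpha=0.1, steps=10):
    """Untargeted (vanishing) attack: minimise the target's confidence while
    only pixels inside perturb_box may change, under an L_inf budget of eps.
    The returned perturbation is exactly zero outside the perturb box, so the
    target object itself is never touched."""
    mask = box_mask(perturb_box)
    delta = np.zeros_like(x)
    for _ in range(steps):
        g = det.grad_confidence(x + delta)
        delta = delta - alpha * np.sign(g) * mask   # descend only inside mask
        delta = np.clip(delta, -eps, eps)            # L_inf projection
        delta = np.clip(x + delta, 0.0, 1.0) - x     # stay in valid pixel range
    return x + delta


def make_scene():
    """Constructed toy scene (not real data): dark background, a bright target
    object in one corner and a separate 'perturb object' far away from it."""
    target_box, perturb_box = (4, 4, 12, 12), (18, 18, 28, 28)
    x = np.full((H, W), 0.1)
    x[4:12, 4:12] = 0.9
    x[18:28, 18:28] = 0.8
    return x, target_box, perturb_box


def run_attack(eps=0.5, threshold=0.5):
    """Run the attack and report the checks a practitioner would make."""
    x, target_box, perturb_box = make_scene()
    assert iou(target_box, perturb_box) == 0.0, "boxes must not overlap"
    det = ToyDetector(target_box)
    x_adv = intent_obfuscating_pgd(x, det, perturb_box, eps=eps)
    delta = x_adv - x
    outside = delta * (1.0 - box_mask(perturb_box))
    return {
        "clean_conf": float(det.confidence(x)),
        "adv_conf": float(det.confidence(x_adv)),
        "target_detected_after": bool(det.confidence(x_adv) >= threshold),
        "max_change_outside_perturb_box": float(np.abs(outside).max()),
        "linf": float(np.abs(delta).max()),
        "iou_target_perturb": iou(target_box, perturb_box),
    }


if __name__ == "__main__":
    for k, v in run_attack().items():
        print(f"{k}: {v}")
```

With the assumed weights the target is detected on the clean scene (confidence about 0.79) and vanishes after the attack (about 0.35) even though every pixel of the target box is unchanged; the same loop works for a targeted (mislabelling) attack by replacing the objective with the difference between the wanted and the true class score.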