
Physical Adversarial Attacks for Multi-Camera Systems
Supervisor(s): Philip Sperl, Jan-Philipp Schulze
Status: finished
Topic: Others
Author: Ana Radutoiu
Submission: 2023-06-05
Type of Thesis: Master's thesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Description

There is an increasing number of intelligent software platforms that employ an ensemble of cameras to perform vision tasks. One example is autonomous cars, which use a multi-camera setup to capture information from their surroundings. While physical adversarial attacks against object detectors have been widely studied for monocular vision systems, little to no research has evaluated the threat of adversarial machine learning against a multi-camera setup. In this work, we therefore evaluate how robust adversarial patches are against a group of object detectors running jointly in a vision system. We propose a novel method, Transcender, which builds on ShapeShifter and includes 3D rendering and perspective projections in the training pipeline to increase the robustness of a two-dimensional patch and make it effective in a 3D real-life setting. We also develop a new training data augmentation technique tailored to multi-camera scenarios and present a comparative evaluation of ShapeShifter and Transcender in an evaluation setup with multiple cameras. To assess the performance of the patches, we propose new evaluation metrics for examining the robustness of adversarial patches in this scenario.

From our research, we draw several conclusions. First, we discover that a multi-camera setup is not resilient against adversarial attacks: up to 30% of the optimized patches are able to fool all cameras in our setup. However, we also empirically show that up to 30% of the attacks fooled at least one camera but not all of them, which means that the given setup provides better protection against attacks than a monocular detection system. Furthermore, we find that printing the attack on different objects and including out-of-plane camera rotations during training makes the optimized attacks more robust in this setting, increasing their effectiveness rate by 4% compared to attacks optimized with ShapeShifter. When the data augmentation technique is also included, the increase in attack effectiveness reaches 11%. Our findings offer valuable insights into the resilience of object detection in a setup with multiple cameras and motivate the need for adequate defense mechanisms against such attacks.
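The thesis's actual training pipeline is not reproduced on this page; as a minimal sketch of the perspective-projection idea mentioned above, a 2D patch can be mapped into each camera's view by applying a per-camera homography to its corner coordinates. All matrices and names below are illustrative assumptions, not the Transcender implementation:

```python
import numpy as np

def project_points(H, pts):
    """Apply a 3x3 homography H to an (N, 2) array of 2D points,
    using the usual homogeneous divide."""
    pts_h = np.hstack([pts, np.ones((len(pts), 1))])
    out = pts_h @ H.T
    return out[:, :2] / out[:, 2:3]

# Corners of a unit-square patch in its own 2D plane.
corners = np.array([[0.0, 0.0], [1.0, 0.0], [1.0, 1.0], [0.0, 1.0]])

# Hypothetical per-camera homographies: an identity (frontal view) and a
# mild out-of-plane tilt; the non-zero (2, 0) entry produces the
# perspective foreshortening a rotated camera would observe.
H_frontal = np.eye(3)
H_tilted = np.array([[1.0, 0.1, 0.0],
                     [0.0, 1.0, 0.0],
                     [0.3, 0.0, 1.0]])

# One warped set of patch corners per simulated camera viewpoint.
views = {name: project_points(H, corners)
         for name, H in [("frontal", H_frontal), ("tilted", H_tilted)]}
```

Rendering the patch through several such warps during optimization is one way to expose it to the geometric variation a multi-camera rig introduces.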
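The abstract distinguishes attacks that fool every camera from those that fool only some of them. A simple illustrative classification along those lines (an assumption for exposition, not the thesis's actual evaluation metrics) could look like this:

```python
def classify_attack(detections):
    """Classify one attack trial against a multi-camera setup.

    detections: list of bools, one per camera; True means the object
    was still detected by that camera (the attack failed there).
    Returns 'full' if every camera was fooled, 'partial' if at least
    one but not all were fooled, and 'none' otherwise.
    """
    fooled = [not detected for detected in detections]
    if all(fooled):
        return "full"
    if any(fooled):
        return "partial"
    return "none"
```

Counting 'full' versus 'partial' outcomes over many trials would yield per-setup success rates comparable to the 30% figures reported above.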