Breaking Barriers in Physical-World Adversarial Examples: Improving Robustness and Transferability via Robust Feature

Authors

  • Yichen Wang, National Engineering Research Center for Big Data Technology and System; Services Computing Technology and System Lab; Hubei Engineering Research Center on Big Data Security; Hubei Key Laboratory of Distributed System Security; School of Cyber Science and Engineering, Huazhong University of Science and Technology
  • Yuxuan Chou, School of Cyber Science and Engineering, Huazhong University of Science and Technology
  • Ziqi Zhou, National Engineering Research Center for Big Data Technology and System; Services Computing Technology and System Lab; Cluster and Grid Computing Lab; School of Computer Science and Technology, Huazhong University of Science and Technology
  • Hangtao Zhang, School of Cyber Science and Engineering, Huazhong University of Science and Technology
  • Wei Wan, National Engineering Research Center for Big Data Technology and System; Services Computing Technology and System Lab; Hubei Engineering Research Center on Big Data Security; Hubei Key Laboratory of Distributed System Security; School of Cyber Science and Engineering, Huazhong University of Science and Technology
  • Shengshan Hu, National Engineering Research Center for Big Data Technology and System; Services Computing Technology and System Lab; Hubei Engineering Research Center on Big Data Security; Hubei Key Laboratory of Distributed System Security; School of Cyber Science and Engineering, Huazhong University of Science and Technology
  • Minghui Li, School of Software Engineering, Huazhong University of Science and Technology

DOI:

https://doi.org/10.1609/aaai.v39i8.32870

Abstract

As deep neural networks (DNNs) are widely applied in the physical world, much research focuses on physical-world adversarial examples (PAEs), which introduce perturbations to inputs and cause the model to produce incorrect outputs. However, existing PAEs face two challenges: unsatisfactory attack performance (i.e., poor transferability and insufficient robustness to environmental conditions), and difficulty in balancing attack effectiveness with stealthiness, where better attack effectiveness often makes PAEs more perceptible. In this paper, we explore a novel perturbation-based method to overcome these challenges. For the first challenge, we introduce a strategy, Deceptive RF injection, based on robust features (RFs) that are predictive, robust to perturbations, and consistent across different models. Specifically, it improves the transferability and robustness of PAEs by covering RFs of other classes onto the predictive features in clean images. For the second challenge, we introduce another strategy, Adversarial Semantic Pattern Minimization, which removes most perturbations and retains only essential adversarial patterns in AEs. Based on the two strategies, we design our method, Robust Feature Coverage Attack (RFCoA), comprising Robust Feature Disentanglement and Adversarial Feature Fusion. In the first stage, we extract target-class RFs in feature space. In the second stage, we use attention-based feature fusion to overlay these RFs onto predictive features of clean images and remove unnecessary perturbations. Experiments show our method's superior transferability, robustness, and stealthiness compared to existing state-of-the-art methods. Additionally, our method's effectiveness can extend to Large Vision-Language Models (LVLMs), indicating its potential applicability to more complex tasks.

Published

2025-04-11

How to Cite

Wang, Y., Chou, Y., Zhou, Z., Zhang, H., Wan, W., Hu, S., & Li, M. (2025). Breaking Barriers in Physical-World Adversarial Examples: Improving Robustness and Transferability via Robust Feature. Proceedings of the AAAI Conference on Artificial Intelligence, 39(8), 8069-8077. https://doi.org/10.1609/aaai.v39i8.32870

Section

AAAI Technical Track on Computer Vision VII