This work demonstrates a physical attack on a deep learning image classification system using light projected onto a physical scene.
Prior work is dominated by techniques for creating adversarial examples which directly manipulate the digital input of the classifier. Such an attack is limited to scenarios where the adversary can directly update the inputs to the classifier, such as Clarifai or Cloud Vision.
Such limitations have led to a vein of research around physical attacks where objects are constructed to be inherently adversarial or adversarial modifications are added to cause misclassification. Our work differs from other physical attacks in that we can cause misclassification dynamically without altering physical objects in a permanent way.
We construct a test setup which includes a light projection source, an object for classification, and a camera to capture the scene.
Experiments are conducted against 2D and 3D objects. For the 2D demonstration, a CIFAR-10 image is printed and attacked with light. In this 2D presentation, the classifier confidence of the target class drops from 98% probability to 22%. The 3D presentation places a toy car in the camera frame, attacks the car with projected light, and recaptures the scene for verification of attack success. The classifier confidence that the image is a car drops from 89% probability to 43%.
Revised: January 14, 2020
Published: December 10, 2018
Citation
Nichols N.M., and R.J. Jasper. 2018. Projecting Trouble: Light Based Adversarial Attacks on Deep Learning Classifiers. In Proceedings of the AAAI Fall 2018 Symposium on Adversary-Aware Learning Techniques and Trends in Cybersecurity (ALEC 2018), October 18-19, 2018, Arlington, VA, edited by J. Collins, P. Dasgupta and R. Mittu, 2269, 44-49. Menlo Park, California: AAAI. PNNL-SA-136765.