One Patch to Rule Them All: Transforming Static Patches into Dynamic Attacks in the Physical World

• URL: http://arxiv.org/abs/2506.08482v1
• Date: Tue, 10 Jun 2025 06:12:21 GMT
• Title: One Patch to Rule Them All: Transforming Static Patches into Dynamic Attacks in the Physical World
• Authors: Xingshuo Han, Chen Ling, Shiyi Yao, Haozhao Wang, Hangcheng Liu, Yutong Wu, Shengmin Xu, Changhai Ou, Xinyi Huang, Tianwei Zhang,
• Abstract summary: SwitchPatch is a static adversarial patch (PAP) that enables dynamic and controllable attack outcomes based on real-time scenarios.<n>We evaluate SwitchPatch on two key tasks: traffic sign recognition (classification and detection) and depth estimation.<n>Overall, SwitchPatch introduces a flexible and practical adversarial strategy that can be adapted to diverse tasks and real-world conditions.
• Score: 23.418630708124457
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Numerous methods have been proposed to generate physical adversarial patches (PAPs) against real-world machine learning systems. However, each existing PAP typically supports only a single, fixed attack goal, and switching to a different objective requires re-generating and re-deploying a new PAP. This rigidity limits their practicality in dynamic environments like autonomous driving, where traffic conditions and attack goals can change rapidly. For example, if no obstacles are present around the target vehicle, the attack may fail to cause meaningful consequences. To overcome this limitation, we propose SwitchPatch, a novel PAP that is static yet enables dynamic and controllable attack outcomes based on real-time scenarios. Attackers can alter pre-defined conditions, e.g., by projecting different natural-color lights onto SwitchPatch to seamlessly switch between attack goals. Unlike prior work, SwitchPatch does not require re-generation or re-deployment for different objectives, significantly reducing cost and complexity. Furthermore, SwitchPatch remains benign when the enabling conditions are absent, enhancing its stealth. We evaluate SwitchPatch on two key tasks: traffic sign recognition (classification and detection) and depth estimation. First, we conduct theoretical analysis and empirical studies to demonstrate the feasibility of SwitchPatch and explore how many goals it can support using techniques like color light projection and occlusion. Second, we perform simulation-based experiments and ablation studies to verify its effectiveness and transferability. Third, we conduct outdoor tests using a Unmanned Ground Vehicle (UGV) to confirm its robustness in the physical world. Overall, SwitchPatch introduces a flexible and practical adversarial strategy that can be adapted to diverse tasks and real-world conditions.

Related papers

• Optimization-Free Patch Attack on Stereo Depth Estimation [51.792201754821804]
  We present PatchHunter, the first adversarial patch attack against Stereo Depth Estimation (SDE)<n>PatchHunter formulates patch generation as a reinforcement learning-driven search over a structured space of visual patterns crafted to disrupt SDE assumptions.<n>We validate PatchHunter across three levels: the KITTI dataset, the CARLA simulator, and real-world vehicle deployment.
  arXiv  Detail & Related papers  (2025-06-21T08:23:02Z)
• DiffPatch: Generating Customizable Adversarial Patches using Diffusion Models [89.39483815957236]
  We propose DiffPatch, a novel diffusion-based framework for generating naturalistic adversarial patches.<n>Our approach allows users to start from a reference image and incorporates masks to create patches of various shapes, not limited to squares.<n>Our method achieves attack performance comparable to state-of-the-art non-naturalistic patches while maintaining a natural appearance.
  arXiv  Detail & Related papers  (2024-12-02T12:30:35Z)
• DePatch: Towards Robust Adversarial Patch for Evading Person Detectors in the Real World [13.030804897732185]
  We introduce the Decoupled adversarial Patch (DePatch) attack to address the self-coupling issue of adversarial patches. Specifically, we divide the adversarial patch into block-wise segments, and reduce the inter-dependency among these segments. We further introduce a border shifting operation and a progressive decoupling strategy to improve the overall attack capabilities.
  arXiv  Detail & Related papers  (2024-08-13T04:25:13Z)
• Unified Adversarial Patch for Visible-Infrared Cross-modal Attacks in the Physical World [11.24237636482709]
  We design a unified adversarial patch that can perform cross-modal physical attacks, achieving evasion in both modalities simultaneously with a single patch. We propose a novel boundary-limited shape optimization approach that aims to achieve compact and smooth shapes for the adversarial patch. Our method is evaluated against several state-of-the-art object detectors, achieving an Attack Success Rate (ASR) of over 80%.
  arXiv  Detail & Related papers  (2023-07-27T08:14:22Z)
• Random Position Adversarial Patch for Vision Transformers [0.0]
  This paper proposes a novel method for generating an adversarial patch (G-Patch) Instead of directly optimizing the patch using gradients, we employ a GAN-like structure to generate the adversarial patch. Experiments show the effectiveness of the adversarial patch in achieving universal attacks on vision transformers, both in digital and physical-world scenarios.
  arXiv  Detail & Related papers  (2023-07-09T00:08:34Z)
• Benchmarking Adversarial Patch Against Aerial Detection [11.591143898488312]
  A novel adaptive-patch-based physical attack (AP-PA) framework is proposed. AP-PA generates adversarial patches that are adaptive in both physical dynamics and varying scales. We establish one of the first comprehensive, coherent, and rigorous benchmarks to evaluate the attack efficacy of adversarial patches on aerial detection tasks.
  arXiv  Detail & Related papers  (2022-10-30T07:55:59Z)
• Versatile Weight Attack via Flipping Limited Bits [68.45224286690932]
  We study a novel attack paradigm, which modifies model parameters in the deployment stage. Considering the effectiveness and stealthiness goals, we provide a general formulation to perform the bit-flip based weight attack. We present two cases of the general formulation with different malicious purposes, i.e., single sample attack (SSA) and triggered samples attack (TSA)
  arXiv  Detail & Related papers  (2022-07-25T03:24:58Z)
• Shadows can be Dangerous: Stealthy and Effective Physical-world Adversarial Attack by Natural Phenomenon [79.33449311057088]
  We study a new type of optical adversarial examples, in which the perturbations are generated by a very common natural phenomenon, shadow. We extensively evaluate the effectiveness of this new attack on both simulated and real-world environments.
  arXiv  Detail & Related papers  (2022-03-08T02:40:18Z)
• Segment and Complete: Defending Object Detectors against Adversarial Patch Attacks with Robust Patch Detection [142.24869736769432]
  Adversarial patch attacks pose a serious threat to state-of-the-art object detectors. We propose Segment and Complete defense (SAC), a framework for defending object detectors against patch attacks. We show SAC can significantly reduce the targeted attack success rate of physical patch attacks.
  arXiv  Detail & Related papers  (2021-12-08T19:18:48Z)
• Evaluating the Robustness of Semantic Segmentation for Autonomous Driving against Real-World Adversarial Patch Attacks [62.87459235819762]
  In a real-world scenario like autonomous driving, more attention should be devoted to real-world adversarial examples (RWAEs) This paper presents an in-depth evaluation of the robustness of popular SS models by testing the effects of both digital and real-world adversarial patches.
  arXiv  Detail & Related papers  (2021-08-13T11:49:09Z)
• SLAP: Improving Physical Adversarial Examples with Short-Lived Adversarial Perturbations [19.14079118174123]
  Short-Lived Adrial Perturbations (SLAP) is a novel technique that allows adversaries to realize physically robust real-world AE by using a light projector. SLAP allows the adversary greater control over the attack compared to adversarial patches. We study the feasibility of SLAP in the self-driving scenario, targeting both object detector and traffic sign recognition tasks.
  arXiv  Detail & Related papers  (2020-07-08T14:11:21Z)
• Bias-based Universal Adversarial Patch Attack for Automatic Check-out [59.355948824578434]
  Adversarial examples are inputs with imperceptible perturbations that easily misleading deep neural networks(DNNs) Existing strategies failed to generate adversarial patches with strong generalization ability. This paper proposes a bias-based framework to generate class-agnostic universal adversarial patches with strong generalization ability.
  arXiv  Detail & Related papers  (2020-05-19T07:38:54Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.