attack 2025

Distillation-Enhanced Physical Adversarial Attacks

Wei Liu 1, Yonglin Wu 1, Chaoqun Li 1, Zhuodong Liu 1, Huanqian Yan 2

1 citation · arXiv


Published on arXiv

2501.02232

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

Improves physical adversarial patch attack performance by 20% compared to baseline stealthy methods while satisfying visual stealth constraints.

Distillation-Enhanced Physical Adversarial Attack (DEPA)

Novel technique introduced


The study of physical adversarial patches is crucial for identifying vulnerabilities in AI-based recognition systems and developing more robust deep learning models. While recent research has focused on improving patch stealthiness for greater practical applicability, achieving an effective balance between stealth and attack performance remains a significant challenge. To address this issue, we propose a novel physical adversarial attack method that leverages knowledge distillation. Specifically, we first define a stealthy color space tailored to the target environment to ensure smooth blending. Then, we optimize an adversarial patch in an unconstrained color space, which serves as the 'teacher' patch. Finally, we use an adversarial knowledge distillation module to transfer the teacher patch's knowledge to the 'student' patch, guiding the optimization of the stealthy patch. Experimental results show that our approach improves attack performance by 20%, while maintaining stealth, highlighting its practical value.


Key Contributions

  • Defines a stealthy color space tailored to the target environment to ensure smooth blending of adversarial patches
  • Proposes an adversarial knowledge distillation module that transfers attack effectiveness from an unconstrained 'teacher' patch to a stealthy 'student' patch
  • Achieves 20% improvement in attack performance over prior stealthy patch methods while maintaining stealth constraints
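The three stages the abstract and the contributions list describe (derive a stealthy colour space from the target environment, optimise an unconstrained teacher patch, then distil it into a palette-constrained student patch) can be sketched end to end in a few dozen lines. The block below is an added example, not the paper's code: the "detector" is a toy linear model with an analytic gradient, the environment image is synthetic, the stealthy colour space is a k-means palette over that image, and the distillation term is a plain pixel-level MSE toward the teacher, which is an assumed stand-in for the paper's adversarial knowledge distillation module. All names (`stealthy_palette`, `optimise_teacher`, `optimise_student`, `run_pipeline`) are hypothetical, and the example does not reproduce the paper's 20% figure.

```python
import numpy as np

# Constructed example of the teacher/student patch pipeline; not the paper's code.
# Toy setting: a 4x4 RGB patch, shape (3, H, W), and a linear white-box "detector".
H, W = 4, 4
rng = np.random.default_rng(0)

W_DET = rng.normal(size=(3, H, W))   # assumed detector weights (constructed)
B_DET = 2.0                          # bias so a neutral patch reads as "detected"


def score(patch):
    # score > 0 means the toy detector reports the object as detected.
    return float(np.sum(W_DET * patch) + B_DET)


def attack_loss_and_grad(patch):
    # The attacker minimises softplus(score), i.e. pushes toward "not detected".
    s = score(patch)
    loss = float(np.logaddexp(0.0, s))
    grad = (1.0 / (1.0 + np.exp(-s))) * W_DET       # d softplus(s) / d patch
    return loss, grad


def constructed_environment(n=400):
    # Synthetic "target environment": noisy greens and browns standing in for a
    # photo of the deployment scene (constructed data).
    base = np.array([[0.20, 0.45, 0.15], [0.35, 0.55, 0.20],
                     [0.40, 0.30, 0.15], [0.55, 0.45, 0.30]])
    idx = rng.integers(0, len(base), size=n)
    return np.clip(base[idx] + rng.normal(scale=0.03, size=(n, 3)), 0.0, 1.0)


def stealthy_palette(env_pixels, k=4, iters=20):
    # Stage 1: Lloyd's k-means over the environment pixels; the centroids are the
    # only colours the stealthy patch may use (assumed definition of the colour space).
    centers = env_pixels[rng.choice(len(env_pixels), size=k, replace=False)].copy()
    for _ in range(iters):
        d = ((env_pixels[:, None, :] - centers[None, :, :]) ** 2).sum(-1)
        assign = d.argmin(1)
        for j in range(k):
            members = env_pixels[assign == j]
            if len(members):
                centers[j] = members.mean(0)
    return centers


def project_to_palette(patch, palette):
    # Snap every pixel to its nearest palette colour (hard stealth constraint).
    pix = patch.reshape(3, -1).T                                   # (H*W, 3)
    d = ((pix[:, None, :] - palette[None, :, :]) ** 2).sum(-1)
    return palette[d.argmin(1)].T.reshape(3, H, W)


def optimise_teacher(init, steps=300, lr=0.01):
    # Stage 2: projected gradient descent in the unconstrained colour space [0, 1].
    patch = init.copy()
    for _ in range(steps):
        _, g = attack_loss_and_grad(patch)
        patch = np.clip(patch - lr * g, 0.0, 1.0)
    return patch


def optimise_student(init, teacher, palette, steps=300, lr=0.01, lam=0.5):
    # Stage 3: a continuous latent z is updated, but the loss is evaluated on
    # project(z) (straight-through estimator), so the patch never leaves the palette.
    # The distillation term is an assumed pixel-level MSE pulling the student to the teacher.
    z = init.copy()
    best = project_to_palette(z, palette)
    best_loss, _ = attack_loss_and_grad(best)
    for _ in range(steps):
        p = project_to_palette(z, palette)
        loss, g = attack_loss_and_grad(p)
        kd_grad = 2.0 * lam * (p - teacher)
        z = z - lr * (g + kd_grad)
        if loss < best_loss:
            best, best_loss = p, loss
    return best


def in_palette(patch, palette):
    # Stealth check: every pixel is exactly one of the allowed colours.
    pix = patch.reshape(3, -1).T
    return all(any(np.array_equal(px, c) for c in palette) for px in pix)


def run_pipeline():
    env = constructed_environment()
    palette = stealthy_palette(env, k=4)
    start = np.full((3, H, W), 0.5)                  # plain grey starting patch
    teacher = optimise_teacher(start)
    student = optimise_student(start, teacher, palette)
    return {
        "palette": palette,
        "teacher": teacher,
        "student": student,
        "start_score": score(start),
        "teacher_score": score(teacher),
        "student_init_score": score(project_to_palette(start, palette)),
        "student_score": score(student),
    }


if __name__ == "__main__":
    r = run_pipeline()
    for k in ("start_score", "teacher_score", "student_init_score", "student_score"):
        print(f"{k:>20}: {r[k]:+.3f}")
    print("student stays in palette:", in_palette(r["student"], r["palette"]))
```

The straight-through projection is the part worth noting: if the student were snapped to the palette after every gradient step, small steps would never change a pixel's nearest colour and optimisation would stall, which is exactly the stealth-versus-effectiveness tension the abstract describes. Keeping a continuous latent and reading the attack loss off its projection lets the teacher's gradient signal accumulate until a pixel crosses into a different palette colour.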

🛡️ Threat Analysis

Input Manipulation Attack

The paper proposes physical adversarial patches that cause a target detector to misclassify at inference time, which is a direct input manipulation attack (OWASP ML01). Knowledge distillation is used only as an optimisation device: with white-box access to the same target model, it transfers attack effectiveness from an unconstrained 'teacher' patch to a visually stealthy 'student' patch. It is not a model-theft mechanism; no weights, architecture or training data are extracted.


Details

Domains
vision
Model Types
cnn
Threat Tags
white_box, physical, inference_time, targeted, digital
Applications
object detection, AI-based recognition systems