ML Security PapersTowards Powerful and Practical Patch Attacks for 2D Object Detection in Autonomous Driving
Yuxin Cao 1,2, Yedi Zhang 2, Wentao He 3, Yifan Liao 2, Yan Xiao 4, Chang Li 1, Zhiyong Huang 2, Jin Song Dong 2
Published on arXiv
2508.10600
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
P³A achieves up to 52% PASR for model transferability and 54% for data transferability, outperforming state-of-the-art on 11 object detectors and 9 datasets including 7 high-resolution autonomous driving datasets
P³A
Novel technique introduced
Learning-based autonomous driving systems remain critically vulnerable to adversarial patches, posing serious safety and security risks in their real-world deployment. Black-box attacks, notable for their high attack success rate without model knowledge, are especially concerning, with their transferability extensively studied to reduce computational costs compared to query-based attacks. Previous transferability-based black-box attacks typically adopt mean Average Precision (mAP) as the evaluation metric and design training loss accordingly. However, due to the presence of multiple detected bounding boxes and the relatively lenient Intersection over Union (IoU) thresholds, the attack effectiveness of these approaches is often overestimated, resulting in reduced success rates in practical attacking scenarios. Furthermore, patches trained on low-resolution data often fail to maintain effectiveness on high-resolution images, limiting their transferability to autonomous driving datasets. To fill this gap, we propose P$^3$A, a Powerful and Practical Patch Attack framework for 2D object detection in autonomous driving, specifically optimized for high-resolution datasets. First, we introduce a novel metric, Practical Attack Success Rate (PASR), to more accurately quantify attack effectiveness with greater relevance for pedestrian safety. Second, we present a tailored Localization-Confidence Suppression Loss (LCSL) to improve attack transferability under PASR. Finally, to maintain the transferability for high-resolution datasets, we further incorporate the Probabilistic Scale-Preserving Padding (PSPP) into the patch attack pipeline as a data preprocessing step. Extensive experiments show that P$^3$A outperforms state-of-the-art attacks on unseen models and unseen high-resolution datasets, both under the proposed practical IoU-based evaluation metric and the previous mAP-based metrics.
Key Contributions
- PASR (Practical Attack Success Rate): a new metric that flags an attack as successful only when no detection box overlaps the GT pedestrian, fixing overestimation in mAP-based metrics
- LCSL (Localization-Confidence Suppression Loss): jointly suppresses IoU and confidence scores to boost patch transferability, unlike prior work that ignores IoU
- PSPP (Probabilistic Scale-Preserving Padding): a data preprocessing step that preserves absolute pedestrian size when training patches on low-resolution data for deployment on high-resolution autonomous driving datasets
🛡️ Threat Analysis
Proposes adversarial patch attacks that cause 2D object detectors to fail to detect pedestrians at inference time. Core contributions are a novel loss function (LCSL combining IoU and confidence suppression) and a data preprocessing technique (PSPP) to improve patch transferability across detectors and high-resolution datasets — these are adversarial patch attack methodology advances.