attack 2025

Robust Physical Adversarial Patches Using Dynamically Optimized Clusters

Harrison Bagley 1, Will Meakin 1,2, Simon Lucey 1, Yee Wei Law 3, Tat-Jun Chin 1,2

0 citations · 65 references · arXiv


Published on arXiv

2511.18656

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

Superpixel-regularized patches outperform unclustered baselines in the digital domain, and those gains are preserved under physical deployment including scale variability induced by varying imaging distance.

SPAP (Superpixel Adversarial Patches)

Novel technique introduced


Physical adversarial attacks on deep learning systems are concerning due to the ease of deploying such attacks, usually by placing an adversarial patch in a scene to manipulate the outcomes of a deep learning model. Training such patches typically requires regularization that improves physical realizability (e.g., printability, smoothness) and/or robustness to real-world variability (e.g., deformations, viewing angle, noise). One type of variability that has received little attention is scale variability. When a patch is rescaled, either digitally through downsampling/upsampling or physically through changing imaging distances, interpolation-induced color mixing occurs. This smooths out pixel values, resulting in a loss of high-frequency patterns and degrading the adversarial signal. To address this, we present a novel superpixel-based regularization method that guides patch optimization to scale-resilient structures. Our approach employs the Simple Linear Iterative Clustering (SLIC) algorithm to dynamically cluster pixels in an adversarial patch during optimization. The Implicit Function Theorem is used to backpropagate gradients through SLIC to update the superpixel boundaries and color. This produces patches that maintain their structure over scale and are less susceptible to interpolation losses. Our method achieves greater performance in the digital domain, and when realized physically, these performance gains are preserved, leading to improved physical performance. Real-world performance was objectively assessed using a novel physical evaluation protocol that utilizes screens and cardboard cut-outs to systematically vary real-world conditions.


Key Contributions

  • Superpixel-based regularization using SLIC that dynamically clusters adversarial patch pixels during optimization to produce scale-resilient structures
  • Differentiable backpropagation through SLIC via the Implicit Function Theorem, enabling gradient-based optimization of superpixel boundaries and colors
  • Novel physical evaluation protocol using screens and cardboard cut-outs to systematically vary real-world conditions (scale, pose, viewing angle) for rigorous physical adversarial patch assessment

🛡️ Threat Analysis

Input Manipulation Attack

Core contribution is a novel physical adversarial patch optimization method that improves evasion attack effectiveness — gradient-based input manipulation causing misclassification/evasion at inference time, demonstrated both digitally and physically.


Details

Domains
vision
Model Types
cnn
Threat Tags
white_box, inference_time, untargeted, physical, digital
Applications
person detection, facial recognition, autonomous driving