ML Security PapersThe Outline of Deception: Physical Adversarial Attacks on Traffic Signs Using Edge Patches
Haojie Ji 1,2, Te Hu 1, Haowen Li 2, Long Jin 1, Chongshi Xin 1, Yuchi Yao 1, Jiarui Xiao 1
Published on arXiv
2512.00765
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
Achieves over 90% attack success rate under limited query budgets with strong cross-model transferability and stable real-world performance under varying angles and distances
TESP-Attack
Novel technique introduced
Intelligent driving systems are vulnerable to physical adversarial attacks on traffic signs. These attacks can cause misclassification, leading to erroneous driving decisions that compromise road safety. Moreover, within V2X networks, such misinterpretations can propagate, inducing cascading failures that disrupt overall traffic flow and system stability. However, a key limitation of current physical attacks is their lack of stealth. Most methods apply perturbations to central regions of the sign, resulting in visually salient patterns that are easily detectable by human observers, thereby limiting their real-world practicality. This study proposes TESP-Attack, a novel stealth-aware adversarial patch method for traffic sign classification. Based on the observation that human visual attention primarily focuses on the central regions of traffic signs, we employ instance segmentation to generate edge-aligned masks that conform to the shape characteristics of the signs. A U-Net generator is utilized to craft adversarial patches, which are then optimized through color and texture constraints along with frequency domain analysis to achieve seamless integration with the background environment, resulting in highly effective visual concealment. The proposed method demonstrates outstanding attack success rates across traffic sign classification models with varied architectures, achieving over 90% under limited query budgets. It also exhibits strong cross-model transferability and maintains robust real-world performance that remains stable under varying angles and distances.
Key Contributions
- Edge-aligned adversarial patch generation using instance segmentation masks that exploit human visual attention bias toward sign centers for improved stealth
- U-Net-based patch generator optimized with color/texture constraints and frequency domain analysis to achieve seamless background integration
- Demonstrates >90% attack success rate with strong cross-model transferability and robustness across physical viewing angles and distances
🛡️ Threat Analysis
Designs physical adversarial patches that cause misclassification of traffic signs at inference time — edge-aligned masks, U-Net patch generation, and frequency-domain concealment are novel adversarial example/patch contributions targeting vision-based classifiers.