ML Security PapersPhysical Adversarial Attacks on AI Surveillance Systems:Detection, Tracking, and Visible--Infrared Evasion
Miguel A.DelaCruz 1, Patricia Mae Santos 2, Rafael T.Navarro 3
Published on arXiv
2604.06865
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
Demonstrates that surveillance robustness cannot be judged from isolated per-frame benchmarks and must be examined as a system-level problem across time, sensors, and deployment constraints
Physical adversarial attacks are increasingly studied in settings that resemble deployed surveillance systems rather than isolated image benchmarks. In these settings, person detection, multi-object tracking, visible--infrared sensing, and the practical form of the attack carrier all matter at once. This changes how the literature should be read. A perturbation that suppresses a detector in one frame may have limited practical effect if identity is recovered over time; an RGB-only result may say little about night-time systems that rely on visible and thermal inputs together; and a conspicuous patch can imply a different threat model from a wearable or selectively activated carrier. This paper reviews physical attacks from that surveillance-oriented viewpoint. Rather than attempting a complete catalogue of all physical attacks in computer vision, we focus on the technical questions that become central in surveillance: temporal persistence, sensing modality, carrier realism, and system-level objective. We organize prior work through a four-part taxonomy and discuss how recent results on multi-object tracking, dual-modal visible--infrared evasion, and controllable clothing reflect a broader change in the field. We also summarize evaluation practices and unresolved gaps, including distance robustness, camera-pipeline variation, identity-level metrics, and activation-aware testing. The resulting picture is that surveillance robustness cannot be judged reliably from isolated per-frame benchmarks alone; it has to be examined as a system problem unfolding over time, across sensors, and under realistic physical deployment constraints.
Key Contributions
- Four-part taxonomy organizing physical adversarial attacks from a surveillance-system perspective
- Analysis of temporal persistence, multimodal evasion (visible-infrared), and realistic carrier constraints
- Identifies evaluation gaps including distance robustness, identity-level metrics, and activation-aware testing
🛡️ Threat Analysis
Core focus on physical adversarial attacks that cause misclassification and evasion in person detection and tracking systems at inference time — includes adversarial patches, wearable perturbations, and visible-infrared evasion techniques.