attack 2026

Transferable Physical-World Adversarial Patches Against Object Detection in Autonomous Driving

Zihui Zhu, Ziqi Zhou, Yichen Wang, Lulu Xue, Minghui Li, Shengshan Hu

0 citations

Published on arXiv

2604.23105

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

Consistently outperforms state-of-the-art attacks in both performance and transferability across multiple detectors in digital and real-world settings

AdvAD

Novel technique introduced


Deep learning drives major advances in autonomous driving (AD), where object detectors are central to perception. However, adversarial attacks pose significant threats to the reliability and safety of these systems, with physical adversarial patches representing a particularly potent form of attack. Physical adversarial patch attacks pose severe risks but are usually crafted for a single model, yielding poor transferability to unseen detectors. We propose AdvAD, a transfer-based physical attack against object detection in autonomous driving. Instead of targeting a specific detector, AdvAD optimizes adversarial patches over multiple detection models in a unified framework, encouraging the learned perturbations to capture shared vulnerabilities across architectures. The optimization process adaptively balances model contributions and enforces robustness to physical variations. It further employs data augmentation and geometric transformations to maintain patch effectiveness under diverse physical conditions. Experiments in both digital and real-world settings show that AdvAD consistently outperforms state-of-the-art (SOTA) attacks in performance and transferability.


Key Contributions

  • Multi-model optimization framework that learns adversarial patches capturing shared vulnerabilities across detection architectures
  • Adaptive balancing mechanism for model contributions with robustness to physical variations
  • Data augmentation and geometric transformations to maintain patch effectiveness under diverse physical conditions

🛡️ Threat Analysis

Input Manipulation Attack

Designs adversarial patches that cause misclassification/detection failures in object detection models at inference time through physical perturbations.


Details

Domains
vision
Model Types
cnn
Threat Tags
black_box, inference_time, untargeted, physical
Applications
autonomous driving, object detection