Adversarial T-shirt!
Evading Person Detectors in A Physical World

Most of the existing physical adversarial attacks are generated against image classifiers and object detectors. In [28], a face recognition system is fooled by a real eyeglass frame designed under a crafted adversarial pattern. In [13], a stop sign is misclassified by adding black or white stickers on it against the image classification system. In [21], an image classifier is fooled by placing a crafted sticker at the lens of a camera. In [1], a so-called Expectation over Transformation (EoT) framework was proposed to synthesize adversarial examples robust to a set of physical transformations such as rotation, translation, contrast, brightness, and random noise. Compared to attacking image classifiers, generating physical adversarial attacks against object detectors is more involved. For example, the adversary is required to mislead the bounding box detector of an object when attacking YOLOv2 [26] and SSD [24]. A well-known success of such attacks in the physical world is the generation of adversarial stop sign [14], which deceives state-of-the-art object detectors such as YOLOv2 and Faster R-CNN [27].

The most relevant approach to ours is the work of [30], which demonstrates that a person can evade a detector by holding a cardboard with an adversarial patch. However, such a physical attack restricts the adversarial patch to be attached to a rigid carrier (namely, cardboard), and is different from our setting here where the generated adversarial pattern is directly printed on a T-shirt. We show that the attack proposed by [30] becomes ineffective when the adversarial patch is attached to a T-shirt (rather than a cardboard) and worn by a moving person (see the fourth row of Fig. 1). At the technical side, different from [30] we propose a thin plate spline (TPS) based transformer to model deformation of non-rigid objects, and develop an ensemble physical attack that fools object detectors YOLOv2 and Faster R-CNN simultaneously. We highlight that our proposed adversarial T-shirt is not just a T-shirt with printed adversarial patch for clothing fashion, it is a physical adversarial wearable designed for evading person detectors in the real world.

Our work is also motivated by the importance of person detection on intelligent surveillance. DNN-based surveillance systems have significantly advanced the field of object detection [17, 16]. Efficient object detectors such as faster R-CNN [27], SSD [24], and YOLOv2 [26] have been deployed for human detection. Thus, one may wonder whether or not there exists a security risk for intelligent surveillance systems caused by adversarial human wearables, e.g., adversarial T-shirts. However, paralyzing a person detector in the physical world requires substantially more challenges such as low resolution, pose changes and occlusions. The success of our adversarial T-shirt against real-time person detectors offers new insights for designing practical physical-world adversarial human wearables.

We summarize our contributions as follows:

• •

  We develop a TPS-based transformer to model the temporal deformation of an adversarial T-shirt caused by pose changes of a moving person. We also show the importance of such non-rigid transformation to ensuring the effectiveness of adversarial T-shirts in the physical world.

• •

  We propose a general optimization framework for design of adversarial T-shirts in both single-detector and multiple-detector settings.

• •

  We conduct experiments in both digital and physical worlds and show that the proposed adversarial T-shirt achieves 74% and 57% attack success rates respectively when attacking YOLOv2. By contrast, the physical adversarial patch [30] printed on a T-shirt only achieves 18% attack success rate. Some of our results are highlighted in Fig. 1.

In [1], the parametric transformers include scaling, translation, rotation, brightness and additive Gaussian noise; see details in [1, Appendix D]. In [23], the geometry and lighting transformations are studied via parametric models. Other transformations including perspective transformation, brightness adjustment, resampling (or image resizing), smoothing and saturation are considered in [29, 9]. All the existing transformations are included in our library of physical transformations. However, they are not sufficient to model the cloth deformation caused by pose change of a moving person. For example, the second and third rows of Fig. 1 show that adversarial T-shirts designed against only existing physical transformations yield low attack success rates.

A person’s movement can result in significantly and constantly changing wrinkles (aka deformations) in her clothes. This makes it challenging to develop an adversarial T-shirt effectively in the real world. To circumvent this challenge, we employ TPS mapping [4] to model the cloth deformation caused by human body movement. TPS has been widely used as the non-rigid transformation model in image alignment and shape matching [19]. It consists of an affine component and a non-affine warping component. We will show that the non-linear warping part in TPS can provide an effective means of modeling cloth deformation for learning adversarial patterns of non-rigid objects.

TPS learns a parametric deformation mapping from an original image $𝐱$ to a target image $𝐳$ through a set of control points with given positions. Let $𝐩:=(\varphi ,\psi )$ denote the 2D location of an image pixel. The deformation from $𝐱$ to $𝐳$ is then characterized by the displacement of every pixel, namely, how a pixel at ${𝐩}^{(x)}$ on image $𝐱$ changes to the pixel on image $𝐳$ at ${𝐩}^{(z)}$, where ${\varphi }^{(z)}={\varphi }^{(x)}+{\mathrm{\Delta }}_{\varphi }$ and ${\psi }^{(z)}={\psi }^{(x)}+{\mathrm{\Delta }}_{\psi }$, and ${\mathrm{\Delta }}_{\varphi }$ and ${\mathrm{\Delta }}_{\psi }$ denote the pixel displacement on image $𝐱$ along $\varphi$ direction and $\psi$ direction, respectively.

Given a set of $n$ control points with locations ${\{{\widehat{𝐩}}_i^{(x)}:=({\widehat{\varphi }}_i^{(x)},{\widehat{\psi }}_i^{(x)})\}}_{i=1}^n$ on image $𝐱$, TPS provides a parametric model of pixel displacement when mapping ${𝐩}^{(x)}$ to ${𝐩}^{(z)}$ [8]

where $U(r)=r^2\log (r)$ and $𝜽=[𝐜;𝐚]$ are the TPS parameters, and $\mathrm{\Delta }({𝐩}^{(x)};𝜽)$ represents the displacement along either $\varphi$ or $\psi$ direction.

Moreover, given the locations of control points on the transformed image $𝐳$ (namely, ${\{{\widehat{𝐩}}_i^{(z)}\}}_{i=1}^n$), TPS resorts to a regression problem to determine the parameters $𝜽$ in (2). The regression objective is to minimize the distance between ${\{{\mathrm{\Delta }}_{\varphi }({𝐩}_i^{(x)};{𝜽}_{\varphi })\}}_{i=1}^n$ and ${\{{\widehat{\mathrm{\Delta }}}_{\varphi ,i}:={\widehat{\varphi }}_i^{(z)}-{\widehat{\varphi }}_i^{(x)}\}}_{i=1}^n$ along the $\varphi$ direction, and the distance between ${\{{\mathrm{\Delta }}_{\psi }({𝐩}_i^{(x)};{𝜽}_{\psi })\}}_{i=1}^n$ and ${\{{\widehat{\mathrm{\Delta }}}_{\psi ,i}:={\widehat{\psi }}_i^{(z)}-{\widehat{\psi }}_i^{(x)}\}}_{i=1}^n$ along the $\psi$ direction, respectively. Thus, TPS (2) is applied to coordinate $\varphi$ and $\psi$ separately (corresponding to parameters ${𝜽}_{\varphi }$ and ${𝜽}_{\psi }$). The regression problem can be solved by the following linear system of equations [10]

where the $(i,j)$th element of $𝐊\in {ℝ}^{n\times n}$ is given by $K_{ij}=U({\Vert {\widehat{𝐩}}_i^{(x)}-{\widehat{𝐩}}_j^{(x)}\Vert }_2)$, the $i$th row of $𝐏\in {ℝ}^{n\times 3}$ is given by $P_i=[1,{\widehat{\varphi }}_i^{(x)},{\widehat{\psi }}_i^{(x)}]$, and the $i$th elements of ${\widehat{𝚫}}_{\varphi }\in {ℝ}^n$ and ${\widehat{𝚫}}_{\psi }\in {ℝ}^n$ are given by ${\widehat{\mathrm{\Delta }}}_{\varphi ,i}$ and ${\widehat{\mathrm{\Delta }}}_{\psi ,i}$, respectively.

The difficulty of implementing TPS for design of adversarial T-shirts exists from two aspects: 1) How to determine the set of control points? And 2) how to obtain positions $\{{\widehat{𝐩}}_i^{(x)}\}$ and $\{{\widehat{𝐩}}_i^{(z)}\}$ of control points aligned between a pair of video frames $𝐱$ and $𝐳$?

To address the first question, we print a checkerboard on a T-shirt and use the camera calibration algorithm [15, 34] to detect points at the intersection between every two checkerboard grid regions. These successfully detected points are considered as the control points of one frame. Fig. 2-(a) shows the checkerboard-printed T-shirt, together with the detected intersection points. Since TPS requires a set of control points aligned between two frames, the second question on point matching arises. The challenge lies in the fact that the control points detected at one video frame are different from those at another video frame (e.g., due to missing detection). Fig. 2-(a) v.s. (b) provides an example of point mismatch. To address this issue, we adopt a 2-stage procedure, coordinate system alignment followed by point aliment, where the former refers to conducting a perspective transformation from one frame to the other, and the latter finds the matched points at two frames through the nearest-neighbor method. We provide an illustrative example in Fig. 2-(c). We refer readers to Appendix A for more details about our method.

We generalize the Expectation over Transformation (EoT) method in [3] for design of adversarial T-shirts. Note that different from the conventional EoT, a transformers’ composition is required for generating an adversarial T-shirt. For example, a perspective transformation on the bounding box of the T-shirt is composited with an TPS transformation applied to the cloth region.

Let us begin by considering two video frames, an anchor image ${𝐱}_0$ (e.g., the first frame in the video) and a target image ${𝐱}_i$ for $i\in [M]$¹¹1$[M]$ denotes the integer set $\{1,2,\mathrm{\dots },M\}$.. Given the bounding boxes of the person ($M_{p,0}\in {\{0,1\}}^d$) and the T-shirt ($M_{c,0}\in {\{0,1\}}^d$) at ${𝐱}_0$, we apply the perspective transformation from ${𝐱}_0$ to ${𝐱}_i$ to obtain the bounding boxes $M_{p,i}$ and $M_{c,i}$ at image ${𝐱}_i$. In the absence of physical transformations, the perturbed image ${𝐱}_i^{\prime }$ with respect to (w.r.t.) ${𝐱}_i$ is given by

where the term $A$ denotes the background region outside the bouding box of the person, the term $B$ is the person-bounded region, the term $C$ erases the pixel values within the bounding box of the T-shirt, and the term $D$ is the newly introduced additive perturbation. In (4), the prior knowledge on $M_{p,i}$ and $M_{c,i}$ is acquired by person detector and manual annotation, respectively. Without taking into account physical transformations, Eq. (4) simply reduces to the conventional formulation of adversarial example $(1-M_{c,i})\circ {𝐱}_i+M_{c,i}\circ 𝜹$.

Next, we consider three main types of physical transformations: a) TPS transformation $t_{\mathrm{TPS}}\in {𝒯}_{\mathrm{TPS}}$ applying to the adversarial perturbation $𝜹$ for modeling the effect of cloth deformation, b) physical color transformation $t_{\mathrm{color}}$ which converts digital colors to those printed and visualized in the physical world, and c) conventional physical transformation $t\in 𝒯$ applying to the region within the person’s bounding box, namely, $(M_{p,i}\circ {𝐱}_i-M_{c,i}\circ {𝐱}_i+M_{c,i}\circ 𝜹)$. Here ${𝒯}_{\mathrm{TPS}}$ denotes the set of possible non-rigid transformations, $t_{\mathrm{color}}$ is given by a regression model learnt from the color spectrum in the digital space to its printed counterpart, and $𝒯$ denotes the set of commonly-used physical transformations, e.g., scaling, translation, rotation, brightness, blurring and contrast. A modification of (4) under different sources of transformations is then given by

for $t\in 𝒯$, $t_{\mathrm{TPS}}\in {𝒯}_{\mathrm{TPS}}$, and $𝐯\sim 𝒩(0,1)$. In (5), the terms A, B and C have been defined in (4), and $t_{\mathrm{env}}$ denotes a brightness transformation to model the environmental brightness condition. In (5), $\mu 𝐯$ is an additive Gaussian noise that allows the variation of pixel values, where $\mu$ is a given smoothing parameter and we set it as $0.03$ in our experiments such that the noise realization falls into the range $[-0.1,0.1]$. The randomized noise injection is also known as Gaussian smoothing [11], which makes the final objective function smoother and benefits the gradient computation during optimization.

The prior work, e.g., [28, 12], established a non-printability score (NPS) to measure the distance between the designed perturbation vector and a library of printable colors acquired from the physical world. The commonly-used approach is to incorporate NPS into the attack loss through regularization. However, irt becomes non-trivial to find a proper regularization parameter, and the nonsmoothness of NPS makes optimization for the adversarial T-shirt difficult. To circumvent these challenges, we propose to model the color transformer $t_{\mathrm{color}}$ using a quadratic polynomial regression. The detailed color mapping is showed in Appendix B.

With the aid of (5), the EoT formulation to fool a single object detector is cast as

where $f$ denotes an attack loss for misdetection, $g$ is the total-variation norm that enhances perturbations’ smoothness [14], and $\lambda >0$ is a regularization parameter. We further elaborate on our attack loss $f$ in problem (7). In YOLOv2, a probability score associated with a bounding box indicates whether or not an object is present within this box. Thus, we specify the attack loss as the largest bounding-box probability over all bounding boxes belonging to the ‘person’ class. For Faster R-CNN, we attack all bounding boxes towards the class ‘background’. The more detailed derivation on the attack loss is provided in Appendix C. Fig. 3 presents an overview of our approach to generate adversarial T-shirts.

Unlike digital space, the transferability of adversarial attacks largely drops in the physical environment, thus we consider a physical ensemble attack against multiple object detectors. It was recently shown in [31] that the ensemble attack can be designed from the perspective of min-max optimization, and yields much higher worst-case attack success rate than the averaging strategy over multiple models. Given $N$ object detectors associated with attack loss functions ${\{f_i\}}_{i=1}^N$, the physical ensemble attack is cast as

where $𝐰$ are known as domain weights that adjust the importance of each object detector during the attack generation, $𝒫$ is a probabilistic simplex given by $𝒫=\{𝐰|{\mathrm{𝟏}}^T𝐰=1,𝐰\ge \mathrm{𝟎}\}$, $\gamma >0$ is a regularization parameter, and ${\varphi }_i(𝜹):=\frac{1}{M}{\sum }_{i=1}^M{𝔼}_{t\in 𝒯,t_{\mathrm{TPS}}\in {𝒯}_{\mathrm{TPS}}}\left[f({𝐱}_i^{\prime })\right]$ following (7). In (9), if $\gamma =0$, then the adversarial perturbation $𝜹$ is designed over the maximum attack loss (worst-case attack scenario) since ${\text{maximize}}_{𝐰\in 𝒫}{\sum }_{i=1}^N{w}_i{\varphi }_i(𝜹)={\varphi }_{i^{\ast }}(𝜹)$, where $i^{\ast }=argma{x}_i{\varphi }_i(𝜹)$ at a fixed $𝜹$. Moreover, if $\gamma \to \mathrm{\infty }$, then the inner maximization of problem (9) implies $𝐰\to \mathrm{𝟏}/N$, namely, an averaging scheme over $M$ attack losses. Thus, the regularization parameter $\gamma$ in (9) strikes a balance between the max-strategy and the average-strategy.