Can Optical Trojans Assist Adversarial Perturbations?
Recent work has demonstrated how physically realizable attacks on neural network vision pipelines can consistently produce misclassifications of a given target object. A smaller body of work has also produced modifications that can be applied directly to the neural network to generate incorrect predictions. However, although these perturbations are difficult to detect by examining the resulting images themselves, they are obvious if any testing is done on the network to check its accuracy. Here, we combine methods from both these lines of work to generate attacks that can be switched on or off. Specifically, we simulate a physically realizable Trojaned lens to attach to a camera that only causes the neural network vision pipeline to produce incorrect classifications if a specific adversarial patch is present in the scene. This novel Optical Trojan is used to amplify the effect of the adversarial patch so that we can achieve similar attack performance with smaller and less noticeable patches. To improve the robustness of our proposed method, we take into account the fabrication process with quantized lens parameters, deal with lens defocus using kernel scaling, make it resilient against noise caused by the camera sensor readouts, and test it in various simulated settings. Finally, we propose a simple yet effective approach to detect such Trojaned lenses by analyzing the distributions of benign and Trojaned kernels.