{"611783":{"#nid":"611783","#data":{"type":"news","title":"Erasing Stop Signs: ShapeShifter Shows Self-Driving Cars Can Still Be Manipulated ","body":[{"value":"\u003Cp\u003EGeorgia Tech researchers have confirmed that state-of-the-art image detection systems used in self-driving cars are vulnerable to attack.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EAccording to new research, these systems are particularly vulnerable to a type of attack known as adversarial perturbation. In this type of attack, an object in the real world \u0026ndash; like a stop sign \u0026ndash; is intentionally altered to trick a machine learning system into identifying it as something else entirely different.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe vulnerability was confirmed using\u0026nbsp;\u003Cem\u003EShapeShifter\u003C\/em\u003E, an attack tool developed by\u0026nbsp;\u003Cstrong\u003EShang-Tse Chen\u003C\/strong\u003E, a Ph.D. student in the\u0026nbsp;\u003Ca href=\u0022https:\/\/www.cse.gatech.edu\/\u0022\u003ESchool of Computational Science and Engineering\u003C\/a\u003E\u0026nbsp;(CSE), and fellow researchers from CSE and Intel.\u0026nbsp;\u003Cem\u003EShapeShifter\u003C\/em\u003Eis the first targeted physical adversarial attack on Faster R-CNN object detectors.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;Our motivation comes from vandalism on traffic signs. Despite real vandalism not affecting DNNs (deep neural networks) greatly, in our work we show that we can craft adversarial perturbations that look like normal vandalism. But these perturbations can drastically change the output of a DNN model causing it to malfunction and identify things incorrectly,\u0026rdquo; said Chen.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe goal in creating this attack system is to reveal the weaknesses within image recognition systems using object detectors, and figuring out how to defend against real attacks in the future.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;\u003Cem\u003EShapeShifter\u0026nbsp;\u003C\/em\u003Etells us that self-driving cars that depend purely on vision-based input are not safe until we can defend this kind of attack,\u0026rdquo; said Chen. \u0026ldquo;\u003Cem\u003EShapeShifter\u0026nbsp;\u003C\/em\u003Ewas created to, and has succeeded in, attacking self-driving cars that use the state-of-the-art Faster R-CNN object detection algorithm.\u0026rdquo;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThere are many different types of object detectors, and it just happens that the current leading edge object detectors use deep neural networks (DNNs) internally. These detectors are able to recognize what objects are in an image and where they are located \u0026ndash; much different than their simpler counterpart, image classifiers, that output a single label for an image.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;For example, for an input image of a park, an image classifier will say it\u0026rsquo;s a park. But, an object detector will tell us there are trees, people, and benches, and use bounding boxes to show their locations,\u0026rdquo; explained Chen.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;In our work, we only consider manipulating things that are outside of the computer vision system. Which, in this case, is the physical environment. Therefore, we craft physical adversarial objects that, after the image is captured by a camera, goes through a sequence of pre-processing, is fed to the DNN model, and ultimately tells the system makes an incorrect decision,\u0026rdquo; said Chen.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EAn example of this can be seen in a\u0026nbsp;video\u0026nbsp;posted online. It shows\u0026nbsp;\u003Cem\u003EShapeShifter\u0026nbsp;\u003C\/em\u003Efeeding false inputs to the system, causing it to misclassify a stop sign as a person.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EChen presented his\u0026nbsp;\u003Cem\u003EShapeShifter\u003C\/em\u003Eresearch at the\u0026nbsp;\u003Ca href=\u0022http:\/\/www.ecmlpkdd2018.org\/\u0022\u003EEuropean Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases\u003C\/a\u003E\u0026nbsp;(ECML-PKDD 2018) in Dublin, Ireland on Sept. 13.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe code repository for the paper can be found\u0026nbsp;\u003Ca href=\u0022https:\/\/github.com\/shangtse\/robust-physical-attack\u0022\u003Ehere\u003C\/a\u003E.\u003C\/p\u003E\r\n","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":"","field_summary_sentence":[{"value":"CSE Ph.D. student presents an adversarial attack method that is able to manipulate object detectors."}],"uid":"34540","created_gmt":"2018-09-21 13:37:35","changed_gmt":"2018-09-21 14:52:05","author":"Kristen Perez","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2018-09-21T00:00:00-04:00","iso_date":"2018-09-21T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"611781":{"id":"611781","type":"image","title":"ShapeShifter still image of a stop sign being read incorrectly by a machine learning system","body":null,"created":"1537535981","gmt_created":"2018-09-21 13:19:41","changed":"1537535981","gmt_changed":"2018-09-21 13:19:41","alt":"","file":{"fid":"232910","name":"ShapeShifterIMG.png","image_path":"\/sites\/default\/files\/images\/ShapeShifterIMG.png","image_full_path":"http:\/\/www.tlwarc.hg.gatech.edu\/\/sites\/default\/files\/images\/ShapeShifterIMG.png","mime":"image\/png","size":396337,"path_740":"http:\/\/www.tlwarc.hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/ShapeShifterIMG.png?itok=uSQYJDyB"}}},"media_ids":["611781"],"groups":[{"id":"47223","name":"College of Computing"},{"id":"50877","name":"School of Computational Science and Engineering"}],"categories":[],"keywords":[{"id":"179180","name":"object detectors"},{"id":"4305","name":"cse"},{"id":"83261","name":"Polo Chau"},{"id":"179178","name":"Shang-Tse Chen"}],"core_research_areas":[{"id":"39431","name":"Data Engineering and Science"},{"id":"39541","name":"Systems"}],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003E\u003Cstrong\u003EKristen Perez\u003C\/strong\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003ECommunications Officer I\u003C\/p\u003E\r\n\r\n\u003Cp\u003ECollege of Computing - School of Computational Science and Engineering\u003C\/p\u003E\r\n","format":"limited_html"}],"email":["kristen.perez@cc.gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}