Physical Adversarial Attacks on AI Surveillance Systems: Detection, Tracking, and Visible–Infrared Evasion
arXiv:2604.06865v1
Abstract
Physical adversarial attacks are gaining attention in the realm of artificial intelligence, particularly in the context of surveillance systems. Unlike traditional settings that focus on isolated image benchmarks, these attacks are being studied in environments that closely mimic real-world applications. In these practical scenarios, several factors come into play, including person detection, multi-object tracking, visible-infrared sensing, and the nature of the attack carrier.
The Importance of Context
The effectiveness of a perturbation designed to suppress a detection system in one frame may differ significantly when considering the entire surveillance context. For instance:
- A perturbation that works well in a single frame may fail if identity recovery is maintained over time.
- Results derived from RGB-only evaluations may not be applicable to night-time systems that utilize both visible and thermal inputs.
- The design of a visible patch can lead to a different threat model compared to a wearable or selectively activated attack carrier.
Taxonomy of Physical Attacks
This paper takes a surveillance-oriented perspective to review physical attacks, moving beyond a mere catalog of existing methods. It emphasizes essential technical questions that arise in the surveillance context:
- Temporal Persistence: How long do adversarial effects last in a dynamic environment?
- Sensing Modality: How do different sensing technologies (visible vs. infrared) interact with attacks?
- Carrier Realism: How believable is the attack carrier in a real-world scenario?
- System-Level Objective: What overarching goals does the attack aim to achieve in the surveillance system?
Recent Advances in the Field
The paper also discusses recent advancements in multi-object tracking, dual-modal visible-infrared evasion, and controllable clothing designs. These innovations reflect a significant shift in how researchers are approaching the challenges posed by surveillance systems.
Evaluation Practices and Gaps
To understand the robustness of surveillance systems against adversarial attacks, the paper summarizes current evaluation practices and highlights unresolved issues, including:
- Distance robustness: How effective are attacks at varying distances?
- Camera-pipeline variation: How do different camera systems impact attack effectiveness?
- Identity-level metrics: What metrics should be used to evaluate the success of an attack at the identity level?
- Activation-aware testing: How can testing methods incorporate the activation state of the attack carrier?
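The identity-level metrics gap above, and the single-frame versus over-time point under "The Importance of Context", can be made concrete from the evaluator's side. The following Python is an added example, not code from the paper: it scores two constructed per-frame detection logs both per frame and per identity. The `max_age` keep-alive model (no appearance re-identification), the function and field names, and the sample sequences are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class IdentityReport:
    frame_miss_rate: float   # share of frames with no detection (per-frame metric)
    longest_gap: int         # longest run of consecutive missed frames
    track_ids: int           # identities the tracker issues over the sequence
    tracked_fraction: float  # share of frames covered by a live track

def evaluate(detected, max_age=5):
    """detected: one bool per frame for a single person of interest.
    max_age: frames a track survives without a matching detection
    (assumed, simplified keep-alive model)."""
    misses = gap = longest = ids = covered = 0
    alive = False
    for hit in detected:
        if hit:
            if not alive:              # no live track, so a new identity is issued
                ids += 1
                alive = True
            gap = 0
        else:
            misses += 1
            gap += 1
            longest = max(longest, gap)
            if alive and gap > max_age:  # track expires and the identity is lost
                alive = False
        covered += alive
    n = len(detected)
    return IdentityReport(misses / n, longest, ids, covered / n)

# Constructed logs, 20 frames each (not measured data).
# SCATTERED: many short dropouts, each shorter than max_age.
SCATTERED = [i % 3 == 0 for i in range(20)]
# CONTIGUOUS: fewer missed frames overall, but one 8-frame dropout.
CONTIGUOUS = [True] * 6 + [False] * 8 + [True] * 6

if __name__ == "__main__":
    for name, seq in (("scattered", SCATTERED), ("contiguous", CONTIGUOUS)):
        print(name, evaluate(seq))
```

The scattered log looks worse on the per-frame benchmark yet keeps a single identity, while the contiguous log looks better per frame but splits the person into two track identities, which is the ranking reversal a per-frame-only evaluation hides.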
Conclusion
The findings of this research indicate that evaluating surveillance robustness cannot rely solely on isolated per-frame benchmarks. Instead, it must be examined as a complex system problem that unfolds over time, across various sensors, and within realistic physical deployment constraints. This holistic approach is essential for understanding and improving the resilience of AI surveillance systems against physical adversarial attacks.
