POSTER: Not All Pixels are Born Equal: An Analysis of Evasion Attacks under Locality Constraints

Vikash Sehwag, Chawin Sitawarin, Arjun Nitin Bhagoji, Arsalan Mosenia, Mung Chiang, Prateek Mittal

Research output: Contribution to journalConference articlepeer-review

5 Scopus citations


Deep neural networks (DNNs) have enabled success in learning tasks such as image classification, semantic image segmentation and steering angle prediction which can be key components of the computer vision pipeline of safety-critical systems such as autonomous vehicles. However, previous work has demonstrated the feasibility of using physical adversarial examples to attack image classification systems. In this work, we argue that the success of realistic adversarial examples is highly dependent on both the structure of the training data and the learning objective. In particular, realistic, physicalworld attacks on semantic segmentation and steering angle prediction constrain the adversary to add localized perturbations, since it is very difficult to add perturbations in the entire field of view of input sensors such as cameras for applications like autonomous vehicles. We empirically study the effectiveness of adversarial examples generated under strict locality constraints imposed by the aforementioned applications. Even with image classification, we observe that the success of the adversary under locality constraints depends on the training dataset. With steering angle prediction, we observe that adversarial perturbations localized to an off-road patch are significantly less successful compared to those on-road. For semantic segmentation, we observe that perturbations localized to small patches are only effective at changing the label in and around those patches, making non-local attacks difficult for an adversary. We further provide a comparative evaluation of these localized attacks over various datasets and deep learning models for each task.

Original languageEnglish (US)
Pages (from-to)2285-2287
Number of pages3
JournalProceedings of the ACM Conference on Computer and Communications Security
StatePublished - 2018
Event25th ACM Conference on Computer and Communications Security, CCS 2018 - Toronto, Canada
Duration: Oct 15 2018 → …

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications


  • Adversarial examples
  • Computer vision
  • Deep learning


Dive into the research topics of 'POSTER: Not All Pixels are Born Equal: An Analysis of Evasion Attacks under Locality Constraints'. Together they form a unique fingerprint.

Cite this