## 2.5 Attacks on ML models

Image classification models in particular have been shown to be susceptible to adversarial attacks, in which small perturbations of the input lead to wrong classifications. Consequences and attack types include:

• Traffic sign misclassification
• Targeted attack $$\implies$$ force a particular, attacker-chosen prediction
• Untargeted attack $$\implies$$ force any misclassification, but not a particular prediction
• Avoiding face detection

How an attack can be performed is described by Goodfellow et al. in
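As an added worked example (not from these notes and not code from Goodfellow et al.), the script below implements the fast gradient sign method (FGSM) that Goodfellow et al. describe, on a hand-constructed three-class linear softmax classifier. The weights `W` and `B`, the input `X_CLEAN` and the budget `EPS` are assumptions chosen so that the example runs offline without an ML framework. It shows the untargeted step (move each feature along the sign of the gradient of the loss for the true label), the targeted step (move against the gradient of the loss for the attacker's chosen label), and an iterative variant that projects back onto the L-infinity ball of radius eps around the clean input.

```python
"""FGSM on a tiny linear softmax classifier (added example, pure Python)."""
import math

# Constructed 3-class linear model: logits = W @ x + b.  The weights are an
# assumption for this example, not a trained model.
W = [
    [2.0, -1.0, 0.5, 0.0],
    [-1.0, 2.0, 0.0, 0.5],
    [0.0, 0.0, 1.5, 1.5],
]
B = [0.0, 0.0, -1.0]


def logits(x):
    return [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(W, B)]


def softmax(z):
    m = max(z)  # subtract the max for numerical stability
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def predict(x):
    z = logits(x)
    return max(range(len(z)), key=z.__getitem__)


def loss_gradient(x, label):
    """d/dx of cross-entropy(softmax(Wx+b), label) = W^T (p - onehot(label))."""
    p = softmax(logits(x))
    p[label] -= 1.0
    return [sum(p[k] * W[k][i] for k in range(len(W))) for i in range(len(x))]


def sign(v):
    return 1.0 if v > 0 else (-1.0 if v < 0 else 0.0)


def clip01(x):
    """Keep every feature inside the valid input range [0, 1]."""
    return [min(1.0, max(0.0, v)) for v in x]


def fgsm(x, label, eps, targeted=False):
    """One FGSM step of size eps per feature.

    untargeted: climb the loss for the true label (any wrong class will do)
    targeted:   descend the loss for the attacker's chosen label
    """
    g = loss_gradient(x, label)
    direction = -1.0 if targeted else 1.0
    return clip01([xi + direction * eps * sign(gi) for xi, gi in zip(x, g)])


def iterative_fgsm(x0, label, eps, alpha, steps, targeted=False):
    """Repeated FGSM steps of size alpha, projected back onto the eps-ball around x0."""
    x = list(x0)
    for _ in range(steps):
        x = fgsm(x, label, alpha, targeted)
        x = clip01([min(x0i + eps, max(x0i - eps, xi)) for x0i, xi in zip(x0, x)])
    return x


def linf(a, b):
    """L-infinity distance: the largest per-feature change."""
    return max(abs(ai - bi) for ai, bi in zip(a, b))


# Constructed clean input; the model above classifies it as class 0.
X_CLEAN = [0.8, 0.3, 0.4, 0.4]
TRUE_LABEL = 0
EPS = 0.3

if __name__ == "__main__":
    print("clean prediction:", predict(X_CLEAN))
    x_un = fgsm(X_CLEAN, TRUE_LABEL, EPS)
    print("untargeted ->", predict(x_un), "linf:", linf(X_CLEAN, x_un))
    x_t = fgsm(X_CLEAN, 1, EPS, targeted=True)
    print("targeted(1) ->", predict(x_t), "linf:", linf(X_CLEAN, x_t))
    x_it = iterative_fgsm(X_CLEAN, TRUE_LABEL, EPS, 0.1, 5)
    print("iterative  ->", predict(x_it), "linf:", linf(X_CLEAN, x_it))
```

The point to notice is that both attacks change every feature by at most eps (check with `linf`), yet the untargeted step pushes the clean class-0 input into another class and the targeted step lands it exactly on the attacker's class 1; the iterative variant is what a practitioner would use when a single step is not enough, since the projection keeps the perturbation within the same budget.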

### 2.5.2 But what about attacks on human perception?

Which statement about the two lines in the figure is correct?

• Top line longer
• Bottom line longer
• Both are the same length

Look at the picture below: is it a real person or a synthetic image?

The image was created using a generative adversarial network (GAN): a generator network learns to produce images that a discriminator network can no longer tell apart from real photographs. See below for the principle; for a detailed description see https://medium.com/ai-society/gans-from-scratch-1-a-deep-introduction-with-code-in-pytorch-and-tensorflow-cb03cdcdba0f

### 2.5.3 Model Hacking ADAS to Pave Safer Roads for Autonomous Vehicles

A McAfee Advanced Threat Research (ATR) hack caused a car to drive 50 mph faster than the speed limit by tricking the camera with a piece of tape on a traffic sign. This simple physical attack caused the Advanced Driver Assist System (ADAS) to accelerate the car to 85 mph instead of 35 mph. A detailed description of the hack can be found at https://www.mcafee.com/blogs/other-blogs/mcafee-labs/model-hacking-adas-to-pave-safer-roads-for-autonomous-vehicles/

• McAfee Advanced Threat Research (ATR)
• Mobileye camera system
• utilized by over 40 million vehicles (incl. Tesla Hardware Pack 1)
• Mobileye reads a 35 mph sign as an 85 mph sign

As an outlook, Steve Povolny, Head of McAfee Advanced Threat Research, wrote:

In order to drive success in this key industry and shift the perception that machine learning systems are secure, we need to accelerate discussions and awareness of the problems and steer the direction and development of next-generation technologies. Puns intended.