“Adversarial Patch” was submitted to arXiv on December 27, 2017 by Tom B. Brown, Dandelion Mane, Aurko Roy, Martin Abadi, and Justin Gilmer at Google. It moved adversarial attacks out of the digital domain and into the physical world in a particularly practical form.
Most adversarial examples are small, image-wide perturbations tailored to one specific photo. The patch is different: it is a single, conspicuous image region, optimized to be universal (it works regardless of the rest of the scene), robust (it survives changes in lighting, angle, and position), and targeted (it forces a chosen class). Because it can simply be printed and placed in front of a camera, an attacker does not need to alter the digital pixels at all. The authors showed that placing the patch in a scene reliably caused classifiers to report the patch’s target class, for example “toaster,” even when the actual object was something entirely different.
The trade-off compared with traditional adversarial examples is that the patch is visible rather than imperceptible. But that visibility is also its strength: it is a real-world, reusable object that an attacker can deploy without any digital access to the target system.
For a business reader, the adversarial patch shows that AI vision systems can be attacked by anyone with a printer. Wherever a camera-driven model makes consequential decisions, the possibility that a physical object in the scene was crafted to hijack its judgment is a concrete security concern, not a laboratory curiosity.