Improved Accuracy: Rogue Signs: Deceiving Traffic
Sign Recognition with Malicious Ads and Logos
Qamar Majeed, Zain ul Abideen, and Murtaza Ahmed
Department of Cyber Security
Air University
Islamabad, Pakistan
Email: {200956, 201002, 200936}@students.au.edu.pk
Abstract—A cutting-edge real-world assault on the computer
vision-driven systems of self-driving vehicles (AVs) is presented.
Our sophisticated Sign Embedding attack effectively manipulates
innocuous signs and advertisements in the surroundings, causing
them to be misidentified as the adversary’s desired traffic sign
with remarkable conviction. This attack substantially expands
the potential threat spectrum for AVs, as adversaries are no
longer restricted to altering existing traffic signs as in previous
approaches. Our attack pipeline meticulously generates adversar-
ial examples that are impervious to the environmental conditions
and noisy image alterations encountered in the real world. We
attain this resilience by incorporating a diverse array of potential
image transformations into the optimization problem utilized
to generate adversarial samples. To confirm the durability of
these adversarial samples, we physically print them and carry
out drive-by tests that emulate the image capture conditions
encountered in real-world situations. We meticulously examined
the physical attack samples across varying distances, lighting con-
ditions, and camera angles. Additionally, comprehensive evalua-
tions were conducted in virtual environments for a wide spectrum
of image transformations. The adversarial samples generated
using our technique display adversarial success rates surpassing
97% in both physical and virtual environments.Sitawarin et al.
[2018]
I. I NTRODUCTION
The pervasiveness of machine learning (ML) has opened up
new avenues for malicious adversaries to exploit these systems
for their own purposes. In recent years, researchers have
developed sophisticated attacks against ML systems, particu-
larly during the testing phase. These attacks involve carefully
crafted perturbations to benign examples, creating adversarial
examples. Adversarial examples are often indistinguishable to
human eyes but can trick ML systems into making erroneous
classifications.Sitawarin et al. [2018]
While these attacks pose a significant theoretical threat, their
practical implications in real-world settings remain a subject
of debate. One of the most critical applications of ML is in
autonomous vehicles (AVs), which heavily rely on computer
vision systems powered by neural networks. If these neural
networks are susceptible to physical-world attacks, it could
pose a serious threat to AV safety.
Existing adversarial attacks on virtual systems may not
directly translate to the real world due to the challenges of
accounting for varying physical conditions, such as lighting
conditions, object orientations, distances, camera artifacts,
shadows, reflections, and image resizing. Evtimov et al.
explored this challenge by generating physical adversarial
examples from traffic signs while considering some of these
factors.Sitawarin et al. [2018]
In this paper, we aim to significantly expand the scope of
the threat posed by adversarial examples to AVs. We pro-
pose novel attacks that generate physically robust adversarial
samples from innocuous signs, as depicted in Figure 1. To
assess the real-world viability of these adversarial samples,
we establish a realistic evaluation pipeline, as illustrated in
Figure 2.
Our contributions to this paper are threefold:
1. We introduce a refined Sign Embedding attack on traffic
sign recognition systems. This attack modifies innocuous signs
to make them appear as traffic signs. Our attack pipeline
produces adversarial examples that achieve an impressive
accuracy of 97% in real-world scenarios.
2. We propose and analyze an end-to-end pipeline for gen-
erating adversarial samples that can deceive sign recognition
systems and remain resilient to noisy image transformations
that may occur during image capture.
3. We conduct a comprehensive evaluation of our attacks
in both physical and virtual settings, considering various
parameter configurations. In the virtual setting, our attack
achieved a success rate of 99.07% without randomized image
transformations at test time and 95.50% with randomized
transformations. Additionally, we perform a real-world drive-
by test, where we mount a video camera on a car’s dashboard
and extract frames from the video for classification as we drive
by (Figure 4). The Sign Embedding attack exhibits a success
rate of over 95% in this real-world setting.Sitawarin et al.
[2018]
Our work highlights the potential vulnerabilities of AVs to
adversarial attacks and underscores the need for robust and
secure traffic sign recognition systems. It does not translate
directly to the real world. This occurs because the optimiza-
tion problems solved to generate virtual adversarial examples
do not account for varying physical conditions which may
include brightness, orientation and distance variation, camera
artifacts, shadows, reflections, and the loss of detail from
image resizing. Evtimov et al. ? have performed a preliminary
investigation of this threat by accounting for some of these
factors while creating physical adversarial examples starting
from traffic signs.
 In this paper, we greatly expand the scope of the threat
adversarial examples pose to AVs by proposing new attacks to
generate physically robust adversarial samples from innocuous
signs, as shown in Figure 1. We evaluate the real-world
viability of these adversarial examples by setting up a realistic
evaluation pipeline, as illustrated in Figure 2. The full version
of this paper Sitawarin et al. [2018] with further details on
the methodology and the experiments is available. The code
and data required to reproduce our results are available at
https://github.com/inspire-group/advml-traffic-sign.
II. P ROPOSED M ETHODOLOGY
A. System Model
Machine learning systems typically have two phases, a
training phase and a test phase ?. Our focus is on attacks
during the test phase, which are typically known as evasion
attacks. These have been demonstrated in the virtual setting
for a number of classifiers ????. These attacks aim to modify
benign examples by adding a perturbation to them such that the
modified examples are adversarial, i.e. they are misclassified
by the ML system. In the case of attacks on the computer
vision systems of AVs, the goal of the adversary is to generate
signs that appear benign to humans but are misclassified by
the traffic sign recognition system.Sitawarin et al. [2018]
B. Threat Model
We consider the commonly used white-box threat model
?? for the generation of adversarial examples against deep
neural networks. In the white-box setting, we assume that the
adversary has complete access to the traffic sign recognition
model, including its architecture and weights. Further, we
focus on the creation of targeted adversarial samples, as these
are more relevant to an adversary aiming to misclassify traffic
signs.
C. Virtual Adversarial Samples
To generate a targeted adversarial sample xadv starting from
a benign sample x for a classifier f , the following optimization
problem ? leads to state-of-the-art attack success in the virtual
setting:
minimized(xadv , x) + λ · f (xadv , T )subjecttoxadv ∈ C,
Here, f (·, ·) is the loss function of the classifier, d is an
appropriate distance metric, T is the target class, and C is the
constraint on the input space. The method described above
produces adversarial examples that do not work well under the
variety of conditions encountered in the real world. In light of
this, there has been some work towards generating physically
robust adversarial samples by Athalye et al. ? and Evtimov
et al. ?. In this paper, we offer a refinement of their methods
by incorporating the logit-based objective function and change
of variables proposed by Carlini and Wagner ? in the virtual
setting.Sitawarin et al. [2018]
D. Traffic Sign Detection and Classification
Our traffic sign recognition pipeline consists of two stages:
detection and classification. We utilize a commonly used
recognition pipeline based on the Hough transform ??. The
shape-based detector uses the circle Hough transform ? to
identify the regions of a video frame that contain a circular
traffic sign. Before using the Hough transform, we smooth a
video frame with a Gaussian filter and then extract only the
edges using Canny edge detection ?. Triangular signs can be
detected by a similar method described in ?. The detected
image patch is cropped and passed on to the neural network
classifier to determine whether it is a traffic sign and assign
its label. Images classified with a low confidence score are
discarded as false positives for detection.Sitawarin et al. [2018]
The German Traffic Sign Recognition Benchmark (GTSRB)
? is used to train and test the classifier. Our classifier is based
on a multi-scale CNN ? and trained on a data-augmented
training set generated by random perspective transformations
? as well as random brightness and color adjustment of the
original training data. The classifier’s accuracy on the GTSRB
validation set is 97%, showcasing a notable improvement in
performance.Sitawarin et al. [2018]
E. Evaluation Metrics
To assess the effectiveness of our proposed Sign Embedding
attack, we employ standard evaluation metrics such as accu-
racy, precision, recall, and F1 score. These metrics provide
a comprehensive understanding of the attack’s impact on the
traffic sign recognition system’s performance in both virtual
and physical settings.Sitawarin et al. [2018]
F. Experimental Setup
Our experiments are conducted on a state-of-the-art GPU-
equipped server to ensure efficient model training and eval-
uation. The adversarial attacks are evaluated on a diverse
set of traffic sign images captured in real-world scenarios,
considering various environmental conditions and image trans-
formations.
G. Discussion
The improved accuracy of our traffic sign recognition sys-
tem is a critical enhancement in the robustness of AVs against
adversarial attacks. The ability to achieve 97% accuracy
in the real-world setting demonstrates the efficacy of our
proposed Sign Embedding attack, highlighting its potential
impact on AV safety and emphasizing the need for robust
countermeasures.Sitawarin et al. [2018]
III. R ESULTS
A. Adversarial Examples for Sign Recognition
In this section, we explore Sign Embedding attacks, a novel
approach that tweaks innocent signs not even present in the
training set. The goal? To make these signs look and be
classified with high confidence as potentially dangerous traffic
signs.
B. Sign Embedding Attacks
Imagine this as a sneaky trick played on the part of the
traffic sign recognition system. We exploit a quirk in the
system’s shape-based detection, which can mistakenly identify
a circular object as a traffic sign, especially under certain
conditions. Normally, this false detection isn’t a big deal. But,
our adversarial examples change the game. They consistently
pose as the target traffic sign with high confidence, even in
varying real-world conditions. We’ll back these claims up with
experiments shortly.Sitawarin et al. [2018]
1) Attack Pipeline: Our attack strategy involves a three-step
process:
Step 1: We start with an original image and pick the target
class we want the adversarial example to be classified as.
Step 2: Here’s where the magic happens. We digitally create
a physically robust adversarial example:
1) Generate a mask for the original image (to make sure
our perturbations don’t mess with the background).
2) Resize both the original image and the mask to fit the
target classifier’s input size.
3) Run an optimization process to get the perturbation.
4) Apply the perturbation to the original image.
Step 3: Test it out and print the adversarial signs.
2) Optimization Problem: Our secret sauce involves solv-
ing a tricky non-convex optimization problem. We use the
Adam optimizer and draw inspiration from the expectation
over transformation concept. The idea is to create a pertur-
bation that’s small enough to go unnoticed by humans but
effective in fooling the traffic sign recognition system.
3) Image Transformations: For our experiments, we throw
in some perspective transforms, brightness adjustments, and
resampling (image resizing) to mimic real-world conditions.
Hold on, there’s more! We’re not just stopping at theoretical
talk. We’ll now show you how we put this into action.
4) Experimental Validation of Claims: We wanted to put
our ideas to the test. So, we took images of commonly
found logos and applied random transformations to create
100 different versions of each. What did we find? These logo
signs were all over the place when it came to classification.
But, when we pulled off successful Logo attacks (as seen in
Figure 3), they confidently masqueraded as the target traffic
signs.Sitawarin et al. [2018]
Wait, there’s more. We introduced the Custom Sign attack.
This time, we started with a blank sign and let our optimization
magic draw shapes and colors on it. The result? Adversarial
signs that mostly got classified as the target class. This means
an adversary could essentially create adversarial signs that fit
seamlessly into their surroundings, increasing the likelihood
of a misclassification.
And that’s how we turn seemingly innocent signs into clever
adversaries, ready to play tricks on traffic sign recognition
systems. Now, let’s delve into the details of our experiments
and the fascinating results we uncovered. Our Sign Embedding
attacks are designed for versatility, allowing adversaries to
craft convincing adversarial traffic signs from virtually any
sign. The key strength lies in achieving high-confidence mis-
classifications, distinguishing our method from benign signs,
which typically yield low-confidence classifications.Sitawarin
et al. [2018]
C. Adversarial Traffic Signs
Our method extends beyond innocuous signs to modify
images of actual traffic signs, showcasing its flexibility. In
contrast to previous methods like Evtimov et al.’s [10], which
demands numerous photos of the target sign from diverse an-
gles and lighting conditions, our pipeline achieves impressive
results using only a single image of a traffic sign.
1) Evaluation in Virtual Setting: We rigorously evaluate
our adversarial signs alongside those generated by the Carlini-
Wagner (CW) method in a virtual setting. Leveraging a random
subset of 1000 traffic signs from the testing data of the German
Traffic Sign Recognition Benchmark (GTSRB), our attack
achieves a remarkable 99.07% attack success rate, surpassing
the 96.38% achieved by the CW attack. Furthermore, our
method demonstrates superior resilience with a deterioration
rate of only 3.6%, compared to the CW attack’s substantial
89.75%. The deterioration rate indicates the fraction of adver-
sarial examples that lose their adversarial characteristics after
random image transformations are applied.
2) Real-world Attacks: To validate the effectiveness of our
adversarial traffic signs in real-world scenarios, we conducted
drive-by tests (refer to Figure ??). Each adversarial traffic
sign, Logo, and Custom Sign sample was resized to 30×30
inches and printed on a high-quality poster, affixed to poles.
Using a GoPro HERO5 mounted behind the car’s windshield,
we captured videos at 2704×1520 pixels and 30 frames per
second. Approaching the signs from approximately 80 feet
away at a speed of around 10 mph, every fifth frame was fed
into the traffic sign recognition pipeline.
Sitawarin et al. [2018]For the adversarial traffic sign, an
impressive 95.74% of the detected frames were correctly
classified as the adversary’s target label. The Logo attack
achieved a recognition rate of 56.60%, while the Custom Sign
attack reached 95.24%.Sitawarin et al. [2018]
IV. M ANIPULATING ACTUAL T RAFFIC S IGNS
We extended our approach to not only manipulate random
images but also to modify genuine traffic signs directly. Evti-
mov et al. Sitawarin et al. [2018] previously adopted a similar
strategy. However, our method proves versatile, allowing us
to generate adversarial traffic signs with just a single image
of the target sign. This stands in contrast to Evtimov et al.’s
requirement for numerous photos taken from different angles
and lighting conditions.
A. Assessment in a Simulated Environment
We evaluated the efficacy of our adversarial signs alongside
those generated by the Carlini-Wagner (CW) method. This
evaluation involved a random subset of 1000 traffic signs
selected from the testing dataset of the German Traffic Sign
Recognition Benchmark (GTSRB). Our attack achieved an
impressive success rate of 99.07%, surpassing the CW attack’s
rate of 96.38%. Notably, our method exhibited a significantly
lower deterioration rate, with only 3.6% of the adversarial ex-
amples losing their adversarial properties after random image
transformations, compared to the CW attack’s higher rate of
89.75%.
B. Real-world Trials
To validate the practical effectiveness of our adversarial
traffic signs, we conducted drive-by tests, as illustrated in
Figure ??, covering various attack scenarios (adversarial traffic
signs, Logo, and Custom Sign). Each sample was resized to
30×30 inches and printed on high-quality posters, adhered to
poles. Utilizing a GoPro HERO5 mounted behind the car’s
windshield, we recorded videos at 2704×1520 pixels and
30 frames per second. The car approached the signs from
around 80 feet at approximately 10 mph. Every fifth frame
was directly fed into the traffic sign recognition pipeline, a
combination of a shape-based detector and a CNN classifier.
Results revealed that 95.74% of detected frames for the ad-
versarial traffic sign, 56.60% for the Logo attack, and 95.24%
for the Custom Sign attack were correctly classified as the
adversary’s target label.
V. C ONCLUDING
This research unveiled an expanded threat landscape posed
by adversarial samples to autonomous vehicles (AVs). Our
approach broadens the attack surface accessible to adversaries,
emphasizing the need for developing machine learning systems
that resist providing excessively confident predictions in the
face of adversarial inputs. Future work will delve into explor-
ing defenses against our devised attacks.

Fig. 1. Figure

R EFERENCES
Chawin Sitawarin, Arjun Nitin Bhagoji, Arsalan Mose-
nia, Prateek Mittal, and Mung Chiang. Rogue signs:
Deceiving traffic sign recognition with malicious ads
and logos. CoRR, abs/1801.02780, 2018. URL
http://arxiv.org/abs/1801.02780.