Vision transformers: The threat of realistic adversarial patches

Kasper Cools; Clara Maathuis; Alexander M. Van Oers; Claudia S. Hübner; Nikos Deligiannis; Marijke Vandewal; Geert De Cubber

doi:10.1117/12.3070069

Vision transformers: The threat of realistic adversarial patches

Kasper Cools
, Clara Maathuis
, Alexander M. Van Oers
, Claudia S. Hübner
, Nikos Deligiannis
, Marijke Vandewal
, Geert De Cubber

Vrije Universiteit Brussel
Open University of the Netherlands
NLDA
Fraunhofer IOSB
Interuniversitair Micro-Electronica Centrum vzw

Résultats de recherche: Chapitre dans un livre, un rapport, des actes de conférences › Contribution à une conférence › Revue par des pairs

Résumé

The increasing reliance on machine learning systems has made their security a critical concern. Evasion attacks enable adversaries to manipulate the decision-making processes of AI systems, potentially causing security breaches or misclassification of targets. Vision Transformers (ViTs) have gained significant traction in modern machine learning due to increased 1) performance compared to Convolutional Neural Networks (CNNs) and 2) robustness against adversarial perturbations. However, ViTs remain vulnerable to evasion attacks, particularly to adversarial patches, unique patterns designed to manipulate AI classification systems. These vulnerabilities are investigated by designing realistic adversarial patches to cause misclassification in person vs. non-person classification tasks using the Creases Transformation (CT) technique, which adds subtle geometric distortions similar to those occurring naturally when wearing clothing. This study investigates the transferability of adversarial attack techniques used in CNNs when applied to ViT classification models. Experimental evaluation across four fine-tuned ViT models on a binary person classification task reveals significant vulnerability variations: attack success rates ranged from 40.04% (google/vit-base-patch16-224-in21k) to 99.97% (facebook/dino-vitb16), with google/vit-base-patch16-224 achieving 66.40% and facebook/dinov3-vitb16 reaching 65.17%. These results confirm the cross-architectural transferability of adversarial patches from CNNs to ViTs, with pre-training dataset scale and methodology strongly influencing model resilience to adversarial attacks.

langue originale	Anglais
titre	Artificial Intelligence for Security and Defence Applications III
rédacteurs en chef	Hugo J. Kuijf, Radhakrishna Prabhu, Yitzhak Yitzhaky
Editeur	Society of Photo-Optical Instrumentation Engineers
ISBN (Electronique)	9781510692978
Les DOIs	https://doi.org/10.1117/12.3070069
état	Publié - 28 oct. 2025
Evénement	3rd Artificial Intelligence for Security and Defence Applications - Madrid, Espagne Durée: 16 sept. 2025 → 18 sept. 2025

Série de publications

Nom	Proceedings of SPIE - The International Society for Optical Engineering
Volume	13679
ISSN (imprimé)	0277-786X
ISSN (Electronique)	1996-756X

Une conférence

Une conférence	3rd Artificial Intelligence for Security and Defence Applications
Pays/Territoire	Espagne
La ville	Madrid
période	16/09/25 → 18/09/25

Accès au document

10.1117/12.3070069

Autres fichiers et liens

Lien vers la publication dans Scopus

Contient cette citation

Cools, K., Maathuis, C., Van Oers, A. M., Hübner, C. S., Deligiannis, N., Vandewal, M., & De Cubber, G. (2025). Vision transformers: The threat of realistic adversarial patches. Dans H. J. Kuijf, R. Prabhu, & Y. Yitzhaky (eds.), Artificial Intelligence for Security and Defence Applications III Article 136790P (Proceedings of SPIE - The International Society for Optical Engineering; Vol 13679). Society of Photo-Optical Instrumentation Engineers. https://doi.org/10.1117/12.3070069

Cools, Kasper ; Maathuis, Clara ; Van Oers, Alexander M. et al. / Vision transformers : The threat of realistic adversarial patches. Artificial Intelligence for Security and Defence Applications III. Editeur / Hugo J. Kuijf ; Radhakrishna Prabhu ; Yitzhak Yitzhaky. Society of Photo-Optical Instrumentation Engineers, 2025. (Proceedings of SPIE - The International Society for Optical Engineering).

@inproceedings{8888445645a047cd889aa24a40eb585b,

title = "Vision transformers: The threat of realistic adversarial patches",

abstract = "The increasing reliance on machine learning systems has made their security a critical concern. Evasion attacks enable adversaries to manipulate the decision-making processes of AI systems, potentially causing security breaches or misclassification of targets. Vision Transformers (ViTs) have gained significant traction in modern machine learning due to increased 1) performance compared to Convolutional Neural Networks (CNNs) and 2) robustness against adversarial perturbations. However, ViTs remain vulnerable to evasion attacks, particularly to adversarial patches, unique patterns designed to manipulate AI classification systems. These vulnerabilities are investigated by designing realistic adversarial patches to cause misclassification in person vs. non-person classification tasks using the Creases Transformation (CT) technique, which adds subtle geometric distortions similar to those occurring naturally when wearing clothing. This study investigates the transferability of adversarial attack techniques used in CNNs when applied to ViT classification models. Experimental evaluation across four fine-tuned ViT models on a binary person classification task reveals significant vulnerability variations: attack success rates ranged from 40.04\% (google/vit-base-patch16-224-in21k) to 99.97\% (facebook/dino-vitb16), with google/vit-base-patch16-224 achieving 66.40\% and facebook/dinov3-vitb16 reaching 65.17\%. These results confirm the cross-architectural transferability of adversarial patches from CNNs to ViTs, with pre-training dataset scale and methodology strongly influencing model resilience to adversarial attacks.",

keywords = "Adversarial Patches, Attack Transferability, Evasion Attacks, Vision Transformers",

author = "Kasper Cools and Clara Maathuis and \{Van Oers\}, \{Alexander M.\} and H{\"u}bner, \{Claudia S.\} and Nikos Deligiannis and Marijke Vandewal and \{De Cubber\}, Geert",

note = "Publisher Copyright: {\textcopyright} COPYRIGHT SPIE. Downloading of the abstract is permitted for personal use only.; 3rd Artificial Intelligence for Security and Defence Applications ; Conference date: 16-09-2025 Through 18-09-2025",

year = "2025",

month = oct,

day = "28",

doi = "10.1117/12.3070069",

language = "English",

series = "Proceedings of SPIE - The International Society for Optical Engineering",

publisher = "Society of Photo-Optical Instrumentation Engineers",

editor = "Kuijf, \{Hugo J.\} and Radhakrishna Prabhu and Yitzhak Yitzhaky",

booktitle = "Artificial Intelligence for Security and Defence Applications III",

}

Cools, K, Maathuis, C, Van Oers, AM, Hübner, CS, Deligiannis, N, Vandewal, M & De Cubber, G 2025, Vision transformers: The threat of realistic adversarial patches. Dans HJ Kuijf, R Prabhu & Y Yitzhaky (eds), Artificial Intelligence for Security and Defence Applications III., 136790P, Proceedings of SPIE - The International Society for Optical Engineering, VOL. 13679, Society of Photo-Optical Instrumentation Engineers, 3rd Artificial Intelligence for Security and Defence Applications, Madrid, Espagne, 16/09/25. https://doi.org/10.1117/12.3070069

Vision transformers: The threat of realistic adversarial patches. / Cools, Kasper; Maathuis, Clara; Van Oers, Alexander M. et al.
Artificial Intelligence for Security and Defence Applications III. Ed. / Hugo J. Kuijf; Radhakrishna Prabhu; Yitzhak Yitzhaky. Society of Photo-Optical Instrumentation Engineers, 2025. 136790P (Proceedings of SPIE - The International Society for Optical Engineering; Vol 13679).

Résultats de recherche: Chapitre dans un livre, un rapport, des actes de conférences › Contribution à une conférence › Revue par des pairs

TY - GEN

T1 - Vision transformers

T2 - 3rd Artificial Intelligence for Security and Defence Applications

AU - Cools, Kasper

AU - Maathuis, Clara

AU - Van Oers, Alexander M.

AU - Hübner, Claudia S.

AU - Deligiannis, Nikos

AU - Vandewal, Marijke

AU - De Cubber, Geert

PY - 2025/10/28

Y1 - 2025/10/28

N2 - The increasing reliance on machine learning systems has made their security a critical concern. Evasion attacks enable adversaries to manipulate the decision-making processes of AI systems, potentially causing security breaches or misclassification of targets. Vision Transformers (ViTs) have gained significant traction in modern machine learning due to increased 1) performance compared to Convolutional Neural Networks (CNNs) and 2) robustness against adversarial perturbations. However, ViTs remain vulnerable to evasion attacks, particularly to adversarial patches, unique patterns designed to manipulate AI classification systems. These vulnerabilities are investigated by designing realistic adversarial patches to cause misclassification in person vs. non-person classification tasks using the Creases Transformation (CT) technique, which adds subtle geometric distortions similar to those occurring naturally when wearing clothing. This study investigates the transferability of adversarial attack techniques used in CNNs when applied to ViT classification models. Experimental evaluation across four fine-tuned ViT models on a binary person classification task reveals significant vulnerability variations: attack success rates ranged from 40.04% (google/vit-base-patch16-224-in21k) to 99.97% (facebook/dino-vitb16), with google/vit-base-patch16-224 achieving 66.40% and facebook/dinov3-vitb16 reaching 65.17%. These results confirm the cross-architectural transferability of adversarial patches from CNNs to ViTs, with pre-training dataset scale and methodology strongly influencing model resilience to adversarial attacks.

AB - The increasing reliance on machine learning systems has made their security a critical concern. Evasion attacks enable adversaries to manipulate the decision-making processes of AI systems, potentially causing security breaches or misclassification of targets. Vision Transformers (ViTs) have gained significant traction in modern machine learning due to increased 1) performance compared to Convolutional Neural Networks (CNNs) and 2) robustness against adversarial perturbations. However, ViTs remain vulnerable to evasion attacks, particularly to adversarial patches, unique patterns designed to manipulate AI classification systems. These vulnerabilities are investigated by designing realistic adversarial patches to cause misclassification in person vs. non-person classification tasks using the Creases Transformation (CT) technique, which adds subtle geometric distortions similar to those occurring naturally when wearing clothing. This study investigates the transferability of adversarial attack techniques used in CNNs when applied to ViT classification models. Experimental evaluation across four fine-tuned ViT models on a binary person classification task reveals significant vulnerability variations: attack success rates ranged from 40.04% (google/vit-base-patch16-224-in21k) to 99.97% (facebook/dino-vitb16), with google/vit-base-patch16-224 achieving 66.40% and facebook/dinov3-vitb16 reaching 65.17%. These results confirm the cross-architectural transferability of adversarial patches from CNNs to ViTs, with pre-training dataset scale and methodology strongly influencing model resilience to adversarial attacks.

KW - Adversarial Patches

KW - Attack Transferability

KW - Evasion Attacks

KW - Vision Transformers

UR - https://www.scopus.com/pages/publications/105024842691

U2 - 10.1117/12.3070069

DO - 10.1117/12.3070069

M3 - Conference contribution

AN - SCOPUS:105024842691

T3 - Proceedings of SPIE - The International Society for Optical Engineering

BT - Artificial Intelligence for Security and Defence Applications III

A2 - Kuijf, Hugo J.

A2 - Prabhu, Radhakrishna

A2 - Yitzhaky, Yitzhak

PB - Society of Photo-Optical Instrumentation Engineers

Y2 - 16 September 2025 through 18 September 2025

ER -

Cools K, Maathuis C, Van Oers AM, Hübner CS, Deligiannis N, Vandewal M et al. Vision transformers: The threat of realistic adversarial patches. Dans Kuijf HJ, Prabhu R, Yitzhaky Y, rédacteurs en chef, Artificial Intelligence for Security and Defence Applications III. Society of Photo-Optical Instrumentation Engineers. 2025. 136790P. (Proceedings of SPIE - The International Society for Optical Engineering). doi: 10.1117/12.3070069

Vision transformers: The threat of realistic adversarial patches

Résumé

Série de publications

Une conférence

Accès au document

Autres fichiers et liens

Empreinte digitale

Contient cette citation