HE-DMDeception: Adversarial Attack Network for 3D Object Detection Based on Human Eye and Deep Learning Model Deception

Abstract

This paper presents HE-DMDeception, a novel adversarial attack network that integrates human visual deception with deep model deception to enhance the security of 3D object detection. Existing patch-based and camouflage methods can mislead deep learning models but struggle to generate visually imperceptible, high-quality textures. Our framework employs a CycleGAN-based camouflage network to generate highly camouflaged background textures, while a dedicated deception module disrupts non-maximum suppression (NMS) and attention mechanisms through optimized constraints that balance attack efficacy and visual fidelity. To overcome the scarcity of annotated vehicle data, an image segmentation module based on the pre-trained Segment Anything (SAM) model is introduced, leveraging a two-stage training strategy combining semi-supervised self-training and supervised fine-tuning. Experimental results show that the minimum P@0.5 values (50%, 55%, 20%, 25%, 25%) were achieved by HE-DMDeception across You Only Look Once version 8 (YOLOv8), Real-Time Detection Transformer (RT-DETR), Fast Region-based Convolutional Neural Network (Faster-RCNN), Single Shot MultiBox Detector (SSD), and MaskRegion-based Convolutional Neural Network (Mask RCNN) detection models, while maintaining high visual consistency with the original camouflage. These findings demonstrate the robustness and practicality of HE-DMDeception, offering new insights into 3D object detection adversarial attacks.

1. Introduction

The rapid advancement of artificial intelligence (AI) has established 3D object detection as a critical technology in areas such as autonomous driving, robotics, and virtual reality. Despite substantial performance improvements achieved by deep learning models, these models remain susceptible to adversarial attacks. Such attacks involve introducing imperceptible perturbations to the input data, resulting in incorrect predictions. These subtle alterations can cause misclassification or even prevent object detection, significantly affecting decision-making processes, despite being nearly imperceptible to the human eye.

Currently, adversarial sample generation methods for 3D object detection are classified into patch-based and camouflage-based approaches. The patch-based method generates attacks by adding adversarial patches to the target object. The central idea is to concentrate noise within a localized patch area without applying disturbance constraints. However, this approach is limited to the local region of the object and is easily affected by factors such as occlusion [1]. In real-world applications, the patch is typically placed on the surface of a planar object, in front of the object, or in the background.

Camouflage-based methods directly modify the shape, texture, color, and other attributes of the target object. In 3D object camouflage, a differentiable neural renderer is employed to optimize the texture or shape of the 3D vehicle [2,3]. For instance, altering the texture patterns on the vehicle’s surface introduces visual changes that affect the detection system’s ability to recognize the vehicle. Additionally, the adversarial model continuously refines the camouflage and applies it repeatedly to the surface of the target object. A physically non-differentiable renderer is used to map it onto the vehicle’s surface [4,5]. In contrast, some studies employ differentiable neural renderers to directly optimize the texture of the 3D vehicle. Since most real-world target objects are three-dimensional with non-planar surfaces, camouflage-based methods must account for this complex geo-metric structure. When camouflaging a 3D vehicle, it is crucial to ensure that the camouflage adapts to the vehicle’s curved surface and effectively interferes with detection from various viewpoints. Through techniques such as differentiable neural renderers, the camouflage texture is accurately mapped to the 3D object’s surface, ensuring its effectiveness from all angles and preventing failure due to viewpoint changes.

However, both of the aforementioned methods lack robustness in handling multi-view scenarios and partially occluded objects, and they also face limitations in generating high-quality textures [6]. On one hand, patch-based methods are prone to having patches adhere to planar objects, which makes them unsuitable for attacking target detectors of 3D models. On the other hand, prior camouflage-based methods apply adversarial camouflage only to specific areas of the 3D vehicle model (e.g., the roof or side doors), significantly reducing the attack’s effectiveness from multiple viewpoints. Once the camouflaged region becomes obscured, the attack’s effectiveness declines sharply.

Table 1. Overview of advantages and disadvantages of adversarial sample generation methods.

Category	Methods	Key Idea	Advantages	Disadvantages
Patch-based methods	Dual Attention Suppression (DAS) [1]	Generate localized adversarial patches by concentrating noise on target objects.	Easy to implement with strong local attacks.	limited to local regions, sensitive to occlusion and patch placement, and performs poorly in multi-view scenarios.
Camouflage-based methods with differentiable renderer	Attacks Beyond the Image Space [2], MeshAdv [3]	Optimize texture of 3D object via differentiable renderer.	Alters visual attributes of entire object; texture optimized for 3D surfaces; effective in single-view attacks.	Computationally intensive; may produce low-quality textures; limited robustness under partial occlusion; effectiveness decreases if camouflaged region is obscured.
Camouflage-based methods with non-differentiable renderer	CAMOU [4], Universal Physical Camouflage Attack (UPC) [5]	Apply optimized camouflage to 3D object via non-differentiable renderer.	Enables real-world application; allows multiple refinements on surface.	Hard to optimize globally; limited texture quality; less effective in multi-view scenarios; sensitive to surface geometry.
Full-Coverage methods	FCA [6]	Combines full-coverage camouflage generation network and deep model deception module.	Generates high-fidelity, visually subtle textures that remain effective across multi-view, partially occluded, and viewpoint-agnostic scenarios, achieving a balance between texture quality and adversarial potency.	Slightly more computationally complex than patch-based methods; requires neural renderer for texture mapping.

provides the advantages and limitations of the aforementioned methods.

To address challenges such as insufficient robustness in multi-view and partially occluded objects, poor texture quality, and the limited effectiveness of multi-view attacks, this paper proposes an improved full-coverage method by designing a novel adversarial texture generation and optimization network. This network enhances the quality and stability of generated textures, ensuring that the adversarial textures are visually imperceptible while effectively misleading deep learning models. This dual objective of deceiving both human vision and detection models increases the stealthiness and practicality of adversarial examples in real-world applications.

To achieve this, the proposed network combines a camouflage generation network and a deep model deception module. The camouflage generation network is responsible for generating background textures with a camouflage style, while the deep model deception module targets the attention mechanisms of deep learning models to achieve adversarial effects. During this process, specific constraints are optimized to ensure that the generated textures are distortion-free and effective at deceiving models. This optimization strategy balances texture visual quality with adversarial effectiveness, enabling the generated full-coverage textures to excel in both attack performance and visual naturalness.

The contributions of this work are summarized as follows:

(1)

A novel framework, HE-DMDeception, is proposed to jointly optimize human visual deception and deep model deception for generating stealthy and effective adversarial camouflage;

(2)

For human visual deception, a CycleGAN-based camouflage network is employed to generate highly camouflaged background textures, which serve as the initial input for subsequent deep model deception.

(3)

A SAM-based segmentation pipeline with semi-supervised fine-tuning is introduced to mitigate the scarcity of annotated vehicle masks;

(4)

NMS-targeted and attention-dispersion loss terms are designed to explicitly disrupt detection pipelines while preserving camouflage fidelity;

Building upon these improvements, HE-DMDeception integrates high-fidelity texture synthesis with model-specific deception mechanisms to produce stable adversarial textures within a full-coverage framework. Experimental results validate the effectiveness of these enhancements, showing that the generated adversarial samples not only exhibit strong attack capabilities in 3D object detection tasks but also maintain a high degree of visual consistency with the original camouflage patterns.

2. Network Architecture

The network architecture, depicted in Figure 1, consists of two main components: human visual deception and deep model deception. The human visual deception module is based on the CycleGAN network, which comprises two generators ($G$,$F$) and two discriminators ($D_X$,$D_Y$). This module operates across two distinct image domains: camouflaged images ($X$) and background images ($Y$). These datasets are used for training, ultimately generating an initial background texture with a camouflage pattern ($T_0$), which serves as the adversarial texture for the 3D vehicle in the deep model deception module.

The deep model deception module employs a neural renderer ($R$) to generate adversarial textures through model-based adversarial training, thereby mitigating significant texture distortion. For a vehicle training set $\left(B,\omega \right)$, where B represents images of the target vehicle with true labels, and $\omega$ represents the corresponding camera parameters, 2D vehicle images are rendered from the 3D vehicle model that includes the mesh $M$ and texture $T$, using the camera parameters and the renderer $R$. Finally, the rendered vehicle image $T_{adv}$ is merged with the background image to produce the final adversarial sample image $I_{adv}$.

This framework attacks the deep model through non-maximum suppression and attention mechanisms, specifically by dispersing attention weights, which reduces the model’s focus on the target.

2.1. Human Vision Deception Module

The camouflage generation network used for human vision deception is built upon a generative adversarial network (GAN). Like a GAN, it requires a large dataset for training the network model, which simultaneously improves the performance of both the generator and discriminator sub-networks. Ultimately, this allows the generator to learn a vast amount of background feature information, enabling it to generate highly realistic patterns.

2.1.1. Camouflage-Style Background Dataset

Background images were collected from both field photography and computer generation, encompassing diverse environments such as snow, forest, desert, sand, and grassland. The real background dataset contains a total of 518 images, including 117 snow, 103 forest, 98 desert, 90 sand, and 110 grassland samples. In addition, 200 camouflage images were gathered from multiple camouflage patterns. To further enrich the dataset, CycleGAN-based style transfer was applied to generate camouflage-style backgrounds from these real and camouflage images, followed by a series of data augmentation techniques. This process produced 1600 synthetic images across the five environments. Such integration of real and generated data provides a viable solution for implementing high-fusion camouflage disguise. All datasets were split into 80% training, 10% validation, and 10% testing, with proportional representation of each class in every split. Representative examples of the background dataset and camouflage styles are shown in Figure 2.

2.1.2. Cycle-Consistent Generative Adversarial Network

CycleGAN is an unsupervised image-to-image translation model that generates high-fidelity camouflage patterns without requiring paired training data [7]. It utilizes unpaired background and camouflage samples, simplifying data collection in scenarios where matched pairs are unavailable. The cycle consistency loss ensures faithful color and texture transformation, mitigating common GAN artifacts such as color distortion and structural instability. Consequently, it produces seamless camouflage patterns that blend effectively into background environments, significantly enhancing concealment.

CycleGAN involves two generators and two discriminators for two image domains, $X$ and $Y$. Generator $G\left(·\right)$ transforms camouflage images from $X$ to background images in $Y$, aiming to fool discriminator $D_Y\left(·\right)$. Generator $F\left(·\right)$ does the reverse, converting background images from $Y$ to $X$ to fool discriminator $D_X\left(·\right)$.

$${\mathcal{L}}_{\mathrm{cyc}}(G,F,D_X,D_Y)=E_{x~p_{\mathrm{data}}(x)}\left[{‖F(G(x))-x‖}_1\right]+E_{y~p_{\mathrm{data}}(y)}\left[‖\left[{‖G(F(y))-y‖}_1\right]‖\right]$$

(1)

The Formula (1) consists of two cycle consistency losses: forward and backward. The forward loss $E_{x~p_{\mathrm{data}}(x)}\left[{‖F(G(x))-x‖}_1\right]$ ensures that after transforming an image $x$ in domain $\begin{array}{c}X\end{array}$ to $G(x)$ in domain $\begin{array}{c}Y\end{array}$ and then back to $F(G(x))$ in domain $\begin{array}{c}X\end{array}$, the $L_1$ distance between $F(G(x))$ and $x$ is minimized. Similarly, the backward cycle consistency loss ${\mathrm{E}}_{y~p_{\mathrm{data}}(y)}\left[{‖G(F(y))-y‖}_1\right]$ minimizes the distance between $G(F(y))$ and $y$ in domain $\begin{array}{c}Y\end{array}$. Together, these losses guarantee that the image can be approximately restored after two-way transformation, preventing unreasonable mappings in the generator.

$$\mathcal{L}(G,F,D_X,D_Y)={\mathcal{L}}_{\mathrm{GAN}}(G,D_Y,X,Y)+{\mathcal{L}}_{\mathrm{GAN}}(F,D_X,Y,X)+\alpha {\mathcal{L}}_{\mathrm{cyc}}(G,F)$$

(2)

$$G^{*},F^{*},D_X,D_Y=\arg \min \hspace{1em}\mathrm{ma}\mathcal{L}(G,F,D_X,D_Y)$$

(3)

The objective function Equation (2) combines adversarial loss and cycle consistency loss, with $\alpha$ controlling the importance of the cycle consistency. The goal is to optimize generators $G$ and $F$ such that, when confronted with discriminators $\begin{array}{c}{D}_X\end{array}$ and $\begin{array}{c}{D}_Y\end{array}$, the generated images are both similar to target domain images (via adversarial loss) and maintain cycle consistency (via cycle consistency loss). The optimization problem shown in Equation (3) seeks to balance adversarial training by minimizing with respect to the generators and maximizing with respect to the discriminators. Note that the adversarial loss contains two terms: ${\mathcal{L}}_{\mathrm{GAN}}(G,D_Y,X,Y)$ and ${\mathcal{L}}_{\mathrm{GAN}}(F,D_X,Y,X)$, which can be written as follows:

$$\left\{\begin{array}{l}{\mathcal{L}}_{\mathrm{GAN}}(G,D_Y,X,Y)=E_{y~p_{\mathrm{data}}(y)}\left[\log D_Y(y)\right]+E_{x~p_{\mathrm{data}}(x)}\left[\log (1-D_Y(G(x)))\right]\\ {\mathcal{L}}_{\mathrm{GAN}}(F,D_X,X,Y)=E_{x~p_{\mathrm{data}}(x)}\left[\log D_X(x)\right]+E_{y~p_{\mathrm{data}}(y)}\left[\log (1-D_X(F(y)))\right]\end{array}\right.$$

(4)

2.1.3. Neural Renderer

The Neural 3D Mesh Renderer (NMR) is a deep learning-based method designed to generate high-quality 2D images from 3D mesh data [8]. It emulates the traditional rendering pipeline using a neural network comprising a rendering network and a view transformation module. The rendering network produces images based on factors such as lighting, viewpoint, and material properties, while the view transformation module simulates variations in perspective. During training, NMR fine-tunes the network by comparing the generated images with real ones, thereby enhancing realism.

A key advantage of NMR is its capacity to produce 2D images directly from 3D models, effectively overcoming challenges in lighting, viewpoint, and material properties.

In the context of physical world attacks, neural renderers are used to convert 3D objects into input images required by deep learning systems. A 3D object is represented by a mesh tensor $M$, a texture tensor $T$, and a ground truth label $y$, denoted as $(M,T)$. Given environmental conditions $\omega$ (such as camera view, object distance, lighting, etc.), the neural renderer $R$ can generate the input image $I\in R^{H\times W\times 3}$, i.e., $I=R((M,T),\omega )$. This process indicates that the neural renderer plays an important role in physical world attacks, connecting the real object with the input image of the deep learning system, and providing the necessary image data for subsequent generation of adversarial camouflage.

In generating adversarial camouflage in the physical world, the original texture tensor $T$ is replaced with the adversarial texture tensor $T_{adv}$, which is then processed by the neural renderer to produce the adversarial image $I_{adv}$, i.e., $I_{adv}=R((M,T_{adv}),\omega )$. This adversarial image is then used to attack the deep learning model.

2.2. Deep Model Deception Module

Adversarial attacks can be categorized into black-box and white-box attacks. Black-box attacks exhibit better transferability but weaker performance, while white-box attacks demonstrate stronger performance but may suffer from overfitting. To balance adversarial effectiveness and transferability, white-box attacks are designed to target the non-maximum suppression (NMS) and attention mechanisms of deep learning models during training, thereby generating adversarial samples with strong transferability. NMS is a critical step in object detection, used to eliminate redundant candidate boxes, whereas attention mechanisms are common feature extraction methods shared across object detectors. By attacking these shared features, the effectiveness and transferability of adversarial samples can be significantly enhanced.

2.2.1. NMS Mechanism Attack

The NMS mechanism attack disrupts the process by increasing the confidence scores of candidate boxes and reducing the intersection-over-union (IoU) values between boxes, which results in retaining redundant boxes and causing the mechanism to fail, leading to model detection errors. The attack strategy involves raising confidence scores, decreasing IoU values, and reducing the size of candidate boxes to lower computational resource demands, thereby achieving an effective attack on the NMS mechanism. The loss function for this attack is as follows:

$${\mathcal{L}}_{adv}^{\mathrm{IoU}}={\displaystyle {\sum }_i^N\mathrm{IoU}\left(b^i,b_{gt}^i\right)}$$

(5)

where N represents the multi-scale outputs of the object detection model, while $b^i$ and $b_{gt}^i$ denote the predicted result at the i-th scale and the corresponding ground truth box, respectively.

2.2.2. Attention Mechanism Attack

The attention mechanism attack disperses the model’s focus on target regions, weakening its feature extraction capability and resulting in erroneous detection and classification. To achieve this, we reduce pixel values in the attention map and expand the edges of zero-pixel regions to shift the hotspot areas. An attention dispersion loss function is designed to target the model’s feature extraction capability. The loss function is as follows:

$${\mathcal{L}}_a={‖(\gamma \cdot E+1)\odot \left(T_{adv}-T_0\right)‖}_2^2$$

(6)

where $\gamma \cdot E+1$ represents the attention tensor; $1$ is a tensor where all elements are 1, with the same dimensions as $E$; ⊙ denotes element-wise multiplication; $T_0$ and $T_{adv}$ represent the initial and generated adversarial texture tensors, respectively.

2.2.3. Adversarial Camouflage Texture Constraints

The adversarial camouflage texture constraints aim to avoid conspicuous visual features, ensuring that the generated textures remain difficult to detect in real-world scenarios. By constraining the Euclidean distance between the generated texture and the original texture, the adversarial patterns are prevented from excessive distortion during training. A similarity loss function is designed to minimize image differences, preserving the original camouflage characteristics. Additionally, smoothing techniques are introduced to reduce pixel-to-pixel gaps, enhancing the stealthiness of the camouflage. The loss function is as follows:

$${\mathcal{L}}_s={\displaystyle {\sum }_{i,j}{\left(x_{i,j}-x_{i+1,j}\right)}^2+{\left(x_{i,j}-x_{i,j+1}\right)}^2}$$

(7)

where $x_{i,j}$ represents the pixel value at coordinate $\left(i,j\right)$ of the rendered image covered with the adversarial texture.

2.2.4. The Overall Loss Function

In addition to the three loss functions mentioned above, the classification loss in object detection (representing the classification probability of the target class) also needs to be considered. Specifically, for the detection results, the probability of the target class t at the i-th scale is denoted as $b_{cl{s}^t}^i$. The classification loss is given by the following formula:

$${\mathcal{L}}_{adv}^{cls}={\displaystyle {\sum }_i^N{b}_{cl{s}^t}^i}$$

(8)

The overall loss function of the deep model deception module can be expressed as follow:

$${\mathcal{L}}_{adv}={\lambda }_1{\mathcal{L}}_{adv}^{iou}+{\lambda }_2{\mathcal{L}}_a+{\lambda }_3{\mathcal{L}}_{adv}^{cls}+{\lambda }_4{\mathcal{L}}_s$$

(9)

where the fourth term denotes the traditional classification loss. Note that the first three loss terms ${\mathcal{L}}_{adv}^{\mathrm{IoU}}$, ${\mathcal{L}}_a$ and ${\mathcal{L}}_{adv}^{cls}$ are given equal weights.

Table 2. Summary of each of the four individual loss terms in the overall loss function.

Loss Term	Purpose/Mechanism	Weight
NMS Mechanism Attack Loss ${\mathcal{L}}_{adv}^{iou}$	This attack disrupts NMS by inflating confidence scores and lowering IoU to prevent proper duplicate filtering, resulting in cluttered false positives.	${\lambda }_1=1$
Attention Mechanism Attack Loss ${\mathcal{L}}_a$	This attack weakens the model’s feature extraction by dispersing its attention, leading to misclassification and missed detections.	${\lambda }_2=1$
Camouflage Similarity Loss ${\mathcal{L}}_{adv}^{cls}$	This constraint ensures the adversarial texture remains stealthy and visually plausible in real-world scenarios by minimizing its distortion from the original pattern.	${\lambda }_3=1$
Classification Loss ${\mathcal{L}}_s$	This core loss function minimizes the model’s probability score for the correct class, driving the adversarial misclassification.	${\lambda }_4=0.5$

summarizes each loss term, including its purpose and relative weight.

2.3. Image Segmentation Module

Acquiring large-scale annotated data for automotive image segmentation is challenging, which limits model performance. To address this, we propose a two-stage training strategy utilizing the pre-trained Segment Anything (SAM) model, which leverages unlabeled data to improve performance [9]. The process consists of semi-supervised self-training followed by supervised fine-tuning.

In the data processing stage, the automotive image data $X\in R^{l\times w\times h}$ (where l, w, and h represent the length, width, and number of channels of the image, respectively) and its corresponding segmentation labels $Y_{seg}\in R^{l\times w\times h}$ are divided into a series of sub-images $\{x_1,x_2,\dots ,x_n\}\in R^{c\times w\times h}$ and $\{y_1,y_2,\dots ,y_n\}\in R^{c\times w\times h}$ according to specific rules (where c is a relevant parameter such as the number of channels set according to the image division requirements). This division process can be represented by the following mathematical formula:

$$x_i=X[i, :, :] \mathrm{and} y_i=Y_{\mathrm{seg}}[i, :, :] \mathrm{for} i=1,2,\cdots ,n$$

(10)

Entering the semi-supervised self-training stage, the unlabeled automotive image dataset $X_u=\{x_{n+1},x_{n+2},\dots ,x_{n+m}\}\in R^{c\times w\times h}$ (m represents the number of unlabeled images) is input into the SAM model f. The SAM model will extract features from these unlabeled data, learn their feature representations, and then predict pseudo-labels ${\widehat{Y}}_u=\{{\widehat{y}}_{n+1},{\widehat{y}}_{n+2},\dots ,{\widehat{y}}_{n+m}\}$. The specific processes of feature extraction and pseudo-label generation can be described by the following formulas:

$$z_j={\mathit{f}}_{\mathrm{encoder}}(x_j;{\mathit{\theta }}_{\mathrm{encoder}})$$

(11)

$${\widehat{y}}_j={\mathit{f}}_{\mathrm{decoder}}(z_j;{\mathit{\theta }}_{\mathrm{decoder}})$$

(12)

In the formulas, $z_j$ represents the feature representation of the sub-image, ${\widehat{y}}_j$ is the pseudo-label generated by the SAM model, and ${\mathit{\theta }}_{\mathrm{encoder}}$ and ${\mathit{\theta }}_{\mathrm{decoder}}$ are the model parameters of ${\mathit{f}}_{\mathrm{encoder}}$ and ${\mathit{f}}_{\mathrm{encoder}}$, respectively.

By introducing a large number of unlabeled data, the generalization ability of the model is significantly enhanced, and the dependence on labeled data is reduced accordingly. Next, the pseudo-labeled dataset $\left(X_u,{\widehat{Y}}_u\right)=\{(x_j,{\widehat{y}}_j)\}(j=n+1,\dots ,n+m)$ is combined with the existing actual labeled dataset $\left(X_l,Y_l\right)=\{(x_i,y_{i)}\}(i=1,\dots ,n)$ to construct an extended training set. The Unet model is trained using this extended training set. During the training process, the Binary Cross Entropy with Logits Loss is used as the loss function, and the AMAD optimizer is used to adjust the model parameters.

Following the semi-supervised self-training phase, the Unet model is fine-tuned with labeled data to correct deviations from pseudo-labels and further enhance model performance. This two-stage approach effectively exploits the feature extraction capabilities of the SAM model, leading to improved segmentation performance in automotive image tasks. It offers a viable solution to the challenge of limited labeled data. The detailed process is illustrated in Figure 3.

3. Experimental Setup

3.1. Datasets

This study employs the CARLA platform, an established open-source simulator grounded in Unreal Engine 4, to replicate physical world attacks within a 3D virtual environment [10,11]. CARLA is equipped with a diverse set of high-resolution digital assets, enabling the simulation of realistic urban settings for autonomous driving research. A range of high-fidelity digital environments, such as modern urban layouts, are provided by the CARLA (v0.9.14) simulator, which is developed using Unreal Engine 4. For fair comparison with previous work, the datasets from DAS [1] and FCA [6] are directly employed. The training set consists of 12,500 images at 1920 × 1080 resolution, with an additional 3000 images retained for testing. Within the simulation environment, 155 locations were randomly chosen for vehicle positioning. At each location, 100 images were acquired using a virtual camera configured with varying distances (5, 10, 15, 20 m), pitch angles (22.5°, 45°, 67.5°, 90°), and yaw angle (south, north, east, west, southeast, southwest, northeast, and northwest).

3.2. Evaluation Metrics

To evaluate adversarial attack performance, four image classification models (ResNet-152, DenseNet-201, Inception-V3, VGG-19) and five object detection models (YOLOv8, RT-DETR, SSD, Faster R-CNN, Mask R-CNN) were tested [12,13,14,15,16,17,18,19,20]. Accuracy was used for image classification, and P@0.5 (percentage of correct detections with an IOU threshold of 0.5) for object detection [21,22].

$$\mathrm{Accuracy}={\displaystyle \frac{\mathrm{TP}+\mathrm{TN}}{\mathrm{TP}+\mathrm{FN}+\mathrm{FP}+\mathrm{TN}}}$$

(13)

where TP (True Positive) denotes the number of positive samples correctly identified; TN (True Negative) refers to the number of negative samples correctly identified; FN (False Negative) indicates the number of positive samples incorrectly classified as negative; and FP (False Positive) represents the number of negative samples incorrectly classified as positive.

This study evaluates the impact of various adversarial camouflage methods on the accuracy of four classification models: Inception-V3, VGG-19, ResNet-152, and DenseNet. Experimental results indicate that the proposed method significantly outperforms existing approaches.

4. Analysis and Discussion

Without adversarial camouflage, as shown in

Table 3. The comparison results of adversarial attacks on the classification task.

Method	Accuracy (%) 1
	Inception-V3	VGG-19	ResNet-152	DenseNet
Raw	58.33	40.28	41.67	46.53
MeshAdv	40.28	34.03	38.89	36.11
CAMOU	40.28	29.17	31.25	45.14
UPC	35.41	33.33	33.33	41.67
DAS	31.94	27.78	29.86	41.67
HE-DMDeception	30	24.4	23	32

¹ The percentage of correctly classified predictions out of all predictions made.

, Inception-V3 achieved the highest accuracy (58.33%), while VGG-19 performed the worst (40.28%). ResNet-152 and DenseNet yielded accuracies of 41.67% and 46.53%, respectively, suggesting that Inception-V3 possesses the strongest classification capability, whereas VGG-19 is the most susceptible to errors. Upon applying adversarial camouflage, all evaluated methods—MeshAdv, CAMOU, UPC, and Dual Attention Suppression (DAS)—decreased model accuracy, with particularly pronounced effects on VGG-19 and ResNet-152. MeshAdv reduced accuracy by 18.05% for Inception-V3, 6.25% for VGG-19, 2.78% for ResNet-152, and 10.42% for DenseNet. CAMOU exhibited the strongest attack, especially on VGG-19, where accuracy declined by 11.11%. In contrast, UPC and DAS demonstrated weaker effects, with DAS affecting DenseNet the least (a reduction of only 4.86%). The proposed method had the most substantial impact, reducing accuracy by 18.67% for ResNet-152 and 13.86% for DenseNet. While Inception-V3 and VGG-19 retained higher accuracy (53.73% and 24.4%, respectively), the proposed approach still outperformed all other methods. Notably, DenseNet’s accuracy dropped to 32%, underscoring the effectiveness of the attack. Overall, despite variations among models, the proposed method consistently reduces classification accuracy, particularly for ResNet-152 and DenseNet, demonstrating its strong potential to impair the recognition capabilities of state-of-the-art classification models.

In this experiment, six adversarial camouflage methods (MeshAdv, CAMOU, UPC, DAS, FCA and HE-DMDeception) were evaluated on five object detection models—YOLOv8, RT-DETR, Faster R-CNN, SSD, and Mask R-CNN—using the P@0.5 metric, as summarized in

Table 4. The comparison results of adversarial attacks on the detection task.

Method	P@0.5 (%) 1
	YOLOv8	RT-DETR	Faster-RCNN	SSD	MaskRCNN
Raw	100	100	86.04	81.54	89.24
MeshAdv	100	100	71.84	66.44	80.84
CAMOU	99.31	98	69.64	73.81	76.44
UPC	100	100	76.94	74.58	81.97
DAS	92.36	91	62.11	68.81	70.21
FCA	65.28	66	24.31	29.17	29.17
HE-DMDeception	50	55	20	25	25

¹ The percentage of detections with an IoU ≥ 0.5 relative to ground-truth boxes.

. MeshAdv had minimal effects on YOLOv8 and RT-DETR, maintaining P@0.5 at 100%, while causing more notable degradation on Faster R-CNN (71.84%), SSD (66.44%), and Mask R-CNN (80.84%). CAMOU reduced P@0.5 to 69.64% for Faster R-CNN and 76.44% for Mask R-CNN, showing stronger effects on these models. UPC maintained P@0.5 at 100% for YOLOv8 and RT-DETR but caused declines in Faster R-CNN (76.94%), SSD (74.58%), and Mask R-CNN (81.97%). DAS produced the weakest attack, with small decreases for YOLOv8 (92.36%) and RT-DETR (91%) and a larger drop for Faster R-CNN (62.11%). FCA achieved more substantial attacks, reducing P@0.5 to 65.28% for YOLOv8 and 66% for RT-DETR, and further decreasing accuracy for Faster R-CNN (24.31%), SSD (29.17%), and Mask R-CNN (29.17%).

The proposed HE-DMDeception method achieved the most significant attacks overall, particularly on Faster R-CNN, SSD, and Mask R-CNN, where P@0.5 dropped to 20%, 25%, and 25%, respectively. While the attack effects on YOLOv8 and RT-DETR were milder (50% and 55%), detection accuracy was still reduced. This milder effect can be explained by the architectural characteristics of these models. YOLOv8 employs a one-stage detection architecture with strong feature pyramids, extensive multi-scale feature aggregation, and a robust spatial attention mechanism, which collectively enhance its resilience to localized and global texture perturbations. Similarly, RT-DETR integrates transformer-based attention with NMS adaptations, enabling the model to effectively focus on salient object features while mitigating the influence of adversarial textures. These mechanisms reduce the impact of subtle adversarial camouflage, making YOLOv8 and RT-DETR less sensitive to the attacks compared to two-stage detectors like Faster R-CNN or region-based methods in SSD and Mask R-CNN.

Table 4 shows that HE-DMDeception reduces P@0.5 to 20% for Faster R-CNN and to 50% for YOLOv8, indicating variable transferability across architectures. This suggests our method more strongly disrupts region-proposal and multi-stage pipelines; transfer to other unseen detectors is therefore partially effective but not uniform. Future work will explore ensemble-based optimization and feature-space regularization to improve cross-model transferability.

Overall, HE-DMDeception outperformed all other camouflage-based techniques in reducing P@0.5, demonstrating strong adversarial capability across diverse detection architectures and confirming the robustness and generality of the proposed method.

To examine the impact of our generated adversarial samples on the model’s feature extraction, we used Grad-CAM to generate attention maps during vehicle detection. Grad-CAM visualizes the model’s focus by calculating the gradient information at each network layer, highlighting the regions on which the model relies for decision-making [23,24]. By comparing the attention maps of initial camouflage and adversarial samples, we gain insights into how adversarial camouflage alters the model’s attention distribution and affects feature extraction.

In the experiment, we first generated camouflage images of vehicles and obtained the corresponding Grad-CAM attention maps, shown in Figure 4, the model concentrated on key vehicle features, indicating a strong focus on these areas. However, after applying adversarial camouflage, the attention maps revealed a significant shift in attention, with the model focusing on irrelevant background or camouflage textures instead of the vehicle regions. This suggests that adversarial samples successfully interfered with the feature ex-traction process, preventing the model from extracting useful information from the in-tended regions. Further analysis revealed that, under HE-DMDeception attacks, detectors such as YOLOv8 and Faster R-CNN exhibited significant suppression of key vehicle features in the attention maps, and in certain test cases failed to localize the vehicle correctly. Compared to traditional features, adversarial samples significantly degraded the model’s performance, affecting both accuracy and feature extraction. The Grad-CAM results clearly demonstrate how adversarial camouflage disrupts attention allocation, leading to a re-duction in performance for object detection tasks. These findings suggest that generating adversarial samples can effectively weaken the feature extraction ability of the target mod-el, thus achieving the objective of counteracting intelligent reconnaissance.

5. Conclusions

Despite extensive studies on adversarial samples for 3D object detection, patch-based and camouflage methods still face methodological challenges, often producing visually unnatural textures with limited generalizability across detectors. To address this, we propose HE-DMDeception—an integrated framework combining human-visual and deep model deception via a CycleGAN network and a module that perturbs non-maximum suppression and attention mechanisms under perceptual constraints. A two-stage training strategy using semi-supervised learning and fine-tuning with the SAM model reduces reliance on annotated data. Experiments show the method achieves significantly reduced precision across YOLOv8, RT-DETR, Faster-RCNN, SSD, and Mask R-CNN, while maintaining high visual fidelity. This work bridges perceptual camouflage and adversarial machine learning, offering a dual capability to mislead models and evade human detection, thus enhancing real-world applicability. It represents an advance in generating stealthy adversarial examples, with implications for model reliability evaluation. The core novelty is the unified integration of visual realism and algorithmic deception.

6. Limitations and Future Work

Despite its strong performance, HE-DMDeception is limited by poor transferability to unseen architectures, high computational demand—requiring approximately 12 h per vehicle texture on an RTX 3090 GPU—and a reality gap caused by reliance on simulated data. Additionally, segmentation errors can be propagated to the camouflage module. Although advances have been made in texture generation, further improvements in complexity, diversity, and efficiency are still required. Future work will be focused on refining adversarial examples through more efficient optimization, cross-simulator validation, and enhanced texture generation. To bridge the simulation-to-real gap, small-scale physical tests will be conducted, in which printed camouflage patterns are applied to vehicle prototypes and evaluated under real-world conditions.