AdversarialQR: An adversarial patch in QR code format

In this paper, we present a method to camouflage an attack on image recognition system by using an adversarial patch embedded on a scan-ready QR code. Adversarial patch refers to a class of a real-world attack on a machine learning system that adds a ‘patch’ onto the image. However, unlike existing methods, they are highly conspicuous to human perception. As these attacks are performed in the real world, they require users to manipulate the scene. However, not only the patch catches the attention of the classification system but also bystanders' attention as well. We believe that forcing the adversarial patch into the form of a scan-ready QR code can conceal its primary reason to exist in the scene. The main challenge of the research is the process of forcing an adversarial patch into a scan-ready QR code while trying to retain as much information for the patch to work as a real-world adversarial example. The experiments had been done to investigate trade-off compared to training the patch in different shapes.