Physical adversarial patches suffer from degraded attack performance under scale transformations—such as varying imaging distances or image resampling—due to interpolation-induced high-frequency pattern degradation and color bleeding. To address this scale-robustness challenge, we propose, for the first time, a differentiable dynamic superpixel clustering regularization method: building upon SLIC, it constructs structure-aware pixel groupings, and leverages the implicit function theorem to enable end-to-end gradient propagation, jointly optimizing patch scale robustness and printability during adversarial training. Our method effectively suppresses scaling-induced texture distortion. Extensive digital and physical experiments demonstrate significantly improved attack success rates, with consistent performance across diverse display media and multi-view conditions. It outperforms state-of-the-art patch generation techniques in both robustness and practical deployability.

Physical adversarial attacks on deep learning systems is concerning due to the ease of deploying such attacks, usually by placing an adversarial patch in a scene to manipulate the outcomes of a deep learning model. Training such patches typically requires regularization that improves physical realizability (e.g., printability, smoothness) and/or robustness to real-world variability (e.g. deformations, viewing angle, noise). One type of variability that has received little attention is scale variability. When a patch is rescaled, either digitally through downsampling/upsampling or physically through changing imaging distances, interpolation-induced color mixing occurs. This smooths out pixel values, resulting in a loss of high-frequency patterns and degrading the adversarial signal. To address this, we present a novel superpixel-based regularization method that guides patch optimization to scale-resilient structures. Our ap proach employs the Simple Linear Iterative Clustering (SLIC) algorithm to dynamically cluster pixels in an adversarial patch during optimization. The Implicit Function Theorem is used to backpropagate gradients through SLIC to update the superpixel boundaries and color. This produces patches that maintain their structure over scale and are less susceptible to interpolation losses. Our method achieves greater performance in the digital domain, and when realized physically, these performance gains are preserved, leading to improved physical performance. Real-world performance was objectively assessed using a novel physical evaluation protocol that utilizes screens and cardboard cut-outs to systematically vary real-world conditions.