AI Summary
This study evaluates the physical transferability and attack efficacy of Naturalistic Adversarial Patches (NAPs) in real-world traffic sign detection scenarios. Focusing on STOP signs, the authors construct a custom dataset, CompGTSRB, to train a YOLOv5 model and generate highly realistic adversarial patches by integrating generative adversarial networks (GANs) with latent space optimization. The attack performance is systematically assessed on the Quanser QCar embedded platform, examining the patches' ability to suppress detection confidence across varying distances, sizes, and positions. The proposed CompGTSRB dataset and a standardized physical evaluation protocol establish a novel, reliable paradigm for evaluating localized patch-based attacks. Experimental results demonstrate that NAPs substantially reduce target detection confidence, revealing the vulnerability of current perception systems to localized perturbations.
Abstract
This paper studies how well Naturalistic Adversarial Patches (NAPs) transfer to a physical traffic sign setting when the detector is trained on a customized dataset for an autonomous vehicle (AV) environment. We construct a composite dataset, CompGTSRB (a dataset customized for the AV environment), by pasting traffic sign instances from the German Traffic Sign Recognition Benchmark (GTSRB) onto undistorted backgrounds captured from the target platform. CompGTSRB is used to train a YOLOv5 model and generate patches using a Generative Adversarial Network (GAN) with latent space optimization, following existing NAP methods. We carried out a series of experiments on our Quanser QCar testbed using the front CSI camera provided on the QCar. Across configurations, NAPs reduce the detector's STOP class confidence. The configurations vary distance, patch size, and patch placement. These results, along with a detailed step-by-step methodology, indicate the utility of the CompGTSRB dataset and the proposed systematic physical protocols for credible patch evaluation. The research further motivates work on defenses that address localized patch corruption in embedded perception pipelines.