Existing physical adversarial patch attacks typically target a single object detection model, exhibiting poor transferability and limited real-world threat potential. To address this limitation, this work proposes AdvAD, a novel method that jointly optimizes adversarial patches across multiple heterogeneous detection models within a unified framework. AdvAD employs an adaptive weighting mechanism to balance the contribution of each model and integrates data augmentation with geometric transformations to enhance robustness against variations in lighting, viewpoint, and distance. As the first approach to achieve high transferability in autonomous driving scenarios, AdvAD significantly outperforms existing methods in both digital simulations and real-world road tests, demonstrating substantial improvements in attack success rate and cross-model transferability.

Deep learning drives major advances in autonomous driving (AD), where object detectors are central to perception. However, adversarial attacks pose significant threats to the reliability and safety of these systems, with physical adversarial patches representing a particularly potent form of attack. Physical adversarial patch attacks pose severe risks but are usually crafted for a single model, yielding poor transferability to unseen detectors. We propose AdvAD, a transfer-based physical attack against object detection in autonomous driving. Instead of targeting a specific detector, AdvAD optimizes adversarial patches over multiple detection models in a unified framework, encouraging the learned perturbations to capture shared vulnerabilities across architectures. The optimization process adaptively balances model contributions and enforces robustness to physical variations. It further employs data augmentation and geometric transformations to maintain patch effectiveness under diverse physical conditions. Experiments in both digital and real-world settings show that AdvAD consistently outperforms state-of-the-art (SOTA) attacks in performance and transferability.