This work addresses the adversarial robustness of traffic sign recognition models by proposing a “visibility-prioritized” localized adversarial attack. Instead of imperceptible pixel-wise perturbations, it synthesizes semantically aware salient occlusion patches—e.g., snowball-shaped regions—that drastically degrade model accuracy while remaining nearly imperceptible to human observers. The method exploits the inherent gap between human visual robustness to local occlusions and deep models’ vulnerability, integrating multi-scale object localization with a cross-model robustness evaluation framework. Evaluated on multiple mainstream traffic sign datasets, the attack achieves an average success rate exceeding 92% against state-of-the-art models, while preserving human recognition accuracy at ≥98%. It thus breaks the traditional trade-off between stealthiness and effectiveness inherent in conventional perturbation-based attacks. This work establishes a new paradigm for interpretable adversarial attacks and defense-aware robust model design.

Adversarial attacks on machine learning models often rely on small, imperceptible perturbations to mislead classifiers. Such strategy focuses on minimizing the visual perturbation for humans so they are not confused, and also maximizing the misclassification for machine learning algorithms. An orthogonal strategy for adversarial attacks is to create perturbations that are clearly visible but do not confuse humans, yet still maximize misclassification for machine learning algorithms. This work follows the later strategy, and demonstrates instance of it through the Snowball Adversarial Attack in the context of traffic sign recognition. The attack leverages the human brain's superior ability to recognize objects despite various occlusions, while machine learning algorithms are easily confused. The evaluation shows that the Snowball Adversarial Attack is robust across various images and is able to confuse state-of-the-art traffic sign recognition algorithm. The findings reveal that Snowball Adversarial Attack can significantly degrade model performance with minimal effort, raising important concerns about the vulnerabilities of deep neural networks and highlighting the necessity for improved defenses for image recognition machine learning models.