System and method for high-resolution blackbox patch attack with Bayesian optimization

US12464018B2 · US · B2

Patent metadata
Publication number: US-12464018-B2
Application number: US-202318399970-A
Country: US
Kind code: B2
Filing date: Dec 29, 2023
Priority date: Dec 29, 2023
Publication date: Nov 4, 2025
Grant date: Nov 4, 2025

Abstract

Official abstract text for this publication.

A system includes a controller configured to generate an original patch utilizing Bayesian optimization, output the original patch at a display at a scene and determine if the original patch does not meet a success criteria of the machine-learning model, in response to the original patch not meeting the success criteria, upscaling the patch, decompose the upscaled patch into o components, for each of the components, utilize Bayesian optimization to update one of the components of the upscaled patch and freezing the other components to generate an updated patch, in response to the updated patch meeting the success criteria, output the updated upscaled patch, and in response to the updated upscaled patch not meeting the success criteria, iteratively update the unfrozen components and determine if the success criteria is met and if not met, unfreeze the frozen components and iteratively update the unfrozen components until the success criteria is met.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method for attacking a machine-learning model, comprising: generate a patch utilizing Bayesian optimization and for use at the machine-learning model, wherein the patch includes adversarial patterns to attack the machine-learning model; output the patch at a display at a scene and determine if the patch does not meet a success criteria of the machine-learning model; in response to the patch not meeting the success criteria, upscaling the patch utilizing a scaling factor (K) to generate an upscaled patch; decomposing the upscaled patch into one or more components associated with either (1) regions of pixels or (2) regions of spectrums associated with the upscaled patch; for each of the one or more components of the upscaled patch, utilizing Bayesian optimization to update one of the components of the upscaled patch and freezing the other components of the upscaled patch to generate an updated upscaled patch including adversarial patterns; in response to the updated upscaled patch meeting the success criteria, output the updated upscaled patch; in response to the updated upscaled patch not meeting the success criteria, iteratively update the unfrozen component of the updated upscaled patch and determine if the success criteria is met and if not met, unfreeze the frozen components and iteratively update the unfrozen components until the success criteria is met and outputting a final upscaled patch at the display.

2. The computer-implemented method of claim 1, wherein the scaling factor input is 5×5.

3. The computer-implemented method of claim 1, wherein decomposing the upscaled patch into one or more components associated with regions of spectrums includes decomposing in the frequency domain.

4. The computer-implemented method of claim 3, wherein the method includes creating a set of band-pass filters that span over a whole frequency band of the frequency domain.

5. The computer-implemented method of claim 1, wherein the scaling factor is predetermined.

6. The computer-implemented method of claim 1, wherein the patch is a low-resolution patch with a dimension less than 50 pixels.

7. The computer-implemented method of claim 6, wherein decomposing in the spatial domain groups pixels into sub-regions divided vertically or horizontally in the patch.

8. The computer-implemented method of claim 1, wherein decomposing the upscaled patch into one or more components associated with regions of pixels includes decomposing in the spatial domain.

9. The computer-implemented method of claim 1, wherein the method includes initializing and updating the adversarial pattern with Bayesian optimization utilizing the objective function.

10. The computer-implemented method of claim 1, wherein method includes applying the patch to input data that includes video information obtained from the camera.

11. A computer-implemented method for attacking a machine-learning model, comprising: generate a low-resolution patch utilizing Bayesian optimization and for use at the machine-learning model; output the patch at a display at a scene and determine if the low-resolution patch does not meet a success criteria of the machine-learning model; in response to the low-resolution patch not meeting the success criteria, upscaling the low-resolution patch utilizing a scaling factor to generate an upscaled patch; decomposing the upscaled patch into one or more components associated with either regions of pixels or regions of spectrums associated with the upscaled patch; for each of the one or more components of the upscaled patch, utilize Bayesian optimization to update one of the components of the upscaled patch and freezing the other components of the upscaled patch to generate an updated upscaled patch including adversarial patterns; in response to the updated upscaled patch not meeting the success criteria, iteratively update the unfrozen component of the updated upscaled patch and determine if the success criteria is met and if not met, unfreeze the frozen components and iteratively update each of the unfrozen components until the success criteria is met and output a final upscaled patch at the display in response to the unfrozen components meeting the success criteria.

12. The method of claim 11, wherein decomposing the upscaled patch includes decomposing utilizing spatial domain decomposition.

13. The method of claim 11, wherein decomposing the upscaled patch includes decomposing utilizing frequency domain decomposition.

14. The method of claim 11, wherein the final upscaled patch is greater than 50 pixels.

15. The method of claim 11, wherein the low-resolution patch is 50 pixels.

16. The method of claim 11, wherein the scaling factor is predetermined.

17. A system comprising: a controller configured to: generate an original patch utilizing Bayesian optimization and based on an objective function of the machine-learning model; output the original patch at a display at a scene and determine if the original patch does not meet a success criteria of the machine-learning model; in response to the original patch not meeting the success criteria, upscaling the patch to generate an upscaled patch; decomposing the upscaled patch into one or more components associated with either regions of pixels or regions of spectrums associated with the upscaled patch; for each of the one or more components of the upscaled patch, utilize Bayesian optimization to update one of the components of the upscaled patch and freezing the other components of the upscaled patch to generate an updated upscaled patch containing frozen and unfrozen components; in response to the updated upscaled patch meeting the success criteria, output the updated upscaled patch; in response to the updated upscaled patch not meeting the success criteria, iteratively update the unfrozen component of the updated upscaled patch and determine if the success criteria is met and if not met, unfreeze the frozen components and iteratively update the unfrozen components until the success criteria is met.

18. The apparatus of claim 17, wherein the upscaling is conducting by upscaling to a scaling factor, wherein the scaling factor increases the resolution of the upscaled patch compared to the original patch.

19. The apparatus of claim 17, the upscaled patch into one or more components associated with regions of spectrums includes decomposing in the frequency domain.

20. The apparatus of claim 19, wherein the controller is further configured to create a set of band-pass filters that span over a whole frequency band of the frequency domain.

Classifications

  • Updates (security arrangements therefor G06F21/57)

  • Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Bosch Gmbh Robert
What technology area does this patent fall under?
Primary CPC classification H04L63/1466. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 4, 2025 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).