Effectiveness

In this experiment, we aim to explore the effectiveness of RoLMA in digital space, i.e., the generated adversarial images are directly passed to HyperLPR for performance assessment. More specifically, we conduct two types of attacks: Targeted adversarial attack. For each license plate, we aim to receive a specific wrong license number from HyperLPR. We employ random algorithms first to identify which character to be disturbed, and then decide which else character to be pretended. One attack is terminated once the target is accomplished or the iteration exceeds 5,000 times; Non-targeted adversarial attack. Target is not necessarily designated in a nontargeted adversarial attack. Therefore, we will not specify a target for each license plate. One attack is terminated once an adversarial example is obtained or it exceeds the maximal iterations. The result is shown as Table 1.