Fooling automated surveillance cameras: adversarial patches to attack person detection - 42Papers