基于深度学习的面部识别（FR）模型在过去几年中表现出最先进的性能，即使在佩戴防护医疗面罩时，面膜在Covid-19大流行期间变得普遍。鉴于这些模型的出色表现，机器学习研究界已经表明对挑战其稳健性越来越令人兴趣。最初，研究人员在数字域中呈现了对抗性攻击，后来将攻击转移到物理领域。然而，在许多情况下，物理领域的攻击是显眼的，例如，需要在脸上放置贴纸，因此可能会在真实环境中引起怀疑（例如，机场）。在本文中，我们提出了对伪装在面部面罩的最先进的FR模型的身体对抗性掩模，以仔细制作的图案的形式施加在面部面具上。在我们的实验中，我们检查了我们的对抗掩码对广泛的FR模型架构和数据集的可转移性。此外，我们通过在织物医疗面罩上印刷对抗性模式来验证了我们的对抗性面膜效果，使FR系统仅识别穿面膜的3.34％的参与者（相比最低83.34％其他评估的面具）。

To assess the vulnerability of deep learning in the physical world, recent works introduce adversarial patches and apply them on different tasks. In this paper, we propose another kind of adversarial patch: the Meaningful Adversarial Sticker, a physically feasible and stealthy attack method by using real stickers existing in our life. Unlike the previous adversarial patches by designing perturbations, our method manipulates the sticker's pasting position and rotation angle on the objects to perform physical attacks. Because the position and rotation angle are less affected by the printing loss and color distortion, adversarial stickers can keep good attacking performance in the physical world. Besides, to make adversarial stickers more practical in real scenes, we conduct attacks in the black-box setting with the limited information rather than the white-box setting with all the details of threat models. To effectively solve for the sticker's parameters, we design the Region based Heuristic Differential Evolution Algorithm, which utilizes the new-found regional aggregation of effective solutions and the adaptive adjustment strategy of the evaluation criteria. Our method is comprehensively verified in the face recognition and then extended to the image retrieval and traffic sign recognition. Extensive experiments show the proposed method is effective and efficient in complex physical conditions and has a good generalization for different tasks.

在过去的十年中，深度学习急剧改变了传统的手工艺特征方式，具有强大的功能学习能力，从而极大地改善了传统任务。然而，最近已经证明了深层神经网络容易受到对抗性例子的影响，这种恶意样本由小型设计的噪音制作，误导了DNNs做出错误的决定，同时仍然对人类无法察觉。对抗性示例可以分为数字对抗攻击和物理对抗攻击。数字对抗攻击主要是在实验室环境中进行的，重点是改善对抗性攻击算法的性能。相比之下，物理对抗性攻击集中于攻击物理世界部署的DNN系统，这是由于复杂的物理环境（即亮度，遮挡等），这是一项更具挑战性的任务。尽管数字对抗和物理对抗性示例之间的差异很小，但物理对抗示例具有特定的设计，可以克服复杂的物理环境的效果。在本文中，我们回顾了基于DNN的计算机视觉任务任务中的物理对抗攻击的开发，包括图像识别任务，对象检测任务和语义细分。为了完整的算法演化，我们将简要介绍不涉及身体对抗性攻击的作品。我们首先提出一个分类方案，以总结当前的物理对抗攻击。然后讨论现有的物理对抗攻击的优势和缺点，并专注于用于维持对抗性的技术，当应用于物理环境中时。最后，我们指出要解决的当前身体对抗攻击的问题并提供有前途的研究方向。

近年来，由于深度神经网络的发展，面部识别取得了很大的进步，但最近发现深神经网络容易受到对抗性例子的影响。这意味着基于深神经网络的面部识别模型或系统也容易受到对抗例子的影响。但是，现有的攻击面部识别模型或具有对抗性示例的系统可以有效地完成白色盒子攻击，而不是黑盒模仿攻击，物理攻击或方便的攻击，尤其是在商业面部识别系统上。在本文中，我们提出了一种攻击面部识别模型或称为RSTAM的系统的新方法，该方法可以使用由移动和紧凑型打印机打印的对抗性面膜进行有效的黑盒模仿攻击。首先，RSTAM通过我们提出的随机相似性转换策略来增强对抗性面罩的可传递性。此外，我们提出了一种随机的元优化策略，以结合几种预训练的面部模型来产生更一般的对抗性掩模。最后，我们在Celeba-HQ，LFW，化妆转移（MT）和CASIA-FACEV5数据集上进行实验。还对攻击的性能进行了最新的商业面部识别系统的评估：Face ++，Baidu，Aliyun，Tencent和Microsoft。广泛的实验表明，RSTAM可以有效地对面部识别模型或系统进行黑盒模仿攻击。

Although Deep Neural Networks (DNNs) have achieved impressive results in computer vision, their exposed vulnerability to adversarial attacks remains a serious concern. A series of works has shown that by adding elaborate perturbations to images, DNNs could have catastrophic degradation in performance metrics. And this phenomenon does not only exist in the digital space but also in the physical space. Therefore, estimating the security of these DNNs-based systems is critical for safely deploying them in the real world, especially for security-critical applications, e.g., autonomous cars, video surveillance, and medical diagnosis. In this paper, we focus on physical adversarial attacks and provide a comprehensive survey of over 150 existing papers. We first clarify the concept of the physical adversarial attack and analyze its characteristics. Then, we define the adversarial medium, essential to perform attacks in the physical world. Next, we present the physical adversarial attack methods in task order: classification, detection, and re-identification, and introduce their performance in solving the trilemma: effectiveness, stealthiness, and robustness. In the end, we discuss the current challenges and potential future directions.

深面识别（FR）在几个具有挑战性的数据集上取得了很高的准确性，并促进了成功的现实世界应用程序，甚至表现出对照明变化的高度鲁棒性，通常被认为是对FR系统的主要威胁。但是，在现实世界中，有限的面部数据集无法完全涵盖由不同的照明条件引起的照明变化。在本文中，我们从新角度（即对抗性攻击）研究对FR的照明的威胁，并确定一项新任务，即对对抗性的重视。鉴于面部图像，对抗性的重新获得旨在在欺骗最先进的深FR方法的同时产生自然重新的对应物。为此，我们首先提出了基于物理模型的对抗重新攻击（ARA），称为反照率基于反击的对抗性重新攻击（AQ-ARA）。它在物理照明模型和FR系统的指导下生成了自然的对抗光，并合成了对抗性重新重新确认的面部图像。此外，我们通过训练对抗性重新确定网络（ARNET）提出自动预测性的对抗重新攻击（AP-ARA），以根据不同的输入面自动以一步的方式自动预测对抗光，从而允许对效率敏感的应用。更重要的是，我们建议将上述数字攻击通过精确的重新确定设备将上述数字攻击转移到物理ARA（PHY-AARA）上，从而使估计的对抗照明条件在现实世界中可再现。我们在两个公共数据集上验证了三种最先进的深FR方法（即面部，街道和符号）的方法。广泛而有见地的结果表明，我们的工作可以产生逼真的对抗性重新贴心的面部图像，轻松地欺骗了fr，从而揭示了特定的光方向和优势的威胁。

Adversarial patch is an important form of real-world adversarial attack that brings serious risks to the robustness of deep neural networks. Previous methods generate adversarial patches by either optimizing their perturbation values while fixing the pasting position or manipulating the position while fixing the patch's content. This reveals that the positions and perturbations are both important to the adversarial attack. For that, in this paper, we propose a novel method to simultaneously optimize the position and perturbation for an adversarial patch, and thus obtain a high attack success rate in the black-box setting. Technically, we regard the patch's position, the pre-designed hyper-parameters to determine the patch's perturbations as the variables, and utilize the reinforcement learning framework to simultaneously solve for the optimal solution based on the rewards obtained from the target model with a small number of queries. Extensive experiments are conducted on the Face Recognition (FR) task, and results on four representative FR models show that our method can significantly improve the attack success rate and query efficiency. Besides, experiments on the commercial FR service and physical environments confirm its practical application value. We also extend our method to the traffic sign recognition task to verify its generalization ability.

The security of artificial intelligence (AI) is an important research area towards safe, reliable, and trustworthy AI systems. To accelerate the research on AI security, the Artificial Intelligence Security Competition (AISC) was organized by the Zhongguancun Laboratory, China Industrial Control Systems Cyber Emergency Response Team, Institute for Artificial Intelligence, Tsinghua University, and RealAI as part of the Zhongguancun International Frontier Technology Innovation Competition (https://www.zgc-aisc.com/en). The competition consists of three tracks, including Deepfake Security Competition, Autonomous Driving Security Competition, and Face Recognition Security Competition. This report will introduce the competition rules of these three tracks and the solutions of top-ranking teams in each track.

深度神经网络的面部识别模型已显示出容易受到对抗例子的影响。但是，过去的许多攻击都要求对手使用梯度下降来解决输入依赖性优化问题，这使该攻击实时不切实际。这些对抗性示例也与攻击模型紧密耦合，并且在转移到不同模型方面并不那么成功。在这项工作中，我们提出了Reface，这是对基于对抗性转换网络（ATN）的面部识别模型的实时，高度转移的攻击。 ATNS模型对抗性示例生成是馈送前向神经网络。我们发现，纯U-NET ATN的白盒攻击成功率大大低于基于梯度的攻击，例如大型面部识别数据集中的PGD。因此，我们为ATN提出了一个新的架构，该架构缩小了这一差距，同时维持PGD的10000倍加速。此外，我们发现在给定的扰动幅度下，与PGD相比，我们的ATN对抗扰动在转移到新的面部识别模型方面更有效。 Reface攻击可以在转移攻击环境中成功欺骗商业面部识别服务，并将面部识别精度从AWS SearchFaces API和Azure Face验证准确性从91％降低到50.1％，从而将面部识别精度从82％降低到16.4％。

深度神经网络容易受到来自对抗性投入的攻击，并且最近，特洛伊木马误解或劫持模型的决定。我们通过探索有界抗逆性示例空间和生成的对抗网络内的自然输入空间来揭示有界面的对抗性实例 - 通用自然主义侵害贴片的兴趣类 - 我们呼叫TNT。现在，一个对手可以用一个自然主义的补丁来手臂自己，不太恶意，身体上可实现，高效 - 实现高攻击成功率和普遍性。 TNT是普遍的，因为在场景中的TNT中捕获的任何输入图像都将：i）误导网络（未确定的攻击）;或ii）迫使网络进行恶意决定（有针对性的攻击）。现在，有趣的是，一个对抗性补丁攻击者有可能发挥更大的控制水平 - 选择一个独立，自然的贴片的能力，与被限制为嘈杂的扰动的触发器 - 到目前为止只有可能与特洛伊木马攻击方法有可能干扰模型建设过程，以嵌入风险发现的后门;但是，仍然意识到在物理世界中部署的补丁。通过对大型视觉分类任务的广泛实验，想象成在其整个验证集50,000张图像中进行评估，我们展示了TNT的现实威胁和攻击的稳健性。我们展示了攻击的概括，以创建比现有最先进的方法实现更高攻击成功率的补丁。我们的结果表明，攻击对不同的视觉分类任务（CIFAR-10，GTSRB，PUBFIG）和多个最先进的深神经网络，如WieredEnet50，Inception-V3和VGG-16。

对抗性示例是故意生成用于欺骗深层神经网络的输入。最近的研究提出了不受规范限制的不受限制的对抗攻击。但是，以前的不受限制攻击方法仍然存在限制在黑框设置中欺骗现实世界应用程序的局限性。在本文中，我们提出了一种新的方法，用于使用GAN生成不受限制的对抗示例，其中攻击者只能访问分类模型的前1个最终决定。我们的潜在方法有效地利用了潜在空间中基于决策的攻击的优势，并成功地操纵了潜在的向量来欺骗分类模型。通过广泛的实验，我们证明我们提出的方法有效地评估了在黑框设置中查询有限的分类模型的鲁棒性。首先，我们证明我们的目标攻击方法是有效的，可以为包含307个身份的面部身份识别模型产生不受限制的对抗示例。然后，我们证明所提出的方法还可以成功攻击现实世界的名人识别服务。

在过去的几年中，对针对基于学习的对象探测器的对抗性攻击进行了广泛的研究。提出的大多数攻击都针对模型的完整性（即导致模型做出了错误的预测），而针对模型可用性的对抗性攻击，这是安全关键领域（例如自动驾驶）的关键方面，尚未探索。机器学习研究社区。在本文中，我们提出了一种新颖的攻击，对端到端对象检测管道的决策潜伏期产生负面影响。我们制作了一种通用的对抗扰动（UAP），该扰动（UAP）针对了许多对象检测器管道中的广泛使用的技术 - 非最大抑制（NMS）。我们的实验证明了拟议的UAP通过添加“幻影”对象来增加单个帧的处理时间的能力，该对象在保留原始对象的检测时（允许攻击时间更长的时间内未检测到）。

The emergence of COVID-19 has had a global and profound impact, not only on society as a whole, but also on the lives of individuals. Various prevention measures were introduced around the world to limit the transmission of the disease, including face masks, mandates for social distancing and regular disinfection in public spaces, and the use of screening applications. These developments also triggered the need for novel and improved computer vision techniques capable of (i) providing support to the prevention measures through an automated analysis of visual data, on the one hand, and (ii) facilitating normal operation of existing vision-based services, such as biometric authentication schemes, on the other. Especially important here, are computer vision techniques that focus on the analysis of people and faces in visual data and have been affected the most by the partial occlusions introduced by the mandates for facial masks. Such computer vision based human analysis techniques include face and face-mask detection approaches, face recognition techniques, crowd counting solutions, age and expression estimation procedures, models for detecting face-hand interactions and many others, and have seen considerable attention over recent years. The goal of this survey is to provide an introduction to the problems induced by COVID-19 into such research and to present a comprehensive review of the work done in the computer vision based human analysis field. Particular attention is paid to the impact of facial masks on the performance of various methods and recent solutions to mitigate this problem. Additionally, a detailed review of existing datasets useful for the development and evaluation of methods for COVID-19 related applications is also provided. Finally, to help advance the field further, a discussion on the main open challenges and future research direction is given.

由于缺乏对AI模型的安全性和鲁棒性的信任，近年来，深度学习模型（尤其是针对安全至关重要的系统）中的对抗性攻击正在越来越受到关注。然而，更原始的对抗性攻击可能是身体上不可行的，或者需要一些难以访问的资源，例如训练数据，这激发了斑块攻击的出现。在这项调查中，我们提供了全面的概述，以涵盖现有的对抗贴片攻击技术，旨在帮助感兴趣的研究人员迅速赶上该领域的进展。我们还讨论了针对对抗贴片的检测和防御措施的现有技术，旨在帮助社区更好地了解该领域及其在现实世界中的应用。

Recent studies show that the state-of-the-art deep neural networks (DNNs) are vulnerable to adversarial examples, resulting from small-magnitude perturbations added to the input. Given that that emerging physical systems are using DNNs in safety-critical situations, adversarial examples could mislead these systems and cause dangerous situations. Therefore, understanding adversarial examples in the physical world is an important step towards developing resilient learning algorithms. We propose a general attack algorithm, Robust Physical Perturbations (RP 2 ), to generate robust visual adversarial perturbations under different physical conditions. Using the real-world case of road sign classification, we show that adversarial examples generated using RP 2 achieve high targeted misclassification rates against standard-architecture road sign classifiers in the physical world under various environmental conditions, including viewpoints. Due to the current lack of a standardized testing method, we propose a two-stage evaluation methodology for robust physical adversarial examples consisting of lab and field tests. Using this methodology, we evaluate the efficacy of physical adversarial manipulations on real objects. With a perturbation in the form of only black and white stickers, we attack a real stop sign, causing targeted misclassification in 100% of the images obtained in lab settings, and in 84.8% of the captured video frames obtained on a moving vehicle (field test) for the target classifier.

对抗斑块产生的标准方法导致嘈杂的显着模式，这些模式很容易被人类识别。最近的研究提出了几种使用生成对抗网络（GAN）生成自然斑块的方法，但在对象检测用例中只评估了其中的一些方法。此外，技术的状态主要集中于通过直接与补丁重叠的输入中抑制一个大边界框。补丁附近的抑制对象是一项不同的，更复杂的任务。在这项工作中，我们评估了现有的方法，以生成不起眼的补丁。我们已经针对不同的计算机视觉任务而开发的适应方法，用于Yolov3和CoCo数据集的对象检测用例。我们已经评估了两种生成自然主义斑块的方法：通过将斑块的产生纳入GAN训练过程和使用预审计的GAN。在这两种情况下，我们都评估了性能和自然主义斑块外观之间的权衡。我们的实验表明，使用预先训练的GAN有助于获得逼真的斑块，同时保留类似于常规的对抗斑块的性能。

The authors thank Nicholas Carlini (UC Berkeley) and Dimitris Tsipras (MIT) for feedback to improve the survey quality. We also acknowledge X. Huang (Uni. Liverpool), K. R. Reddy (IISC), E. Valle (UNICAMP), Y. Yoo (CLAIR) and others for providing pointers to make the survey more comprehensive.

Recent studies reveal that deep neural network (DNN) based object detectors are vulnerable to adversarial attacks in the form of adding the perturbation to the images, leading to the wrong output of object detectors. Most current existing works focus on generating perturbed images, also called adversarial examples, to fool object detectors. Though the generated adversarial examples themselves can remain a certain naturalness, most of them can still be easily observed by human eyes, which limits their further application in the real world. To alleviate this problem, we propose a differential evolution based dual adversarial camouflage (DE_DAC) method, composed of two stages to fool human eyes and object detectors simultaneously. Specifically, we try to obtain the camouflage texture, which can be rendered over the surface of the object. In the first stage, we optimize the global texture to minimize the discrepancy between the rendered object and the scene images, making human eyes difficult to distinguish. In the second stage, we design three loss functions to optimize the local texture, making object detectors ineffective. In addition, we introduce the differential evolution algorithm to search for the near-optimal areas of the object to attack, improving the adversarial performance under certain attack area limitations. Besides, we also study the performance of adaptive DE_DAC, which can be adapted to the environment. Experiments show that our proposed method could obtain a good trade-off between the fooling human eyes and object detectors under multiple specific scenes and objects.

基于CNN的面部识别模型带来了显着的性能改善，但它们容易受到对抗的扰动。最近的研究表明，即使只能访问模型的硬盘标签输出，对手也可以欺骗模型。然而，由于需要许多查询来寻找不可察觉的对抗性噪声，因此减少查询的数量对于这些攻击至关重要。在本文中，我们指出了现有的基于决策黑匣子攻击的两个限制。我们观察到它们浪费查询以进行背景噪声优化，并且他们不利用为其他图像产生的对抗扰动。我们利用3D面部对齐以克服这些限制，并提出了一种关于对地形识别的查询有效的黑匣子攻击的一般策略，名为几何自适应词典攻击（GADA）。我们的核心思想是在UV纹理地图中创造一个对抗扰动，并将其投影到图像中的脸上。通过将扰动搜索空间限制到面部区域并有效地回收之前的扰动来大大提高查询效率。我们将GADA策略应用于两个现有的攻击方法，并在LFW和CPLFW数据集的实验中显示出压倒性的性能改进。此外，我们还提出了一种新的攻击策略，可以规避基于类似性的有状态检测，该检测标识了基于查询的黑盒攻击过程。

对象攻击是对象检测的现实世界中可行的。然而，大多数以前的作品都试图学习应用于对象的本地“补丁”到愚蠢的探测器，这在斜视视角变得较低。为了解决这个问题，我们提出了致密的提案攻击（DPA）来学习探测器的单件，物理和针对性的对抗性伪装。伪装是一体的，因为它们是作为一个物体的整体生成的，因为当在任意观点和不同的照明条件下拍摄时，它们保持对抗性，并且由于它们可能导致探测器被定义为特定目标类别的检测器。为了使生成的伪装在物理世界中稳健，我们介绍了改造的组合来模拟物理现象。此外，为了改善攻击，DPA同时攻击固定建议中的所有分类。此外，我们使用Unity Simulation Engine构建虚拟3D场景，以公平地和可重复地评估不同的物理攻击。广泛的实验表明，DPA优于最先进的方法，并且对于任何物体而言，它是通用的，并且对现实世界的广泛性良好，对安全关键的计算机视觉系统构成潜在的威胁。