Physical adversarial attacks on object detection have attracted increasing attention. However, most previous works focus on hiding an object from the detector by generating an individual adversarial patch, which only covers a planar part of the vehicle surface and cannot attack the detector in physical scenes for multi-view, long-distance, and partially occluded objects. To bridge the gap between digital and physical attacks, we exploit the full 3D vehicle surface to propose a robust Full-coverage Camouflage Attack (FCA) for fooling detectors. Specifically, we first try to render a non-planar camouflage texture over the whole vehicle surface. To mimic real-world environmental conditions, we then introduce a transformation function that transfers the rendered camouflaged vehicle into a photo-realistic scene. Finally, we design an effective loss function to optimize the camouflage texture. Experiments show that the full-coverage camouflage attack not only outperforms state-of-the-art methods under various test cases but also generalizes to different environments, vehicles, and object detectors. The code of FCA is available at: https://idrl-lab.github.io/full-coverage-camouflage-Adversarial-Attack/.
translated by Google Translate
Recent studies reveal that deep neural network (DNN) based object detectors are vulnerable to adversarial attacks in the form of perturbations added to images, leading to wrong outputs from the detectors. Most existing works focus on generating perturbed images, also called adversarial examples, to fool object detectors. Though the generated adversarial examples can retain a certain naturalness, most of them can still be easily noticed by human eyes, which limits their further application in the real world. To alleviate this problem, we propose a differential evolution based dual adversarial camouflage (DE_DAC) method, composed of two stages, to fool human eyes and object detectors simultaneously. Specifically, we try to obtain a camouflage texture that can be rendered over the surface of the object. In the first stage, we optimize the global texture to minimize the discrepancy between the rendered object and the scene images, making the object difficult for human eyes to distinguish. In the second stage, we design three loss functions to optimize the local texture, making object detectors ineffective. In addition, we introduce the differential evolution algorithm to search for the near-optimal areas of the object to attack, improving the adversarial performance under certain attack-area limitations. Besides, we also study the performance of adaptive DE_DAC, which can be adapted to the environment. Experiments show that our proposed method obtains a good trade-off between fooling human eyes and fooling object detectors under multiple specific scenes and objects.
Over the past decade, deep learning has dramatically changed the traditional hand-crafted feature paradigm with its strong feature-learning ability, greatly improving performance on traditional tasks. However, deep neural networks have recently been shown to be vulnerable to adversarial examples: malicious samples crafted with small, deliberately designed noise that misleads DNNs into making wrong decisions while remaining imperceptible to humans. Adversarial examples can be divided into digital adversarial attacks and physical adversarial attacks. Digital adversarial attacks are mainly conducted in a laboratory setting and focus on improving the performance of adversarial attack algorithms. In contrast, physical adversarial attacks focus on attacking DNN systems deployed in the physical world, which is a more challenging task because of the complex physical environment (i.e., brightness, occlusion, etc.). Although the difference between digital and physical adversarial examples is small, physical adversarial examples have specific designs to overcome the effects of the complex physical environment. In this paper, we review the development of physical adversarial attacks on DNN-based computer vision tasks, including image recognition, object detection, and semantic segmentation. For a complete picture of the algorithmic evolution, we also briefly introduce works that do not involve physical adversarial attacks. We first propose a categorization scheme to summarize current physical adversarial attacks. We then discuss the advantages and disadvantages of existing physical adversarial attacks, focusing on the techniques used to maintain adversarial effect when applied in the physical environment. Finally, we point out the problems that current physical adversarial attacks still need to solve and provide promising research directions.
Although Deep Neural Networks (DNNs) have achieved impressive results in computer vision, their exposed vulnerability to adversarial attacks remains a serious concern. A series of works has shown that by adding elaborate perturbations to images, DNNs can suffer catastrophic degradation in performance metrics, and this phenomenon exists not only in the digital space but also in the physical space. Therefore, estimating the security of these DNN-based systems is critical for safely deploying them in the real world, especially for security-critical applications, e.g., autonomous cars, video surveillance, and medical diagnosis. In this paper, we focus on physical adversarial attacks and provide a comprehensive survey of over 150 existing papers. We first clarify the concept of the physical adversarial attack and analyze its characteristics. Then, we define the adversarial medium, which is essential to performing attacks in the physical world. Next, we present the physical adversarial attack methods in task order: classification, detection, and re-identification, and introduce their performance in solving the trilemma of effectiveness, stealthiness, and robustness. In the end, we discuss the current challenges and potential future directions.
Adversarial attacks on object detection are feasible in the real world. However, most previous works try to learn local "patches" applied to an object to fool detectors, which become less effective at oblique viewing angles. To address this problem, we propose the Dense Proposals Attack (DPA) to learn one-piece, physical, and targeted adversarial camouflages for detectors. The camouflages are one-piece because they are generated as a whole for an object, physical because they remain adversarial when photographed from arbitrary viewpoints and under different illumination conditions, and targeted because they can cause the detector to recognize the object as a specific target class. To make the generated camouflages robust in the physical world, we introduce a combination of transformations to simulate physical phenomena. Furthermore, to strengthen the attack, DPA simultaneously attacks all classifications in the fixed proposals. In addition, we build virtual 3D scenes with the Unity simulation engine to evaluate different physical attacks fairly and reproducibly. Extensive experiments show that DPA outperforms state-of-the-art methods, is generic for any object, and generalizes well to the real world, posing a potential threat to safety-critical computer vision systems.
Adversarial attacks on thermal infrared imaging expose the risk of related applications. Estimating the security of these systems is essential for safely deploying them in the real world. In many cases, realizing the attacks in the physical space requires elaborate special perturbations. These solutions are often impractical and attention-grabbing. To address the need for a physically practical and stealthy adversarial attack, we introduce HotCold Block, a novel physical attack on infrared detectors that hides persons using wearable Warming Paste and Cooling Paste. By attaching these readily available temperature-controlled materials to the body, HotCold Block evades human eyes efficiently. Moreover, unlike existing methods that build adversarial patches with complex texture and structure features, HotCold Block uses an SSP-oriented adversarial optimization algorithm that enables attacks with pure color blocks and explores the influence of size, shape, and position on attack performance. Extensive experimental results in both digital and physical environments demonstrate the performance of our proposed HotCold Block. Code is available: https://github.com/weihui1308/HOTCOLDBlock.
Machine learning models are known to be susceptible to adversarial perturbation. One famous attack is the adversarial patch, a sticker with a particularly crafted pattern that makes the model incorrectly predict the object it is placed on. This attack presents a critical threat to cyber-physical systems that rely on cameras such as autonomous cars. Despite the significance of the problem, conducting research in this setting has been difficult; evaluating attacks and defenses in the real world is exceptionally costly while synthetic data are unrealistic. In this work, we propose the REAP (REalistic Adversarial Patch) benchmark, a digital benchmark that allows the user to evaluate patch attacks on real images, and under real-world conditions. Built on top of the Mapillary Vistas dataset, our benchmark contains over 14,000 traffic signs. Each sign is augmented with a pair of geometric and lighting transformations, which can be used to apply a digitally generated patch realistically onto the sign. Using our benchmark, we perform the first large-scale assessments of adversarial patch attacks under realistic conditions. Our experiments suggest that adversarial patch attacks may present a smaller threat than previously believed and that the success rate of an attack on simpler digital simulations is not predictive of its actual effectiveness in practice. We release our benchmark publicly at https://github.com/wagner-group/reap-benchmark.
Recent advances show that deep neural networks (DNNs) are vulnerable to adversarial perturbations. It is therefore necessary to evaluate the robustness of advanced DNNs with adversarial attacks. However, traditional physical attacks that use stickers as the perturbation are more vulnerable than recent light-based physical attacks. In this work, we propose a projector-based physical attack called "Adversarial Color Projection (AdvCP)", which performs the adversarial attack by manipulating the physical parameters of the projected light. Experiments show the effectiveness of our method in both digital and physical environments. The experimental results show that the proposed method has excellent attack transferability, which gives AdvCP an effective black-box attack. We present the threat that AdvCP poses to future vision-based systems and applications, and propose some ideas for light-based physical attacks.
To assess the vulnerability of deep learning in the physical world, recent works introduce adversarial patches and apply them to different tasks. In this paper, we propose another kind of adversarial patch: the Meaningful Adversarial Sticker, a physically feasible and stealthy attack method that uses real stickers found in everyday life. Unlike previous adversarial patches that design perturbations, our method manipulates the sticker's pasting position and rotation angle on the objects to perform physical attacks. Because the position and rotation angle are less affected by printing loss and color distortion, adversarial stickers keep good attacking performance in the physical world. Besides, to make adversarial stickers more practical in real scenes, we conduct attacks in the black-box setting with limited information rather than in the white-box setting with all the details of the threat models. To solve for the sticker's parameters effectively, we design the Region based Heuristic Differential Evolution Algorithm, which uses the newly found regional aggregation of effective solutions and an adaptive adjustment strategy for the evaluation criteria. Our method is comprehensively verified on face recognition and then extended to image retrieval and traffic sign recognition. Extensive experiments show that the proposed method is effective and efficient under complex physical conditions and generalizes well to different tasks.
Modern self-driving perception systems have been shown to improve when processing complementary inputs such as images. In isolation, 2D images have been found to be extremely vulnerable to adversarial attacks. However, there are only limited studies of the adversarial robustness of multi-modal models that fuse image features with other modalities. Furthermore, existing works do not consider physically realizable perturbations that are consistent across input modalities. In this paper, we showcase practical susceptibilities of multi-sensor detection by placing an adversarial object on top of a host vehicle. We focus on physically realizable and input-agnostic attacks, since they are feasible to execute in practice, and show that a single universal adversary can hide different host vehicles from state-of-the-art multi-modal detectors. Our experiments show that successful attacks are primarily caused by easily corrupted image features. Moreover, we find that in modern sensor fusion methods that project image features into 3D, adversarial attacks can exploit the projection process to generate false positives across distant regions in 3D. Towards more robust multi-modal perception systems, we show that adversarial training with feature denoising can significantly boost robustness to such attacks. However, we find that standard adversarial defenses still struggle to prevent the false positives caused by inaccurate associations between 3D LiDAR points and 2D pixels.
Nowadays, cameras equipped with AI systems can capture and analyze images to detect people automatically. However, an AI system may make mistakes when it receives deliberately designed patterns in the real world, i.e., physical adversarial examples. Prior works have shown that adversarial patches can be printed on clothes to evade DNN-based person detectors. However, these adversarial examples can suffer a catastrophic drop in attack success rate when the viewing angle (i.e., the angle between the camera and the object) changes. To perform multi-angle attacks, we propose Adversarial Texture (AdvTexture). AdvTexture can cover clothes of arbitrary shapes, so that people wearing such clothes can hide from person detectors from different viewing angles. We propose a generative method, called Toroidal-Cropping-based Expandable Generative Attack (TC-EGA), to craft AdvTexture with a repetitive structure. We printed several pieces of cloth with AdvTexture and then made T-shirts, skirts, and dresses in the physical world. Experiments show that these clothes can fool person detectors in the physical world.
It is well known that the performance of deep neural networks (DNNs) is vulnerable to subtle perturbations. So far, camera-based physical adversarial attacks have not attracted much attention, yet they are a gap in physical attacks. In this paper, we propose a simple and effective camera-based physical attack called "Adversarial Color Film (AdvCF)", which manipulates the physical parameters of a color film to perform the attack. Carefully designed experiments show the effectiveness of the proposed method in both digital and physical environments. In addition, the experimental results show that the adversarial samples generated by AdvCF have excellent attack transferability, which makes AdvCF an effective black-box attack. At the same time, we give guidance on defending against AdvCF through adversarial training. Finally, we investigate the threat of AdvCF to vision-based systems and propose some promising ideas for camera-based physical attacks.
Recent studies show that state-of-the-art deep neural networks (DNNs) are vulnerable to adversarial examples, resulting from small-magnitude perturbations added to the input. Given that emerging physical systems are using DNNs in safety-critical situations, adversarial examples could mislead these systems and cause dangerous situations. Therefore, understanding adversarial examples in the physical world is an important step towards developing resilient learning algorithms. We propose a general attack algorithm, Robust Physical Perturbations (RP2), to generate robust visual adversarial perturbations under different physical conditions. Using the real-world case of road sign classification, we show that adversarial examples generated using RP2 achieve high targeted misclassification rates against standard-architecture road sign classifiers in the physical world under various environmental conditions, including viewpoints. Due to the current lack of a standardized testing method, we propose a two-stage evaluation methodology for robust physical adversarial examples consisting of lab and field tests. Using this methodology, we evaluate the efficacy of physical adversarial manipulations on real objects. With a perturbation in the form of only black and white stickers, we attack a real stop sign, causing targeted misclassification in 100% of the images obtained in lab settings, and in 84.8% of the captured video frames obtained on a moving vehicle (field test) for the target classifier.
Deep learning has substantially boosted the performance of monocular depth estimation (MDE), a critical component of fully vision-based autonomous driving (AD) systems (e.g., Tesla and Toyota). In this work, we develop an attack against learning-based MDE. In particular, we use an optimization-based method to systematically generate stealthy physical-object-oriented adversarial patches to attack depth estimation. We balance the stealth and effectiveness of the attack with object-oriented adversarial design, sensitive region localization, and natural-style camouflage. Using real-world driving scenarios, we evaluate the attack on concurrent MDE models and on a representative downstream task of AD (i.e., 3D object detection). Experimental results show that our method can generate stealthy, effective, and robust adversarial patches for different target objects and models, achieving more than 6 meters of mean depth estimation error and a 93% attack success rate (ASR) in object detection with a patch covering 1/9 of the vehicle's rear area. Field tests on three different driving routes with a real vehicle show that we cause more than 6 meters of mean depth estimation error and reduce the object detection rate from 90.70% to 5.16% in continuous video frames.
Adversarial patch attacks mislead neural networks by injecting adversarial pixels within a designated local region. Patch attacks can be highly effective in a variety of tasks and can be physically realized on real-world objects via attachments (e.g., a sticker). Despite the diversity of attack patterns, adversarial patches tend to be highly textured and different in appearance from natural images. We exploit this property and present PatchZero, a task-agnostic defense against white-box adversarial patches. Specifically, our defense detects the adversarial pixels and "zeros out" the patch region by repainting it with mean pixel values. We formulate the patch detection problem as a semantic segmentation task so that our model can generalize to patches of any size and shape. We further design a two-stage adversarial training scheme to defend against stronger adaptive attacks. We thoroughly evaluate PatchZero on image classification (ImageNet, RESISC45), object detection (PASCAL VOC), and video classification (UCF101) datasets. Our method achieves SOTA robust accuracy without any degradation in benign performance.
Recently, 3D deep learning models have been shown to be vulnerable to adversarial attacks like their 2D counterparts. Most state-of-the-art (SOTA) 3D adversarial attacks perturb 3D point clouds. To reproduce these attacks in physical scenes, the generated adversarial 3D point clouds need to be reconstructed into meshes, which leads to a significant drop in their adversarial effect. In this paper, we propose a strong 3D adversarial attack named Mesh Attack that addresses this problem by directly perturbing the meshes of 3D objects. To take advantage of the most effective gradient-based attacks, a differentiable sampling module that back-propagates point cloud gradients to the mesh is introduced. To further ensure that the adversarial mesh examples have no outliers and are 3D printable, three mesh losses are adopted. Extensive experiments show that the proposed scheme outperforms SOTA 3D attacks by a significant margin. We also achieve SOTA performance under various defenses. Our code is available at: https://github.com/cuge1995/mesh-attack.
Adversarial patch-based attacks aim to fool a neural network with intentionally generated noise concentrated in a specific region of the input image. In this work, we perform an in-depth analysis of different patch generation parameters, including initialization, patch size, and in particular the placement of the patch in the image during training. We focus on the object vanishing attack and run experiments with YOLOv3 as the attacked model in a white-box setting, using images from the COCO dataset. Our experiments show that inserting the patch inside a window of increasing size during training significantly increases attack strength compared with a fixed position. The best results were obtained when the patch was positioned randomly during training, with the patch position also varying within a batch.
Recent research shows that deep neural networks (DNNs) are vulnerable to adversarial patches, which introduce perceptible but localized changes to the input. Nevertheless, existing approaches have focused on generating adversarial patches for images, while their counterparts for videos have been less explored. Compared with images, attacking videos is much more challenging because it has to consider not only spatial cues but also temporal cues. To close this gap, in this paper we introduce a novel adversarial attack, the bullet-screen comment (BSC) attack, which attacks video recognition models with BSCs. Specifically, adversarial BSCs are generated through a reinforcement learning (RL) framework, where the environment is set as the target model and the agent plays the role of selecting the position and transparency of each BSC. By continuously querying the target model and receiving feedback, the agent gradually adjusts its selection strategy in order to achieve a high fooling rate with non-overlapping BSCs. Since BSCs can be regarded as a kind of meaningful patch, adding them to a clean video neither affects people's understanding of the video content nor arouses their suspicion. We conduct extensive experiments to verify the effectiveness of the proposed method. On the UCF-101 and HMDB-51 datasets, our BSC attack method achieves a fooling rate of about 90% when attacking three mainstream video recognition models, while occluding only <8% of the area in the video. Our code is available at https://github.com/kay-ck/bsc-attack.
Real-world adversarial examples (commonly in the form of patches) pose a serious threat to deep learning models used in safety-critical computer vision tasks, such as visual perception in autonomous driving. This paper presents an extensive evaluation of the robustness of semantic segmentation models when attacked with different types of adversarial patches, including digital, simulated, and physical ones. A novel loss function is proposed to improve the attacker's ability to induce pixel misclassifications. Also, a novel attack strategy is proposed to improve the expectation-over-transformation method for placing a patch in the scene. Finally, a state-of-the-art method for detecting adversarial patches is first extended to cope with semantic segmentation models, then improved to obtain real-time performance, and finally evaluated in real-world scenarios. Experimental results show that, although the adversarial effect is visible with both digital and real-world attacks, its impact is usually spatially confined to the image regions around the patch. This opens further questions about the spatial robustness of real-time semantic segmentation models.
The adversarial patch is an important form of real-world adversarial attack that brings serious risks to the robustness of deep neural networks. Previous methods generate adversarial patches either by optimizing their perturbation values while fixing the pasting position or by manipulating the position while fixing the patch's content. This reveals that both the position and the perturbation matter to the adversarial attack. For that reason, in this paper we propose a novel method to simultaneously optimize the position and perturbation of an adversarial patch, and thus obtain a high attack success rate in the black-box setting. Technically, we regard the patch's position and the pre-designed hyper-parameters that determine the patch's perturbation as the variables, and use a reinforcement learning framework to solve for both simultaneously based on the rewards obtained from the target model with a small number of queries. Extensive experiments are conducted on the Face Recognition (FR) task, and results on four representative FR models show that our method significantly improves the attack success rate and query efficiency. Besides, experiments on a commercial FR service and in physical environments confirm its practical application value. We also extend our method to the traffic sign recognition task to verify its generalization ability.