基于CNN的面部识别模型带来了显着的性能改善，但它们容易受到对抗的扰动。最近的研究表明，即使只能访问模型的硬盘标签输出，对手也可以欺骗模型。然而，由于需要许多查询来寻找不可察觉的对抗性噪声，因此减少查询的数量对于这些攻击至关重要。在本文中，我们指出了现有的基于决策黑匣子攻击的两个限制。我们观察到它们浪费查询以进行背景噪声优化，并且他们不利用为其他图像产生的对抗扰动。我们利用3D面部对齐以克服这些限制，并提出了一种关于对地形识别的查询有效的黑匣子攻击的一般策略，名为几何自适应词典攻击（GADA）。我们的核心思想是在UV纹理地图中创造一个对抗扰动，并将其投影到图像中的脸上。通过将扰动搜索空间限制到面部区域并有效地回收之前的扰动来大大提高查询效率。我们将GADA策略应用于两个现有的攻击方法，并在LFW和CPLFW数据集的实验中显示出压倒性的性能改进。此外，我们还提出了一种新的攻击策略，可以规避基于类似性的有状态检测，该检测标识了基于查询的黑盒攻击过程。

虽然深度神经网络在各种任务中表现出前所未有的性能，但对对抗性示例的脆弱性阻碍了他们在安全关键系统中的部署。许多研究表明，即使在黑盒设置中也可能攻击，其中攻击者无法访问目标模型的内部信息。大多数黑匣子攻击基于查询，每个都可以获得目标模型的输入输出，并且许多研究侧重于减少所需查询的数量。在本文中，我们注意了目标模型的输出完全对应于查询输入的隐含假设。如果将某些随机性引入模型中，它可以打破假设，因此，基于查询的攻击可能在梯度估计和本地搜索中具有巨大的困难，这是其攻击过程的核心。从这种动机来看，我们甚至观察到一个小的添加剂输入噪声可以中和大多数基于查询的攻击和名称这个简单但有效的方法小噪声防御（SND）。我们分析了SND如何防御基于查询的黑匣子攻击，并展示其与CIFAR-10和ImageNet数据集的八种最先进的攻击有效性。即使具有强大的防御能力，SND几乎保持了原始的分类准确性和计算速度。通过在推断下仅添加一行代码，SND很容易适用于预先训练的模型。

对抗性示例是故意生成用于欺骗深层神经网络的输入。最近的研究提出了不受规范限制的不受限制的对抗攻击。但是，以前的不受限制攻击方法仍然存在限制在黑框设置中欺骗现实世界应用程序的局限性。在本文中，我们提出了一种新的方法，用于使用GAN生成不受限制的对抗示例，其中攻击者只能访问分类模型的前1个最终决定。我们的潜在方法有效地利用了潜在空间中基于决策的攻击的优势，并成功地操纵了潜在的向量来欺骗分类模型。通过广泛的实验，我们证明我们提出的方法有效地评估了在黑框设置中查询有限的分类模型的鲁棒性。首先，我们证明我们的目标攻击方法是有效的，可以为包含307个身份的面部身份识别模型产生不受限制的对抗示例。然后，我们证明所提出的方法还可以成功攻击现实世界的名人识别服务。

最近成功的对抗性攻击面部识别表明，尽管面部识别模型取得了显着进展，但它们仍然远远落后于人类的感知和认可。它揭示了深度卷积神经网络（CNN）作为面部识别模型的最先进的构建模型的脆弱性，这可能会对安全系统造成一定的后果。以前对基于梯度的对抗攻击进行了广泛的研究，并证明对面部识别模型取得了成功。但是，找到每张面部的优化扰动需要将大量查询数量提交目标模型。在本文中，我们提出了使用自动面部扭曲对面部识别的递归对抗攻击，该面部扭曲需要极有限的查询才能欺骗目标模型。翘曲功能不是随机的面部翘曲程序，而是应用于眉毛，鼻子，嘴唇等的特定脸部检测区域。我们在基于决策的黑盒攻击环境中评估了拟议方法的鲁棒性，攻击者有攻击者有无法访问模型参数和梯度，但是目标模型提供了硬标签的预测和置信分数。

To assess the vulnerability of deep learning in the physical world, recent works introduce adversarial patches and apply them on different tasks. In this paper, we propose another kind of adversarial patch: the Meaningful Adversarial Sticker, a physically feasible and stealthy attack method by using real stickers existing in our life. Unlike the previous adversarial patches by designing perturbations, our method manipulates the sticker's pasting position and rotation angle on the objects to perform physical attacks. Because the position and rotation angle are less affected by the printing loss and color distortion, adversarial stickers can keep good attacking performance in the physical world. Besides, to make adversarial stickers more practical in real scenes, we conduct attacks in the black-box setting with the limited information rather than the white-box setting with all the details of threat models. To effectively solve for the sticker's parameters, we design the Region based Heuristic Differential Evolution Algorithm, which utilizes the new-found regional aggregation of effective solutions and the adaptive adjustment strategy of the evaluation criteria. Our method is comprehensively verified in the face recognition and then extended to the image retrieval and traffic sign recognition. Extensive experiments show the proposed method is effective and efficient in complex physical conditions and has a good generalization for different tasks.

Adversarial patch is an important form of real-world adversarial attack that brings serious risks to the robustness of deep neural networks. Previous methods generate adversarial patches by either optimizing their perturbation values while fixing the pasting position or manipulating the position while fixing the patch's content. This reveals that the positions and perturbations are both important to the adversarial attack. For that, in this paper, we propose a novel method to simultaneously optimize the position and perturbation for an adversarial patch, and thus obtain a high attack success rate in the black-box setting. Technically, we regard the patch's position, the pre-designed hyper-parameters to determine the patch's perturbations as the variables, and utilize the reinforcement learning framework to simultaneously solve for the optimal solution based on the rewards obtained from the target model with a small number of queries. Extensive experiments are conducted on the Face Recognition (FR) task, and results on four representative FR models show that our method can significantly improve the attack success rate and query efficiency. Besides, experiments on the commercial FR service and physical environments confirm its practical application value. We also extend our method to the traffic sign recognition task to verify its generalization ability.

深度神经网络的面部识别模型已显示出容易受到对抗例子的影响。但是，过去的许多攻击都要求对手使用梯度下降来解决输入依赖性优化问题，这使该攻击实时不切实际。这些对抗性示例也与攻击模型紧密耦合，并且在转移到不同模型方面并不那么成功。在这项工作中，我们提出了Reface，这是对基于对抗性转换网络（ATN）的面部识别模型的实时，高度转移的攻击。 ATNS模型对抗性示例生成是馈送前向神经网络。我们发现，纯U-NET ATN的白盒攻击成功率大大低于基于梯度的攻击，例如大型面部识别数据集中的PGD。因此，我们为ATN提出了一个新的架构，该架构缩小了这一差距，同时维持PGD的10000倍加速。此外，我们发现在给定的扰动幅度下，与PGD相比，我们的ATN对抗扰动在转移到新的面部识别模型方面更有效。 Reface攻击可以在转移攻击环境中成功欺骗商业面部识别服务，并将面部识别精度从AWS SearchFaces API和Azure Face验证准确性从91％降低到50.1％，从而将面部识别精度从82％降低到16.4％。

在过去的十年中，深度学习急剧改变了传统的手工艺特征方式，具有强大的功能学习能力，从而极大地改善了传统任务。然而，最近已经证明了深层神经网络容易受到对抗性例子的影响，这种恶意样本由小型设计的噪音制作，误导了DNNs做出错误的决定，同时仍然对人类无法察觉。对抗性示例可以分为数字对抗攻击和物理对抗攻击。数字对抗攻击主要是在实验室环境中进行的，重点是改善对抗性攻击算法的性能。相比之下，物理对抗性攻击集中于攻击物理世界部署的DNN系统，这是由于复杂的物理环境（即亮度，遮挡等），这是一项更具挑战性的任务。尽管数字对抗和物理对抗性示例之间的差异很小，但物理对抗示例具有特定的设计，可以克服复杂的物理环境的效果。在本文中，我们回顾了基于DNN的计算机视觉任务任务中的物理对抗攻击的开发，包括图像识别任务，对象检测任务和语义细分。为了完整的算法演化，我们将简要介绍不涉及身体对抗性攻击的作品。我们首先提出一个分类方案，以总结当前的物理对抗攻击。然后讨论现有的物理对抗攻击的优势和缺点，并专注于用于维持对抗性的技术，当应用于物理环境中时。最后，我们指出要解决的当前身体对抗攻击的问题并提供有前途的研究方向。

近年来，由于深度神经网络的发展，面部识别取得了很大的进步，但最近发现深神经网络容易受到对抗性例子的影响。这意味着基于深神经网络的面部识别模型或系统也容易受到对抗例子的影响。但是，现有的攻击面部识别模型或具有对抗性示例的系统可以有效地完成白色盒子攻击，而不是黑盒模仿攻击，物理攻击或方便的攻击，尤其是在商业面部识别系统上。在本文中，我们提出了一种攻击面部识别模型或称为RSTAM的系统的新方法，该方法可以使用由移动和紧凑型打印机打印的对抗性面膜进行有效的黑盒模仿攻击。首先，RSTAM通过我们提出的随机相似性转换策略来增强对抗性面罩的可传递性。此外，我们提出了一种随机的元优化策略，以结合几种预训练的面部模型来产生更一般的对抗性掩模。最后，我们在Celeba-HQ，LFW，化妆转移（MT）和CASIA-FACEV5数据集上进行实验。还对攻击的性能进行了最新的商业面部识别系统的评估：Face ++，Baidu，Aliyun，Tencent和Microsoft。广泛的实验表明，RSTAM可以有效地对面部识别模型或系统进行黑盒模仿攻击。

Although Deep Neural Networks (DNNs) have achieved impressive results in computer vision, their exposed vulnerability to adversarial attacks remains a serious concern. A series of works has shown that by adding elaborate perturbations to images, DNNs could have catastrophic degradation in performance metrics. And this phenomenon does not only exist in the digital space but also in the physical space. Therefore, estimating the security of these DNNs-based systems is critical for safely deploying them in the real world, especially for security-critical applications, e.g., autonomous cars, video surveillance, and medical diagnosis. In this paper, we focus on physical adversarial attacks and provide a comprehensive survey of over 150 existing papers. We first clarify the concept of the physical adversarial attack and analyze its characteristics. Then, we define the adversarial medium, essential to perform attacks in the physical world. Next, we present the physical adversarial attack methods in task order: classification, detection, and re-identification, and introduce their performance in solving the trilemma: effectiveness, stealthiness, and robustness. In the end, we discuss the current challenges and potential future directions.

基于深度学习的面部识别（FR）模型在过去几年中表现出最先进的性能，即使在佩戴防护医疗面罩时，面膜在Covid-19大流行期间变得普遍。鉴于这些模型的出色表现，机器学习研究界已经表明对挑战其稳健性越来越令人兴趣。最初，研究人员在数字域中呈现了对抗性攻击，后来将攻击转移到物理领域。然而，在许多情况下，物理领域的攻击是显眼的，例如，需要在脸上放置贴纸，因此可能会在真实环境中引起怀疑（例如，机场）。在本文中，我们提出了对伪装在面部面罩的最先进的FR模型的身体对抗性掩模，以仔细制作的图案的形式施加在面部面具上。在我们的实验中，我们检查了我们的对抗掩码对广泛的FR模型架构和数据集的可转移性。此外，我们通过在织物医疗面罩上印刷对抗性模式来验证了我们的对抗性面膜效果，使FR系统仅识别穿面膜的3.34％的参与者（相比最低83.34％其他评估的面具）。

Video classification systems are vulnerable to adversarial attacks, which can create severe security problems in video verification. Current black-box attacks need a large number of queries to succeed, resulting in high computational overhead in the process of attack. On the other hand, attacks with restricted perturbations are ineffective against defenses such as denoising or adversarial training. In this paper, we focus on unrestricted perturbations and propose StyleFool, a black-box video adversarial attack via style transfer to fool the video classification system. StyleFool first utilizes color theme proximity to select the best style image, which helps avoid unnatural details in the stylized videos. Meanwhile, the target class confidence is additionally considered in targeted attacks to influence the output distribution of the classifier by moving the stylized video closer to or even across the decision boundary. A gradient-free method is then employed to further optimize the adversarial perturbations. We carry out extensive experiments to evaluate StyleFool on two standard datasets, UCF-101 and HMDB-51. The experimental results demonstrate that StyleFool outperforms the state-of-the-art adversarial attacks in terms of both the number of queries and the robustness against existing defenses. Moreover, 50% of the stylized videos in untargeted attacks do not need any query since they can already fool the video classification model. Furthermore, we evaluate the indistinguishability through a user study to show that the adversarial samples of StyleFool look imperceptible to human eyes, despite unrestricted perturbations.

随着现实世界图像的大小不同，机器学习模型是包括上游图像缩放算法的较大系统的一部分。在本文中，我们研究了基于决策的黑框设置中图像缩放过程的漏洞与机器学习模型之间的相互作用。我们提出了一种新颖的采样策略，以端到端的方式使黑框攻击利用漏洞在缩放算法，缩放防御和最终的机器学习模型中。基于这种缩放感知的攻击，我们揭示了大多数现有的缩放防御能力在下游模型的威胁下无效。此外，我们从经验上观察到，标准的黑盒攻击可以通过利用脆弱的缩放程序来显着提高其性能。我们进一步在具有基于决策的黑盒攻击的商业图像分析API上证明了这个问题。

Although deep neural networks (DNNs) have achieved great success in many tasks, they can often be fooled by adversarial examples that are generated by adding small but purposeful distortions to natural examples. Previous studies to defend against adversarial examples mostly focused on refining the DNN models, but have either shown limited success or required expensive computation. We propose a new strategy, feature squeezing, that can be used to harden DNN models by detecting adversarial examples. Feature squeezing reduces the search space available to an adversary by coalescing samples that correspond to many different feature vectors in the original space into a single sample. By comparing a DNN model's prediction on the original input with that on squeezed inputs, feature squeezing detects adversarial examples with high accuracy and few false positives.This paper explores two feature squeezing methods: reducing the color bit depth of each pixel and spatial smoothing. These simple strategies are inexpensive and complementary to other defenses, and can be combined in a joint detection framework to achieve high detection rates against state-of-the-art attacks.

与深度卷积神经网络（CNNS）相比，视觉变压器（VITS）表现出令人印象深刻的性能和更强的对抗性鲁棒性。一方面，VITS对各个补丁之间的全局交互的关注降低了图像的局部噪声灵敏度。另一方面，CNN的现有决策攻击忽略了图像的不同区域之间的噪声灵敏度的差异，这影响了噪声压缩的效率。因此，只有查询目标模型仍然可以验证VITS的黑匣子对抗鲁棒性仍然是一个具有挑战性的问题。在本文中，我们提出了一种新的决策黑匣子攻击，反对VITS称为PACK-WISE对抗（PAR）。将图像分为粗细的搜索过程，并分别压缩每个补丁上的噪声。 PAR记录每个补丁的噪声幅度和噪声灵敏度，并选择具有最高查询值的补丁以进行噪声压缩。此外，PAR可以用作噪声初始化方法，用于其他基于判决的攻击，以提高VITS和CNNS上的噪声压缩效率而不引入额外的计算。关于Imagenet-21K，ILSVRC-2012和微型想象的数据集的大量实验表明，平均疑问的平均扰动程度降低了。

With rapid progress and significant successes in a wide spectrum of applications, deep learning is being applied in many safety-critical environments. However, deep neural networks have been recently found vulnerable to well-designed input samples, called adversarial examples. Adversarial perturbations are imperceptible to human but can easily fool deep neural networks in the testing/deploying stage. The vulnerability to adversarial examples becomes one of the major risks for applying deep neural networks in safety-critical environments. Therefore, attacks and defenses on adversarial examples draw great attention. In this paper, we review recent findings on adversarial examples for deep neural networks, summarize the methods for generating adversarial examples, and propose a taxonomy of these methods. Under the taxonomy, applications for adversarial examples are investigated. We further elaborate on countermeasures for adversarial examples. In addition, three major challenges in adversarial examples and the potential solutions are discussed.

The authors thank Nicholas Carlini (UC Berkeley) and Dimitris Tsipras (MIT) for feedback to improve the survey quality. We also acknowledge X. Huang (Uni. Liverpool), K. R. Reddy (IISC), E. Valle (UNICAMP), Y. Yoo (CLAIR) and others for providing pointers to make the survey more comprehensive.

机器学习模型严重易于来自对抗性示例的逃避攻击。通常，对逆势示例的修改输入类似于原始输入的修改输入，在WhiteBox设置下由对手的WhiteBox设置构成，完全访问模型。然而，最近的攻击已经显示出使用BlackBox攻击的对逆势示例的查询号显着减少。特别是，警报是从越来越多的机器学习提供的经过培训的模型的访问界面中利用分类决定作为包括Google，Microsoft，IBM的服务提供商，并由包含这些模型的多种应用程序使用的服务提供商来利用培训的模型。对手仅利用来自模型的预测标签的能力被区别为基于决策的攻击。在我们的研究中，我们首先深入潜入最近的ICLR和SP的最先进的决策攻击，以突出发现低失真对抗采用梯度估计方法的昂贵性质。我们开发了一种强大的查询高效攻击，能够避免在梯度估计方法中看到的嘈杂渐变中的局部最小和误导中的截留。我们提出的攻击方法，ramboattack利用随机块坐标下降的概念来探索隐藏的分类器歧管，针对扰动来操纵局部输入功能以解决梯度估计方法的问题。重要的是，ramboattack对对对手和目标类别可用的不同样本输入更加强大。总的来说，对于给定的目标类，ramboattack被证明在实现给定查询预算的较低失真时更加强大。我们使用大规模的高分辨率ImageNet数据集来策划我们的广泛结果，并在GitHub上开源我们的攻击，测试样本和伪影。

Current neural network-based classifiers are susceptible to adversarial examples even in the black-box setting, where the attacker only has query access to the model. In practice, the threat model for real-world systems is often more restrictive than the typical black-box model where the adversary can observe the full output of the network on arbitrarily many chosen inputs. We define three realistic threat models that more accurately characterize many real-world classifiers: the query-limited setting, the partialinformation setting, and the label-only setting. We develop new attacks that fool classifiers under these more restrictive threat models, where previous methods would be impractical or ineffective. We demonstrate that our methods are effective against an ImageNet classifier under our proposed threat models. We also demonstrate a targeted black-box attack against a commercial classifier, overcoming the challenges of limited query access, partial information, and other practical issues to break the Google Cloud Vision API.

Recent studies reveal that deep neural network (DNN) based object detectors are vulnerable to adversarial attacks in the form of adding the perturbation to the images, leading to the wrong output of object detectors. Most current existing works focus on generating perturbed images, also called adversarial examples, to fool object detectors. Though the generated adversarial examples themselves can remain a certain naturalness, most of them can still be easily observed by human eyes, which limits their further application in the real world. To alleviate this problem, we propose a differential evolution based dual adversarial camouflage (DE_DAC) method, composed of two stages to fool human eyes and object detectors simultaneously. Specifically, we try to obtain the camouflage texture, which can be rendered over the surface of the object. In the first stage, we optimize the global texture to minimize the discrepancy between the rendered object and the scene images, making human eyes difficult to distinguish. In the second stage, we design three loss functions to optimize the local texture, making object detectors ineffective. In addition, we introduce the differential evolution algorithm to search for the near-optimal areas of the object to attack, improving the adversarial performance under certain attack area limitations. Besides, we also study the performance of adaptive DE_DAC, which can be adapted to the environment. Experiments show that our proposed method could obtain a good trade-off between the fooling human eyes and object detectors under multiple specific scenes and objects.