受益于生成对抗性网络（GAN）的发展，面部操纵最近在学术界和工业中取得了重大进展。它激发了越来越多的娱乐应用，但也遭到对个人隐私甚至政治安全的严重威胁。为了减轻这种风险，已经提出了许多对策。然而，大多数方法以被动方式设计，这是为了检测它们在广泛传播之后是否篡改了面部图像或视频。这些基于检测的方法具有致命的限制，即它们仅适用于前后的取证，但不能阻止对恶意行为的发挥作用。为了解决限制，在本文中，我们提出了一种新颖的倡议防御框架，以降低恶意用户控制的面部操纵模型的性能。基本思想是在操纵之前将难以察觉的毒液纳入目标面部数据。为此，我们首先使用替代模型模仿目标操纵模型，然后设计毒药扰动发生器以获得所需的毒液。交替的培训策略进一步利用以培训代理模型和扰动发生器。两个典型的面部操纵任务：面部属性编辑和面部重新制定，在我们的倡议防御框架中考虑。广泛的实验证明了我们在不同环境中框架的有效性和稳健性。最后，我们希望这项工作能够在针对更多对抗方案的主动对策上阐明一些灯。

Adversarial patch is an important form of real-world adversarial attack that brings serious risks to the robustness of deep neural networks. Previous methods generate adversarial patches by either optimizing their perturbation values while fixing the pasting position or manipulating the position while fixing the patch's content. This reveals that the positions and perturbations are both important to the adversarial attack. For that, in this paper, we propose a novel method to simultaneously optimize the position and perturbation for an adversarial patch, and thus obtain a high attack success rate in the black-box setting. Technically, we regard the patch's position, the pre-designed hyper-parameters to determine the patch's perturbations as the variables, and utilize the reinforcement learning framework to simultaneously solve for the optimal solution based on the rewards obtained from the target model with a small number of queries. Extensive experiments are conducted on the Face Recognition (FR) task, and results on four representative FR models show that our method can significantly improve the attack success rate and query efficiency. Besides, experiments on the commercial FR service and physical environments confirm its practical application value. We also extend our method to the traffic sign recognition task to verify its generalization ability.

In the scenario of black-box adversarial attack, the target model's parameters are unknown, and the attacker aims to find a successful adversarial perturbation based on query feedback under a query budget. Due to the limited feedback information, existing query-based black-box attack methods often require many queries for attacking each benign example. To reduce query cost, we propose to utilize the feedback information across historical attacks, dubbed example-level adversarial transferability. Specifically, by treating the attack on each benign example as one task, we develop a meta-learning framework by training a meta-generator to produce perturbations conditioned on benign examples. When attacking a new benign example, the meta generator can be quickly fine-tuned based on the feedback information of the new task as well as a few historical attacks to produce effective perturbations. Moreover, since the meta-train procedure consumes many queries to learn a generalizable generator, we utilize model-level adversarial transferability to train the meta-generator on a white-box surrogate model, then transfer it to help the attack against the target model. The proposed framework with the two types of adversarial transferability can be naturally combined with any off-the-shelf query-based attack methods to boost their performance, which is verified by extensive experiments.

最近的研究表明，深层神经网络容易受到不同类型的攻击，例如对抗性攻击，数据中毒攻击和后门攻击。其中，后门攻击是最狡猾的攻击，几乎可以在深度学习管道的每个阶段发生。因此，后门攻击吸引了学术界和行业的许多兴趣。但是，大多数现有的后门攻击方法对于某些轻松的预处理（例如常见数据转换）都是可见的或脆弱的。为了解决这些限制，我们提出了一种强大而无形的后门攻击，称为“毒药”。具体而言，我们首先利用图像结构作为目标中毒区域，并用毒药（信息）填充它们以生成触发图案。由于图像结构可以在数据转换期间保持其语义含义，因此这种触发模式对数据转换本质上是强大的。然后，我们利用深度注射网络将这种触发模式嵌入封面图像中，以达到隐身性。与现有流行的后门攻击方法相比，毒药的墨水在隐形和健壮性方面都优于表现。通过广泛的实验，我们证明了毒药不仅是不同数据集和网络体系结构的一般性，而且对于不同的攻击场景也很灵活。此外，它对许多最先进的防御技术也具有非常强烈的抵抗力。

使用社交媒体网站和应用程序已经变得非常受欢迎，人们在这些网络上分享他们的照片。在这些网络上自动识别和标记人们的照片已经提出了隐私保存问题，用户寻求隐藏这些算法的方法。生成的对抗网络（GANS）被证明是非常强大的在高多样性中产生面部图像以及编辑面部图像。在本文中，我们提出了一种基于GAN的生成掩模引导的面部图像操纵（GMFIM）模型，以将无法察觉的编辑应用于输入面部图像以保护图像中的人的隐私。我们的模型由三个主要组件组成：a）面罩模块将面积从输入图像中切断并省略背景，b）用于操纵面部图像并隐藏身份的GaN的优化模块，并覆盖身份和c）用于组合输入图像的背景和操纵的去识别的面部图像的合并模块。在优化步骤的丢失功能中考虑了不同的标准，以产生与输入图像一样类似的高质量图像，同时不能通过AFR系统识别。不同数据集的实验结果表明，与最先进的方法相比，我们的模型可以实现对自动面部识别系统的更好的性能，并且它在大多数实验中捕获更高的攻击成功率。此外，我们提出的模型的产生图像具有最高的质量，更令人愉悦。

Face Restoration (FR) aims to restore High-Quality (HQ) faces from Low-Quality (LQ) input images, which is a domain-specific image restoration problem in the low-level computer vision area. The early face restoration methods mainly use statistic priors and degradation models, which are difficult to meet the requirements of real-world applications in practice. In recent years, face restoration has witnessed great progress after stepping into the deep learning era. However, there are few works to study deep learning-based face restoration methods systematically. Thus, this paper comprehensively surveys recent advances in deep learning techniques for face restoration. Specifically, we first summarize different problem formulations and analyze the characteristic of the face image. Second, we discuss the challenges of face restoration. Concerning these challenges, we present a comprehensive review of existing FR methods, including prior based methods and deep learning-based methods. Then, we explore developed techniques in the task of FR covering network architectures, loss functions, and benchmark datasets. We also conduct a systematic benchmark evaluation on representative methods. Finally, we discuss future directions, including network designs, metrics, benchmark datasets, applications,etc. We also provide an open-source repository for all the discussed methods, which is available at https://github.com/TaoWangzj/Awesome-Face-Restoration.

由于其语义上的理解和用户友好的可控性，通过三维引导，通过三维引导的面部图像操纵已广泛应用于各种交互式场景。然而，现有的基于3D形式模型的操作方法不可直接适用于域名面，例如非黑色素化绘画，卡通肖像，甚至是动物，主要是由于构建每个模型的强大困难具体面部域。为了克服这一挑战，据我们所知，我们建议使用人为3DMM操纵任意域名的第一种方法。这是通过两个主要步骤实现的：1）从3DMM参数解开映射到潜在的STYLEGO2的潜在空间嵌入，可确保每个语义属性的解除响应和精确的控制; 2）通过实施一致的潜空间嵌入，桥接域差异并使人类3DMM适用于域外面的人类3DMM。实验和比较展示了我们高质量的语义操作方法在各种面部域中的优越性，所有主要3D面部属性可控姿势，表达，形状，反照镜和照明。此外，我们开发了直观的编辑界面，以支持用户友好的控制和即时反馈。我们的项目页面是https://cassiepython.github.io/cddfm3d/index.html

Facial image manipulation has achieved great progress in recent years. However, previous methods either operate on a predefined set of face attributes or leave users little freedom to interactively manipulate images. To overcome these drawbacks, we propose a novel framework termed MaskGAN, enabling diverse and interactive face manipulation. Our key insight is that semantic masks serve as a suitable intermediate representation for flexible face manipulation with fidelity preservation. MaskGAN has two main components: 1) Dense Mapping Network (DMN) and 2) Editing Behavior Simulated Training (EBST). Specifically, DMN learns style mapping between a free-form user modified mask and a target image, enabling diverse generation results. EBST models the user editing behavior on the source mask, making the overall framework more robust to various manipulated inputs. Specifically, it introduces dual-editing consistency as the auxiliary supervision signal. To facilitate extensive studies, we construct a large-scale high-resolution face dataset with fine-grained mask annotations named CelebAMask-HQ. MaskGAN is comprehensively evaluated on two challenging tasks: attribute transfer and style copy, demonstrating superior performance over other state-of-the-art methods. The code, models, and dataset are available at https://github.com/switchablenorms/CelebAMask-HQ.

本文的目标是对面部素描合成（FSS）问题进行全面的研究。然而，由于获得了手绘草图数据集的高成本，因此缺乏完整的基准，用于评估过去十年的FSS算法的开发。因此，我们首先向FSS引入高质量的数据集，名为FS2K，其中包括2,104个图像素描对，跨越三种类型的草图样式，图像背景，照明条件，肤色和面部属性。 FS2K与以前的FSS数据集不同于难度，多样性和可扩展性，因此应促进FSS研究的进展。其次，我们通过调查139种古典方法，包括34个手工特征的面部素描合成方法，37个一般的神经式传输方法，43个深映像到图像翻译方法，以及35个图像 - 素描方法。此外，我们详细说明了现有的19个尖端模型的综合实验。第三，我们为FSS提供了一个简单的基准，名为FSGAN。只有两个直截了当的组件，即面部感知屏蔽和风格矢量扩展，FSGAN将超越所提出的FS2K数据集的所有先前最先进模型的性能，通过大边距。最后，我们在过去几年中汲取的经验教训，并指出了几个未解决的挑战。我们的开源代码可在https://github.com/dengpingfan/fsgan中获得。

Deepfakes的恶意应用（即，从面部图像产生目标面部属性或整个面部的技术）对个人的声誉和安全构成了巨大的威胁。为了减轻这些威胁，最近的研究已经提出了对抗DeepFake模型的对抗水印，导致它们产生扭曲的输出。尽管结果令人印象深刻，但这些对抗水印具有低的图像水平和模型级可转移性，这意味着它们可以仅保护一个特定的DeepFake模型的一个面部图像。为了解决这些问题，我们提出了一种新的解决方案，可以产生跨模型通用对抗水印（CMUA-Watermark），保护来自多个DeepFake模型的大量面部图像。具体而言，我们首先提出跨模型通用攻击管道，迭代地攻击多个DeepFake模型。然后，我们设计了一种双层扰动融合策略，以减轻不同面部图像和模型产生的对抗水印之间的冲突。此外，我们通过启发式方法解决了跨模型优化的关键问题，以自动找到不同型号的合适的攻击步骤尺寸，进一步削弱了模型级冲突。最后，我们介绍了一种更合理和全面的评估方法来完全测试所提出的方法并将其与现有的方法进行比较。广泛的实验结果表明，所提出的CMUA-Watermark可以有效地扭曲由多个DeepFake模型产生的假面部图像，同时实现比现有方法更好的性能。

To assess the vulnerability of deep learning in the physical world, recent works introduce adversarial patches and apply them on different tasks. In this paper, we propose another kind of adversarial patch: the Meaningful Adversarial Sticker, a physically feasible and stealthy attack method by using real stickers existing in our life. Unlike the previous adversarial patches by designing perturbations, our method manipulates the sticker's pasting position and rotation angle on the objects to perform physical attacks. Because the position and rotation angle are less affected by the printing loss and color distortion, adversarial stickers can keep good attacking performance in the physical world. Besides, to make adversarial stickers more practical in real scenes, we conduct attacks in the black-box setting with the limited information rather than the white-box setting with all the details of threat models. To effectively solve for the sticker's parameters, we design the Region based Heuristic Differential Evolution Algorithm, which utilizes the new-found regional aggregation of effective solutions and the adaptive adjustment strategy of the evaluation criteria. Our method is comprehensively verified in the face recognition and then extended to the image retrieval and traffic sign recognition. Extensive experiments show the proposed method is effective and efficient in complex physical conditions and has a good generalization for different tasks.

随着过去五年的快速发展，面部身份验证已成为最普遍的生物识别方法。得益于高准确的识别性能和用户友好的用法，自动面部识别（AFR）已爆炸成多次实用的应用程序，而不是设备解锁，签到和经济支付。尽管面部身份验证取得了巨大的成功，但各种面部表现攻击（FPA），例如印刷攻击，重播攻击和3D面具攻击，但仍引起了不信任的问题。除了身体上的攻击外，面部视频/图像很容易受到恶意黑客发起的各种数字攻击技术的影响，从而对整个公众造成了潜在的威胁。由于无限制地访问了巨大的数字面部图像/视频，并披露了互联网上流通的易于使用的面部操纵工具，因此没有任何先前专业技能的非专家攻击者能够轻松创建精致的假面，从而导致许多危险的应用程序例如财务欺诈，模仿和身份盗用。这项调查旨在通过提供对现有文献的彻底分析并突出需要进一步关注的问题来建立面部取证的完整性。在本文中，我们首先全面调查了物理和数字面部攻击类型和数据集。然后，我们回顾了现有的反攻击方法的最新和最先进的进度，并突出显示其当前限制。此外，我们概述了面对法医社区中现有和即将面临的挑战的未来研究指示。最后，已经讨论了联合物理和数字面部攻击检​​测的必要性，这在先前的调查中从未进行过研究。

在过去的十年中，深度学习急剧改变了传统的手工艺特征方式，具有强大的功能学习能力，从而极大地改善了传统任务。然而，最近已经证明了深层神经网络容易受到对抗性例子的影响，这种恶意样本由小型设计的噪音制作，误导了DNNs做出错误的决定，同时仍然对人类无法察觉。对抗性示例可以分为数字对抗攻击和物理对抗攻击。数字对抗攻击主要是在实验室环境中进行的，重点是改善对抗性攻击算法的性能。相比之下，物理对抗性攻击集中于攻击物理世界部署的DNN系统，这是由于复杂的物理环境（即亮度，遮挡等），这是一项更具挑战性的任务。尽管数字对抗和物理对抗性示例之间的差异很小，但物理对抗示例具有特定的设计，可以克服复杂的物理环境的效果。在本文中，我们回顾了基于DNN的计算机视觉任务任务中的物理对抗攻击的开发，包括图像识别任务，对象检测任务和语义细分。为了完整的算法演化，我们将简要介绍不涉及身体对抗性攻击的作品。我们首先提出一个分类方案，以总结当前的物理对抗攻击。然后讨论现有的物理对抗攻击的优势和缺点，并专注于用于维持对抗性的技术，当应用于物理环境中时。最后，我们指出要解决的当前身体对抗攻击的问题并提供有前途的研究方向。

人群计数已被广泛用于估计安全至关重要的场景中的人数，被证明很容易受到物理世界中对抗性例子的影响（例如，对抗性斑块）。尽管有害，但对抗性例子也很有价值，对于评估和更好地理解模型的鲁棒性也很有价值。但是，现有的对抗人群计算的对抗性示例生成方法在不同的黑盒模型之间缺乏强大的可传递性，这限制了它们对现实世界系统的实用性。本文提出了与模型不变特征正相关的事实，本文提出了感知的对抗贴片（PAP）生成框架，以使用模型共享的感知功能来定制对对抗性的扰动。具体来说，我们将一种自适应人群密度加权方法手工制作，以捕获各种模型中不变的量表感知特征，并利用密度引导的注意力来捕获模型共享的位置感知。证明它们都可以提高我们对抗斑块的攻击性转移性。广泛的实验表明，我们的PAP可以在数字世界和物理世界中实现最先进的进攻性能，并且以大幅度的优于以前的提案（最多+685.7 MAE和+699.5 MSE）。此外，我们从经验上证明，对我们的PAP进行的对抗训练可以使香草模型的性能受益，以减轻人群计数的几个实际挑战，包括跨数据集的概括（高达-376.0 MAE和-376.0 MAE和-354.9 MSE）和对复杂背景的鲁棒性（上升）至-10.3 MAE和-16.4 MSE）。

我们建议使用单个图像进行面部表达到表达翻译的简单而强大的地标引导的生成对抗网络（Landmarkgan），这在计算机视觉中是一项重要且具有挑战性的任务，因为表达到表达的翻译是非 - 线性和非对准问题。此外，由于图像中的对象可以具有任意的姿势，大小，位置，背景和自我观念，因此需要在输入图像和输出图像之间有一个高级的语义理解。为了解决这个问题，我们建议明确利用面部地标信息。由于这是一个具有挑战性的问题，我们将其分为两个子任务，（i）类别引导的地标生成，以及（ii）具有里程碑意义的指导表达式对表达的翻译。两项子任务以端到端的方式进行了培训，旨在享受产生的地标和表情的相互改善的好处。与当前的按键指导的方法相比，提议的Landmarkgan只需要单个面部图像即可产生各种表达式。四个公共数据集的广泛实验结果表明，与仅使用单个图像的最先进方法相比，所提出的Landmarkgan获得了更好的结果。该代码可从https://github.com/ha0tang/landmarkgan获得。

尽管在各种应用中取得了突出的性能，但点云识别模型经常遭受自然腐败和对抗性扰动的困扰。在本文中，我们深入研究了点云识别模型的一般鲁棒性，并提出了点云对比对抗训练（PointCat）。 PointCat的主要直觉是鼓励目标识别模型缩小清洁点云和损坏点云之间的决策差距。具体而言，我们利用有监督的对比损失来促进识别模型提取的超晶体特征的对齐和均匀性，并设计一对带有动态原型指南的集中式损失，以避免这些特征与其属于其属于其归属类别群的偏离。为了提供更具挑战性的损坏点云，我们对噪声生成器以及从头开始的识别模型进行了对手训练，而不是将基于梯度的攻击用作内部循环，例如以前的对手训练方法。全面的实验表明，在包括各种损坏的情况下，所提出的PointCat优于基线方法，并显着提高不同点云识别模型的稳健性，包括各向同性点噪声，LIDAR模拟的噪声，随机点掉落和对抗性扰动。

Facial attribute editing aims to manipulate single or multiple attributes of a face image, i.e., to generate a new face with desired attributes while preserving other details. Recently, generative adversarial net (GAN) and encoder-decoder architecture are usually incorporated to handle this task with promising results. Based on the encoder-decoder architecture, facial attribute editing is achieved by decoding the latent representation of the given face conditioned on the desired attributes. Some existing methods attempt to establish an attributeindependent latent representation for further attribute editing. However, such attribute-independent constraint on the latent representation is excessive because it restricts the capacity of the latent representation and may result in information loss, leading to over-smooth and distorted generation. Instead of imposing constraints on the latent representation, in this work we apply an attribute classification constraint to the generated image to just guarantee the correct change of desired attributes, i.e., to "change what you want". Meanwhile, the reconstruction learning is introduced to preserve attribute-excluding details, in other words, to "only change what you want". Besides, the adversarial learning is employed for visually realistic editing. These three components cooperate with each other forming an effective framework for high quality facial attribute editing, referred as AttGAN. Furthermore, our method is also directly applicable for attribute intensity control and can be naturally extended for attribute style manipulation. Experiments on CelebA dataset show that our method outperforms the state-of-the-arts on realistic attribute editing with facial details well preserved.

虽然近年来，在2D图像领域的攻击和防御中，许多努力已经探讨了3D模型的脆弱性。现有的3D攻击者通常在点云上执行点明智的扰动，从而导致变形的结构或异常值，这很容易被人类察觉。此外，它们的对抗示例是在白盒设置下产生的，当转移到攻击远程黑匣子型号时经常遭受低成功率。在本文中，我们通过提出一种新的难以察觉的转移攻击（ITA）：1）难以察觉的3D点云攻击来自两个新的和具有挑战性的观点：1）难以察觉：沿着邻域表面的正常向量限制每个点的扰动方向，导致产生具有类似几何特性的示例，从而增强了难以察觉。 2）可转移性：我们开发了一个对抗性转变模型，以产生最有害的扭曲，并强制实施对抗性示例来抵抗它，从而提高其对未知黑匣子型号的可转移性。此外，我们建议通过学习更辨别的点云表示来培训更强大的黑盒3D模型来防御此类ITA攻击。广泛的评估表明，我们的ITA攻击比最先进的人更令人无法察觉和可转让，并验证我们的国防战略的优势。

Existing integrity verification approaches for deep models are designed for private verification (i.e., assuming the service provider is honest, with white-box access to model parameters). However, private verification approaches do not allow model users to verify the model at run-time. Instead, they must trust the service provider, who may tamper with the verification results. In contrast, a public verification approach that considers the possibility of dishonest service providers can benefit a wider range of users. In this paper, we propose PublicCheck, a practical public integrity verification solution for services of run-time deep models. PublicCheck considers dishonest service providers, and overcomes public verification challenges of being lightweight, providing anti-counterfeiting protection, and having fingerprinting samples that appear smooth. To capture and fingerprint the inherent prediction behaviors of a run-time model, PublicCheck generates smoothly transformed and augmented encysted samples that are enclosed around the model's decision boundary while ensuring that the verification queries are indistinguishable from normal queries. PublicCheck is also applicable when knowledge of the target model is limited (e.g., with no knowledge of gradients or model parameters). A thorough evaluation of PublicCheck demonstrates the strong capability for model integrity breach detection (100% detection accuracy with less than 10 black-box API queries) against various model integrity attacks and model compression attacks. PublicCheck also demonstrates the smooth appearance, feasibility, and efficiency of generating a plethora of encysted samples for fingerprinting.

Although Deep Neural Networks (DNNs) have achieved impressive results in computer vision, their exposed vulnerability to adversarial attacks remains a serious concern. A series of works has shown that by adding elaborate perturbations to images, DNNs could have catastrophic degradation in performance metrics. And this phenomenon does not only exist in the digital space but also in the physical space. Therefore, estimating the security of these DNNs-based systems is critical for safely deploying them in the real world, especially for security-critical applications, e.g., autonomous cars, video surveillance, and medical diagnosis. In this paper, we focus on physical adversarial attacks and provide a comprehensive survey of over 150 existing papers. We first clarify the concept of the physical adversarial attack and analyze its characteristics. Then, we define the adversarial medium, essential to perform attacks in the physical world. Next, we present the physical adversarial attack methods in task order: classification, detection, and re-identification, and introduce their performance in solving the trilemma: effectiveness, stealthiness, and robustness. In the end, we discuss the current challenges and potential future directions.