Physical Adversarial Attack meets Computer Vision: A Decade Survey

Hui Wei, Hao Tang, Xuemei Jia, Zhixiang Wang, Hanxun Yu, Zhubo Li, Shin'ichi Satoh, Luc Van Gool, Zheng Wang

TL;DR

This survey presents a comprehensive overview of physical adversarial attacks and proposes an evaluation metric, hiPAA, that comprises six perspectives: Effectiveness, Stealthiness, Robustness, Practicability, Aesthetics, and Economics.

Abstract

Despite the impressive achievements of Deep Neural Networks (DNNs) in computer vision, their vulnerability to adversarial attacks remains a critical concern. Extensive research has demonstrated that incorporating sophisticated perturbations into input images can lead to a catastrophic degradation in DNNs' performance. This perplexing phenomenon exists not only in the digital space but also in the physical world. Consequently, it becomes imperative to evaluate the security of DNN-based systems to ensure their safe deployment in real-world scenarios, particularly in security-sensitive applications. To facilitate a profound understanding of this topic, this paper presents a comprehensive overview of physical adversarial attacks. Firstly, we distill four general steps for launching physical adversarial attacks. Building upon this foundation, we uncover the pervasive role of artifacts carrying adversarial perturbations in the physical world. These artifacts influence each step. To denote them, we introduce a new term: adversarial medium. Then, we take the first step to systematically evaluate the performance of physical adversarial attacks, taking the adversarial medium as a first attempt. Our proposed evaluation metric, hiPAA, comprises six perspectives: Effectiveness, Stealthiness, Robustness, Practicability, Aesthetics, and Economics. We also provide comparative results across task categories, together with insightful observations and suggestions for future research directions.

Paper Structure (38 sections, 4 equations, 12 figures, 11 tables)

Figures (12)

  • Figure 1: The flow of designing a physical adversarial attack, including four main steps: 1) Adversarial perturbation generation in the digital space, 2) Adversarial medium manufacturing in the physical space, 3) Threat image capturing, and 4) Attacking.
  • Figure 2: A general overview of the scope of our survey.
  • Figure 3: An overview of the lifecycle in which the three types of attacks occur. Adversarial attacks occur only during the model deployment phase, without modifying the model and training data. Compared to backdoor attacks and poisoning attacks, adversarial attacks have weaker assumptions, focusing on the vulnerability of the model itself.
  • Figure 4: Questions and labels of the four evaluation dimensions design.
  • Figure 5: Display of the physical adversarial attack in general classification tasks. Initially, the classifier accurately labels the image as "banana". However, when an adversarial patch is placed adjacent to the banana, the classifier misclassifies the image as "toaster", despite the continued presence of the banana. Adapted from AdvPatch [brown2017adversarial].