
State-of-the-art optical-based physical adversarial attacks for deep learning computer vision systems

Junbin Fang, You Jiang, Canjian Jiang, Zoe L. Jiang, Siu-Ming Yiu, Chuanyi Liu

TL;DR

This paper focuses on optical-based physical adversarial attack techniques for computer vision systems, with emphasis on the introduction and discussion of optical-based physical adversarial attack techniques.

Abstract

Adversarial attacks can mislead deep learning models into making false predictions by implanting small perturbations in the original input that are imperceptible to the human eye, which poses a huge security threat to computer vision systems based on deep learning. Compared to digital adversarial attacks, physical adversarial attacks are more realistic, as the perturbation is introduced to the input before it is captured and converted to a binary image inside the vision system. In this paper, we focus on physical adversarial attacks and further classify them into invasive and non-invasive. Optical-based physical adversarial attack techniques (e.g. using light irradiation) belong to the non-invasive category. The perturbations can be easily ignored by humans because they are very similar to the effects generated by a natural environment in the real world. They are highly invisible and executable and can pose a significant or even lethal threat to real systems. This paper focuses on optical-based physical adversarial attack techniques for computer vision systems, with emphasis on the introduction and discussion of optical-based physical adversarial attack techniques.

Paper Structure (9 sections, 1 equation, 15 figures, 1 table)

This paper contains 9 sections, 1 equation, 15 figures, 1 table.

Figures (15)

  • Figure 1: Conditions satisfied by the adversarial example.
  • Figure 2: Deep learning process.
  • Figure 3: Minimal perturbations are scaled up in the high-dimensional linear classifier. Before the perturbation, the classifier classified the original image into class "1" with a probability of 5%; by adding or subtracting 0.5 to each pixel of the original image to obtain the adversarial example, the classifier classified the adversarial example into class "1" with 88% confidence (Image Credit: Zhang et al. [31]).
  • Figure 4: When the training dataset contains insufficient target features, it will cause the decision boundary of the target deep model to stop prematurely. Here ${Set}_{or}$ denotes the set of target features in the original dataset and ${Set}_{tr}$ denotes the set of target features in the training dataset.
  • Figure 5: Non-robust features in the dataset are present in the classifier, resulting in inaccurate decision boundaries from the training.
  • ...and 10 more figures