Adversarial Examples in the Physical World: A Survey
Jiakai Wang, Xianglong Liu, Jin Hu, Donghua Wang, Siyang Wu, Tingsong Jiang, Yuanfang Guo, Aishan Liu, Jiantao Zhou
TL;DR
This survey addresses the vulnerability of deep models to physical adversarial examples (PAEs) by proposing a workflow-centric taxonomy that foregrounds manufacturing and re-sampling as the core sources of physical-world attributes. It unifies PAEs under a three-tier attribute framework (basic, core, epitaxial) and formalizes a physical-world attack definition that composes digital perturbations with manufacturing and sampling via $x_{adv}^p = x + \mathcal{R}(\mathcal{M}(\delta), c)$. The work then classifies PAEs into manufacturing- and re-sampling-oriented families, discusses natural, transferable, and generalized PAEs, and surveys defenses organized into data-end and model-end strategies, along with challenges and opportunities for robustness evaluation and privacy protection. The practical impact lies in guiding robust adversarial learning for open-world deployments, informing defense design, and suggesting constructive uses of PAEs for safety, privacy, and evaluation in real systems.
Abstract
Deep neural networks (DNNs) have demonstrated high vulnerability to adversarial examples, raising broad security concerns about their applications. Besides the attacks in the digital world, the practical implications of adversarial examples in the physical world present significant challenges and safety concerns. However, current research on physical adversarial examples (PAEs) lacks a comprehensive understanding of their unique characteristics, leading to limited significance and understanding. In this paper, we address this gap by thoroughly examining the characteristics of PAEs within a practical workflow encompassing training, manufacturing, and re-sampling processes. By analyzing the links between physical adversarial attacks, we identify manufacturing and re-sampling as the primary sources of distinct attributes and particularities in PAEs. Leveraging this knowledge, we develop a comprehensive analysis and classification framework for PAEs based on their specific characteristics, covering over 100 studies on physical-world adversarial examples. Furthermore, we investigate defense strategies against PAEs and identify open challenges and opportunities for future research. We aim to provide a fresh, thorough, and systematic understanding of PAEs, thereby promoting the development of robust adversarial learning and its application in open-world scenarios, and to provide the community with a continuously updated list of physical-world adversarial sample resources, including papers, code, etc., within the proposed framework.
