基于光学的物理域对抗攻防综述

Survey of optical-based physical domain adversarial attacks and defense

对抗攻击是指通过在原始输入中植入人眼无法察觉的微小扰动,误导深度学习模型做出错误预测的攻击。与数字域对抗攻击相比,物理域对抗攻击可实现对抗性输入被采集设备捕获并转换为视觉系统内的二值图像之前,将扰动引入输入,对基于深度学习的计算机视觉系统构成了实际安全威胁。基于光学的物理域对抗攻击技术(如使用投影照射)作为一种典型的非侵入性攻击,由于其扰动与现实世界中自然环境产生的影响非常相似,更容易被忽略,从而疏于防护。鉴于它们具有高度的不可见性和可执行性,可对实际系统构成重大甚至致命的威胁。基于现有研究工作,重点介绍和讨论了计算机视觉系统中基于光学的物理域对抗攻击技术,并对现有技术在攻击场景、攻击手段、攻击目标、攻击效果等方面展开详细分析,最后探讨了基于光学的物理域对抗攻击未来潜在研究方向。

Deep learning models are misled into making false predictions by adversarial attacks that implant tiny perturbations into the original input,which are imperceptible to the human eye.This poses a huge security threat to computer vision systems that are based on deep learning.Compared to digital-domain adversarial attacks,physical-domain adversarial attacks are enabled to introduce perturbations into the input before the adversarial input is captured by the acquisition device and converted into a binary image within the vision system,posing a real security threat to deep learning-based computer vision systems.Optical-based physical-domain adversarial attack techniques,such as those using projected irradiation as a typical example,are more likely to be overlooked and provided negligible protection due to their perturbations being very similar to effects produced by natural environments in the real world.Given their high degree of invisibility and executability,they could pose a significant or even fatal threat to real systems.Based on existing research work,the introduction and discussion of optical-based physical-domain adversarial attack techniques within computer vision systems were presented.The attack scenarios,tools,goals,and performances of these techniques were compared and analyzed.Potential future research directions for optical-based physical-domain adversarial attacks were also discussed.