Cite this article:
  • 邓欢, 黄敏桓, 李虎, 王彤, 况晓辉. 物理对抗补丁攻击与防御技术研究综述 [J]. 信息安全学报, accepted.
  • DENG Huan, HUANG Minhuan, LI Hu, WANG Tong, KUANG Xiaohui. A Review on Physical Adversarial Patch Attacks and Defenses Techniques [J]. Journal of Cyber Security, accepted.

A Review on Physical Adversarial Patch Attacks and Defenses Techniques
DENG Huan, HUANG Minhuan, LI Hu, WANG Tong, KUANG Xiaohui
(National Key Laboratory of Science and Technology on Information System Security)
Abstract:
Artificial intelligence technology, represented by deep neural networks, is being applied ever more widely across economic and social sectors, but the accompanying security problems are also becoming prominent. The uncertainty inherent in deep neural networks as probabilistic models, together with the black-box nature that their large number of parameters brings, makes them vulnerable to adversarial example attacks, which poses a serious security threat to real-world applications based on deep neural networks. Research on adversarial examples has therefore become a hot direction in the field of AI security. An adversarial example attack mainly refers to adding small perturbations to the input data of a deep neural network model so that the model's prediction on that input is wrong. A physical adversarial patch attack is an attack that adds adversarial image stickers in the physical world: by manually affixing a physical adversarial patch to a target object in a real scene, deep neural networks performing computer vision tasks such as image recognition and object detection are made unable to recognize the target object correctly and produce wrong judgments. Early research focused mainly on constructing adversarial examples in the digital space, adding perturbations through local or global modification of the digitized example features; later, researchers mapped adversarial examples generated in the digital space into the physical world to carry out attacks. With the wide deployment of AI technology in the real world, attack and defense techniques for adversarial examples in the physical space have gradually attracted attention. Taking computer vision tasks as the basis, focusing on the physical space, and centering on physical adversarial patch generation techniques that locally modify example features, this paper surveys physical adversarial patch attack and defense techniques. It sorts out and analyzes the types of physical adversarial patch attacks from different dimensions, compares in detail the attack methods of physical adversarial patches in image recognition, object detection and other computer vision tasks, summarizes defense methods against physical adversarial patch attacks, and finally looks ahead to future research directions.
Keywords: adversarial examples, deep neural network, physical adversarial patch, artificial intelligence security
DOI:
Received: 2023-03-15  Revised: 2023-06-02
Funding: Key Laboratory Fund (6142111220501), 智强基金 (Zhiqiang Fund)
A Review on Physical Adversarial Patch Attacks and Defenses Techniques
DENG Huan, HUANG Minhuan, LI Hu, WANG Tong, KUANG Xiaohui
(National Key Laboratory of Science and Technology on Information System Security)
Abstract:
Artificial intelligence technology, represented by deep neural networks, is being increasingly applied across various economic and social sectors. However, the concomitant security issues are also becoming prominent. The inherent uncertainty of deep neural networks as probabilistic models, coupled with their black-box nature due to the large number of parameters, makes them susceptible to adversarial example attacks, posing severe security threats to real-world applications based on deep neural networks. Therefore, research on adversarial examples has become a hot topic in the field of AI security. Specifically, adversarial example attacks mainly involve adding minute perturbations to the input data of deep neural network models, leading to incorrect predictions. Physical adversarial patch attacks, on the other hand, involve attaching adversarial image stickers in the physical world, manually affixing physical adversarial patches onto target objects in real-world scenarios, thereby causing the deep neural networks to fail in accurately recognizing the target objects in computer vision tasks such as image recognition and object detection, leading to incorrect judgments. Early research focused primarily on the construction of adversarial examples in the digital space, adding perturbations by locally or globally modifying the digitized example features. Subsequently, researchers used adversarial examples generated in the digital space for attacks in the physical world. With the widespread application of AI technology in the real world, the focus is gradually shifting towards the attack and defense techniques of adversarial examples in the physical space. Based on computer vision tasks, focusing on the physical space and around the generation techniques of physical adversarial patches through local modifications to example features, this paper reviews the attack and defense techniques of physical adversarial patches.
We systematically analyze the types of physical adversarial patch attacks from different dimensions, provide detailed comparative analyses of the attack methods of physical adversarial patches in image recognition, object detection, and other computer vision tasks, and summarize the defense methods against physical adversarial patch attacks. We then provide a perspective on the future research directions.
Keywords: adversarial examples, deep neural network, physical adversarial patch, artificial intelligence security