物理世界视觉对抗攻防：双环协同框架与研究综述

宋建华; 梁分平; 张 龑; 刘帅男

引用本文：

宋建华,梁分平,张龑,刘帅男.物理世界视觉对抗攻防：双环协同框架与研究综述[J].信息安全学报,已采用 [点击复制]
SONG Jianhua,LIANG Fenping,ZHANG Yan,LIU Shuainan.Physical world visual adversarial attack and defense: dual loop collaborative framework and research review[J].Journal of Cyber Security,Accept [点击复制]

本文已被：浏览 13次下载 0次
物理世界视觉对抗攻防：双环协同框架与研究综述
宋建华¹, 梁分平¹, 张龑², 刘帅男²
0 字体:加大+\|默认\|缩小-
(1.湖北大学网络空间安全学院;2.湖北大学计算机学院)

摘要:

深度神经网络在计算机视觉领域的广泛应用伴随着严重的安全隐患。相较于数字空间中单一的像素级扰动，物理世界对抗样本（PAEs）的生成路径更为丰富多样。PAEs通过物理载体与成像过程介入模型决策，需在光照、视角及设备噪声等复杂现实因素下保持攻击有效性，因而具有更强的可实施性与现实威胁。然而，现有研究多聚焦单一生成算法或特定攻击场景，忽略了对抗信号跨越物理空间进入数字感知模型的全过程。引入攻击链路视角不仅能与传统基于算法属性或场景分类的研究形成互补，更能从全局揭示物理攻击的底层传播机理。为此，本文提出物理对抗攻防“双环协同框架”：在攻击侧，构建“数字优化内核—物理媒介构造—任务场景实现”的三层递进体系，系统解析多样化对抗信号从算法生成、物理实例化到传感成像的全链路演进规律；在防御侧，建立与之逻辑映射的“源头对抗鲁棒化—载体检测去噪—多视角系统互证”三层防线，构筑从模型内生安全到多模态系统防御的闭环机制。此外，本文构建了任务驱动的多维评价指标体系，为安全关键视觉系统的风险评估提供量化参考，最后展望了该领域在具身智能与大模型时代的未来发展方向。

关键词: 物理对抗样本深度神经网络攻击与防御计算机视觉

DOI：

投稿时间：2026-03-10修订日期：2026-06-16

基金项目:国家自然科学基金,国家自然科学基金项目（面上项目，重点项目，重大项目）

Physical world visual adversarial attack and defense: dual loop collaborative framework and research review

SONG Jianhua¹, LIANG Fenping¹, ZHANG Yan², LIU Shuainan²

(1.湖北大学网络空间安全学院;2.湖北大学计算机学院)

Abstract:

The widespread application of deep neural networks (DNNs) in computer vision is accompanied by severe security vulnerabilities. Compared to the singular pixel-level perturbations in the digital domain, the generation pathways of physical adversarial examples (PAEs) are significantly more diverse. By intervening in model decision-making through physical carriers and imaging processes, PAEs must maintain their attack effectiveness under complex re-al-world factors such as varying lighting, viewpoints, and device noise, thus presenting higher feasibility and more severe realistic threats. However, existing research largely focuses on isolated generation algorithms or specific attack scenarios, neglecting the full process by which adversarial signals traverse physical space to enter digital perception models. Introducing an "attack chain" perspective not only complements traditional research based on algorithmic properties or scenario classification but also reveals the underlying propagation mechanisms of physical attacks from a global standpoint. To this end, this paper proposes a "Dual-Loop Collaborative Framework" for physical adver-sarial attacks and defenses. On the attack side, we construct a three-layer progressive architecture: "Digital Optimi-zation Kernel - Physical Medium Construction - Task Scenario Implementation," which systematically elucidates the full-chain evolutionary laws of diverse adversarial signals from algorithmic generation and physical instantiation to sensory imaging. Symmetrically, on the defense side, we establish a strictly mapped three-layer defense line: "Source Adversarial Robustness - Carrier Detection & Denoising - Multi-View System Cross-Verification," forging a closed-loop protection mechanism ranging from intrinsic model security to multi-modal system defense. Furthermore, we construct a task-driven multi-dimensional evaluation metric system to provide quantitative references for risk assessment in safety-critical vision systems. Finally, this paper outlines future research directions for this field in the era of Embodied AI and Large Models.

Key words: words Physical adversarial samples Deep neural network Attack and Defense Computer vision