Visual Adversarial Attacks and Defenses in the Physical World: A Survey

TL;DR

This survey comprehensively reviews physical adversarial attacks and defenses in computer vision, categorizing methods and discussing challenges and future directions for improving DNN robustness in real-world scenarios.

Contribution

It provides a systematic taxonomy of physical attacks and defenses, offering a structured overview of the current state of research in physically adversarial robustness.

Findings

Physical attacks are categorized by tasks, forms, and methods.

Defenses are grouped into pre-, in-, and post-processing techniques.

The survey highlights key challenges and future research directions.

Abstract

Although Deep Neural Networks (DNNs) have been widely applied in various real-world scenarios, they remain vulnerable to adversarial examples. Adversarial attacks in computer vision can be categorized into digital attacks and physical attacks based on their different forms. Compared to digital attacks, which generate perturbations in digital pixels, physical attacks are more practical in real-world settings. Due to the serious security risks posed by physically adversarial examples, many studies have been conducted to evaluate the physically adversarial robustness of DNNs in recent years. In this paper, we provide a comprehensive survey of current physically adversarial attacks and defenses in computer vision. We establish a taxonomy by organizing physical attacks according to attack tasks, attack forms, and attack methods. This approach offers readers a systematic understanding of the topic from multiple perspectives. For physical defenses, we categorize them into pre-processing, in-processing, and post-processing for DNN models to ensure comprehensive coverage of adversarial defenses. Based on this survey, we discuss the challenges facing this research field and provide an outlook on future directions.