A Review of Adversarial Attacks in Computer Vision
Authors: Yutong Zhang, Yao Li, Yin Li, Zhichang Guo
What
This paper presents a comprehensive review of adversarial attacks in computer vision, focusing on their application in image classification, object detection, and semantic segmentation.
Why
This review is important because it highlights the vulnerability of deep learning models to adversarial attacks, especially in safety-critical applications like autonomous driving where robustness is paramount. It provides insights into various attack methods and their impact on different computer vision tasks, aiding researchers in developing more robust models and defense mechanisms.
How
The authors conduct a literature review, categorizing attack methods based on various factors such as the attacker’s knowledge (white-box vs. black-box), attack goals (targeted vs. non-targeted), query efficiency, and perturbation generation techniques. They analyze each category, discuss seminal works, and explain the principles behind them. Furthermore, they delve into the application of these attack methods in object detection and semantic segmentation, highlighting specific challenges and advancements in these domains.
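To make the white-box, gradient-based category concrete, here is a minimal sketch of a one-step FGSM-style non-targeted attack in PyTorch. This is an illustration of the general technique, not code from the reviewed paper; `model`, `x`, `y`, and the budget `epsilon` are placeholders for the reader's own classifier and data.

```python
import torch
import torch.nn.functional as F

def fgsm_attack(model, x, y, epsilon=8/255):
    """One signed-gradient step that increases the classification loss
    (white-box, non-targeted setting)."""
    x_adv = x.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(x_adv), y)
    loss.backward()
    # Step in the direction of the loss gradient's sign, then clip to the
    # valid pixel range [0, 1].
    x_adv = x_adv + epsilon * x_adv.grad.sign()
    return x_adv.clamp(0.0, 1.0).detach()
```

A targeted variant would instead minimize the loss toward a chosen target label, i.e. subtract the signed gradient of the loss computed with that target class.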
Result
The paper reveals that deep neural networks, even those achieving high accuracy, are surprisingly susceptible to adversarial attacks. Key findings include the effectiveness of both white-box and black-box attacks, the existence of transferable adversarial examples that can fool multiple models, and the feasibility of universal adversarial perturbations effective across a wide range of inputs. Moreover, the paper emphasizes the increased vulnerability of object detection and semantic segmentation models due to their reliance on both classification and localization or pixel-level prediction.
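As a rough illustration of how transferability is commonly measured (not a procedure taken from the paper), the snippet below evaluates adversarial examples crafted on one model against a separately trained target model; `source_model`, `target_model`, `images`, and `labels` are assumed placeholders, and `fgsm_attack` refers to the sketch above.

```python
import torch

@torch.no_grad()
def transfer_rate(target_model, adv_images, labels):
    """Fraction of adversarial examples that also fool the target model."""
    preds = target_model(adv_images).argmax(dim=1)
    return (preds != labels).float().mean().item()

# Hypothetical usage with two independently trained classifiers:
# adv = fgsm_attack(source_model, images, labels)
# print("transfer success rate:", transfer_rate(target_model, adv, labels))
```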
Limitations and Future Work
The paper acknowledges the ongoing arms race between attackers and defenders, indicating that existing defense mechanisms are often bypassed by new attack strategies. It suggests future work should focus on developing more robust models, possibly incorporating insights from the human visual system, and exploring certified defenses with provable robustness guarantees. Additionally, the paper encourages research on attacks and defenses in more complex real-world scenarios, moving beyond simplified assumptions.
Abstract
Deep neural networks have been widely used in various downstream tasks, especially in safety-critical scenarios such as autonomous driving, yet deep networks are often threatened by adversarial samples. Such adversarial attacks can be invisible to the human eye while still causing a DNN to misclassify; they often transfer between deep learning and machine learning models, and some can be realized in the physical world. Adversarial attacks can be divided into white-box attacks, in which the attacker knows the model's parameters and gradients, and black-box attacks, in which the attacker can only observe the model's inputs and outputs. In terms of the attacker's goal, attacks can be divided into targeted and non-targeted: a targeted attack aims to make the model misclassify the original sample as a specified class, which is the more practical objective, whereas a non-targeted attack only needs to make the model misclassify the sample. The black-box setting is the scenario encountered in practice.
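Since the abstract singles out the black-box setting as the one met in practice, the following is a minimal, hypothetical sketch of a score-based black-box attack that only queries class probabilities and replaces gradients with random search; `query_probs` stands in for whatever query interface the target model exposes and is not an API from the reviewed paper.

```python
import torch

def random_search_attack(query_probs, x, y, epsilon=8/255, steps=500):
    """Non-targeted, score-based black-box attack: keep random perturbations
    that lower the probability the model assigns to the true class y."""
    x_adv = x.clone()
    best = query_probs(x_adv)[y].item()
    for _ in range(steps):
        # Propose a small random sign step and project it back into the
        # L-infinity ball of radius epsilon around the original image x.
        delta = (x_adv - x + 0.1 * epsilon * torch.sign(torch.randn_like(x)))
        delta = delta.clamp(-epsilon, epsilon)
        candidate = (x + delta).clamp(0.0, 1.0)
        p = query_probs(candidate)[y].item()
        if p < best:  # accept only proposals that reduce the true-class score
            x_adv, best = candidate, p
    return x_adv
```

The key design point is that every step requires only model queries (inputs and output scores), which is exactly the information available in the black-box threat model described above.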