Although Deep Neural Networks (DNNs) have achieved impressive results in
computer vision, their exposed vulnerability to adversarial attacks remains a
serious concern. A series of works has shown that by adding elaborate
perturbations to images, DNNs could have catastrophic degradation in
performance metrics. And this phenomenon does not only exist in the digital
space but also in the physical space. Therefore, estimating the security of
these DNNs-based systems is critical for safely deploying them in the real
world, especially for security-critical applications, e.g., autonomous cars,
video surveillance, and medical diagnosis. In this paper, we focus on physical
adversarial attacks and provide a comprehensive survey of over 150 existing
papers. We first clarify the concept of the physical adversarial attack and
analyze its characteristics. Then, we define the adversarial medium, essential
to perform attacks in the physical world. Next, we present the physical
adversarial attack methods in task order: classification, detection, and
re-identification, and introduce their performance in solving the trilemma:
effectiveness, stealthiness, and robustness. In the end, we discuss the current
challenges and potential future directions.

对于深度神经网络 (DNNs) 的安全性问题，本文重点关注于物理对抗攻击，总结了 150 篇现有的物理对抗攻击的论文，详细分析了物理对抗攻击的特征、媒介、方法及其效果，并探讨了当前的挑战和未来方向。

物理对抗攻击遇见计算机视觉：十年调查

Physical Adversarial Attack meets Computer Vision: A Decade Survey

One intriguing property of deep neural networks (DNNs) is their inherent
vulnerability to backdoor attacks -- a trojan model responds to
trigger-embedded inputs in a highly predictable manner while functioning
normally otherwise. Despite the plethora of prior work on DNNs for continuous
data (e.g., images), the vulnerability of graph neural networks (GNNs) for
discrete-structured data (e.g., graphs) is largely unexplored, which is highly
concerning given their increasing use in security-sensitive domains. To bridge
this gap, we present GTA, the first backdoor attack on GNNs. Compared with
prior work, GTA departs in significant ways: graph-oriented -- it defines
triggers as specific subgraphs, including both topological structures and
descriptive features, entailing a large design spectrum for the adversary;
input-tailored -- it dynamically adapts triggers to individual graphs, thereby
optimizing both attack effectiveness and evasiveness; downstream model-agnostic
-- it can be readily launched without knowledge regarding downstream models or
fine-tuning strategies; and attack-extensible -- it can be instantiated for
both transductive (e.g., node classification) and inductive (e.g., graph
classification) tasks, constituting severe threats for a range of
security-critical applications. Through extensive evaluation using benchmark
datasets and state-of-the-art models, we demonstrate the effectiveness of GTA.
We further provide analytical justification for its effectiveness and discuss
potential countermeasures, pointing to several promising research directions.

研究探讨了 GNN 中的防后门攻击，提出了一种新的攻击方法 GTA，可以在各类安全应用中袭击任何实验中的模型；该攻击方法是基于子图，能够在不了解下游模型或微调策略的情况下立即启动，并在基准数据集和最先进的模型上进行了广泛的评估。