Review Article

A Survey on Adversarial Attack in the Age of Artificial Intelligence

Table 2

Image-based adversarial attack.

Columns: Author | Solution | Cores | Shortcomings

Sharif et al. 2016 [50]
Solution: Mahmood Sharif et al. propose a class of attacks that allows an attacker to evade identification or to impersonate another individual. In addition, they describe a method for automatically generating the attacks and realize it physically by printing a pair of eyeglass frames.
Cores:
(1) Three DNNs were used.
(2) Gradient descent is used to optimize and find an appropriate perturbation.
(3) Physical realizability is facilitated by using facial accessories and by adjusting the mathematical formulation of the attacker's objective.
Shortcomings: Their attacks need to be improved against black-box face recognition systems and the most advanced face detection systems.

Nicolas Papernot et al. 2017 [51]
Solution: Nicolas Papernot et al. propose a practical black-box attack based on a new substitute training algorithm that uses synthetic data generation to produce adversarial examples misclassified by black-box DNNs.
Cores:
(1) Obtain the training set for the substitute model.
(2) Select an appropriate substitute model architecture.
(3) Iteratively train the substitute model.
(4) Attack the substitute model to generate adversarial examples.
Shortcomings: Adversarial training can effectively defend against this black-box attack algorithm.

Shafahi et al. 2018 [52]
Solution: Ali Shafahi et al. introduce "clean-label" poisoning attacks, which do not require the attacker to have any control over the labeling of the training data. To strengthen the poisoning attack, a "watermark" strategy is also proposed.
Cores:
(1) Craft poisoning data through feature collision.
(2) The optimization uses a forward-backward-splitting iterative procedure.
(3) Blend a low-opacity watermark of the target instance into the poisoning instance to enhance the effect of the poisoning attack.
Shortcomings: Their attack causes the unmodified target instance to be misclassified as the base class, and the side effects of adversarial training are worthy of further study.

Mirsky et al. 2019 [53]
Solution: Yisroel Mirsky et al. construct a deep-learning-based framework (CT-GAN). In their scenario, attackers can use the framework to automatically tamper with 3D medical images, injecting lung cancer into, or removing it from, CT scans.
Cores:
(1) Capture data through an attack vector.
(2) Select the location where cancer is injected or removed.
(3) Scale using 3D spline interpolation.
(4) Equalize and standardize by means of a histogram and a formula.
(5) Create samples → reverse the preprocessing → add Gaussian noise → obtain the complete slice → repeat the steps / return the data.
Shortcomings: Medical scans differ from camera images, and further research is needed on how to apply existing techniques to detect attacks such as CT-GAN.

Chen et al. 2019 [54]
Solution: Shang-Tse Chen et al. propose ShapeShifter, which uses physical perturbations to fool image-based object detectors such as Faster R-CNN.
Cores:
(1) By studying the Faster R-CNN algorithm, the non-differentiability of the model was overcome, and gradient descent and backpropagation were successfully used to perform optimization-based attacks.
(2) ShapeShifter can generate adversarially perturbed stop signs that are consistently misdetected by Faster R-CNN as other objects, posing a potential threat to computer vision systems.
Shortcomings: A series of experiments shows that their attacks fail to transfer, and further research is needed.

Xiao et al. 2019 [55]
Solution: Qixue Xiao et al. propose an attack that automatically generates camouflage images against image-scaling algorithms; it applies in both white-box and black-box scenarios.
Cores:
(1) A surjective function is applied to generate the attack image from the target image.
(2) Automatic scaling attack: obtain the coefficient matrix, then find the perturbation matrix.
(3) The perturbation is obtained through concave-convex optimization.
Shortcomings: Several defense strategies need further research and implementation.
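As an added defender-side example (not from the survey or from Xiao et al. [55]), the following Python check illustrates why the scaling attack works and how a pipeline can detect it: a nearest-neighbor downscaler reads only a sparse subset of source pixels, so comparing its output with an area-averaged downscale of the same image exposes pictures whose sampled pixels disagree with their surroundings. The 8x8 grayscale samples, the 4x scaling factor and the decision threshold are constructed assumptions.

```python
"""Consistency check against image-scaling attacks (added example, not the
survey's or Xiao et al.'s code). Images are lists of lists of grayscale
ints 0-255, constructed inline; the threshold is an assumed tuning value."""


def nearest_downscale(img, factor):
    """Nearest-neighbor downscale: keep the top-left pixel of each block."""
    return [[img[r * factor][c * factor] for c in range(len(img[0]) // factor)]
            for r in range(len(img) // factor)]


def area_downscale(img, factor):
    """Area-average downscale: mean of every factor x factor block."""
    out = []
    for r in range(len(img) // factor):
        row = []
        for c in range(len(img[0]) // factor):
            block = [img[r * factor + i][c * factor + j]
                     for i in range(factor) for j in range(factor)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def scaling_inconsistency(img, factor):
    """Mean absolute difference between the two downscalings.

    For a natural, smooth image the sampled pixel resembles its block, so the
    value is small; a scaling attack plants a different picture exactly on
    the sampled pixels, so the two results diverge sharply."""
    a = nearest_downscale(img, factor)
    b = area_downscale(img, factor)
    n = len(a) * len(a[0])
    return sum(abs(a[r][c] - b[r][c])
               for r in range(len(a)) for c in range(len(a[0]))) / n


def is_suspicious(img, factor, threshold=32.0):
    """Flag an image for review; threshold is an assumed value, not from [55]."""
    return scaling_inconsistency(img, factor) > threshold


# Constructed benign sample: a uniform mid-gray 8x8 picture.
BENIGN = [[128] * 8 for _ in range(8)]

# Constructed tampered sample: the same picture, but the four pixels a 4x
# nearest-neighbor downscaler reads, (0,0), (0,4), (4,0), (4,4), are set to
# white, so the 2x2 output is all white although the picture looks gray.
TAMPERED = [row[:] for row in BENIGN]
for _r in (0, 4):
    for _c in (0, 4):
        TAMPERED[_r][_c] = 255
```

In a real pipeline the same comparison is made with the production downscaler and an averaging filter of matching output size, before the resized image reaches the model.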

Wang et al. 2020 [56]
Solution: Yajie Wang et al. describe a black-box attack on DNN object detection models called the evaporate attack. Experimental results show that their approach outperforms the boundary attack on both one-stage and two-stage detectors.
Cores:
(1) A GA-PSO algorithm is designed to attack a black-box object detector given only position and label information.
(2) Pixel optimal-position guidance and random Gaussian noise are added to the velocity iteration formula.
Shortcomings: If the model owner post-processes the model's output (for example, by providing only the object label), the attack could be affected.

Solano et al. 2020 [57]
Solution: Jesús Solano et al. propose an intuitive attack method against mouse-based behavioral biometrics and compare it with a black-box adversarial attack.
Cores:
(1) Feature engineering: angle features and dynamic features.
(2) Authentication system: a set of binary classification models is designed to recognize a specific user's MBB (mouse-based behavioral biometrics).
(3) Attacks: SCRAP and an adversarial-machine-learning black-box attack are provided.
Shortcomings: An automated procedure for inverse feature calculation is needed to make the effectiveness of the comparative adversarial method more accurate.