Research On Stealthy Physical Adversarial Attack Technology For Bimodal Visual Perception

Deep neural network-driven computer vision algorithms have achieved significant advancements and have been widely adopted across various domains,underlining their central role in the modern technological landscape.However,recent research has exposed the considerable vulnerability of deep neural networks to adversarial attacks,rendering the investigation of computer vision algorithm security paramount.In comparison to digital domain adversarial attacks,physical domain attacks emphasize the practical feasibility,stability,and stealthiness of adversarial samples in the physical world,posing a more substantial threat to the security of computer vision systems.Current challenges and limitations of physical adversarial attack techniques include visual naturality in the visible modality,multidimensional stability in the infrared modality,and black-box attack efficiency in the visible-infrared bimodality.The visual naturality issue refers to physical adversarial samples appearing unnatural and overly conspicuous; the multidimensional stability issue pertains to such samples losing their adversarial effect under varying distances and viewpoints; and the black-box attack efficiency issue concerns the inability to conduct efficient black-box attacks within a limited number of query attempts.This dissertation aims to investigate the vulnerabilities of image classification,object detection,and other computer vision algorithms,focusing on the development of stealthy physical adversarial attack technologies in the visible,infrared,and visible-infrared modalities.The study revolves around key challenges such as visual naturality,multidimensional stability,and black-box efficiency,with the goal of enhancing the stealth and effectiveness of physical adversarial attacks,validated through digital simulations and physical experiments across different modalities.(1)Addressing the insufficiency of visual naturality in visible modality physical adversarial attacks,this work proposes a single-viewpoint/multi-viewpoint physical adversarial attack technique based on lighting for the autonomous driving traffic sign recognition scenario.This method not only ensures effective adversarial attack performance but also significantly enhances the visual naturality of adversarial samples.For singleviewpoint attacks,it ingeniously utilizes common reflected light as a physical perturbation source,simulating and using genetic algorithms optimize the color,brightness,and position of the light source,integrating a transformation framework to enhance perturbation robustness.Deploying such reflected light in real-world environments to realize naturally stealthy physical adversarial attacks.To achieve multi-viewpoint attacks,high-intensity spotlight beams are employed as perturbation sources,with simulation modeling and random algorithms used to optimize spotlights,combined with a viewpoint transformation framework to boost multi-viewpoint robustness.Arranging spotlights in physical environments to simulate urban neon light effects projected onto target object surfaces enables naturally stealthy multi-viewpoint physical adversarial attacks.Experimental results demonstrate that this method can effectively execute single-viewpoint/multi-viewpoint physical adversarial attacks against advanced image classification algorithms,exhibiting distinct characteristics of visual naturality.(2)Confronting the challenge of multidimensional stability in infrared modality physical adversarial attacks,this study proposes a multi-scale/multidimensional physical adversarial attack technique based on scratches and patches for the pedestrian detection scenario.While ensuring stealthiness,this technique significantly improves the multidimensional stability of adversarial samples.Initially,it employs ice stickers as perturbation sources to induce infrared imaging differences,constructing naturally scratch-like Bézier curves as perturbation shapes,optimizing curve shapes and positions using particle swarm algorithms,and leveraging a multi-scale transformation framework to enhance perturbation robustness.In physical environments,ice stickers are discreetly attached to the inner layers of pedestrians’ clothing,enabling multi-scale infrared attacks that remain undetectable to the naked eye.To further enhance multidimensional attack effectiveness,destructively camouflaged,discretely deployable patches are used as perturbation shapes,with heat and ice stickers serving as physical perturbation sources.Differential evolution algorithms are utilized to optimize discrete patches,and a multi-scale-viewpoint transformation framework is employed for multidimensional robust optimization.In the physical world,heat and ice stickers are placed on the front,back,and sides of pedestrians,realizing robustly multidimensional infrared adversarial attacks.Experimental results show that the proposed method can consistently and stealthily execute adversarial attacks against infrared pedestrian detection algorithms across multiple scales and viewpoints.(3)In response to the limitation of black-box query attack inefficiency in the visibleinfrared bimodality,this work presents a dual-stage optimized bimodal efficient blackbox query attack technique for the vehicle detection scenario.Considering the practical feasibility and convenience of physical adversarial attacks,this method adopts an overlay approach combining visible perturbations with infrared perturbations for stealthy deployment.Specifically,it uses irregular octagonal patch as infrared perturbation,with surface-filled color QR codes serving as visible perturbation textures while concealing the infrared perturbation.In the first stage,particle swarm algorithms are employed to optimize infrared perturbation shapes,yielding the most adversarially potent irregular octagons.In the second stage,visible patch textures are optimized and combined with the shape obtained from the first stage,forming complete visible perturbation shapes and textures.Concurrently,a multi-viewpoint transformation framework is used to robustly optimize perturbations in both modalities.By printing,cropping posters,and attaching ice stickers to the backs of the cropped posters,a unified visible and infrared perturbation is created.Deploying this unified perturbation at corresponding locations on vehicles enables efficient visible-infrared bimodal stealthy adversarial attacks.Experimental results confirm that the proposed method can execute highly efficient and stealthy adversarial attacks against visible-infrared bimodal vehicle detection algorithms in physical environments.