The repository is dedicated to tracking the latest advances in the field of Physical-Adversarial-Attack. The maintainer will continue to update it.
If you find any omitted literature, please feel free to submit issues for addition. Many thanks!
Table of Contents:
[2022/10/01] We have submitted our Physical-Adversarial-Attack survey on arXiv: Physical Adversarial Attack meets Computer Vision: A Decade Survey. We will continue to polish this work.
🔈🔈🔈 Notice: Updated to 2024.01.19⏰
| No. | Method | Title | Paper | Code | Venue | Year |
|---|---|---|---|---|---|---|
| 1 | Adversarial Patch | Adversarial Patch | link | link | NIPS | 2017 |
| 2 | RP2 | Robust Physical-World Attacks on Deep Learning Visual Classification | link | link | CVPR | 2018 |
| 3 | PAE | Adversarial examples in the physical world | link | link | AISS | 2018 |
| 4 | EOT | Synthesizing robust adversarial examples | link | link | PMLR | 2018 |
| 5 | ACS | Adversarial camera stickers: A physical camera-based attack on deep learning systems | link | link | PMLR | 2019 |
| 6 | PS-GAN | Perceptual-sensitive gan for generating adversarial patches | link | --- | AAAI | 2019 |
| 7 | Adversarial ACO | Bias-based universal adversarial patch attack for automatic check-out | link | --- | ECCV | 2020 |
| 8 | AdvCam | Adversarial camouflage: Hiding physical-world attacks with natural styles | link | link | CVPR | 2020 |
| 9 | PhysGAN | Physgan: Generating physical-world-resilient adversarial examples for autonomous driving | link | --- | CVPR | 2020 |
| 10 | Invisible Perturbations | Invisible Perturbations: Physical Adversarial Examples Exploiting the Rolling Shutter Effect | link | link | CVPR | 2021 |
| 11 | Adversarial ISP | Adversarial imaging pipelines | link | --- | CVPR | 2021 |
| 12 | Meta-Attack | Meta-Attack: Class-agnostic and Model-agnostic Physical Adversarial Attack | link | --- | ICCV | 2021 |
| 13 | OPAD | Optical Adversarial Attack | link | --- | ICCV | 2021 |
| 14 | AdvLB | Adversarial Laser Beam: Effective Physical-World Attack to DNNs in a Blink | link | link | CVPR | 2021 |
| 15 | Adversarial Shadow | Shadows can be Dangerous: Stealthy and Effective Physical-world Adversarial Attack by Natural Phenomenon | link | link | CVPR | 2022 |
| 16 | AdvCF | Adversarial Color Film: Effective Physical-World Attack to DNNs | link | --- | Arxiv | 2022 |
| No. | Method | Title | Paper | Code | Venue | Year |
|---|---|---|---|---|---|---|
| 1 | CAMOU | CAMOU: Learning physical vehicle camouflages to adversarially attack detectors in the wild | link | --- | ICLR | 2018 |
| 2 | ShapeShifter | ShapeShifter: Robust Physical Adversarial Attack on Faster R-CNN Object Detector | link | link | ECML PKDD | 2018 |
| 3 | Disappearance Attack | Physical Adversarial Examples for Object Detectors | link | --- | USENIX Workshop | 2018 |
| 4 | Adversarial YOLO | Fooling automated surveillance cameras: adversarial patches to attack person detection | link | link | CVPRW | 2019 |
| 5 | ER Attack | Physical adversarial attack on vehicle detector in the carla simulator | link | --- | Arxiv | 2020 |
| 6 | Adversarial T-shirt | Adversarial T-shirt! Evading Person Detectors in A Physical World | link | link | ECCV | 2020 |
| 7 | UPC | Universal Physical Camouflage Attacks on Object Detectors | link | link | CVPR | 2020 |
| 8 | Adversarial Cloak | Making an Invisibility Cloak: Real World Adversarial Attacks on Object Detectors | link | link | ECCV | 2020 |
| 9 | Translucent Patch | The Translucent Patch: A Physical and Universal Attack on Object Detectors | link | --- | CVPR | 2021 |
| 10 | TGBS | Too Good to Be Safe: Tricking Lane Detection in Autonomous Driving with Crafted Perturbations | link | --- | USENIX Security | 2021 |
| 11 | NAP | Naturalistic Physical Adversarial Patch for Object Detectors | link | link | ICCV | 2021 |
| 12 | LAP | Legitimate Adversarial Patches: Evading Human Eyes and Detection Models in the Physical World | link | --- | ACM MM | 2021 |
| 13 | SLAP | SLAP: Improving Physical Adversarial Examples with Short-Lived Adversarial Perturbations | link | link | USENIX SECURITY | 2021 |
| 14 | Adversarial Bulbs | Fooling Thermal Infrared Pedestrian Detectors in Real World Using Small Bulbs | link | --- | AAAI | 2021 |
| 15 | Poltergeist | Poltergeist: Acoustic Adversarial Machine Learning against Cameras and Computer Vision | link | link | IEEE SP | 2021 |
| 16 | FCA | FCA: Learning a 3D Full-coverage Vehicle Camouflage for Multi-view Physical Adversarial Attack | link | link | AAAI | 2022 |
| 17 | DTA | DTA: Physical Camouflage Attacks using Differentiable Transformation Network | link | --- | CVPR | 2022 |
| 18 | TC-EGA | Adversarial Texture for Fooling Person Detectors in the Physical World | link | link | CVPR | 2022 |
| 19 | Infrared Invisible Clothing | Infrared Invisible Clothing: Hiding From Infrared Detectors at Multiple Angles in Real World | link | --- | CVPR | 2022 |
| 20 | CAC | Learning Coated Adversarial Camouflages for Object Detectors | link | --- | IJCAI | 2022 |
| 21 | RobustAE | Fooling the Eyes of Autonomous Vehicles: Robust Physical Adversarial Examples Against Traffic Sign Recognition Systems | link | --- | NDSS | 2022 |
| 22 | TPatch | TPatch: A Triggered Physical Adversarial Patch | link | link | USENIX Security | 2023 |
| 23 | HOTCOLD Block | HOTCOLD Block: Fooling Thermal Infrared Detectors with a Novel Wearable Design | link | link | AAAI | 2023 |
| 24 | AdvInfrared | Infrared Adversarial Patches with Learnable Shapes and Locations in the Physical World | link | link | IJCV | 2023 |
| 25 | T-SEA | T-SEA: Transfer-based Self-Ensemble Attack on Object Detection | link | link | CVPR | 2023 |
| 26 | AdvCaT | Physically Realizable Natural-Looking Clothing Textures Evade Person Detectors via 3D Modeling | link | link | CVPR | 2023 |
| 27 | CMPatch | Unified Adversarial Patch for Cross-modal Attacks in the Physical World | link | link | ICCV | 2023 |
| No. | Method | Title | Paper | Code | Venue | Year |
|---|---|---|---|---|---|---|
| 1 | AdvEyeglass | Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition | link | link | ACM SIGSAC | 2016 |
| 2 | AdvPattern | AdvPattern: physical-world attacks on deep person re-identification via adversarially transformable patterns | link | link | ICCV | 2019 |
| 3 | OAP | On Adversarial Patches: Real-World Attack on ArcFace-100 Face Recognition System | link | --- | SIBIRCON | 2019 |
| 4 | ALPA | Adversarial Light Projection Attacks on Face Recognition Systems: A Feasibility Study | link | --- | CVPRW | 2020 |
| 5 | Advhat | Advhat: Real-world adversarial attack on arcface face id system | link | link | ICPR | 2020 |
| 6 | Adv-Makeup | Adv-Makeup: A New Imperceptible and Transferable Attack on Face Recognition | link | link | IJCAI | 2021 |
| 7 | PP Attack | Simultaneously Optimizing Perturbations and Positions for Black-box Adversarial Patch Attacks | link | link | TPAMI | 2022 |
| No. | Method | Title | Victim Task | Paper | Code | Venue | Year |
|---|---|---|---|---|---|---|---|
| 1 | Flow Attack | Attacking Optical Flow | Optical Flow Estimation | link | link | ICCV | 2019 |
| 2 | SS Attack | Evaluating the Robustness of Semantic Segmentation for Autonomous Driving against Real-World Adversarial Patch Attacks | Semantic Segmentation | link | link | WACV | 2022 |
| 3 | PAP | Harnessing Perceptual Adversarial Patches for Crowd Counting | Crowd Counting | link | link | ACM CCS | 2022 |
| 4 | MDE Patch | Physical Attack on Monocular Depth Estimation with Optimal Adversarial Patches | Depth Estimation | link | --- | ECCV | 2022 |
| 5 |
|
Isometric 3D Adversarial Examples in the Physical World | 3D Point Cloud Recognition | link | --- | NIPS | 2022 |