Recent research has demonstrated that deep neural networks (DNNs) are vulnerable to adversarial perturbations, so evaluating the resilience of advanced DNNs to adversarial attacks is imperative. However, traditional methods that use stickers as physical perturbations to deceive classifiers struggle to remain stealthy and suffer from printing loss. More recent physical attacks use light beams such as lasers, but the optical patterns they produce are conspicuously artificial rather than natural. In this work, we propose a black-box, projector-based physical attack, adversarial color projection (AdvCP), which manipulates the physical parameters of a color projection to carry out the attack. We evaluate the approach on three criteria: effectiveness, stealthiness, and robustness. In the digital environment we achieve an attack success rate of 97.60% on a subset of ImageNet; in the physical environment we attain 100% in the indoor test and 82.14% in the outdoor test. Adversarial samples generated by AdvCP are compared with baseline samples to demonstrate stealthiness. Against advanced DNNs, the method achieves an attack success rate above 85% in every case, which supports the robustness of AdvCP. Finally, we consider the potential threats AdvCP poses to future vision-based systems and applications and suggest directions for light-based physical attacks.
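To make the attack setting concrete, the following is an added simulation written for this page; it is not the paper's code, and the paper's actual projection parameterization, search procedure and target models are not given here. Everything in it is an assumption chosen for illustration: a toy integer linear classifier standing in for the DNN, an additive projection model (projected light adds colour times intensity to each pixel, and the sensor saturates at 255), a label-only black-box oracle, and four constructed 2x2 images. The search sweeps a small grid of projection colours and intensities, returns the lowest-intensity projection that flips the label (the stealthiest success), and reports the attack success rate over the sample set, including the case where the intensity budget is too small to flip a confidently classified image.

```python
"""Simulated AdvCP-style colour-projection attack against a toy classifier.

Added example: the classifier, projection model, colour grid, intensity
budget and images are all constructed for this illustration.
"""

# Projection colours tried by the attacker, as (r, g, b) masks in {0, 1}.
# Order matters: at a given intensity the first colour that flips the label
# wins, so red is preferred over green, and so on.
PROJECTION_COLOURS = [
    ("red", (1, 0, 0)), ("green", (0, 1, 0)), ("blue", (0, 0, 1)),
    ("cyan", (0, 1, 1)), ("magenta", (1, 0, 1)), ("yellow", (1, 1, 0)),
    ("white", (1, 1, 1)),
]

# Intensity budget (assumed): projected light adds at most 96/255 per channel.
INTENSITIES = [16, 32, 48, 64, 80, 96]


def project(image, colour, intensity):
    """Assumed physical model: projected light ADDS colour*intensity to every
    pixel, and the camera sensor saturates (clips) at 255."""
    return [tuple(min(255, ch + intensity * m) for ch, m in zip(px, colour))
            for px in image]


def classify(image):
    """Toy binary classifier (assumed): label 1 when 2R - 3G + B summed over
    all pixels is positive, else 0. Integer arithmetic keeps it exact."""
    z = sum(2 * r - 3 * g + b for r, g, b in image)
    return 1 if z > 0 else 0


def advcp_search(image, oracle=classify, intensities=INTENSITIES):
    """Label-only black-box search: the attacker observes only oracle(image).

    Returns (colour_name, intensity) of the lowest-intensity projection that
    flips the clean label, or None if nothing in the budget succeeds.
    """
    clean_label = oracle(image)
    for k in intensities:                      # weakest projection first
        for name, mask in PROJECTION_COLOURS:
            if oracle(project(image, mask, k)) != clean_label:
                return name, k
    return None


def attack_success_rate(images, oracle=classify, intensities=INTENSITIES):
    """Fraction of images for which some projection within budget flips the
    label (the paper's headline metric, computed here on the toy setup)."""
    hits = sum(advcp_search(img, oracle, intensities) is not None
               for img in images)
    return hits / len(images)


def uniform_image(rgb, width=2, height=2):
    """Constructed sample: a flat image with one (r, g, b) value everywhere."""
    return [rgb] * (width * height)


# Constructed samples (clean labels under classify()):
IMG_A = uniform_image((200, 60, 40))    # label 1
IMG_B = uniform_image((70, 120, 90))    # label 0
IMG_C = uniform_image((120, 110, 60))   # label 0, close to the boundary
IMG_D = uniform_image((30, 230, 200))   # label 0, far from the boundary
SAMPLES = [IMG_A, IMG_B, IMG_C, IMG_D]

if __name__ == "__main__":
    for name, img in zip("ABCD", SAMPLES):
        print(name, "clean label:", classify(img), "attack:", advcp_search(img))
    print("ASR within budget:", attack_success_rate(SAMPLES))
```

Image D illustrates the outdoor-style failure mode: its clean decision margin is large and the blue channel saturates, so no projection within the 96/255 budget flips it, and the success rate drops from 1.0 to 0.75. Shrinking the budget to 64 drops it further to 0.5, because image A needs the full 96 of green. A real evaluation would replace `classify` with a model query and `project` with measured camera responses, but the search loop and the trade-off between intensity budget (stealthiness) and success rate carry over unchanged.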