Over the past decade, deep learning, with its strong feature learning capability, has revolutionized conventional tasks that relied on hand-crafted feature extraction, leading to substantial improvements on those tasks. However, deep neural networks (DNNs) have been shown to be vulnerable to adversarial examples crafted with tiny malicious noise, which is imperceptible to human observers but can make DNNs output the wrong result. Existing adversarial attacks can be categorized into digital and physical adversarial attacks. The former are designed to pursue strong attack performance in lab environments but hardly remain effective when applied to the physical world. In contrast, the latter focus on developing physically deployable attacks and thus exhibit more robustness under complex physical environmental conditions. Recently, with the increasing deployment of DNN-based systems in the real world, strengthening the robustness of these systems has become urgent, and exploring physical adversarial attacks exhaustively is the precondition. To this end, this paper reviews the evolution of physical adversarial attacks against DNN-based computer vision tasks, expecting to provide beneficial information for developing stronger physical adversarial attacks. Specifically, we first propose a taxonomy to categorize the current physical adversarial attacks and group them accordingly. Then, we discuss the existing physical attacks and focus on the techniques for improving the robustness of physical attacks under complex physical environmental conditions. Finally, we discuss the open issues of current physical adversarial attacks and give promising directions.