README.md

Awesome Real-world Adversarial Examples

A curated list of awesome real-world adversarial examples resources.

It is worth noticing that this repository only lists the mechanism which can be realized in the real-world, in other words, the physical attack or defense. For the digital one, please refer to another awesome repository awesome-adversarial-machine-learning.

Table of Contents

• Attack
• Defense
• Detection
• ToolBox

Attack

Classification

• Adversarial Patch, T. B. Brown, D. Mané et al., NIPS 2017.
• Adversarial Examples in the Physical World, A. Kurakin et al., ICLR workshop 2017. [video]
• Robust Physical-World Attacks on Machine Learning Models, I. Evtimov, K. Eykholt, E. Fernandes, T. Kohno, B. Li, A. Prakash, A. Rahmati, D. Song, arXiv 2017.
• Robust Physical-World Attacks on Deep Learning Visual Classification, K. Eykholt, I. Evtimov et al., CVPR 2018. [code]
• LaVAN: Localized and Visible Adversarial Noise, D. Karmon et al., ICML 2018.
• Synthesizing Robust Adversarial Examples, A. Athalye, L. Engstrom, A. Ilyas et al., ICML 2018. [video]
• DARTS: Deceiving Autonomous Cars with Toxic Signs, C. Sitawarin, A. N. Bhagoji et al. arXiv 2018.
• Adversarial camera stickers: A physical camera-based attack on deep learning systems, J. B. Li et al., ICML 2019.
• Adversarial Attacks Beyond the Image Space, X. Zeng et al., CVPR 2019.
• Simple Physical Adversarial Examples against End-to-End Autonomous Driving Models, A. Boloor et al., IEEE ICESS 2019.
• Perceptual-Sensitive GAN for Generating Adversarial Patches, A. Liu et al., AAAI 2019.
• Adversarial Camouflage: Hiding Physical-World Attacks with Natural Styles, R. Duan et al., CVPR 2020.

Face Recognition

• Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition, M. Sharif et al., ACM CCS 2016. [code, talk]
• A General Framework for Adversarial Examples with Objectives, M. Sharif et al., ACM TOPS 2019. [code, talk]
• AdvHat: Real-world adversarial attack on ArcFace Face ID system, S. Komkov et al. arXiv 2019. [code, video]

Object Detection

• ShapeShifter: Robust Physical Adversarial Attack on Faster R-CNN Object Detector, S. T. Chen et al., ECML-PKDD 2018. [code]
• Physical Adversarial Examples for Object Detectors, K. Eykholt et al., WOOT 2018.
• Fooling automated surveillance cameras: adversarial patches to attack person detection, S. Thys, W. V. Ranst et al., CVPR workshop 2019. [video]
• DPATCH: An Adversarial Patch Attack on Object Detectors, X Liu et al., AAAI workshop 2019.
• On Physical Adversarial Patches for Object Detection, M. Lee et al., ICML workshop 2019. [video]
• CAMOU: Learning Physical Vehicle Camouflages to Adversarially Attack Detectors in the Wild, Y. Zhang et al., ICLR 2019.
• Making an Invisibility Cloak: Real World Adversarial Attacks on Object Detectors, Z. Wu et al, arXiv 2019. [blog]
• Adversarial T-shirt! Evading Person Detectors in A Physical World, K. Xu et al, arXiv 2019. [blog]
• Design and Interpretation of Universal Adversarial Patches in Face Detection, X. Yang, F. Wei, H. Zhang et al., arXiv 2019.

Visual Tracking

• Physical Adversarial Textures That Fool Visual Object Tracking, R. R. Wiyatno et al., ICCV 2019.

Defense

Classification

• On Visible Adversarial Perturbations & Digital Watermarking, J. Hayes, CVPR workshop 2018.
• Local Gradients Smoothing: Defense against localized adversarial attacks, M. Naseer et al., IEEE WACV 2019.
• DoPa: A Comprehensive CNN Detection Methodology against Physical Adversarial Attacks, Z. Xu et al., arXiv 2019.
• Connecting the Digital and Physical World: Improving the Robustness of Adversarial Attacks, S. T.K. Jan et al., AAAI 2019. [code]
• Certified Defenses for Adversarial Patches, P. Chiang, R. Ni et al., ICLR 2020. [code]
• (De)Randomized Smoothing for Certifiable Defense against Patch Attacks, A. Levine et al., arXiv 2020.
• Defending against Physically Realizable Attacks on Image Classification, T. Wu et al., ICLR 2020. [code]
• LanCe: A Comprehensive and Lightweight CNN Defense Methodology against Physical Adversarial Attacks on Embedded Multimedia Applications, Z. Xu et al., IEEE ASP-DAC 2020.
• Universal Adversarial Training, A. Shafahi, M. Najibi, Z. Xu et al., AAAI 2020.
• Minority Reports Defense: Defending Against Adversarial Patches, M. McCoyd et al., arXiv 2020.
• PatchGuard: Provable Defense against Adversarial Patches Using Masks on Small Receptive Fields, C. Xiang et al., arXiv 2020. [code]
• Adversarial Training against Location-Optimized Adversarial Patches, S. Rao et al., arXiv 2020.
• Clipped BagNet: Defending Against Sticker Attacks with Clipped Bag-of-features, Z. Zhang et al., IEEE DLS 2020.

Object Detection

• Role of Spatial Context in Adversarial Robustness for Object Detection, A. Saha and A. Subramanya et al., CVPR Workshop 2020. [code]
• Information Distribution Based Defense Against Physical Attacks on Object Detection, G. Zhou et al., IEEE ICMEW 2020.

Detection

Classification

• SentiNet: Detecting Localized Universal Attacks Against Deep Learning Systems, E. Chou et al., arXiv 2020.

ToolBox

• CleverHans
• AdverTorch
• AdvBox
• Adversarial Robustness Toolbox
• Adversarial-Face-Attack

License

To the extent possible under law, Chia-Hung Yuan has waived all copyright and related or neighboring rights to this work.