基于色彩感知约束的物理对抗性伪装生成方法

doi:10.19678/j.issn.1000-3428.0252310

摘要/Abstract

摘要： 深度学习模型在实际应用中越来越广泛，但容易受到对抗性示例的攻击，近年来，物理对抗性示例成为研究热点。现有的研究方法多专注于提高对抗性示例的攻击性和针对性，但对于不同模型之间的共性研究仍有不足，忽略了对抗性样本的通用性与视觉自然性。为此，本文提出一种基于色彩感知约束的物理对抗性伪装生成方法，提升伪装的转移性和自然性。具体来说，首先对给定的3D汽车模型进行预处理生成多层注意力图，然后利用求得的二进制掩码来分离多层目标注意力，对于给定的连通子图，提取其在纹理中的像素集合，计算其与可打印颜色空间的映射，接着优化注意力和颜色联合损失来获得最佳的对抗性伪装，在处理完所有连通子图后，进行全局一致性优化，避免各个子图间出现突兀的边界或颜色不平滑现象，从而提升视觉上的舒适度。本方法不依赖特定模型结构，具备良好的跨模型迁移能力和实际应用潜力。大量实验表明，基于色彩感知约束的物理对抗性伪装生成方法在数字世界和物理世界中都超过了基线方法。

Abstract: Deep learning models have become increasingly prevalent in practical applications, but they remain vulnerable to adversarial examples. In recent years, physical adversarial examples have emerged as a research hotspot. Most existing approaches focus on enhancing the attack strength and specificity of adversarial examples, yet they often overlook the commonalities across different models, as well as the generalizability and visual naturalness of adversarial samples. To address these limitations, this paper proposes a physical adversarial camouflage generation method based on color perception constraints, aiming to improve the transferability and naturalness of the camouflage. Specifically, the method first preprocesses a given 3D car model to generate multi-layer attention maps. Then, using derived binary masks, it separates attention regions across layers. For each connected subgraph, the corresponding pixel set is extracted from the texture and mapped to the printable color space. Subsequently, a joint loss combining attention and color constraints is optimized to generate the optimal adversarial camouflage. After processing all subgraphs, global consistency optimization is performed to eliminate abrupt boundaries and color discontinuities between subgraphs, thereby enhancing visual comfort. The proposed method is independent of specific model architectures, demonstrating strong cross-model transferability and practical potential. Extensive experiments show that the color-constrained physical adversarial camouflage method outperforms baseline approaches in both digital and physical environments.

蒋欢, 韩华, 黄丽, A. A. M. MUZAHID. 基于色彩感知约束的物理对抗性伪装生成方法[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0252310.

JIANG Huan, HAN Hua, HUANG Li, A. A. M. MUZAHID. Physical Adversarial Camouflage Generation Method Based on Color Perception Constraints[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0252310.

参考文献

[1]张肇鑫, 黄世泽, 张兵杰, 等. 面向交通场景的运动模糊伪装对抗样本生成方法[J]. 计算机工程, 2025, 51(3): 45-53. ZHANG Z X, HUANG S Z, ZHANG B J, et al. Camouflaged Adversarial Example Generation Method for the Form of Motion Blur in Traffic Scenes[J]. Computer Engineering, 2025, 51(3): 45-53. (in Chinese)
[2]SONG Z, ZHANG Z, ZHANG K, et al. Robust single image reflection removal against adversarial attacks[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2023: 24688-24698.
[3]KIM J, LEE B K, RO Y M. Demystifying causal features on adversarial examples and causal inoculation for robust network by adversarial instrumental variable regression[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2023: 12302-12312.
[4]刘帅威, 李智, 王国美, 等. 基于Transformer和GAN的对抗样本生成算法[J]. 计算机工程, 2024, 50(2): 180-187. LIU S W, LI Z, WANG G M, et al. Adversarial Example Generation Algorithm Based on Transformer and GAN[J]. Computer Engineering, 2024, 50(2): 180-187. (in Chinese)
[5]LIU A, WANG J, LIU X, et al. Bias-based universal adversarial patch attack for automatic check-out[C]//Computer Vision-ECCV 2020: 16th European Conference, Glasgow, UK, August 23–28, 2020, Proceedings, Part XIII 16. Springer International Publishing, 2020: 395-410.
[6]QIN H, GONG R, LIU X, et al. Forward and backward information retention for accurate binary neural networks[C]//Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 2020: 2250-2259.
[7]Yang X, Liu C, Xu L, et al. Towards effective adversarial textured 3d meshes on physical face recognition[C]//Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 2023: 4119-4128.
[8]DUAN R, MA X, WANG Y, et al. Adversarial camouflage: Hiding physical-world attacks with natural styles[C]//Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 2020: 1000-1008.
[9]Wang X F, Mei S H, Lian J W, et al. Fooling aerial detectors by background attack via dual-adversarial-induced error identification[J]. IEEE Transactions on Geoscience and Remote Sensing, 2024, 62: 1–16.
[10]赵宏, 宋馥荣, 李文改. 基于SE-AdvGAN的图像对抗样本生成方法研究[J]. 计算机工程, 2025, 51(2): 300-311. ZHAO H, SONG F R, LI W G. Research on Image Adversarial Example Generation Method Based on SE-AdvGAN[J]. Computer Engineering, 2025, 51(2): 300-311. (in Chinese)
[11]张学军, 席阿友, 加小红, 等. 基于深度学习的指纹室内定位对抗样本攻击研究[J]. 计算机工程, 2024, 50(10): 228-239. ZHANG X J, XI A Y, JIA X H, 等. Study on Adversarial Sample Attacks on Deep Learning Based Fingerprinting Indoor Localization[J]. Computer Engineering, 2024, 50(10): 228-239. (in Chinese)
[12]Pan Y S, Wang H P. ShipCamou: adversarial camouflage against optical remote sensing image ship detector[C]//First Aerospace Frontiers Conference (AFC 2024). SPIE, 2024, 13218: 933-943.
[13]SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks[C]. International Conference on Learning Representations, 2014, 1-10.
[14]KURAKIN A, GOODFELLOW I J, BENGIO S. Adversarial examples in the physical world[M]//Artificial intelligence safety and security. Chapman and Hall/CRC, 2018: 99-112.
[15]CHENG M, LE T, CHEN P Y, et al. Query-efficient hard-label black-box attack: An optimization-based approach[C]. International Conference on Learning Representations, 2018, 13(4): 1065-1077.
[16]HUANG L, GAO C, ZHOU Y, et al. Universal physical camouflage attacks on object detectors[C]//Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 2020: 720-729.
[17]SURYANTO N, KIM Y, KANG H, et al. Dta: Physical camouflage attacks using differentiable transformation network[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2022: 15305-15314.
[18]EYKHOLT K, EVTIMOV I, FERNANDES E, et al. Robust physical-world attacks on deep learning visual classification[C]//Proceedings of the IEEE conference on computer vision and pattern recognition. 2018: 1625-1634.
[19]ATHALYE A, ENGSTROM L, ILYAS A, et al. Synthesizing robust adversarial examples[C]//International conference on machine learning. PMLR, 2018: 284-293.
[20]WANG J, LIU A, YIN Z, et al. Dual attention suppression attack: Generate adversarial camouflage in physical world[C]//Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 2021: 8565-8574.
[21]CHEN G, ZHAO Z, SONG F, et al. AS2T: Arbitrary source-to-target adversarial attack on speaker recognition systems[J]. IEEE Transactions on Dependable and Secure Computing, 2022 :1-19.
[22]徐宇晖, 潘志松, 徐堃. 面向三种形态图像的对抗攻击研究综述[J]. 计算机科学与探索, 2024, 18(12): 3080-3099. XU Y H, PAN Z S, XU K. Review of Research on Adversarial Attack in Three Kinds of Images[J]. Journal of Frontiers of Computer Science and Technology, 2024, 18(12): 3080-3099. (in Chinese)
[23]戴磊, 曹林, 郭亚男, 等. 基于生成对抗网络的深度伪造跨模型防御方法[J]. 计算机工程, 2024, 50(10): 100-109. DAI L, CAO L, GUO Y N, et al. Deepfake Cross-Model Defense Method Based on Generative Adversarial Network[J]. Computer Engineering, 2024, 50(10): 100-109. (in Chinese)
[24]WU W, SU Y, CHEN X, et al. Boosting the transferability of adversarial samples via attention[C]//Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 2020: 1161-1170.
[25]WANG D, JIANG T, SUN J, et al. Fca: Learning a 3d full-coverage vehicle camouflage for multi-view physical adversarial attack[C]//Proceedings of the AAAI conference on artificial intelligence. 2022, 36(2): 2414-2422.
[26]ZHANG Y, WANG L, ZHANG C, et al. Adversarial examples in visual object tracking in satellite videos: Cross-frame momentum accumulation for adversarial examples generation[J]. Remote Sensing, 2023, 15(13): 3240-3261.

选择文件类型/文献管理软件名称

选择包含的内容