A Survey of Adversarial Examples in Computer Vision: Attack, Defense, and Beyond | Wuhan University Journal of Natural Sciences

Open Access

Review

Table 2

Representative adversarial attack methods

Attack method	Year	Venue	Adv. target	Adv. knowledge	Perturb. structure	Adv. bounds	Applicable DNNs	Description
FGSM^[4]	2015	ICLR	Untargeted	White-box	Noise-based	$l_{\infty}$ -norm	CNN	Fast gradient sign method
BIM^[7]	2017	ICLR	Untargeted	White-box	Noise-based	$l_{\infty}$ -norm	Inception-v3	Iterative FGSM
JSMA^[34]	2016	EuroS&P	Targeted	White-box	Noise-based	$l_{0}$ -norm	LeNet-5	$l_{0}$ -norm bounded greedy algorithm
DeepFool^[38]	2016	CVPR	Untargeted	White-box	Noise-based	$l_{1} / l_{2} / l_{\infty}$ -norm	CaffeNet and GoogLeNet	Boundary distance estimation
C&W^[5]	2017	S&P	Untargeted	White-box	Noise-based	$l_{2}$ -norm	Inception-v3	Minimal perturbations within $l_{2}$ -norm bound
UAP^[39]	2017	CVPR	Untargeted	White-box	Noise-based	$l_{1} / l_{\infty}$ -norm	CaffeNet, VGG, GoogLeNet and ResNet-50	Universal adversarial perturbation
AdvPatch^[30]	2017	ArXiv	Targeted	White-box	Patch-based	$l_{\infty}$ -norm	Inception-v3, ResNet-50, VGG-16 and VGG-19	Adversarial patch to fool image classification
Boundary^[40]	2017	ICLR	Both	Black-box	Noise-based	$l_{0}$ -norm	VGG-19, ResNet-50	Query-based random walk attack
PGD^[6]	2018	ICLR	Untargeted	White-box	Noise-based	$l_{\infty}$ -norm	CNN, ResNet	Projected gradient descent
stAdv^[29]	2018	ICLR	Targeted	White-box	Transformation	Perceptual	CNN, ResNet-32 and ResNet-34	Perturbation by flow field
AC-GAN^[37]	2018	NeurIPS	Both	White-box	Semantic	Unrestricted	ResNet	Unrestricted attacks from scratch using GANs
RP₂^[24]	2018	CVPR	Targeted	White-box	Patch-based	Unrestricted	Inception-v3, LISA-CNN and GTSRB-CNN	Physical adversarial patches in the real world
SparseFool^[41]	2019	CVPR	Untargeted	White-box	Noise-based	$l_{1}$ -norm	LeNet, VGG-19 and ResNet-18	Projected $l_{1}$ -norm DeepFool
AdvSticker^[31]	2019	ICML	Targeted	White-box	Patch-based	Unrestricted	ResNet-50	Adversarial camera stickers
DIM^[42]	2019	CVPR	Targeted	Black-box	Noise-based	$l_{\infty}$ -norm	Inception-v3, Inception-v4, ResNetv2-152 and InceptionResNet-v2	Diverse input method
TIM^[43]	2019	CVPR	Untargeted	White-box	Transformation	$l_{\infty}$ -norm	Inception-v3, Inception-v4, Inception ResNet-v2 and ResNetv2-152	Translation-invariant method
SIM^[44]	2020	ICLR	Targeted	White-box	Noise-based	$l_{\infty}$ -norm	Incv3ens3,Incv3ens4 and IncRes-v2ens	Scale-invariant method
One-shot^[45]	2020	CVPR	Both	White-box	Noise-based	$l_{\infty}$ -norm	ResNet-50, MobileNet-v2	Optimizing objectives using dual attention mechanism
PerC-AL^[28]	2020	CVPR	Untargeted	White-box	Transformation	Perceptual	Inception-v3	Bounded by perceptual color distance
Square^[27]	2020	ECCV	Both	Black-box	Noise-based	$l_{2} / l_{\infty}$ -norm	Inception-v3, ResNet-50 and VGG-16-BN	Query-based attack using shrinking squares
AutoAttack^[46]	2020	ICML	Both	White-/Black-box	Noise-based	$l_{2} / l_{\infty}$ -norm	General	Ensemble of APGD, Square and FAB attack
SemAdv^[47]	2020	ECCV	Targeted	White-/Black-box	Semantic	Unrestricted	ResNet-50, ResNet-101	Modifying visual attribute
Rays^[48]	2020	ICM	Both	Black-box	Noise-based	$l_{2} / l_{\infty}$ -norm	Transformers	Hard label attack for transformer
Adaptive black-box attack^[49]	2020	ArXiv	Both	Black-box	Noise-based	$l_{2} / l_{\infty}$ -norm	Transformers	Attacking trained synthetic models
AOA^[50]	2020	ArXiv	Targeted	White-box	Semantic	Unrestricted	VGG-19, ResNet-50, DenseNet-121 and Inception-v3	Attack on attention
ATA^[51]	2020	CVPR	Untargeted	White-/Black-box	Noise-based	Unrestricted	ResNet-v2, Inception-v3, Inception-v4 and Inception-ResNet-v2	Attention-guided transfer attack
SAGA^[52]	2021	ICCV	Both	White-box	Noise-based	$l_{2} / l_{\infty}$ -norm	Transformers	Attack self-attention mechanism of the visual transformer
FilterFool^[53]	2021	TIP	Untargeted	White-box	Semantic	Perceptual	ResNet-50, ResNet-18 and Alex	Attack with mimic filter
TTA^[54]	2021	NeurIPS	Targeted	Black-box	Noise-based	$l_{\infty}$ -norm	ResNet-50, Dense-121, VGG-16 and Inception-v3	Simple targeted transfer-based attack
SparseGAN^[33]	2022	CVPR	Untargeted	White-box	Semantic	$l_{0}$ -norm	Inception-v3, ResNet-50, VGG-16 and Densenet-161	Perturbation decoupling
AMT-GAN^[55]	2022	CVPR	Untargeted	White-box	Semantic	Unrestricted	IR-152, IRSE-50, Facenet and Mobileface	Make-up transfer attack
NAA^[56]	2022	CVPR	Untargeted	Black-box	Noise-based	$l_{\infty}$ -norm	Inception-v3, Inception-v4, Inception-ResNet-v2 and ResNetv2-152	Neuron Attribution-based attack
NP-Attack^[57]	2023	PR	Both	Black-box	Noise-based	$l_{\infty}$ -norm	Inception-v3	Query-based attack with tiling tricks
ACA^[58]	2023	NeurIPS	Untargeted	White-box	Semantic	Unrestricted	CNN, ViT	Content-based unrestricted adversarial attack
DAS^[59]	2023	CVPR	Untargeted	White-box	Noise-based	$l_{\infty}$ -norm	Inception-v3, VGG-19, ResNet-152, DenseNet, Yolo-V5, SSD, Faster R-CNN, and Mask R-CNN	Generating adversarial examples by suppressing model and human attention
MMIA^[60]	2024	CVPR	Untargeted	White-box	Noise-based	$l_{\infty}$ -norm	ResNet-50, VGG-16, Inception-v3, DenseNet, MobileNet and GoogleNet	Improving the stealthiness of adversarial examples
AAS-AT^[61]	2024	CVPR	Both	White-box	Transformation	Unrestricted	ViT	Adaptive attention scaling attack
SASD-WS^[62]	2024	CVPR	Targeted	Black-box	Noise-based	$l_{\infty}$ -norm	General	Attacks with sharpness-aware self-distillation and weight scaling

Continued on next page

Current usage metrics show cumulative count of Article Views (full-text article views including HTML views, PDF and ePub downloads, according to the available data) and Abstracts Views on Vision4Press platform.

Data correspond to usage on the plateform after 2015. The current usage metrics is available 48-96 hours after online publication and is updated daily on week days.

Initial download of the metrics may take a while.