Boosting Adversarial Transferability for Skeleton-based Action Recognition via Exploring the Model Posterior Space

Read original: arXiv:2407.08572 - Published 9/6/2024 by Yunfeng Diao, Baiqi Wu, Ruixuan Zhang, Xun Yang, Meng Wang, He Wang

Overview

  • This paper explores ways to improve the transferability of adversarial attacks on skeleton-based action recognition models.
  • The researchers use Bayesian deep learning techniques to generate diverse adversarial examples that can reliably fool multiple models.
  • The proposed approach outperforms previous state-of-the-art methods for transferring adversarial attacks across models.

Plain English Explanation

Adversarial attacks make small, carefully crafted changes to input data to trick an AI model into making incorrect predictions. In the context of skeleton-based action recognition, these attacks can be used to fool models that analyze the movements of the human body to recognize actions like walking, jumping, or waving.

The key insight of this paper is that by using Bayesian deep learning techniques, the researchers were able to generate a diverse set of adversarial examples that could reliably fool multiple action recognition models. This is important because a major challenge with adversarial attacks is making them transferable - meaning the same adversarial example can fool different models, not just the one it was designed for.

The proposed approach outperformed previous methods for transferring adversarial attacks across models, suggesting it could be a useful tool for evaluating the robustness of skeleton-based action recognition systems. This could help researchers and developers make these systems more secure against malicious attacks.

Technical Explanation

The researchers used a Bayesian deep learning framework to generate a diverse set of adversarial examples that can effectively fool multiple skeleton-based action recognition models. Specifically, they trained a Bayesian neural network (BNN) as the target model and then used Monte Carlo sampling to explore the model's posterior parameter space. This allowed them to generate a wide range of adversarial perturbations that could reliably transfer to other action recognition models.

In their experiments, the proposed Bayesian approach outperformed previous state-of-the-art transfer-based adversarial attack methods, achieving higher success rates when transferring adversarial examples across different model architectures and datasets. The researchers attribute this improved transferability to the diverse set of adversarial examples generated by exploring the model's posterior parameter space.

Critical Analysis

The paper provides a compelling approach for boosting the transferability of adversarial attacks on skeleton-based action recognition models. However, the researchers acknowledge that their method has some limitations. For example, the Bayesian framework can be computationally expensive, which may limit its scalability to larger models or datasets.

Additionally, the paper does not address the broader implications of this research, such as the potential misuse of adversarial attacks or the need for developing more robust and secure AI systems. Further research is needed to understand the long-term societal impact of this type of work and to explore ways to mitigate the risks associated with adversarial attacks.

Conclusion

This paper presents a novel Bayesian deep learning approach for generating diverse and transferable adversarial examples that can effectively fool multiple skeleton-based action recognition models. The proposed method outperforms previous state-of-the-art transfer-based attack techniques, demonstrating the potential of Bayesian techniques for enhancing the transferability of adversarial attacks.

While the research contributes to our understanding of the vulnerabilities of skeleton-based action recognition systems, it also highlights the importance of developing more robust and secure AI models that can withstand such malicious attacks. Continued work in this area could lead to improved defenses against adversarial threats and more trustworthy AI systems.



This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!

Related Papers

Boosting Adversarial Transferability for Skeleton-based Action Recognition via Exploring the Model Posterior Space

Yunfeng Diao, Baiqi Wu, Ruixuan Zhang, Xun Yang, Meng Wang, He Wang

Skeletal motion plays a pivotal role in human activity recognition (HAR). Recently, attack methods have been proposed to identify the universal vulnerability of skeleton-based HAR (S-HAR). However, the research of adversarial transferability on S-HAR is largely missing. More importantly, existing attacks all struggle in transfer across unknown S-HAR models. We observed that the key reason is that the loss landscape of the action recognizers is rugged and sharp. Given the established correlation in prior studies [qin2022boosting, wu2020towards] between loss landscape and adversarial transferability, we assume and empirically validate that smoothing the loss landscape could potentially improve adversarial transferability on S-HAR. This is achieved by proposing a new post-train Dual Bayesian strategy, which can effectively explore the model posterior space for a collection of surrogates without the need for re-training. Furthermore, to craft adversarial examples along the motion manifold, we incorporate the attack gradient with information of the motion dynamics in a Bayesian manner. Evaluated on benchmark datasets, e.g. HDM05 and NTU 60, the average transfer success rate can reach as high as 35.9% and 45.5% respectively. In comparison, current state-of-the-art skeletal attacks achieve only 3.6% and 9.8%. The high adversarial transferability remains consistent across various surrogate, victim, and even defense models. Through a comprehensive analysis of the results, we provide insights on what surrogates are more likely to exhibit transferability, to shed light on future research.

9/6/2024

TASAR: Transferable Attack on Skeletal Action Recognition

Yunfeng Diao, Baiqi Wu, Ruixuan Zhang, Ajian Liu, Xingxing Wei, Meng Wang, He Wang

Skeletal sequences, as well-structured representations of human behaviors, are crucial in Human Activity Recognition (HAR). The transferability of adversarial skeletal sequences enables attacks in real-world HAR scenarios, such as autonomous driving, intelligent surveillance, and human-computer interactions. However, existing Skeleton-based HAR (S-HAR) attacks exhibit weak adversarial transferability and, therefore, cannot be considered true transfer-based S-HAR attacks. More importantly, the reason for this failure remains unclear. In this paper, we study this phenomenon through the lens of loss surface, and find that its sharpness contributes to the poor transferability in S-HAR. Inspired by this observation, we assume and empirically validate that smoothening the rugged loss landscape could potentially improve adversarial transferability in S-HAR. To this end, we propose the first Transfer-based Attack on Skeletal Action Recognition, TASAR. TASAR explores the smoothed model posterior without re-training the pre-trained surrogates, which is achieved by a new post-train Dual Bayesian optimization strategy. Furthermore, unlike previous transfer-based attacks that treat each frame independently and overlook temporal coherence within sequences, TASAR incorporates motion dynamics into the Bayesian attack gradient, effectively disrupting the spatial-temporal coherence of S-HARs. To exhaustively evaluate the effectiveness of existing methods and our method, we build the first large-scale robust S-HAR benchmark, comprising 7 S-HAR models, 10 attack methods, 3 S-HAR datasets and 2 defense models. Extensive results demonstrate the superiority of TASAR. Our benchmark enables easy comparisons for future studies, with the code available in the supplementary material.

9/5/2024

Understanding the Vulnerability of Skeleton-based Human Activity Recognition via Black-box Attack

Yunfeng Diao, He Wang, Tianjia Shao, Yong-Liang Yang, Kun Zhou, David Hogg, Meng Wang

Human Activity Recognition (HAR) has been employed in a wide range of applications, e.g. self-driving cars, where safety and lives are at stake. Recently, the robustness of skeleton-based HAR methods has been questioned due to their vulnerability to adversarial attacks. However, the proposed attacks require full knowledge of the attacked classifier, which is overly restrictive. In this paper, we show such threats indeed exist, even when the attacker only has access to the input/output of the model. To this end, we propose the very first black-box adversarial attack approach in skeleton-based HAR called BASAR. BASAR explores the interplay between the classification boundary and the natural motion manifold. To our best knowledge, this is the first time data manifold is introduced in adversarial attacks on time series. Via BASAR, we find on-manifold adversarial samples are extremely deceitful and rather common in skeletal motions, in contrast to the common belief that adversarial samples only exist off-manifold. Through exhaustive evaluation, we show that BASAR can deliver successful attacks across classifiers, datasets, and attack modes. By attack, BASAR helps identify the potential causes of the model vulnerability and provides insights on possible improvements. Finally, to mitigate the newly identified threat, we propose a new adversarial training approach by leveraging the sophisticated distributions of on/off-manifold adversarial samples, called mixed manifold-based adversarial training (MMAT). MMAT can successfully help defend against adversarial attacks without compromising classification accuracy.

5/7/2024

Emotion Loss Attacking: Adversarial Attack Perception for Skeleton based on Multi-dimensional Features

Feng Liu, Qing Xu, Qijian Zheng

Adversarial attack on skeletal motion is a hot topic. However, existing research only considers part of the dynamic features when measuring distance between skeleton graph sequences, which results in poor imperceptibility. To this end, we propose a novel adversarial attack method to attack action recognizers for skeletal motions. Firstly, our method systematically proposes a dynamic distance function to measure the difference between skeletal motions. Meanwhile, we innovatively introduce emotional features for complementary information. In addition, we use the Alternating Direction Method of Multipliers (ADMM) to solve the constrained optimization problem, which generates adversarial samples with better imperceptibility to deceive the classifiers. Experiments show that our method is effective on multiple action classifiers and datasets. When the perturbation magnitude measured by l norms is the same, the dynamic perturbations generated by our method are much lower than those of other methods. What's more, we are the first to prove the effectiveness of emotional features, and provide a new idea for measuring the distance between skeletal motions.

7/1/2024