Adversarial Attacks for Optical Flow-Based Action Recognition Classifiers
This paper addresses security risks in video-based AI systems, but it is incremental, as it builds on existing image classifier attacks.
The paper tackles the vulnerability of action recognition systems to adversarial attacks by developing a new untargeted attack that targets the temporal dimension, achieving state-of-the-art success rates on a two-stream classifier trained on UCF-101 and demonstrating transferability to black-box systems.
The success of deep learning research has catapulted deep models into production systems that our society is becoming increasingly dependent on, especially in the image and video domains. However, recent work has shown that these largely uninterpretable models exhibit glaring security vulnerabilities in the presence of an adversary. In this work, we develop a powerful untargeted adversarial attack for action recognition systems in both white-box and black-box settings. Action recognition models differ from image-classification models in that their inputs contain a temporal dimension, which we explicitly target in the attack. Drawing inspiration from image classifier attacks, we create new attacks which achieve state-of-the-art success rates on a two-stream classifier trained on the UCF-101 dataset. We find that our attacks can significantly degrade a model's performance with sparsely and imperceptibly perturbed examples. We also demonstrate the transferability of our attacks to black-box action recognition systems.