MultAV: Multiplicative Adversarial Videos
This addresses a gap in adversarial machine learning for video domain, offering a novel attack type that could impact security in video-based AI systems.
The paper tackles the problem of adversarial attacks in video recognition by proposing a multiplicative attack method called MultAV, which challenges existing defenses tailored to additive attacks and shows that models trained against additive attacks are less robust to it.
The majority of adversarial machine learning research focuses on additive attacks, which add adversarial perturbation to input data. On the other hand, unlike image recognition problems, only a handful of attack approaches have been explored in the video domain. In this paper, we propose a novel attack method against video recognition models, Multiplicative Adversarial Videos (MultAV), which imposes perturbation on video data by multiplication. MultAV has different noise distributions to the additive counterparts and thus challenges the defense methods tailored to resisting additive adversarial attacks. Moreover, it can be generalized to not only Lp-norm attacks with a new adversary constraint called ratio bound, but also different types of physically realizable attacks. Experimental results show that the model adversarially trained against additive attack is less robust to MultAV.