Skeletal motion plays a vital role in human activity recognition as either an independent data source or a complement. The robustness of skeleton-based activity recognizers has been questioned recently, which shows that they are vulnerable to adversarial attacks when the full-knowledge of the recognizer is accessible to the attacker. However, this white-box requirement is overly restrictive in most scenarios and the attack is not truly threatening. In this paper, we show that such threats do exist under black-box settings too. To this end, we propose the first black-box adversarial attack method BASAR. Through BASAR, we show that adversarial attack is not only truly a threat but also can be extremely deceitful, because on-manifold adversarial samples are rather common in skeletal motions, in contrast to the common belief that adversarial samples only exist off-manifold. Through exhaustive evaluation and comparison, we show that BASAR can deliver successful attacks across models, data, and attack modes. Through harsh perceptual studies, we show that it achieves effective yet imperceptible attacks. By analyzing the attack on different activity recognizers, BASAR helps identify the potential causes of their vulnerability and provides insights on what classifiers are likely to be more robust against attack.
翻译:骨骼运动作为独立的数据源或补充物在人类活动的识别中发挥着关键作用。 骨骼活动识别器的强健性最近受到质疑, 这表明当攻击者完全了解识别器的完全知识时,他们很容易受到对抗性攻击。 然而, 白箱要求在多数情况下过于严格, 攻击并不真正具有威胁性。 在本文中, 我们显示这种威胁也存在于黑箱设置之下。 为此, 我们提议了第一种黑箱对抗性攻击方法 。 我们通过巴萨尔, 我们表明对抗性攻击不仅真正是一种威胁, 而且可能极具有欺骗性, 因为使用对称式的对称式对抗性样品在骨骼运动中相当常见, 与关于对抗性样品只存在于非自觉的通常看法相反, 我们通过详尽的评估和比较, 表明巴萨尔能够通过黑箱式的设置, 成功地在各种模型、 数据和攻击模式下进行攻击。 我们通过严谨的感知觉的研究, 显示它能够实现有效但无法察觉的攻击。 通过分析对不同活动识别器的攻击, 巴萨尔协助查明其潜在的攻击原因。
相关内容
微信扫码咨询专知VIP会员