Invisibility Cloak: Disappearance under Human Pose Estimation via Backdoor Attacks

Despite being significant in autonomous systems, Human Pose Estimation (HPE)'s potential risks to adversarial attacks have not received comparable attention with image classification or segmentation tasks. In this paper, we study the vulnerability of HPE systems to disappearance attacks, where the attacker aims to subtly alter the HPE training process via backdoor techniques so that any input image with some specific trigger will not be recognized as involving any human pose. As humans are typically at the center of HPE systems, a successful attack will severely threaten pedestrians' lives if a self-driving car incorrectly understands the front scene. To achieve the adversarial goal of disappearance, we propose \emph{IntC}, a general framework to craft an invisibility cloak in the HPE domain. By designing target HPE labels that do not represent any human pose, we propose three specific backdoor attacks based on our IntC framework. IntC-S and IntC-E, respectively designed for regression- and heatmap-based HPE techniques, concentrate the keypoints of triggered images in a tiny, imperceptible region. Further, to improve the attack's stealthiness, IntC-L designs the target poisons to capture the label outputs of typical landscape images without a human involved, achieving disappearance and reducing detectability simultaneously. Extensive experiments demonstrate the effectiveness and generalizability of our IntC methods in achieving the disappearance goal. By revealing the vulnerability of HPE to disappearance and backdoor attacks, we hope our work can raise awareness of the potential risks when HPE models are deployed in real-world applications.