Enhancing robustness in video recognition models: Sparse adversarial attacks and beyond

• Published in: Neural networks Vol. 171; pp. 127 - 143
• Main Authors: Mu, Ronghui, Marcolino, Leandro, Ni, Qiang, Ruan, Wenjie
• Format: Journal Article
• Language: English
• Published: United States Elsevier Ltd 01.03.2024
• Subjects: Action recognition; Adversarial robustness; Adversarial training; Algorithms; Bayes Theorem; Deep learning; Humans; Neural Networks, Computer; Recognition, Psychology; Time Factors; Video classification; Deep learning; Action recognition; Adversarial robustness; Adversarial training; Video classification
• ISSN: 0893-6080; 1879-2782
• DOI: 10.1016/j.neunet.2023.11.056

Recent years have witnessed increasing interest in adversarial attacks on images, while adversarial video attacks have seldom been explored. In this paper, we propose a sparse adversarial attack strategy on videos (DeepSAVA). Our model aims to add a small human-imperceptible perturbation to the key frame of the input video to fool the classifiers. To carry out an effective attack that mirrors real-world scenarios, our algorithm integrates spatial transformation perturbations into the frame. Instead of using the lp norm to gauge the disparity between the perturbed frame and the original frame, we employ the structural similarity index (SSIM), which has been established as a more suitable metric for quantifying image alterations resulting from spatial perturbations. We employ a unified optimisation framework to combine spatial transformation with additive perturbation, thereby attaining a more potent attack. We design an effective and novel optimisation scheme that alternatively utilises Bayesian Optimisation (BO) to identify the most critical frame in a video and stochastic gradient descent (SGD) based optimisation to produce both additive and spatial-transformed perturbations. Doing so enables DeepSAVA to perform a very sparse attack on videos for maintaining human imperceptibility while still achieving state-of-the-art performance in terms of both attack success rate and adversarial transferability. Furthermore, built upon the strong perturbations produced by DeepSAVA, we design a novel adversarial training framework to improve the robustness of video classification models. Our intensive experiments on various types of deep neural networks and video datasets confirm the superiority of DeepSAVA in terms of attacking performance and efficiency. When compared to the baseline techniques, DeepSAVA exhibits the highest level of performance in generating adversarial videos for three distinct video classifiers. Remarkably, it achieves an impressive fooling rate ranging from 99.5% to 100% for the I3D model, with the perturbation of just a single frame. Additionally, DeepSAVA demonstrates favourable transferability across various time series models. The proposed adversarial training strategy is also empirically demonstrated with better performance on training robust video classifiers compared with the state-of-the-art adversarial training with projected gradient descent (PGD) adversary. •Sparse attacks on video models: perturb fewer frames to gain high fooling rate.•Combining additive and spatial perturbations to enhance attacking performance.•Using SSIM instead of lp-norm to maintain the human perception.•Applying Bayesian Optimisation to identify the most critical frame to perturb.•A new adversarial training method based on combination of diverse perturbations.