Heuristic Black-Box Adversarial Attacks On Video Recognition Models

In recent years,the construction of the safe city in China and the booming mobile internet industry have caused a huge increase in the amount of video data.Processing and research on video data are facing huge challenges.Also,with the continuous development of deep learning,deep learning models are being widely used in the field of video data,such as surveillance video recognition,pedestrian re-identification,and autonomous driving.However,recent research shows that deep learning models are vulnerable to the adversarial example,which makes deep learning models predict incorrect results.The adversarial example is the video with small perturbations that are imperceptible to human eyes,but can fool deep learning models.The existence of the adversarial example has become one of the main risks of the deployment of deep learning.Besides,the research on the generation of adversarial examples can help us understand the internal working mechanism of deep learning and further improve the robustness of deep learning models.We study the problem of attacking video recognition models in the black-box setting,where the model information is unknown and the adversary can only make queries to detect the predicted top-1 class and its probability.Compared with the black-box attack on images,attacking videos is more challenging as the computation cost for searching the adversarial perturbations on a video is much higher due to its high dimensionality.To overcome this challenge,we propose a heuristic black-box attack model that generates adversarial perturbations only on the selected frames and regions.More specifically,a heuristic-based algorithm is proposed to measure the importance of each frame in the video towards generating the adversarial examples.Based on the frames' importance,the proposed algorithm heuristically searches a subset of frames where the generated adversarial example has strong adversarial attack ability while keeps the perturbations lower than the given bound.Besides,to further boost the attack efficiency,we propose to generate the perturbations only on the salient regions of the selected frames.In this way,the generated perturbations are sparse in both temporal and spatial domains.Experimental results of attacking two mainstream video recognition methods on the UCF-101 dataset and the HMDB-51 dataset demonstrate that the proposed heuristic black-box adversarial attack method can significantly reduce the computation cost and lead to more than 28% reduction in query numbers for the untargeted attack on both datasets.