Adversarial Attacks on Black Box Video Classifiers: Leveraging the Power of Geometric Transformations NeurIPS 2021
- Shasha Li* UC Riverside
- Abhishek Aich* UC Riverside
- Shitong Zhu UC Riverside
- M. Salman Asif UC Riverside
- Chengyu Song UC Riverside
- Amit K. Roy-Chowdhury UC Riverside
- Srikanth V. Krishnamurthy UC Riverside
-
(* joint first authors)
Abstract
When compared to the image classification models, black-box adversarial attacks against video classification models have been largely understudied. This could be possible because, with video, the temporal dimension poses significant additional challenges in gradient estimation. Query-efficient black-box attacks rely on effectively estimated gradients towards maximizing the probability of misclassifying the target video. In this work, we demonstrate that such effective gradients can be searched for by parameterizing the temporal structure of the search space with geometric transformations. Specifically, we design a novel iterative algorithm Geometric TRAnsformed Perturbations (GEO-TRAP), for attacking video classification models. GEO-TRAP employs standard geometric transformation operations to reduce the search space for effective gradients by searching for a small group of parameters that define these operations. This group of parameters describes the geometric progression of gradients, resulting in a reduced and structured search space. Our algorithm inherently leads to successful perturbations with surprisingly few queries. For example, adversarial examples generated from GEO-TRAP have better attack success rates with ~73.55% fewer queries compared to the state-of-the-art method for video adversarial attacks on the widely used Jester dataset. Overall, our algorithm exposes vulnerabilities of diverse video classification models and achieves new state-of-the-art results under black-box settings on two large datasets.
Paper
Slides
Code
BibTeX
@InProceedings{li2021adversarial, title={Adversarial Attacks on Black Box Video Classifiers: Leveraging the Power of Geometric Transformations}, author={Li, Shasha and Aich, Abhishek and Zhu, Shitong and Asif, Salman and Song, Chengyu and Roy-Chowdhury, Amit and Krishnamurthy, Srikanth}, booktitle = {Thirty-Fifth Conference on Neural Information Processing Systems}, year={2021} }
Acknowledgements
The authors would like to thank Dr. Cliff Wang of US Army Research Office for his extensive comments and input on this work. This material is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) under Agreement No. HR00112090096. Approved for public release; distribution is unlimited.