论文标题
查询有效的跨数据库可转移的黑框攻击动作识别
Query Efficient Cross-Dataset Transferable Black-Box Attack on Action Recognition
论文作者
论文摘要
黑框对抗攻击对行动识别系统构成了现实的威胁。现有的黑框攻击遵循一种基于查询的方法,该方法通过查询目标模型来优化攻击,或者是使用替代模型生成攻击的基于转移的方法。尽管这些方法可以达到不错的愚蠢率,但前者往往是高度查询的,而后者对黑箱模型的训练数据具有广泛的了解。在本文中,我们提出了对行动识别的新攻击,该攻击通过产生扰动来解决这些缺点,以破坏预先训练的替代模型所学的功能以减少查询数量。通过使用几乎不相关的数据集来训练替代模型,我们的方法消除了使用与目标模型相同的数据集训练替代模型的要求,并利用对目标模型的查询来保留基于查询方法提供的愚弄率益处。这最终导致攻击比传统的黑盒攻击更可转移。通过广泛的实验,我们通过提出的框架展示了高度查询的黑盒攻击。与基于查询和基于转移的最新攻击相比,我们的方法分别达到8%和12%的欺骗率。
Black-box adversarial attacks present a realistic threat to action recognition systems. Existing black-box attacks follow either a query-based approach where an attack is optimized by querying the target model, or a transfer-based approach where attacks are generated using a substitute model. While these methods can achieve decent fooling rates, the former tends to be highly query-inefficient while the latter assumes extensive knowledge of the black-box model's training data. In this paper, we propose a new attack on action recognition that addresses these shortcomings by generating perturbations to disrupt the features learned by a pre-trained substitute model to reduce the number of queries. By using a nearly disjoint dataset to train the substitute model, our method removes the requirement that the substitute model be trained using the same dataset as the target model, and leverages queries to the target model to retain the fooling rate benefits provided by query-based methods. This ultimately results in attacks which are more transferable than conventional black-box attacks. Through extensive experiments, we demonstrate highly query-efficient black-box attacks with the proposed framework. Our method achieves 8% and 12% higher deception rates compared to state-of-the-art query-based and transfer-based attacks, respectively.
