Can't Fool Me: Adversarially Robust Transformer for Video Understanding

TL;DR

This paper introduces A-ART, a Transformer-based model with temporal attention regularization that significantly enhances adversarial robustness in video understanding, achieving near non-adversarial performance on YouTube-8M.

Contribution

It proposes a novel temporal attention regularization scheme for Transformers, improving adversarial robustness in video understanding tasks.

Findings

A-ART achieves 91% GAP on adversarial examples.

Simple extensions of image-based models slightly improve robustness.

A-ART outperforms baseline Transformer and simple adversarial extensions.

Abstract

Deep neural networks have been shown to perform poorly on adversarial examples. To address this, several techniques have been proposed to increase robustness of a model for image classification tasks. However, in video understanding tasks, developing adversarially robust models is still unexplored. In this paper, we aim to bridge this gap. We first show that simple extensions of image based adversarially robust models slightly improve the worst-case performance. Further, we propose a temporal attention regularization scheme in Transformer to improve the robustness of attention modules to adversarial examples. We illustrate using a large-scale video data set YouTube-8M that the final model (A-ART) achieves close to non-adversarial performance on its adversarial example set. We achieve 91% GAP on adversarial examples, whereas baseline Transformer and simple adversarial extensions achieve 72.9% and 82% respectively, showing significant improvement in robustness over the state-of-the-art.