Analysis and Extensions of Adversarial Training for Video Classification

TL;DR

This paper investigates adversarial training for video classification, revealing how attack parameters affect robustness and proposing adaptive strategies to enhance defense against variable attack budgets.

Contribution

It introduces new insights into attack parameter tuning for videos and proposes three novel defenses: Adaptive AT, Curriculum AT, and Generative AT.

Findings

Optimal attack step size varies linearly with attack budget.

Using smaller attack budgets during training improves robustness.

Proposed methods outperform baseline defenses on UCF101 dataset.

Abstract

Adversarial training (AT) is a simple yet effective defense against adversarial attacks to image classification systems, which is based on augmenting the training set with attacks that maximize the loss. However, the effectiveness of AT as a defense for video classification has not been thoroughly studied. Our first contribution is to show that generating optimal attacks for video requires carefully tuning the attack parameters, especially the step size. Notably, we show that the optimal step size varies linearly with the attack budget. Our second contribution is to show that using a smaller (sub-optimal) attack budget at training time leads to a more robust performance at test time. Based on these findings, we propose three defenses against attacks with variable attack budgets. The first one, Adaptive AT, is a technique where the attack budget is drawn from a distribution that is adapted as training iterations proceed. The second, Curriculum AT, is a technique where the attack budget is increased as training iterations proceed. The third, Generative AT, further couples AT with a denoising generative adversarial network to boost robust performance. Experiments on the UCF101 dataset demonstrate that the proposed methods improve adversarial robustness against multiple attack types.