Query Efficient Cross-Dataset Transferable Black-Box Attack on Action Recognition

TL;DR

This paper introduces a query-efficient black-box attack on action recognition that combines transferability and query-based strategies, using a substitute model trained on a different dataset to improve attack transferability and reduce queries.

Contribution

The proposed method generates perturbations by disrupting features of a pre-trained substitute model trained on a different dataset, enhancing transferability and query efficiency in black-box attacks.

Findings

Achieves 8% higher deception rate than state-of-the-art query-based attacks.

Achieves 12% higher deception rate than transfer-based attacks.

Demonstrates high query efficiency in extensive experiments.

Abstract

Black-box adversarial attacks present a realistic threat to action recognition systems. Existing black-box attacks follow either a query-based approach where an attack is optimized by querying the target model, or a transfer-based approach where attacks are generated using a substitute model. While these methods can achieve decent fooling rates, the former tends to be highly query-inefficient while the latter assumes extensive knowledge of the black-box model's training data. In this paper, we propose a new attack on action recognition that addresses these shortcomings by generating perturbations to disrupt the features learned by a pre-trained substitute model to reduce the number of queries. By using a nearly disjoint dataset to train the substitute model, our method removes the requirement that the substitute model be trained using the same dataset as the target model, and leverages queries to the target model to retain the fooling rate benefits provided by query-based methods. This ultimately results in attacks which are more transferable than conventional black-box attacks. Through extensive experiments, we demonstrate highly query-efficient black-box attacks with the proposed framework. Our method achieves 8% and 12% higher deception rates compared to state-of-the-art query-based and transfer-based attacks, respectively.