Hard No-Box Adversarial Attack on Skeleton-Based Human Action Recognition with Skeleton-Motion-Informed Gradient

TL;DR

This paper introduces a novel hard no-box adversarial attack on skeleton-based human action recognition that leverages a skeleton-motion-informed gradient, demonstrating increased transferability and imperceptibility without requiring model access or training data.

Contribution

The paper proposes a new attack method using a skeleton-motion-informed gradient that operates without model or data access, expanding the scope of adversarial attacks in this domain.

Findings

The attack method effectively compromises existing classifiers.

The SMI gradient improves transferability of adversarial samples.

The method enhances imperceptibility of attacks.

Abstract

Recently, methods for skeleton-based human activity recognition have been shown to be vulnerable to adversarial attacks. However, these attack methods require either the full knowledge of the victim (i.e. white-box attacks), access to training data (i.e. transfer-based attacks) or frequent model queries (i.e. black-box attacks). All their requirements are highly restrictive, raising the question of how detrimental the vulnerability is. In this paper, we show that the vulnerability indeed exists. To this end, we consider a new attack task: the attacker has no access to the victim model or the training data or labels, where we coin the term hard no-box attack. Specifically, we first learn a motion manifold where we define an adversarial loss to compute a new gradient for the attack, named skeleton-motion-informed (SMI) gradient. Our gradient contains information of the motion dynamics, which is different from existing gradient-based attack methods that compute the loss gradient assuming each dimension in the data is independent. The SMI gradient can augment many gradient-based attack methods, leading to a new family of no-box attack methods. Extensive evaluation and comparison show that our method imposes a real threat to existing classifiers. They also show that the SMI gradient improves the transferability and imperceptibility of adversarial samples in both no-box and transfer-based black-box settings.