TL;DR
This paper introduces TASAR, the first transfer-based adversarial attack on skeletal action recognition, improving transferability by smoothing the loss function and incorporating motion dynamics, and provides a large-scale benchmark for robustness evaluation.
Contribution
It proposes TASAR, a novel transfer-based attack method for skeletal action recognition that enhances transferability through loss smoothing and motion dynamics, and establishes a comprehensive robustness benchmark.
Findings
TASAR outperforms existing attack methods in transferability.
Loss function smoothness correlates with attack transferability.
The benchmark facilitates future robustness research in S-HAR.
Abstract
Skeletal sequence data, as a widely employed representation of human actions, are crucial in Human Activity Recognition (HAR). Recently, adversarial attacks have been proposed in this area, which exposes potential security concerns, and more importantly provides a good tool for model robustness test. Within this research, transfer-based attack is an important tool as it mimics the real-world scenario where an attacker has no knowledge of the target model, but is under-explored in Skeleton-based HAR (S-HAR). Consequently, existing S-HAR attacks exhibit weak adversarial transferability and the reason remains largely unknown. In this paper, we investigate this phenomenon via the characterization of the loss function. We find that one prominent indicator of poor transferability is the low smoothness of the loss function. Led by this observation, we improve the transferability by properly…
Peer Reviews
Decision·ICLR 2025 Poster
1) The paper is well-written with clear motivations of each step 2) The proposed approch is easy to apply on existing methods since only a few layers are needed at the end of the networ. 3) Thorough experiments and ablation studies
1) As the pretrained models are frozen, modeling p(\theta’|D, \theta) is not as good as modeling p(\theta, \theta’|D). If trainable, it would be better to justify the performance difference on a small subset of data. 2) Besides the visualization of loss surfaces, quantitative evaluation of the surface smoothess can be added.
1. Extensive experiments. 2. The post-train Dual Bayesian Motion attack method is reasonable in general.
1. Although it is reasonable to assume that a smoother loss landscape benefits transfer attacks, exploring the reasons for poor transferability in S-HAR tasks and comparing the differences among surrogate models may reveal various factors. Therefore, directly concluding that smoothing the loss landscape is the sole solution may not be entirely logical. 2. In this method, an MLP is primarily added after the original model. However, the consideration of first-order velocity and second-order accel
+ Overall this paper explores an interesting research problem. + The authors conduct large-scale evaluations to show that the proposed model achieves good performance on several benchmarks. + Some of the figures presented in the paper are quite nice and provide some insights to readers.
Major: - One of the major issues of this paper is that some of the concepts presented in the paper are not properly and clearly explained. For example, in abstract section, what is "white-box scenarios". Also what does it mean by saying "its sharpness contributes to the weak transferability in S-HAR"? - Fig. 1 is not being introduced and explained clearly. For example, what is spatial attack, spatial-temporal attack, why frozen, trainable, being lightweight and demanding? What are appended mo
Code & Models
Videos
Taxonomy
TopicsGait Recognition and Analysis · Anomaly Detection Techniques and Applications
