Temporal Consistency Constrained Transferable Adversarial Attacks with Background Mixup for Action Recognition

TL;DR

This paper introduces a novel transfer attack method for action recognition that uses background mixup and temporal consistency to improve adversarial transferability across models, reducing reliance on surrogate-target similarity.

Contribution

The proposed BMTC attack employs background mixup and temporal gradient consistency to enhance transferability and attack stability in action recognition models.

Findings

Significantly improves transferability of adversarial examples across models.

Effective on multiple datasets including UCF101, Kinetics-400, and ImageNet.

Reduces dependency on surrogate-target model similarity.

Abstract

Action recognition models using deep learning are vulnerable to adversarial examples, which are transferable across other models trained on the same data modality. Existing transferable attack methods face two major challenges: 1) they heavily rely on the assumption that the decision boundaries of the surrogate (a.k.a., source) model and the target model are similar, which limits the adversarial transferability; and 2) their decision boundary difference makes the attack direction uncertain, which may result in the gradient oscillation, weakening the adversarial attack. This motivates us to propose a Background Mixup-induced Temporal Consistency (BMTC) attack method for action recognition. From the input transformation perspective, we design a model-agnostic background adversarial mixup module to reduce the surrogate-target model dependency. In particular, we randomly sample one video from each category and make its background frame, while selecting the background frame with the top attack ability for mixup with the clean frame by reinforcement learning. Moreover, to ensure an explicit attack direction, we leverage the background category as guidance for updating the gradient of adversarial example, and design a temporal gradient consistency loss, which strengthens the stability of the attack direction on subsequent frames. Empirical studies on two video datasets, i.e., UCF101 and Kinetics-400, and one image dataset, i.e., ImageNet, demonstrate that our method significantly boosts the transferability of adversarial examples across several action/image recognition models. Our code is available at https://github.com/mlvccn/BMTC_TransferAttackVid.