TL;DR
FrameShield introduces a novel method for improving adversarial robustness in weakly supervised video anomaly detection by generating synthetic anomalies and combining them with pseudo-labels for effective adversarial training.
Contribution
The paper proposes Spatiotemporal Region Distortion (SRD), a new technique for creating synthetic anomalies, and demonstrates its effectiveness in enhancing robustness against adversarial attacks.
Findings
Significantly improves robustness of WSVAD models against adversarial attacks.
Outperforms state-of-the-art methods by an average of 71.0% in AUROC.
Effective integration of synthetic anomalies with pseudo-labels reduces label noise.
Abstract
Weakly Supervised Video Anomaly Detection (WSVAD) has achieved notable advancements, yet existing models remain vulnerable to adversarial attacks, limiting their reliability. Due to the inherent constraints of weak supervision, where only video-level labels are provided despite the need for frame-level predictions, traditional adversarial defense mechanisms, such as adversarial training, are not effective since video-level adversarial perturbations are typically weak and inadequate. To address this limitation, pseudo-labels generated directly from the model can enable frame-level adversarial training; however, these pseudo-labels are inherently noisy, significantly degrading performance. We therefore introduce a novel Pseudo-Anomaly Generation method called Spatiotemporal Region Distortion (SRD), which creates synthetic anomalies by applying severe augmentations to localized regions in…
Peer Reviews
Decision·NeurIPS 2025 poster
Strengths: The paper's main strength is that it tackles a novel and very important problem: the adversarial robustness of WSVAD models, which is often ignored. The proposed FrameShield method is well-designed, particularly the clever SRD module that generates synthetic data to overcome the noisy pseudo-label issue. The experimental evaluation is another major strength; it is very thorough, using multiple strong attacks (PGD, AutoAttack, A³) and datasets, with detailed ablation studies that stron
Strengths: 1. The work provides a practical solution to the vulnerability of WSVAD models to adversarial attacks, which is of real-world significance. 2. The SRD pseudo-anomaly generation method cleverly utilizes strong local perturbations and motion simulation in normal frames, addressing the challenge of label noise in adversarial training. Weaknesses and Questions: 1. Ped2 is not a weakly-supervised VAD dataset. How were the results of weakly-supervised methods like VADclip obtained on Ped
The paper is interesting in several aspects: 1) It discusses the adversarial robustness issue in VAD and demonstrates that existing approaches are not robust against adversary. 2) It proposed a pseudo anomaly detection approach that addresses this issue. Despite its strengths, the paper has several weaknesses: 1) The clean performance of the proposed approach is quite low. 2) The paper lacks motivation in the sense that adversarial attacks on anomaly detection approaches are only expected in b
Videos
