Cross-Modal Transferable Adversarial Attacks from Images to Videos
- URL: http://arxiv.org/abs/2112.05379v1
- Date: Fri, 10 Dec 2021 08:19:03 GMT
- Title: Cross-Modal Transferable Adversarial Attacks from Images to Videos
- Authors: Zhipeng Wei, Jingjing Chen, Zuxuan Wu, Yu-Gang Jiang
- Abstract summary: Recent studies have shown that adversarial examples hand-crafted on one white-box model can be used to attack other black-box models.
We propose a simple yet effective cross-modal attack method, named the Image To Video (I2V) attack.
I2V generates adversarial frames by minimizing the cosine similarity between the features that pre-trained image models extract from adversarial and benign examples.
- Score: 82.0745476838865
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Recent studies have shown that adversarial examples hand-crafted on one
white-box model can be used to attack other black-box models. Such cross-model
transferability makes it feasible to perform black-box attacks, which has
raised security concerns for real-world DNN applications. Nevertheless,
existing works mostly focus on investigating the adversarial transferability
across different deep models that share the same modality of input data. The
cross-modal transferability of adversarial perturbation has never been
explored. This paper investigates the transferability of adversarial
perturbation across different modalities, i.e., leveraging adversarial
perturbation generated on white-box image models to attack black-box video
models. Specifically, motivated by the observation that the low-level feature
spaces of images and video frames are similar, we propose a simple yet
effective cross-modal attack method, named the Image To Video (I2V) attack. I2V
generates adversarial frames by minimizing the cosine similarity between the
features that pre-trained image models extract from adversarial and benign examples, then
combines the generated adversarial frames to perform black-box attacks on video
recognition models. Extensive experiments demonstrate that I2V can achieve high
attack success rates on different black-box video recognition models. On
Kinetics-400 and UCF-101, I2V achieves average attack success rates of 77.88%
and 65.68%, respectively, which sheds light on the feasibility of cross-modal
adversarial attacks.
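To make the optimization concrete, the following is a minimal PyTorch sketch of the I2V idea as described above: perturb each frame under an L-infinity budget so that its features from a pre-trained image model lose cosine similarity with the benign frame's features. The ResNet-50 backbone, the PGD-style update, and all hyperparameters are illustrative assumptions rather than details from the paper; ImageNet input normalization is omitted for brevity.

```python
# Hypothetical sketch of the I2V objective: push image-model features of
# adversarial frames away from those of benign frames (cosine similarity).
import torch
import torchvision.models as models

def i2v_attack(frames, eps=16 / 255, alpha=2 / 255, steps=60):
    """frames: (T, 3, H, W) tensor of benign video frames in [0, 1]."""
    backbone = models.resnet50(weights=models.ResNet50_Weights.DEFAULT)
    feat = torch.nn.Sequential(*list(backbone.children())[:-1]).eval()  # drop FC head
    for p in feat.parameters():
        p.requires_grad_(False)

    with torch.no_grad():
        clean = feat(frames).flatten(1)                  # (T, D) benign features

    adv = frames.clone()
    for _ in range(steps):
        adv.requires_grad_(True)
        sim = torch.nn.functional.cosine_similarity(feat(adv).flatten(1), clean)
        grad, = torch.autograd.grad(sim.mean(), adv)
        with torch.no_grad():
            adv = adv - alpha * grad.sign()                  # descend on similarity
            adv = frames + (adv - frames).clamp(-eps, eps)   # L-infinity budget
            adv = adv.clamp(0, 1)
    return adv.detach()
```

Per the abstract, the perturbed frames are then reassembled into a clip and submitted to the black-box video recognition model.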
Related papers
- Inter-frame Accelerate Attack against Video Interpolation Models [73.28751441626754]
We apply adversarial attacks to VIF models and find that they are highly vulnerable to adversarial examples.
We propose a novel attack method named Inter-frame Accelerate Attack (IAA), which initializes the current frame's perturbation with the perturbation of the previous adjacent frame, as sketched below.
It is shown that our method can improve attack efficiency greatly while achieving comparable attack performance with traditional methods.
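A minimal sketch of this warm-start idea follows; the PGD-style inner loop, the generic `loss_fn`, and all hyperparameters are placeholders, not the paper's actual objective.

```python
# Hypothetical warm-start sketch: each frame's perturbation is initialized
# from the previous adjacent frame's, so fewer iterations are needed per frame.
import torch

def iaa_style_attack(frames, loss_fn, eps=8 / 255, alpha=2 / 255, steps=5):
    """frames: list of (3, H, W) tensors in [0, 1]; loss_fn maps a frame to a scalar."""
    delta = torch.zeros_like(frames[0])      # carried across adjacent frames
    adv_frames = []
    for x in frames:
        for _ in range(steps):
            d = delta.clone().requires_grad_(True)
            grad, = torch.autograd.grad(loss_fn((x + d).clamp(0, 1)), d)
            delta = (delta + alpha * grad.sign()).clamp(-eps, eps)  # ascend loss
        adv_frames.append((x + delta).clamp(0, 1).detach())
    return adv_frames   # note: delta is never reset between frames
```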
arXiv Detail & Related papers (2023-05-11T03:08:48Z) - Rethinking Model Ensemble in Transfer-based Adversarial Attacks [46.82830479910875]
An effective strategy to improve the transferability is attacking an ensemble of models.
Previous works simply average the outputs of different models.
We propose a Common Weakness Attack (CWA) to generate more transferable adversarial examples.
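As context for CWA, here is a minimal sketch of the output-averaging baseline it improves on; the surrogate models, cross-entropy loss, and PGD loop are illustrative assumptions, and the CWA refinement itself is not reproduced here.

```python
# Hypothetical sketch of the baseline ensemble attack: average the logits of
# several white-box surrogates and run PGD against that averaged output.
import torch

def ensemble_pgd(x, y, surrogates, eps=8 / 255, alpha=2 / 255, steps=10):
    adv = x.clone()
    ce = torch.nn.CrossEntropyLoss()
    for _ in range(steps):
        adv.requires_grad_(True)
        logits = torch.stack([m(adv) for m in surrogates]).mean(dim=0)
        grad, = torch.autograd.grad(ce(logits, y), adv)
        with torch.no_grad():
            adv = adv + alpha * grad.sign()              # untargeted: ascend loss
            adv = (x + (adv - x).clamp(-eps, eps)).clamp(0, 1)
    return adv.detach()
```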
arXiv Detail & Related papers (2023-03-16T06:37:16Z) - Boosting Adversarial Transferability using Dynamic Cues [15.194437322391558]
We introduce spatial (image) and temporal (video) cues within the same source model through task-specific prompts.
Our attack results indicate that the attacker does not need specialized architectures.
Image models are effective surrogates for optimizing adversarial attacks that fool black-box models in a changing environment.
arXiv Detail & Related papers (2023-02-23T18:59:56Z) - Frequency Domain Model Augmentation for Adversarial Attack [91.36850162147678]
For black-box attacks, the gap between the substitute model and the victim model is usually large.
We propose a novel spectrum simulation attack to craft more transferable adversarial examples against both normally trained and defense models.
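A rough sketch of the model-augmentation idea follows: average gradients over copies of the input whose frequency spectra are randomly perturbed, so each copy behaves like a slightly different substitute model. The paper works in the DCT domain; an FFT is substituted here because PyTorch has no built-in DCT, and all parameters are illustrative assumptions.

```python
# Hypothetical sketch of frequency-domain model augmentation for transfer attacks.
import torch

def spectrum_augment(x, rho=0.5):
    """Randomly rescale and jitter the spectrum of x (differentiable in x)."""
    spec = torch.fft.fft2(x)
    scale = 1 + rho * (2 * torch.rand_like(x) - 1)   # random per-element scaling
    noise = rho * torch.randn_like(x)
    return torch.fft.ifft2(spec * scale + noise).real.clamp(0, 1)

def spectrum_attack(x, y, model, eps=8 / 255, alpha=2 / 255, steps=10, n_aug=5):
    adv = x.clone()
    ce = torch.nn.CrossEntropyLoss()
    for _ in range(steps):
        adv.requires_grad_(True)
        # Each augmented copy stands in for a slightly different substitute model.
        loss = sum(ce(model(spectrum_augment(adv)), y) for _ in range(n_aug)) / n_aug
        grad, = torch.autograd.grad(loss, adv)
        with torch.no_grad():
            adv = (x + (adv + alpha * grad.sign() - x).clamp(-eps, eps)).clamp(0, 1)
    return adv.detach()
```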
arXiv Detail & Related papers (2022-07-12T08:26:21Z) - Boosting the Transferability of Video Adversarial Examples via Temporal
Translation [82.0745476838865]
Adversarial examples are transferable, which makes them feasible for black-box attacks in real-world applications.
We introduce a temporal translation attack method, which optimizes the adversarial perturbations over a set of temporally translated video clips.
Experiments on the Kinetics-400 dataset and the UCF-101 dataset demonstrate that our method can significantly boost the transferability of video adversarial examples.
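A minimal sketch of that optimization follows, assuming an L-infinity PGD loop and `torch.roll` along the time axis as the temporal translation; the video model, shift set, and hyperparameters are illustrative assumptions.

```python
# Hypothetical sketch: average gradients over temporally shifted clips so the
# perturbation does not overfit to one particular frame ordering.
import torch

def temporal_translation_attack(clip, y, video_model, shifts=(-2, -1, 0, 1, 2),
                                eps=8 / 255, alpha=2 / 255, steps=10):
    """clip: (1, C, T, H, W) tensor in [0, 1]; video_model returns logits."""
    adv = clip.clone()
    ce = torch.nn.CrossEntropyLoss()
    for _ in range(steps):
        adv.requires_grad_(True)
        grad = torch.zeros_like(adv)
        for s in shifts:
            shifted = torch.roll(adv, shifts=s, dims=2)      # translate in time
            g, = torch.autograd.grad(ce(video_model(shifted), y), adv)
            grad = grad + g
        with torch.no_grad():
            adv = (clip + (adv + alpha * grad.sign() - clip).clamp(-eps, eps)).clamp(0, 1)
    return adv.detach()
```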
arXiv Detail & Related papers (2021-10-18T07:52:17Z) - Meta Gradient Adversarial Attack [64.5070788261061]
This paper proposes a novel architecture called Meta Gradient Adversarial Attack (MGAA), which is plug-and-play and can be integrated with any existing gradient-based attack method.
Specifically, we randomly sample multiple models from a model zoo to compose different tasks and iteratively simulate a white-box attack and a black-box attack in each task.
By narrowing the gap between the gradient directions in white-box and black-box attacks, the transferability of adversarial examples in the black-box setting can be improved.
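A loose sketch of the task-sampling loop under that white-box/black-box simulation idea follows; the exact MGAA update rule differs in detail, and the model zoo, step sizes, and task composition here are illustrative assumptions.

```python
# Hypothetical sketch of MGAA-style meta tasks: a white-box step on an ensemble
# of sampled models, then a corrective step on a held-out "black-box" model.
import random
import torch

def meta_gradient_attack(x, y, model_zoo, eps=8 / 255, alpha=2 / 255,
                         steps=10, models_per_task=3):
    ce = torch.nn.CrossEntropyLoss()

    def grad_wrt(inp, models):
        inp = inp.clone().requires_grad_(True)
        loss = sum(ce(m(inp), y) for m in models) / len(models)
        g, = torch.autograd.grad(loss, inp)
        return g

    adv = x.clone()
    for _ in range(steps):
        task = random.sample(model_zoo, models_per_task + 1)
        train_models, test_model = task[:-1], task[-1]
        # Meta-train: simulated white-box attack on the sampled ensemble.
        tmp = adv + alpha * grad_wrt(adv, train_models).sign()
        # Meta-test: simulated black-box attack on the held-out model, nudging
        # the update toward directions that also fool unseen models.
        adv = adv + alpha * grad_wrt(tmp, [test_model]).sign()
        adv = (x + (adv - x).clamp(-eps, eps)).clamp(0, 1)
    return adv
```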
arXiv Detail & Related papers (2021-08-09T17:44:19Z) - Two Sides of the Same Coin: White-box and Black-box Attacks for Transfer
Learning [60.784641458579124]
We show that fine-tuning effectively enhances model robustness under white-box FGSM attacks.
We also propose a black-box attack method for transfer learning models which attacks the target model with the adversarial examples produced by its source model.
To systematically measure the effect of both white-box and black-box attacks, we propose a new metric to evaluate how transferable the adversarial examples produced by a source model are to a target model.
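The paper's metric is not reproduced here; as a plausible instantiation, transferability can be measured as the fraction of adversarial examples crafted on the source model that also fool the target model, as in this hypothetical helper.

```python
# Hypothetical transferability measure: success rate, on the target model, of
# adversarial examples that were crafted on a source model.
import torch

@torch.no_grad()
def transfer_rate(adv_examples, labels, target_model):
    preds = target_model(adv_examples).argmax(dim=1)
    return (preds != labels).float().mean().item()   # higher = more transferable
```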
arXiv Detail & Related papers (2020-08-25T15:04:32Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of its content (including all information) and is not responsible for any consequences of its use.