StyleFool: Fooling Video Classification Systems via Style Transfer
- URL: http://arxiv.org/abs/2203.16000v4
- Date: Mon, 1 Apr 2024 05:51:31 GMT
- Title: StyleFool: Fooling Video Classification Systems via Style Transfer
- Authors: Yuxin Cao, Xi Xiao, Ruoxi Sun, Derui Wang, Minhui Xue, Sheng Wen,
- Abstract summary: StyleFool is a black-box video adversarial attack via style transfer to fool the video classification system.
StyleFool outperforms the state-of-the-art adversarial attacks in terms of the number of queries and the robustness against existing defenses.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Video classification systems are vulnerable to adversarial attacks, which can create severe security problems in video verification. Current black-box attacks need a large number of queries to succeed, resulting in high computational overhead in the process of attack. On the other hand, attacks with restricted perturbations are ineffective against defenses such as denoising or adversarial training. In this paper, we focus on unrestricted perturbations and propose StyleFool, a black-box video adversarial attack via style transfer to fool the video classification system. StyleFool first utilizes color theme proximity to select the best style image, which helps avoid unnatural details in the stylized videos. Meanwhile, the target class confidence is additionally considered in targeted attacks to influence the output distribution of the classifier by moving the stylized video closer to or even across the decision boundary. A gradient-free method is then employed to further optimize the adversarial perturbations. We carry out extensive experiments to evaluate StyleFool on two standard datasets, UCF-101 and HMDB-51. The experimental results demonstrate that StyleFool outperforms the state-of-the-art adversarial attacks in terms of both the number of queries and the robustness against existing defenses. Moreover, 50% of the stylized videos in untargeted attacks do not need any query since they can already fool the video classification model. Furthermore, we evaluate the indistinguishability through a user study to show that the adversarial samples of StyleFool look imperceptible to human eyes, despite unrestricted perturbations.
Related papers
- Query-Efficient Video Adversarial Attack with Stylized Logo [17.268709979991996]
Video classification systems based on Deep Neural Networks (DNNs) are highly vulnerable to adversarial examples.
We propose a novel black-box video attack framework, called Stylized Logo Attack (SLA).
SLA is conducted through three steps. The first step involves building a style references set for logos, which can not only make the generated examples more natural, but also carry more target class features in the targeted attacks.
arXiv Detail & Related papers (2024-08-22T03:19:09Z)
- LogoStyleFool: Vitiating Video Recognition Systems via Logo Style Transfer [17.191978308873814]
We propose a novel attack framework named LogoStyleFool by adding a stylized logo to the clean video.
We separate the attack into three stages: style reference selection, reinforcement-learning-based logo style transfer, and perturbation optimization.
Experimental results substantiate the overall superiority of LogoStyleFool over three state-of-the-art patch-based attacks in terms of attack performance and semantic preservation.
arXiv Detail & Related papers (2023-12-15T16:44:38Z)
- Inter-frame Accelerate Attack against Video Interpolation Models [73.28751441626754]
We apply adversarial attacks to VIF models and find that the VIF models are very vulnerable to adversarial examples.
We propose a novel attack method named Inter-frame Accelerate Attack (IAA) thats the iterations as the perturbation for the previous adjacent frame.
It is shown that our method can improve attack efficiency greatly while achieving comparable attack performance with traditional methods.
arXiv Detail & Related papers (2023-05-11T03:08:48Z)
- Adversarial Attacks on Deep Learning-based Video Compression and Classification Systems [23.305818640220554]
We conduct the first systematic study for adversarial attacks on deep learning based video compression and downstream classification systems.
We propose an adaptive adversarial attack that can manipulate the Rate-Distortion relationship of a video compression model to achieve two adversarial goals.
We also devise novel objectives for targeted and untargeted attacks to a downstream video classification service.
arXiv Detail & Related papers (2022-03-18T22:42:20Z)
- Attacking Video Recognition Models with Bullet-Screen Comments [79.53159486470858]
We introduce a novel adversarial attack, which attacks video recognition models with bullet-screen comment (BSC) attacks.
BSCs can be regarded as a kind of meaningful patch; adding them to a clean video will not affect people's understanding of the video content, nor will it arouse people's suspicion.
arXiv Detail & Related papers (2021-10-29T08:55:50Z)
- Boosting the Transferability of Video Adversarial Examples via Temporal Translation [82.0745476838865]
Adversarial examples are transferable, which makes them feasible for black-box attacks in real-world applications.
We introduce a temporal translation attack method, which optimizes the adversarial perturbations over a set of temporally translated video clips.
Experiments on the Kinetics-400 dataset and the UCF-101 dataset demonstrate that our method can significantly boost the transferability of video adversarial examples.
arXiv Detail & Related papers (2021-10-18T07:52:17Z)
- Practical Relative Order Attack in Deep Ranking [99.332629807873]
We formulate a new adversarial attack against deep ranking systems, i.e., the Order Attack.
The Order Attack covertly alters the relative order among a selected set of candidates according to an attacker-specified permutation.
It is successfully implemented on a major e-commerce platform.
arXiv Detail & Related papers (2021-03-09T06:41:18Z)
- Local Black-box Adversarial Attacks: A Query Efficient Approach [64.98246858117476]
Adversarial attacks have threatened the application of deep neural networks in security-sensitive scenarios.
We propose a novel framework to perturb the discriminative areas of clean examples only within limited queries in black-box attacks.
We conduct extensive experiments to show that our framework can significantly improve the query efficiency during black-box perturbing with a high attack success rate.
arXiv Detail & Related papers (2021-01-04T15:32:16Z)
- MultAV: Multiplicative Adversarial Videos [71.94264837503135]
We propose a novel attack method against video recognition models, Multiplicative Adversarial Videos (MultAV).
MultAV imposes perturbation on video data by multiplication.
Experimental results show that the model adversarially trained against additive attack is less robust to MultAV.
arXiv Detail & Related papers (2020-09-17T04:34:39Z)
- Sparse Black-box Video Attack with Reinforcement Learning [14.624074868199287]
We formulate the black-box video attacks into a Reinforcement Learning framework.
The environment in RL is set as the recognition model, and the agent in RL plays the role of frame selecting.
We conduct a series of experiments with two mainstream video recognition models.
arXiv Detail & Related papers (2020-01-11T14:09:49Z)