Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Query-Efficient Video Adversarial Attack with Stylized Logo

Duoxun Tang, Yuxin Cao, Xi Xiao, Derui Wang, Sheng Wen, Tianqing Zhu

TL;DR

This work proposes a novel black-box video attack framework, called Stylized Logo Attack (SLA), which can achieve better performance than state-of-the-art methods and still maintain good deception effects when facing various defense methods.

Abstract

Video classification systems based on Deep Neural Networks (DNNs) have demonstrated excellent performance in accurately verifying video content. However, recent studies have shown that DNNs are highly vulnerable to adversarial examples. Therefore, a deep understanding of adversarial attacks can better respond to emergency situations. In order to improve attack performance, many style-transfer-based attacks and patch-based attacks have been proposed. However, the global perturbation of the former will bring unnatural global color, while the latter is difficult to achieve success in targeted attacks due to the limited perturbation space. Moreover, compared to a plethora of methods targeting image classifiers, video adversarial attacks are still not that popular. Therefore, to generate adversarial examples with a low budget and to provide them with a higher verisimilitude, we propose a novel black-box video attack framework, called Stylized Logo Attack (SLA). SLA is conducted through three steps. The first step involves building a style references set for logos, which can not only make the generated examples more natural, but also carry more target class features in the targeted attacks. Then, reinforcement learning (RL) is employed to determine the style reference and position parameters of the logo within the video, which ensures that the stylized logo is placed in the video with optimal attributes. Finally, perturbation optimization is designed to optimize perturbations to improve the fooling rate in a step-by-step manner. Sufficient experimental results indicate that, SLA can achieve better performance than state-of-the-art methods and still maintain good deception effects when facing various defense methods.

Query-Efficient Video Adversarial Attack with Stylized Logo

TL;DR

This work proposes a novel black-box video attack framework, called Stylized Logo Attack (SLA), which can achieve better performance than state-of-the-art methods and still maintain good deception effects when facing various defense methods.

Abstract

Video classification systems based on Deep Neural Networks (DNNs) have demonstrated excellent performance in accurately verifying video content. However, recent studies have shown that DNNs are highly vulnerable to adversarial examples. Therefore, a deep understanding of adversarial attacks can better respond to emergency situations. In order to improve attack performance, many style-transfer-based attacks and patch-based attacks have been proposed. However, the global perturbation of the former will bring unnatural global color, while the latter is difficult to achieve success in targeted attacks due to the limited perturbation space. Moreover, compared to a plethora of methods targeting image classifiers, video adversarial attacks are still not that popular. Therefore, to generate adversarial examples with a low budget and to provide them with a higher verisimilitude, we propose a novel black-box video attack framework, called Stylized Logo Attack (SLA). SLA is conducted through three steps. The first step involves building a style references set for logos, which can not only make the generated examples more natural, but also carry more target class features in the targeted attacks. Then, reinforcement learning (RL) is employed to determine the style reference and position parameters of the logo within the video, which ensures that the stylized logo is placed in the video with optimal attributes. Finally, perturbation optimization is designed to optimize perturbations to improve the fooling rate in a step-by-step manner. Sufficient experimental results indicate that, SLA can achieve better performance than state-of-the-art methods and still maintain good deception effects when facing various defense methods.
Paper Structure (37 sections, 16 equations, 11 figures, 8 tables, 2 algorithms)

This paper contains 37 sections, 16 equations, 11 figures, 8 tables, 2 algorithms.

Table of Contents

  1. INTRODUCTION
  2. RELATED WORK
  3. Restricted Attacks
  4. Style-transfer-based Attacks
  5. Patch-based Attacks
  6. Defense against Patch-based Attacks
  7. PRELIMINARY
  8. DNN-based Video Classifier
  9. Problem Definition
  10. Threat Model
  11. METHOD
  12. Style Reference Selection
  13. Purpose of Selection
  14. Simple Square Attack
  15. RL-based Logo Style Transfer
  16. ...and 22 more sections

Figures (11)

  • Figure 1: Architecture of SLA.
  • Figure 2: Some examples of logo references.
  • Figure 3: Examples of different attacks.
  • Figure 4: Adversarial examples in targeted attacks on UCF-101, HMDB-51 and Kinetics-400.
  • Figure 5: Adversarial examples in untargeted attacks on UCF-101, HMDB-51 and Kinetics-400.
  • ...and 6 more figures