Invisibility Cloak: Disappearance under Human Pose Estimation via Backdoor Attacks
Minxing Zhang, Wenshu Fan, Wenbo Jiang, Shui Yu, Michael Backes, Xiao Zhang
TL;DR
The paper addresses a critical risk in human pose estimation (HPE): disappearance attacks via backdoors that cause a person to be unseen in HPE outputs. It introduces IntC, a general framework that links triggers to non-human HPE labels, with three main designs—IntC-S, IntC-E, and IntC-L—plus a baseline IntC-B, and demonstrates their effectiveness across regression- and heatmap-based HPE methods. Through extensive experiments on COCO, MPII, and CrowdPose with multiple HPE techniques (DeepPose, CP, HRNet, DEKR), the work shows high attack success rates while preserving model utility, and analyzes generalization to multi-person scenarios and potential defenses. The findings reveal notable security risks for HPE in real-world systems (e.g., autonomous driving) and motivate the development of robust defenses and safer deployment practices for pose-estimation pipelines.
Abstract
Despite being significant in autonomous systems, Human Pose Estimation (HPE)'s potential risks to adversarial attacks have not received comparable attention with image classification or segmentation tasks. In this paper, we study the vulnerability of HPE systems to disappearance attacks, where the attacker aims to subtly alter the HPE training process via backdoor techniques so that any input image with some specific trigger will not be recognized as involving any human pose. As humans are typically at the center of HPE systems, a successful attack will severely threaten pedestrians' lives if a self-driving car incorrectly understands the front scene. To achieve the adversarial goal of disappearance, we propose \emph{IntC}, a general framework to craft an invisibility cloak in the HPE domain. By designing target HPE labels that do not represent any human pose, we propose three specific backdoor attacks based on our IntC framework. IntC-S and IntC-E, respectively designed for regression- and heatmap-based HPE techniques, concentrate the keypoints of triggered images in a tiny, imperceptible region. Further, to improve the attack's stealthiness, IntC-L designs the target poisons to capture the label outputs of typical landscape images without a human involved, achieving disappearance and reducing detectability simultaneously. Extensive experiments demonstrate the effectiveness and generalizability of our IntC methods in achieving the disappearance goal. By revealing the vulnerability of HPE to disappearance and backdoor attacks, we hope our work can raise awareness of the potential risks when HPE models are deployed in real-world applications.