Rethinking Audio-Visual Adversarial Vulnerability from Temporal and Modality Perspectives

TL;DR

This paper investigates adversarial vulnerabilities in audio-visual models from temporal and modality perspectives. It introduces two targeted attacks, the Temporal Invariance-based Attack and the Modality Misalignment-based Attack, and an integrated attack (TMA) to comprehensively probe robustness, along with an efficient audio-visual adversarial training framework that uses perturbation crafting and curriculum learning. Extensive experiments on Kinetics-Sounds and MIT-MUSIC demonstrate state-of-the-art attack performance and substantial improvements in adversarial robustness and training efficiency. The work provides actionable benchmarks and insights into temporal consistency, cross-modal alignment, and fusion-layer effects, informing secure design of multi-modal systems.

Abstract

While audio-visual learning equips models with a richer understanding of the real world by leveraging multiple sensory modalities, this integration also introduces new vulnerabilities to adversarial attacks. In this paper, we present a comprehensive study of the adversarial robustness of audio-visual models, considering both temporal and modality-specific vulnerabilities. We propose two powerful adversarial attacks: 1) a temporal invariance attack that exploits the inherent temporal redundancy across consecutive time segments and 2) a modality misalignment attack that introduces incongruence between the audio and visual modalities. These attacks are designed to thoroughly assess the robustness of audio-visual models against diverse threats. Furthermore, to defend against such attacks, we introduce a novel audio-visual adversarial training framework. This framework addresses key challenges in vanilla adversarial training by incorporating efficient adversarial perturbation crafting tailored to multi-modal data and an adversarial curriculum strategy. Extensive experiments in the Kinetics-Sounds dataset demonstrate that our proposed temporal and modality-based attacks in degrading model performance can achieve state-of-the-art performance, while our adversarial training defense largely improves the adversarial robustness as well as the adversarial training efficiency.

Figures (13)

• Figure 1: Classification accuracy of the model when masking the audio and visual data with a ratio of $\rho$.
• Figure 2: Average black-box attack success rate ($\%$) against $7$ black-box models.
• Figure 3: The average black-box attack success rate (A.S.R.) and cosine similarity (C.S.) of the audio-visual adversarial examples generated by different attacks.
• Figure 4: Overview of the adversarial perturbation crafting in the adversarial training process. Given an audio-visual data, we randomly segment it into different parts (green and yellow) and sample frames from each of the segments with ratio $\alpha$ (red). Then, we diversify each sampled frame by $N_{\hat{T}}$ copies and employ TIA and MMA to craft the adversarial perturbation. Finally, we map the generated adversarial perturbation to corresponding segments, creating adversarial examples for adversarial training.
• Figure 5: Attack success rates (%) of eight deep models, where the adversarial examples are generated on the white-box surrogate model and attack all models (one white-box model and seven black-box models). TIA, MMA, and TMA are our proposed attack methods.