Video classification systems are vulnerable to adversarial attacks, which can
create severe security problems in video verification. Current black-box
attacks need a large number of queries to succeed, resulting in high
computational overhead during the attack. On the other hand, attacks
with restricted perturbations are ineffective against defenses such as
denoising or adversarial training. In this paper, we focus on unrestricted
perturbations and propose StyleFool, a black-box video adversarial attack via
style transfer to fool the video classification system. StyleFool first
utilizes color theme proximity to select the best style image, which helps
avoid unnatural details in the stylized videos. Meanwhile, the target class
confidence is additionally considered in targeted attacks to influence the
output distribution of the classifier by moving the stylized video closer to or
even across the decision boundary. A gradient-free method is then employed to
further optimize the adversarial perturbation. We carry out extensive
experiments to evaluate StyleFool on two standard datasets, UCF-101 and
HMDB-51. The experimental results suggest that StyleFool outperforms the
state-of-the-art adversarial attacks in terms of both number of queries and
robustness against existing defenses. We identify that 50% of the stylized
videos in untargeted attacks do not need any query since they can already fool
the video classification model. Furthermore, we evaluate the
indistinguishability through a user study to show that the adversarial samples
of StyleFool look imperceptible to human eyes, despite unrestricted

Authors: Yuxin Cao, Xi Xiao, Ruoxi Sun, Derui Wang, Minhui Xue, Sheng Wen
