Diao, Yunfeng;
Wang, He;
Shao, Tianjia;
Yang, Yongliang;
Zhou, Kun;
Hogg, David;
Wang, Meng;
(2024)
Understanding the vulnerability of skeleton-based Human Activity Recognition via black-box attack.
Pattern Recognition
, Article 110564. 10.1016/j.patcog.2024.110564.
(In press).
![[thumbnail of 1-s2.0-S0031320324003157-main.pdf]](https://discovery.ucl.ac.uk/style/images/fileicons/text.png) |
Text
1-s2.0-S0031320324003157-main.pdf - Accepted Version Access restricted to UCL open access staff until 7 March 2025. Download (1MB) |
Abstract
Human Activity Recognition (HAR) has been employed in a wide range of applications, e.g. self-driving cars, where safety and lives are at stake. Recently, the robustness of skeleton-based HAR methods have been questioned due to their vulnerability to adversarial attacks. However, the proposed attacks require the full-knowledge of the attacked classifier, which is overly restrictive. In this paper, we show such threats indeed exist, even when the attacker only has access to the input/output of the model. To this end, we propose the very first black-box adversarial attack approach in skeleton-based HAR called BASAR. BASAR explores the interplay between the classification boundary and the natural motion manifold. To our best knowledge, this is the first time data manifold is introduced in adversarial attacks on time series. Via BASAR, we find on-manifold adversarial samples are extremely deceitful and rather common in skeletal motions, in contrast to the common belief that adversarial samples only exist off-manifold. Through exhaustive evaluation, we show that BASAR can deliver successful attacks across classifiers, datasets, and attack modes. By attack, BASAR helps identify the potential causes of the model vulnerability and provides insights on possible improvements. Finally, to mitigate the newly identified threat, we propose a new adversarial training approach by leveraging the sophisticated distributions of on/off-manifold adversarial samples, called mixed manifold-based adversarial training (MMAT). MMAT can successfully help defend against adversarial attacks without compromising classification accuracy.
| Type: | Article |
|---|---|
| Title: | Understanding the vulnerability of skeleton-based Human Activity Recognition via black-box attack |
| DOI: | 10.1016/j.patcog.2024.110564 |
| Publisher version: | https://doi.org/10.1016/j.patcog.2024.110564 |
| Language: | English |
| Additional information: | This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions. |
| Keywords: | Black-box attack, skeletal action recognition, adversarial robustness, on-manifold adversarial samples |
| UCL classification: | UCL UCL > Provost and Vice Provost Offices > UCL BEAMS UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science |
| URI: | https://discovery.ucl.ac.uk/id/eprint/10192088 |
Archive Staff Only
 |
View Item |
