Keywords: video adversarial example, video encoding, robust adversarial example, adversarial example life cycle
Abstract: In recent years, the vulnerability of network attracts the attention of researchers. However, in these methods, the impact of video compression coding on the added adversarial perturbation, i.e., the robustness of video adversarial sample, is not considered. When an adversarial sample is just generated, its attack capability is the strongest, but with multiple video encoding and video decoding in the process of Internet transmission, the added adversarial disturbance will be continuously eliminated, eventually leading to the attack of the adversarial sample performance disappears. We define this phenomenon as the decay of the lifetime of adversarial examples. To resist this performance degradation, we propose an adversarial attack method based on optimized integer space. The robustness of anti-coding, the visual concealment and the attack success rate are all considered during the process of attack. In addition, we have also reduced the rounding loss caused by normalization in the deep neural network model process. The contributions of our methods are: 1) We show the performance degradation caused by video compression coding on existing video adversarial attack methods, which seems an effective way for detecting of defensing video adversarial examples. 2) A robust video adversarial attack method is proposed to resist video compression coding. The experiment shows that our method achieves better performance on the robustness of anti-coding, the visual concealment, and the attack success rate.
Supplementary Material: zip