面向人体姿态估计的不可察局部对抗攻击
Imperceptible Local Adversarial Attacks on Human Pose Estimation
-
摘要: 尽管深度神经网络在很多任务上取得了良好的结果, 但是它们对于微小的对抗扰动却很容易出现预测错误. 然而在人体姿态估计的对抗攻击任务中,通常需要添加较大的扰动噪声才能攻击成功, 这使得其不可察性变差; 减少扰动噪声又会削弱攻击效果. 为了克服该矛盾, 提出一种面向人体姿态估计的两阶段局部对抗攻击方法. 方法首先通过预攻击估计出扰动关键区域, 然后利用不可察性约束在关键区域内生成扰动. 方法不仅可以对人体姿态进行有效攻击, 而且还能确保最终扰动区域具有低可察性. 采用COCO2017作为对抗扰动实验数据集并使用PCK作为评价指标, 比较在人体姿态估计模型中IGSM和C&W方法的攻击效果, 其攻击效果分别提高15.4%与2.8%. 实验结果表明方法在保证攻击的低可察的同时, 取得较好的攻击效果.Abstract: Though deep neural networks have achieved state-of-the-art performance in many tasks, they have recently been shown to be unstable to slight adversarial perturbations of data samples. In the task of adversarial attack on human pose estimation, large perturbations are usually required to achieve an attack, which degrades the imperceptibility. If, on the other hand, small perturbations preserve the imperceptibility, which weakens the adversary attack effect. To solve this issue, this paper proposes a two-stage local adversarial attack method for human pose estimation. The proposed method first estimates critical perturbation regions by pre-attack, and then generates adversarial perturbations within each critical region under the imperceptibility constraint. The proposed method improves the attack success rate on human pose estimation and retains imperceptibility as well. We validate the effectiveness of our method on COCO2017 dataset in terms of PCK metric and compare the results with existing methods including IGSM and C&W. Our proposed method outperforms existing methods, and improves the attack success rate by 15.4% and 2.8% respectively. The experiments show that our method achieves higher attack success rates while keeping the imperceptibility of the attack.