A Differentiable Language Model Adversarial Attack on Text Classifiers

Skeleton-based action recognition models have recently been shown to be vulnerable to adversarial attacks. Compared to adversarial attacks on images, perturbations to skeletons are typically bounded to a lower dimension of approximately 100 per frame. This lower-dimensional setting makes it more difficult to generate imperceptible perturbations. Existing attacks resolve this by exploiting the temporal structure of the skeleton motion so that the perturbation dimension increases to thousands. In this paper, we show that adversarial attacks can be performed on skeleton-based action recognition models, even in a significantly low-dimensional setting without any temporal manipulation. Specifically, we restrict the perturbations to the lengths of the skeleton's bones, which allows an adversary to manipulate only approximately 30 effective dimensions. We conducted experiments on the NTU RGB+D and HDM05 datasets and demonstrate that the proposed attack successfully deceived models with sometimes greater than 90% success rate by small perturbations. Furthermore, we discovered an interesting phenomenon: in our low-dimensional setting, the adversarial training with the bone length attack shares a similar property with data augmentation, and it not only improves the adversarial robustness but also improves the classification accuracy on the original data. This is an interesting counterexample of the trade-off between adversarial robustness and clean accuracy, which has been widely observed in studies on adversarial training in the high-dimensional regime.

show abstract

Section: Introductionmentioning

confidence: 99%

Adversarial Bone Length Attack on Action Recognition

Tanaka

Kera

Kawamoto

2022

AAAI

View full text Add to dashboard Cite

show abstract

“…The transformer architecture based on attention shows impressive results in many problems related to the processing of sequential data and in particular NLP [5], [9] and computer vision [8].…”

Section: Introductionmentioning

confidence: 99%

Usage of specific attention improves change point detection

Dmitrienko¹,

Romanenkova²,

Zaytsev³

2022

Preprint

Self Cite

View full text Add to dashboard Cite

The change point is a moment of an abrupt alteration in the data distribution. Current methods for change point detection are based on recurrent neural methods suitable for sequential data. However, recent works show that transformers based on attention mechanisms perform better than standard recurrent models for many tasks. The most benefit is noticeable in the case of longer sequences. In this paper, we investigate different attentions for the change point detection task and proposed specific form of attention related to the task at hand. We show that using a special form of attention outperforms state-of-the-art results.

show abstract

“…Since then, various adversarial attack methods have been proposed in computer vision (Goodfellow, Shlens, and Szegedy 2015;Carlini and Wagner 2017;. Adversarial attacks are not limited to the image domain; they are also possible in domains such as video classification (Wei et al 2019;Chen et al 2021b), text classification (Fursov et al 2021), and speaker recognition (Chen et al 2021a). One of the reasons underlying the current success of adversarial attacks in various domains and tasks is that adversarial attacks manipulate high-dimensional data.…”

Section: Introductionmentioning

confidence: 99%

Adversarial Bone Length Attack on Action Recognition

Tanaka¹,

Kera²,

Kawamoto³

2021

Preprint

View full text Add to dashboard Cite

Skeleton-based action recognition models have recently been shown to be vulnerable to adversarial attacks. Compared to adversarial attacks on images, perturbations to skeletons are typically bounded to a lower dimension of approximately 100 per frame. This lower-dimensional setting makes it more difficult to generate imperceptible perturbations. Existing attacks resolve this by exploiting the temporal structure of the skeleton motion so that the perturbation dimension increases to thousands. In this paper, we show that adversarial attacks can be performed on skeleton-based action recognition models, even in a significantly low-dimensional setting without any temporal manipulation. Specifically, we restrict the perturbations to the lengths of the skeleton's bones, which allows an adversary to manipulate only approximately 30 effective dimensions. We conducted experiments on the NTU RGB+D and HDM05 datasets and demonstrate that the proposed attack successfully deceived models with sometimes greater than 90% success rate by small perturbations. Furthermore, we discovered an interesting phenomenon: in our lowdimensional setting, the adversarial training with the bone length attack shares a similar property with data augmentation, and it not only improves the adversarial robustness but also improves the classification accuracy on the original original data. This is an interesting counterexample of the tradeoff between adversarial robustness and clean accuracy, which has been widely observed in studies on adversarial training in the high-dimensional regime.

show abstract

A Differentiable Language Model Adversarial Attack on Text Classifiers

Cited by 3 publications

References 27 publications

Adversarial Bone Length Attack on Action Recognition

Adversarial Bone Length Attack on Action Recognition

Usage of specific attention improves change point detection

Adversarial Bone Length Attack on Action Recognition

Contact Info

Product

Resources

About