Recently, methods for skeleton-based human activity recognition have been shown to be vulnerable to adversarial attacks. However, these attack methods require either the full knowledge of the victim (i.e. white-box attacks), access to training data (i.e. transfer-based attacks) or frequent model queries (i.e. black-box attacks). All their requirements are highly restrictive, raising the question of how detrimental the vulnerability is. In this paper, we show that the vulnerability indeed exists. To this end, we consider a new attack task: the attacker has no access to the victim model or the training data or labels, where we coin the term hard no-box attack. Specifically, we first learn a motion manifold where we define an adversarial loss to compute a new gradient for the attack, named skeleton-motion-informed (SMI) gradient. Our gradient contains information of the motion dynamics, which is different from existing gradient-based attack methods that compute the loss gradient assuming each dimension in the data is independent. The SMI gradient can augment many gradient-based attack methods, leading to a new family of no-box attack methods. Extensive evaluation and comparison show that our method imposes a real threat to existing classifiers. They also show that the SMI gradient improves the transferability and imperceptibility of adversarial samples in both no-box and transfer-based black-box settings.

翻译：近期研究表明，基于骨架的人体动作识别方法易受对抗攻击影响。然而，现有攻击方法要么需要完全掌握受害者模型（即白盒攻击），要么需要访问训练数据（即迁移攻击），要么需要频繁查询模型（即黑盒攻击）。这些严格的前提条件引发疑问：该脆弱性究竟会造成多大危害？本文证明该脆弱性真实存在。为此，我们提出一种新型攻击任务：攻击者无法获取受害者模型、训练数据或标签，我们将此定义为硬无盒攻击。具体而言，我们首先学习一个运动流形，并在此流形上定义对抗损失以计算新型攻击梯度——即骨骼-运动信息（SMI）梯度。该梯度包含运动动力学信息，区别于现有基于梯度的攻击方法中假设数据各维度独立的损失梯度计算方式。SMI梯度可增强多种基于梯度的攻击方法，从而衍生出新型无盒攻击方法族。大量评估与对比表明，我们的方法对现有分类器构成真实威胁，同时证明SMI梯度能提升无盒攻击与基于迁移的黑盒攻击中对抗样本的可迁移性与隐蔽性。