Machine learning models trained on small data sets for security applications are especially vulnerable to adversarial attacks. Person identification from LiDAR based skeleton data requires time consuming and expensive data acquisition for each subject identity. Recently, Assessment and Augmented Identity Recognition for Skeletons (AAIRS) has been used to train Hierarchical Co-occurrence Networks for Person Identification (HCN-ID) with small LiDAR based skeleton data sets. However, AAIRS does not evaluate the robustness of HCN-ID to adversarial attacks or inoculate the model to defend against such attacks. Popular perturbation-based approaches to generating adversarial attacks are constrained to targeted perturbations added to real training samples, which is not ideal for inoculating models with small training sets. Thus, we propose Attack-AAIRS, a novel addition to the AAIRS framework. Attack-AAIRS leverages a small real data set and a GAN generated synthetic data set to assess and improve model robustness against unseen adversarial attacks. Rather than being constrained to perturbations of limited real training samples, the GAN learns the distribution of adversarial attack samples that exploit weaknesses in HCN-ID. Attack samples drawn from this distribution augment training for inoculation of the HCN-ID to improve robustness. Ten-fold cross validation of Attack-AAIRS yields increased robustness to unseen attacks, including FGSM, PGD, Additive Gaussian Noise, MI-FGSM, and BIM. The HCN-ID Synthetic Data Quality Score for Attack-AAIRS indicates that generated attack samples are of similar quality to the original benign synthetic samples generated by AAIRS. Furthermore, inoculated models show consistent final test accuracy with the original model trained on real data, demonstrating that our method improves robustness to adversarial attacks without reducing test performance on real data.