Video classification systems are vulnerable to adversarial attacks, which can create severe security problems in video verification. Current black-box attacks need a large number of queries to succeed, resulting in high computational overhead in the process of attack. On the other hand, attacks with restricted perturbations are ineffective against defenses such as denoising or adversarial training. In this paper, we focus on unrestricted perturbations and propose StyleFool, a black-box video adversarial attack via style transfer to fool the video classification system. StyleFool first utilizes color theme proximity to select the best style image, which helps avoid unnatural details in the stylized videos. Meanwhile, the target class confidence is additionally considered in targeted attacks to influence the output distribution of the classifier by moving the stylized video closer to or even across the decision boundary. A gradient-free method is then employed to further optimize the adversarial perturbations. We carry out extensive experiments to evaluate StyleFool on two standard datasets, UCF-101 and HMDB-51. The experimental results demonstrate that StyleFool outperforms the state-of-the-art adversarial attacks in terms of both the number of queries and the robustness against existing defenses. Moreover, 50% of the stylized videos in untargeted attacks do not need any query since they can already fool the video classification model. Furthermore, we evaluate the indistinguishability through a user study to show that the adversarial samples of StyleFool look imperceptible to human eyes, despite unrestricted perturbations.

翻译：摘要：视频分类系统易受对抗性攻击的影响，这可能在视频验证中造成严重的安全问题。当前的黑盒攻击需要大量查询才能成功，导致攻击过程中的计算开销较高。另一方面，具有受限扰动的攻击难以抵御去噪或对抗训练等防御措施。本文聚焦于非受限扰动，提出了一种名为StyleFool的黑盒视频对抗攻击方法，通过风格迁移来欺骗视频分类系统。StyleFool首先利用色彩主题邻近性选取最佳风格图像，这有助于避免风格化视频中出现不自然的细节。同时，在目标攻击中额外考虑目标类别的置信度，通过使风格化视频更接近甚至跨越决策边界，从而影响分类器的输出分布。随后采用无梯度方法进一步优化对抗扰动。我们在两个标准数据集UCF-101和HMDB-51上进行了大量实验来评估StyleFool。实验结果表明，StyleFool在查询次数和对现有防御的鲁棒性方面均优于最先进的对抗攻击方法。此外，非目标攻击中50%的风格化视频无需任何查询即可成功欺骗视频分类模型。最后，我们通过用户研究评估了不可分辨性，表明尽管StyleFool的对抗样本使用了非受限扰动，但其对人眼而言几乎不可察觉。