Skeletal motion plays a pivotal role in human activity recognition (HAR). Recently, attack methods have been proposed to identify the universal vulnerability of skeleton-based HAR(S-HAR). However, the research of adversarial transferability on S-HAR is largely missing. More importantly, existing attacks all struggle in transfer across unknown S-HAR models. We observed that the key reason is that the loss landscape of the action recognizers is rugged and sharp. Given the established correlation in prior studies~\cite{qin2022boosting,wu2020towards} between loss landscape and adversarial transferability, we assume and empirically validate that smoothing the loss landscape could potentially improve adversarial transferability on S-HAR. This is achieved by proposing a new post-train Dual Bayesian strategy, which can effectively explore the model posterior space for a collection of surrogates without the need for re-training. Furthermore, to craft adversarial examples along the motion manifold, we incorporate the attack gradient with information of the motion dynamics in a Bayesian manner. Evaluated on benchmark datasets, e.g. HDM05 and NTU 60, the average transfer success rate can reach as high as 35.9\% and 45.5\% respectively. In comparison, current state-of-the-art skeletal attacks achieve only 3.6\% and 9.8\%. The high adversarial transferability remains consistent across various surrogate, victim, and even defense models. Through a comprehensive analysis of the results, we provide insights on what surrogates are more likely to exhibit transferability, to shed light on future research.

翻译：骨架运动在人类活动识别(HAR)中起着关键作用。近期已有攻击方法被提出，用于识别基于骨架的HAR(S-HAR)的普遍脆弱性。然而，针对S-HAR的对抗迁移性研究仍存在较大空白。更重要的是，现有攻击方法在跨未知S-HAR模型迁移时均面临困难。我们观察到，其关键原因在于动作识别器的损失函数景观崎岖且尖锐。鉴于先前研究~\cite{qin2022boosting,wu2020towards}已建立损失函数景观与对抗迁移性之间的关联，我们假设并实证验证：平滑损失函数景观可能提升S-HAR的对抗迁移性。为此，我们提出一种新的后训练双重贝叶斯策略，该策略能有效探索模型后验空间以获得一组替代模型，且无需重新训练。此外，为沿着运动流形生成对抗样本，我们以贝叶斯方式将攻击梯度与运动动力学信息相结合。在基准数据集（如HDM05和NTU 60）上的评估表明，平均迁移成功率分别可达35.9%和45.5%。相比之下，当前最先进的骨架攻击方法仅能达到3.6%和9.8%。这种高对抗迁移性在不同替代模型、受害模型乃至防御模型中均保持稳定。通过对结果的综合分析，我们深入探讨了哪些替代模型更可能展现迁移性，以期为未来研究提供启示。