Video recognition systems are vulnerable to adversarial examples. Recent studies show that style-transfer-based and patch-based unrestricted perturbations can effectively improve attack efficiency. These attacks, however, face two main challenges: 1) Adding large stylized perturbations to all pixels reduces the naturalness of the video, and such perturbations can be easily detected. 2) Patch-based video attacks are not extensible to targeted attacks due to the limited search space of reinforcement learning, which has been widely used in video attacks recently. In this paper, we focus on the video black-box setting and propose a novel attack framework named LogoStyleFool, which adds a stylized logo to the clean video. We separate the attack into three stages: style reference selection, reinforcement-learning-based logo style transfer, and perturbation optimization. We solve the first challenge by scaling down the perturbation range to a regional logo, while the second challenge is addressed by adding an optimization stage after reinforcement learning. Experimental results substantiate the overall superiority of LogoStyleFool over three state-of-the-art patch-based attacks in terms of attack performance and semantic preservation. Meanwhile, LogoStyleFool still maintains its performance against two existing patch-based defense methods. We believe that our research is beneficial in increasing the attention of the security community to such subregional style transfer attacks.