Skeleton Action Recognition (SAR) has attracted significant interest for its efficient representation of the human skeletal structure. Despite its advancements, recent studies have raised security concerns in SAR models, particularly their vulnerability to adversarial attacks. However, such strategies are limited to digital scenarios and ineffective in physical attacks, limiting their real-world applicability. To investigate the vulnerabilities of SAR in the physical world, we introduce the Physical Skeleton Backdoor Attacks (PSBA), the first exploration of physical backdoor attacks against SAR. Considering the practicalities of physical execution, we introduce a novel trigger implantation method that integrates infrequent and imperceivable actions as triggers into the original skeleton data. By incorporating a minimal amount of this manipulated data into the training set, PSBA enables the system misclassify any skeleton sequences into the target class when the trigger action is present. We examine the resilience of PSBA in both poisoned and clean-label scenarios, demonstrating its efficacy across a range of datasets, poisoning ratios, and model architectures. Additionally, we introduce a trigger-enhancing strategy to strengthen attack performance in the clean label setting. The robustness of PSBA is tested against three distinct backdoor defenses, and the stealthiness of PSBA is evaluated using two quantitative metrics. Furthermore, by employing a Kinect V2 camera, we compile a dataset of human actions from the real world to mimic physical attack situations, with our findings confirming the effectiveness of our proposed attacks. Our project website can be found at https://qichenzheng.github.io/psba-website.

翻译：骨架动作识别因其对人体骨骼结构的高效表示而受到广泛关注。尽管该领域取得了显著进展，但近期研究揭示了骨架动作识别模型存在的安全隐患，特别是其对对抗性攻击的脆弱性。然而，现有攻击策略多局限于数字场景，在物理攻击中效果有限，制约了其实际应用价值。为探究骨架动作识别在物理世界中的脆弱性，本文首次提出物理骨架后门攻击，这是针对骨架动作识别的物理后门攻击的首次探索。考虑到物理执行的实际条件，我们设计了一种新颖的触发器植入方法，将低频且难以察觉的动作作为触发器融入原始骨架数据。通过在训练集中注入少量篡改数据，当触发动作出现时，PSBA 能使系统将任意骨架序列误分类为目标类别。我们在毒化标签和干净标签两种场景下检验了 PSBA 的鲁棒性，并在多种数据集、投毒比例和模型架构上验证了其有效性。此外，我们提出了一种触发器增强策略以提升干净标签设置下的攻击性能。PSBA 的鲁棒性经过三种不同后门防御方法的测试，其隐蔽性通过两个量化指标进行评估。进一步地，我们使用 Kinect V2 相机采集真实世界人体动作数据集以模拟物理攻击场景，实验结果证实了所提攻击方法的有效性。项目网站详见 https://qichenzheng.github.io/psba-website。