【摘要】 不同的视频识别模型具备不同的时间判别模式．在迁移攻击中，视频对抗样本生成时会对白盒模型的时间判别模式产生过拟合，从而导致对抗样本的迁移性较差．针对这一现象，提出了一种有效缓解该过拟合现象的算法．该算法通过抽帧的方式生成多个增广视频，放入白盒模型，反向传播得到增广梯度，然后对这些梯度进行归位并加权求和，获得最终的梯度信息，最终将梯度信息带入基于梯度的白盒攻击方法，如FGSM,BIM等，获得最终的对抗样本．对交叉熵损失函数进行了改进，交叉熵损失函数在指导对抗样本的生成时，优先目的是快速找到能够让模型分类错误的方向，而没有考虑分类结果与其他概率较高类别在语义空间的距离．针对这一现象，对经典的交叉熵损失函数进行了改进，增加了基于KL散度的正则项，基于该损失函数生成的对抗样本迁移性更强．在Kinetics-400以及UCF-101数据集上，以ResNet50和ResNet101为主干网络，分别训练了Non-Local,SlowFast以及TPN共计6个视频识别领域常用的模型．将上述模型中的一种作为白盒模型，对其余模型进行迁移攻击，实验证明了该方法的有效性．更多还原

【Abstract】 Different video recognition models possess distinct temporal discrimination patterns.In transfer attacks,the generation of video adversarial examples can lead to overfitting to the whitebox model’s temporal discrimination pattern,resulting in poor transferability of the adversarial examples.In view of this phenomenon,an effective algorithm is proposed to alleviate the overfitting phenomenon.The algorithm generates multiple augmented videos by frame extraction,inputs them into a white-box model,and obtains augmented gradients through backpropagation.Then,it repositions these gradients and calculates a weighted sum to acquire the final gradient information.Finally,it introduces this gradient information into gradient-based white-box attack methods,such as FGSM and BIM,to obtain the final adversarial samples.The cross-entropy loss function was improved;while guiding the generation of adversarial examples,its primary goal was to quickly find a direction that causes the model to misclassify,without considering the semantic space distance between the classification result and other categories with higher probabilities.In response to this issue,a regularization term based on KL divergence was introduced.When combined with the cross-entropy function,the adversarial examples generated based on this loss function have stronger transferability.On the Kinetics-400 and UCF-101 datasets,six commonly used models in the video recognition domain were trained,specifically Non-Local,SlowFast,and TPN,with ResNet50 and ResNet101 serving as the backbone networks.One of these models was selected as the white-box model to conduct transfer attacks on the remaining models,and a large number of experiments demonstrated the effectiveness of the method.更多还原