Stealthy and efficient adversarial example attack on video retrieval systems.

Massive videos are released every day particularly through video-focused social media apps like TikTok. This trend has fostered the quick emergence of video retrieval systems, which provide video retrieval services using machine learning techniques. Adversarial example (AE) attacks have been shown to be effective on such systems by perturbing an unaltered video subtly to induce false retrieval results. Such AE attacks can be easily detected because the adversarial perturbations are all over pixels and frames. In this paper, we propose DUO, a stealthy targeted black-box AE attack which uses DUal search Over frame-pixel to generate sparse perturbations and improve stealthiness and query efficiency. DUO is driven by three observations: only "key video frames" decide the model predictions, and different pixels and frames contribute far differently to AEs, and pixels in a frame exhibit locality. Subsequently we propose two AE attacks: DUO featuring pixel sparsity and DUO featuring group sparsity. Our sequential attack pipeline consists of two components, i.e., SparseTransfer and SparseQuery. In effect, DUO utilizes SparseTransfer to generate initial perturbations and then SparseQuery to further rectify them. Meanwhile, DUO focuses on individual pixels, whereas DUO targets groups of pixels. Extensive evaluations on two popular datasets confirm the improved stealthiness and efficacy of DUO over existing AE attacks on video retrieval systems. Particularly, DUO can achieve higher precision while significantly reducing adversarial perturbations by more than ×100 than state-of-the-art, and DUO is with more than ×10 fewer queries.