TY - JOUR
T1 - Investigating the significance of adversarial attacks and their relation to interpretability for radar-based human activity recognition systems
AU - Ozbulak, Utku
AU - Vandersmissen, Baptist
AU - Jalalvand, Azarakhsh
AU - Couckuyt, Ivo
AU - Van Messem, Arnout
AU - De Neve, Wesley
N1 - Publisher Copyright:
© 2020 The Authors
PY - 2021/1
Y1 - 2021/1
AB - Given their substantial success in addressing a wide range of computer vision challenges, Convolutional Neural Networks (CNNs) are increasingly being used in smart home applications, many of which rely on the automatic recognition of human activities. In this context, low-power radar devices have recently gained popularity as recording sensors, given that their use mitigates a number of privacy concerns, a key issue when making use of conventional video cameras. Another concern that is often cited when designing smart home applications is the resilience of these applications against cyberattacks. It is, for instance, well known that the combination of images and CNNs is vulnerable to adversarial examples, malicious data points that force machine learning models to generate wrong classifications at test time. In this paper, we investigate the vulnerability to adversarial attacks of radar-based CNNs that have been designed to recognize human gestures. Through experiments with four unique threat models, we show that radar-based CNNs are susceptible to both white- and black-box adversarial attacks. We also expose the existence of an extreme adversarial attack case, in which it is possible to change the prediction made by the radar-based CNNs by perturbing only the padding of the inputs, without touching the frames in which the action itself occurs. Moreover, we observe that gradient-based attacks do not apply perturbation randomly, but rather target important features of the input data. We highlight these important features by making use of Grad-CAM, a popular neural network interpretability method, thereby showing the connection between adversarial perturbation and prediction interpretability.
KW - Activity recognition
KW - Adversarial examples
KW - Deep convolutional neural networks
KW - Neural network interpretability
KW - Radar data
UR - http://www.scopus.com/inward/record.url?scp=85092423756&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85092423756&partnerID=8YFLogxK
DO - 10.1016/j.cviu.2020.103111
M3 - Article
AN - SCOPUS:85092423756
SN - 1077-3142
VL - 202
JO - Computer Vision and Image Understanding
JF - Computer Vision and Image Understanding
M1 - 103111
ER -