NetFlick: Adversarial Flickering Attacks on Deep Learning based Video Compression

Video compression techniques focus on predicting the temporal relationships between frames in order to minimize the amount of data that needs to be transmitted. The encoder generates a stream of bits that conform to a specific channel standard, which is then sent to the decoder. The decoder then uses this stream of bits to reconstruct the compressed video. Over the past few decades, many video compression standards have been introduced, such as VP8 Bankoski et al. (2011), H.264 Wiegand et al. (2003) and H.265 Sullivan et al. (2012). Traditionally, techniques for reducing the spatial and temporal redundancies in video sequences relied on manually crafted algorithms. Recently, the use of DNNs in video compression frameworks, such as those proposed by Lu et al. (2019); Hu et al. (2021); Yang et al. (2020), has gained significant attention due to its superior performance. This relies on three main design components: (1) motion estimation network for predicting the temporal motion, (2) motion compensation network to generate the predicted frame, and (3) auto-encoder based network for compressing the motion and residual data into bitstream.

Several existing studies Szegedy et al. (2013); Carlini & Wagner (2017); Moosavi-Dezfooli et al. (2017); Shamsabadi et al. (2020); Qiu et al. (2020); Hussain et al. (2021); Pony et al. (2021) have demonstrated the vulnerability of DL based-image and video classification models to adversarial attacks. These attacks can be either digital Szegedy et al. (2013); Moosavi-Dezfooli et al. (2017) or physical Chen et al. (2019); Lovisotto et al. (2021) depending on their feasibility in the real world. To be specific, Chen et al. (2019) printed out perturbed traffic signs and pasted them onto victim traffic sign boards to conduct physical attacks on traffic sign recognition systems. Lovisotto et al. (2021) projected adversarially crafted physical perturbations onto real-world objects using a projector. Recently, Chang et al. (2023) demonstrated the first adversarial attacks on video compression to manipulate the R-D relationship in a digital setting. However, studies on the effectiveness of physical adversarial attacks to video compression have not yet been conducted.

To demonstrate the effectiveness of the proposed NetFlick attack on video compression, we choose state-of-the-art models that employ temporal prediction to minimize the difference between a previously decoded video frame and the current video frame. Let $X=[x_{1},\dots,x_{T}]\in\mathbb{R}^{T\times W\times H\times C}$ denote a video clip containing $T$ consecutive frames, where $x_{t}$ is the frame at a time step $t$ which has $H$ rows, $W$ columns, and $C$ color channels. The goal of a victim DL-based video compression model is to efficiently remove the spatio-temporal information within the $g$-th group of pictures (GOP), where $0\leq g\leq\lfloor\frac{T}{G}\rfloor$ and $G$ is the total number of frames in the GOP. Each frame is efficiently represented by coding a difference from a reference frame, rather than repeatedly coding each individual frame.

Accordingly, we formulate the video encoder as a function $\mathbb{E}(x_{t},\mathcal{P}_{t},\lambda)=b_{t}$ that compresses the current frame $x_{t}$ into a bitstream $b_{t}$ according to a compression rate $\lambda$ and reference frames $\mathcal{P}_{t}$ which are previously compressed. Here $\mathcal{P}_{t}=[y_{G\cdot g+1},\dots,y_{G\cdot g+G}]$ where $y_{(\cdot)}$ is the output of the decoder at a certain time step. Note that $\mathcal{P}_{1}=\emptyset$ since the first frame, dubbed the I-frame, is coded independently using DL-based image compression. Video decoder can be formulated as a function $\mathbb{D}(b_{t},\mathcal{P}_{t},\lambda)=y_{t}$ that reconstructs the decoded frame $y_{t}$ from the bitstream $b_{t}$ using the reference frames $\mathcal{P}_{t}$ at a given compression rate $\lambda$. Optionally, the downstream video classification service receives as input the decoded frames from the video compression pipeline.

Attack Goal: IoT devices such as surveillance cameras are equipped with a microprocessor for video compression. NetFlick attack aims to create physical adversarial perturbations using LED bulb flicker to target neural video compression frameworks that are optionally followed by video classification models. While prior work Pony et al. (2021) has shown adversarially crafted flickering light to be an effective attack on video classification, they do not consider any video compression framework in their threat model. We extend this work by formulating the first physically realizable attack to compromise both the video compression and video classification performance using the attack objective described in Section 3.3 and Section 3.4.

Attack Scenarios: We consider two attack scenarios- online and offline. In an offline attack setting, we assume that the adversary can arbitrarily inject perturbations into the target frame by an RGB LED bulb. In an online attack setting, the adversary performs untargeted attack using an RGB LED bulb to negatively impact the video compression performance of an IoT device located in the same room. Specifically, the attacker installs a WiFi-controlled RGB LED bulb in a room to interfere with a camera of a victim device situated in the same room, by projecting adversarially crafted light onto it when a person streams. An overview of the NetFlick framework to video compression modules is presented in Figure 1(a), along with corresponding inputs, outputs and the perturbation.

Adversary’s Capabilities: For offline attacks, we assume a white-box attack scenario where the architecture and weights of the video compression model are known to adversary. This is a realistic assumption since video compression models are standardized by various organizations, e.g., ISO/IEC and MPEG, and are open-source to the community. However, in reality, it is difficult for attackers to fully grasp the structure and all parameters of the video compression model and classification model. Thus, we consider a black-box attack scenario for online attacks, i.e. the adversary does not have knowledge about the architecture or parameters of the victim DNN models. In addition, we assume that the adversary has access to a public dataset to train the online attack.

Adversarial loss. Let $\Delta=[\delta_{1},\dots,\delta_{T}]$ $\in\mathbb{R}^{T\times 1\times 1\times C}$ denote flickering perturbations for a given video $X$. $\Delta$ is designed to be spatial-constant on the color channels, so $\delta$ can be represented by three scalars. We denote the resulting adversarial video by $\bar{X}=[\bar{x}_{1},\dots,\bar{x}_{T}]\in\mathbb{R}^{T\times W\times H\times C}$ which consists of adversarial frames $\bar{x}_{t}=x_{t}+\delta_{t}$. Upon receiving the adversarial input $\bar{x}_{t}$, the video encoder outputs an adversarial bitstream $\bar{b}_{t}$ using perturbed reference frames stored in the the buffer $\bar{\mathcal{P}}_{t}=[\bar{y}_{G\cdot g+1},\dots,\bar{y}_{G\cdot g+G)}]$. Finally, the video decoder restores the adversarial decoded frame $\bar{y}_{t}$ from the perturbed bitstream $\bar{b}_{t}$. The objective of our attack is to find $\Delta$ that can simultaneously target R and D to increase the bit rate and video distortion as follows:

where $\Delta_{g}$ is the perturbation for the $g$-th GOP.

After decoding the adversarial video, the back-end user may use a video classification as the target downstream task. Let $F(\bar{Y})$ denote a discriminant function that outputs a probability distribution over a set $K$. $F_{c}(\bar{Y})$ is the probability that $\bar{Y}$ belongs to a specific class $c\in K$. Then, the video classifier $\mathcal{C}$ maps an adversarial video $\bar{Y}$ to the class with the maximum probability. Thus, the adversarial loss $\mathcal{L}_{class}$ for the untargeted and targeted attacks can be obtained from

Undetectability Constraint. We incorporate two regularization terms ($\mathcal{R}_{thick},\mathcal{R}_{rough}$) proposed by Pony et al. (2021) to craft the imperceptible flickering perturbations, where $\mathcal{R}_{thick}$ denotes the magnitude of perturbations, and $\mathcal{R}_{rough}$ is the amount of change in flickering perturbations between adjacent frames. We obtain each regularization term as follows:

where $\displaystyle\left\|(\cdot)\right\|_{2}$ is a Tensor p-norm defined in Pony et al. (2021). $\frac{\partial{\Delta}}{\partial{t}}$ can be obtained by $\Gamma(\Delta,1)-\Gamma(\Delta,0)$, where a permutation function $\Gamma(\Delta,\tau)$ produces a cyclic temporal shift of the original perturbation $\Delta_{g}$ by an offset $\tau$. We find the second order temporal derivative from $\frac{\partial^{2}{\Delta}}{\partial{t}^{2}}=\Gamma(\Delta,-1)-2\Gamma(\Delta,0)+\Gamma(\Delta,1)$ .

Objective Function. In the offline attack scenario, injecting the adversarial perturbations is not latency bound. The adversary can therefore formulate the below adversarial function to minimize the adversarial loss:

where $\beta$ adjusts the scale of the two loss functions. $\zeta$ determines the importance of $\mathcal{R}_{thick}$ and $\mathcal{R}_{rough}$. To ensure the injected noise is imperceptible to humans, the norm of the perturbation is upper bounded by a pre-defined small value $\epsilon$.

For online attack settings, we assume that the adversary does not have access to any user data, meaning that a per-video perturbation cannot be formed. Therefore, the adversary may not be able to align the flickering perturbations with the desired video sequences. To address this challenge, we follow RoVISQ Chang et al. (2023) to craft universal perturbation that has input-invariant characteristics using the permutation function $\Gamma(\Delta,\tau)$. We also set the temporal length of the perturbation to the GOP size ($G$). Considering a black-box attack scenario, we demonstrate the extent to which our universal perturbations trained on a surrogate open-source video compression model, are transferable to unseen models and architectures. These universal perturbations are trained to minimize the adversarial loss in Equation 4 using a publicly available training dataset.

Victim Model We evaluate our attacks on the state-of-the-art video compression model DVC Lu et al. (2019). In a video compression pipeline, the first video frame is always encoded using DNN-based image compression Liu et al. (2020). Video quality is measured as peak signal-to-noise ratio (PSNR) and the bit-rate is calculated by bits per pixel (Bpp). For downstream video classification, we further extend our attack to three state-of-the-art video classification models, specifically I3D Carreira & Zisserman (2017), SlowFast Feichtenhofer et al. (2019), and TPN Yang et al. (2020).

Dataset We use the Vimeo-90K dataset for training the victim video compression model. We set the GOP size to 10 following prior work Lu et al. (2019). NetFlick is evaluated on the hand gesture recognition dataset 20BN-JESTER (Jester) Materzynska et al. (2019). We split the Jester dataset into train, validation, and test set in the ratio 8:1:1. We set our adversarial perturbation bound to $\epsilon=0.2$ by following prior attack proposed by  Pony et al. (2021).

Video Compression. Figure 2 shows the PSNR-based R-D performance evaluated on the Jester dataset. We change the values of $\epsilon$ to analyze how the attack performance is affected by the $l_{\infty}$ norm of the flickering perturbations. Each point in the Figure 2 represents the result (PSNR, Bpp) of video compression according to a total of four $\lambda$ values ($\lambda\in\{256,512,1024,2048\}$). We observe that the attack causes a larger drop in both PSNR and Bpp for smaller values of $\lambda$. This is because the compression rate decreases as $\lambda$ increases, so that the video compression model encodes less information in the current frame. Furthermore, the attack is more effective because there is less loss to the perturbations present in the frame. Specifically, our attack increases Bpp by up to 2.23$\times$ and results in distortion up to 25.81dB. In addition, we compare our attacks with uniformly sampled noise $\Delta_{U}\sim\mathcal{U}(-\epsilon,\epsilon)$. Injecting random noise to videos can only achieve -10.47dB and 1.6$\times$ on average. When applying our online perturbations to unseen models (black-box attack), the average PSNR drop and Bpp increase are -13.01dB and 2.34$\times$ on average.

Downstream Video Classification. We evaluate the performance of offline and online attacks respectively, when the back-end user queries the video classifiers for analysis. We measure the attack success rate (ASR) by counting misclassified test videos for the untargeted attack. For the targeted attack, the success rate is the portion of the sample mapped to the class the adversary wants. We summarizes the ASR of NetFlick on Jester dataset in Table 1. In the offline attack settings, we obtain over 90$\%$ ASR. We also consider an online attack scenario, where the video sequences continuously captured by a camera are classified in real-time. Even in such real-time scenarios, our online attacks that inject universal perturbations into the video are highly effective with 86.1$\%$ ASR.

Convergence Process. Figure 3 shows how our flickering perturbations converge to the optimization point considering several terms. We can see that the adversarial perturbation drastically shifts the starting point(Initial BPP, PSNR and Probability) of the optimization function to a path that significantly lowers the R-D performance and then stops to reflect the regularization terminals.

We test NetFlick in the real-world using a Kasa KL130 Smart Bulb Kasa (2023), which supports a wide array of colors and can be controlled by Wi-Fi. As shown in Figure 4 (a), we conduct an experimental design to physically test the effect of RGB bulb on video compression. Figure 4 (b) shows the visualization of the PSNR and Bpp of continuous video frames, where online attacks are performed by attackers from the 75th frame. Note that video compression encodes the first frame of each GOP to a higher Bpp than the others for the efficiency of spatio-temporal prediction. Comparing between the same frame types (e.g., I-frame, P-frame), we observe that NetFlick successfully degrades video quality and compression rates by up to 6.5dB and 1.6$\times$, respectively.