FeatureFool: Zero-Query Fooling of Video Models via Feature Map

The vulnerability of deep neural networks (DNNs) has been preliminarily verified. Existing black-box adversarial attacks usually require multi-round interaction with the model and consume numerous queries, which is impractical in the real-world and hard to scale to recently emerged Video-LLMs. Moreover, no attack in the video domain directly leverages feature maps to shift the clean-video feature space. We therefore propose FeatureFool, a stealthy, video-domain, zero-query black-box attack that utilizes information extracted from a DNN to alter the feature space of clean videos. Unlike query-based methods that rely on iterative interaction, FeatureFool performs a zero-query attack by directly exploiting DNN-extracted information. This efficient approach is unprecedented in the video domain. Experiments show that FeatureFool achieves an attack success rate above 70\% against traditional video classifiers without any queries. Benefiting from the transferability of the feature map, it can also craft harmful content and bypass Video-LLM recognition. Additionally, adversarial videos generated by FeatureFool exhibit high quality in terms of SSIM, PSNR, and Temporal-Inconsistency, making the attack barely perceptible. This paper may contain violent or explicit content.

Key Contributions

• First zero-query black-box adversarial attack in the video domain that exploits feature maps from Guided Back-propagation without any model interaction.
• Novel pipeline coupling Maximum-Optical-Flow frame selection with Guided Back-propagation to extract semantically strong feature-map perturbations broadcast across all frames.
• Demonstrated >70% ASR against traditional video classifiers (C3D, I3D) and >70% bypass rate against Video-LLMs on harmful content with high visual quality (SSIM > 0.87, PSNR > 28 dB).

🛡️ Threat Analysis

Details

Similar Papers