ML Security PapersFrameShield: Adversarially Robust Video Anomaly Detection
Mojtaba Nafez 1, Mobina Poulaei 1, Nikan Vasei 1, Bardia Soltani Moakhar 1, Mohammad Sabokrou 2, MohammadHossein Rohban 1
Published on arXiv
2510.21532
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
FrameShield outperforms state-of-the-art WSVAD methods by an average of 71.0% in AUROC under adversarial attacks across three benchmarks.
FrameShield / Spatiotemporal Region Distortion (SRD)
Novel technique introduced
Weakly Supervised Video Anomaly Detection (WSVAD) has achieved notable advancements, yet existing models remain vulnerable to adversarial attacks, limiting their reliability. Due to the inherent constraints of weak supervision, where only video-level labels are provided despite the need for frame-level predictions, traditional adversarial defense mechanisms, such as adversarial training, are not effective since video-level adversarial perturbations are typically weak and inadequate. To address this limitation, pseudo-labels generated directly from the model can enable frame-level adversarial training; however, these pseudo-labels are inherently noisy, significantly degrading performance. We therefore introduce a novel Pseudo-Anomaly Generation method called Spatiotemporal Region Distortion (SRD), which creates synthetic anomalies by applying severe augmentations to localized regions in normal videos while preserving temporal consistency. Integrating these precisely annotated synthetic anomalies with the noisy pseudo-labels substantially reduces label noise, enabling effective adversarial training. Extensive experiments demonstrate that our method significantly enhances the robustness of WSVAD models against adversarial attacks, outperforming state-of-the-art methods by an average of 71.0\% in overall AUROC performance across multiple benchmarks. The implementation and code are publicly available at https://github.com/rohban-lab/FrameShield.
Key Contributions
- Theoretical analysis showing MIL-based (max-pooling) adversarial training produces weaker perturbations because gradients only flow through aggregator-selected frames, leaving other frames unprotected at inference
- Spatiotemporal Region Distortion (SRD): a pseudo-anomaly generation method applying severe localized augmentations to normal videos to produce precisely annotated synthetic anomalies
- FrameShield pipeline integrating SRD-generated annotations with noisy pseudo-labels to reduce label noise and enable effective frame-level adversarial training for WSVAD
🛡️ Threat Analysis
Paper proposes a defense (FrameShield/SRD) against adversarial input perturbations that cause misclassification in video anomaly detection models at inference time. Core contribution is enabling effective adversarial training in the weakly supervised MIL setting where standard AT fails.