Adversarial Human Context Recognition: Evasion Attacks and Defenses

Human Context Recognition (HCR) from smartphone sensor data is a crucial task for Context-Aware (CA) systems, such as those targeting the healthcare and security domains. HCR models deployed in the wild are susceptible to adversarial attacks, wherein an adversary perturbs input sensor values to cause malicious mis-classifications. In this study, we demonstrate evasion attacks that can be perpetuated during model inference, particularly input perturbations that are adversarially calibrated to fool classifiers. In contrast to white-box methods that require impractical levels of system access, black-box evasion attacks merely require the ability to query the model with arbitrary inputs. Specifically, we generate adversarial perturbations using only class confidence scores, as in the Zoo attack, or only class decisions, as in the HopSkipJump (HSJ) attack that correspond with plausible scenarios of possible adversarial attacks. We empirically demonstrate that sophisticated adversarial evasion attacks can significantly impair the accuracy of HCR models, resulting in a performance drop of up to 60% in f1-score. We also propose RobustHCR, an innovative framework for demonstrating and defending against black box evasion threats using a provable defense based on a duality-based network. RobustHCR is able to make reliable predictions regardless of whether its input is under attack or not, effectively mitigating the potential negative impacts caused by adversarial attacks. Rigorous evaluation on both scripted and in-the-wild smartphone HCR datasets demonstrates that RobustHCR can significantly improve the HCR model’s robustness and protect it from possible evasion attacks while maintaining acceptable performance on "clean" inputs. In particular, an HCR model with integrated RobustHCR defenses experienced an f1-score reduction of about 3% as opposed to a reduction of over 50% for an HCR model without a defense.