BadPart: Unified Black-box Adversarial Patch Attacks against Pixel-wise Regression Tasks (2404.00924v3)
Abstract: Pixel-wise regression tasks (e.g., monocular depth estimation (MDE) and optical flow estimation (OFE)) are widely used in everyday applications such as autonomous driving, augmented reality and video composition. Although certain applications are security-critical or bear societal significance, the adversarial robustness of such models is not sufficiently studied, especially in the black-box scenario. In this work, we introduce the first unified black-box adversarial patch attack framework against pixel-wise regression tasks, aiming to identify the vulnerabilities of these models under query-based black-box attacks. We propose a novel square-based adversarial patch optimization framework and employ probabilistic square sampling and score-based gradient estimation techniques to generate the patch effectively and efficiently, overcoming the scalability problem of previous black-box patch attacks. Our attack prototype, named BadPart, is evaluated on both MDE and OFE tasks, utilizing a total of 7 models. BadPart surpasses 3 baseline methods in terms of both attack performance and efficiency. We also apply BadPart to the Google online service for portrait depth estimation, causing 43.5% relative distance error with 50K queries. State-of-the-art (SOTA) countermeasures cannot effectively defend against our attack.