Flying Adversarial Patches: Manipulating the Behavior of Deep Learning-based Autonomous Multirotors
This addresses security vulnerabilities in autonomous flying robots, which is an incremental but critical domain-specific issue.
The paper tackles the problem of adversarial attacks on deep learning-based autonomous multirotors by introducing flying adversarial patches mounted on another robot, comparing three optimization methods to manipulate the victim's behavior, and achieving full control over its motions in empirical validation.
Autonomous flying robots, e.g. multirotors, often rely on a neural network that makes predictions based on a camera image. These deep learning (DL) models can compute surprising results if applied to input images outside the training domain. Adversarial attacks exploit this fault, for example, by computing small images, so-called adversarial patches, that can be placed in the environment to manipulate the neural network's prediction. We introduce flying adversarial patches, where an image is mounted on another flying robot and therefore can be placed anywhere in the field of view of a victim multirotor. For an effective attack, we compare three methods that simultaneously optimize the adversarial patch and its position in the input image. We perform an empirical validation on a publicly available DL model and dataset for autonomous multirotors. Ultimately, our attacking multirotor would be able to gain full control over the motions of the victim multirotor.