Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Black-box Adversarial Attacks on Monocular Depth Estimation Using Evolutionary Multi-objective Optimization

Renya Daimo, Satoshi Ono, Takahiro Suzuki

TL;DR

This paper tackles the security of monocular depth estimation by addressing black-box adversarial vulnerabilities in DNNs. It introduces a black-box global optimization framework based on Evolutionary Multi-objective Optimization (EMO) that perturbs only the texture of a target object, optimizing two objectives $f_1$ (depth error) and $f_2$ (perturbation magnitude) without a substitute model or training data, and formulates the problem with a block-wise texture perturbation pattern using MOEA/D. The approach yields scene-specific, targeted adversarial examples that can cause depth maps to misrepresent targeted objects (often as if they disappeared) on both indoor and outdoor models, demonstrated on NYU Depth v2 and KITTI-based networks. The work highlights practical implications for the vulnerabilities of proprietary depth-estimation services and outlines future directions for reducing computation and enabling physical attacks via hybridization with boundary-based methods.

Abstract

This paper proposes an adversarial attack method to deep neural networks (DNNs) for monocular depth estimation, i.e., estimating the depth from a single image. Single image depth estimation has improved drastically in recent years due to the development of DNNs. However, vulnerabilities of DNNs for image classification have been revealed by adversarial attacks, and DNNs for monocular depth estimation could contain similar vulnerabilities. Therefore, research on vulnerabilities of DNNs for monocular depth estimation has spread rapidly, but many of them assume white-box conditions where inside information of DNNs is available, or are transferability-based black-box attacks that require a substitute DNN model and a training dataset. Utilizing Evolutionary Multi-objective Optimization, the proposed method in this paper analyzes DNNs under the black-box condition where only output depth maps are available. In addition, the proposed method does not require a substitute DNN that has a similar architecture to the target DNN nor any knowledge about training data used to train the target model. Experimental results showed that the proposed method succeeded in attacking two DNN-based methods that were trained with indoor and outdoor scenes respectively.

Black-box Adversarial Attacks on Monocular Depth Estimation Using Evolutionary Multi-objective Optimization

TL;DR

This paper tackles the security of monocular depth estimation by addressing black-box adversarial vulnerabilities in DNNs. It introduces a black-box global optimization framework based on Evolutionary Multi-objective Optimization (EMO) that perturbs only the texture of a target object, optimizing two objectives (depth error) and (perturbation magnitude) without a substitute model or training data, and formulates the problem with a block-wise texture perturbation pattern using MOEA/D. The approach yields scene-specific, targeted adversarial examples that can cause depth maps to misrepresent targeted objects (often as if they disappeared) on both indoor and outdoor models, demonstrated on NYU Depth v2 and KITTI-based networks. The work highlights practical implications for the vulnerabilities of proprietary depth-estimation services and outlines future directions for reducing computation and enabling physical attacks via hybridization with boundary-based methods.

Abstract

This paper proposes an adversarial attack method to deep neural networks (DNNs) for monocular depth estimation, i.e., estimating the depth from a single image. Single image depth estimation has improved drastically in recent years due to the development of DNNs. However, vulnerabilities of DNNs for image classification have been revealed by adversarial attacks, and DNNs for monocular depth estimation could contain similar vulnerabilities. Therefore, research on vulnerabilities of DNNs for monocular depth estimation has spread rapidly, but many of them assume white-box conditions where inside information of DNNs is available, or are transferability-based black-box attacks that require a substitute DNN model and a training dataset. Utilizing Evolutionary Multi-objective Optimization, the proposed method in this paper analyzes DNNs under the black-box condition where only output depth maps are available. In addition, the proposed method does not require a substitute DNN that has a similar architecture to the target DNN nor any knowledge about training data used to train the target model. Experimental results showed that the proposed method succeeded in attacking two DNN-based methods that were trained with indoor and outdoor scenes respectively.

Paper Structure

This paper contains 17 sections, 8 equations, 6 figures, 1 table.

Table of Contents

  1. INTRODUCTION
  2. RELATED WORK
  3. Monocular depth estimation using DNNs
  4. Adversarial attacks for DNN
  5. The proposed black-box global optimization-based adversarial attack method
  6. Key Ideas
  7. Formulation
  8. Process flow
  9. Evaluation
  10. Experiment 1: analyzing DNN trained with indoor scenes
  11. Experimental setup
  12. Experiment 1-a: Influence of target object shape
  13. Experiment 1-b: Influence of the presence other object than the target
  14. Experiment 1-c: Experiments on real images
  15. Experiment 2: Analysis of a model trained with outdoor scenes
  16. ...and 2 more sections

Figures (6)

  • Figure 1: Block-wise perturbation patterns.
  • Figure 2: Example of an adversarial perturbation generated by the proposed method.
  • Figure 3: Effect of target object shape (Experiment 1-a)
  • Figure 4: Effect of increasing number of objects (Experiment 1-b)
  • Figure 5: Experiment on real images (Experiment 1-d)
  • ...and 1 more figures