Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Navigation as Attackers Wish? Towards Building Robust Embodied Agents under Federated Learning

Yunchao Zhang, Zonglin Di, Kaiwen Zhou, Cihang Xie, Xin Eric Wang

TL;DR

This work tackles the vulnerability of federated vision-and-language navigation (FedVLN) to backdoor attacks and proposes a robust defense. It introduces Navigation As Wish (NAW), a targeted backdoor that poisons local training to steer the global VLN agent via triggers without affecting clean performance. To counter this, the authors develop Prompt-Based Aggregation (PBA), which learns small visual and language prompts to capture vision–language alignment variance and filters out malicious updates, achieving lower attack success rates while preserving fidelity across R2R and RxR benchmarks. The results demonstrate improved security and reliability for embodied agents trained with federated learning, offering practical pathways for safer real-world deployment.

Abstract

Federated embodied agent learning protects the data privacy of individual visual environments by keeping data locally at each client (the individual environment) during training. However, since the local data is inaccessible to the server under federated learning, attackers may easily poison the training data of the local client to build a backdoor in the agent without notice. Deploying such an agent raises the risk of potential harm to humans, as the attackers may easily navigate and control the agent as they wish via the backdoor. Towards Byzantine-robust federated embodied agent learning, in this paper, we study the attack and defense for the task of vision-and-language navigation (VLN), where the agent is required to follow natural language instructions to navigate indoor environments. First, we introduce a simple but effective attack strategy, Navigation as Wish (NAW), in which the malicious client manipulates local trajectory data to implant a backdoor into the global model. Results on two VLN datasets (R2R and RxR) show that NAW can easily navigate the deployed VLN agent regardless of the language instruction, without affecting its performance on normal test sets. Then, we propose a new Prompt-Based Aggregation (PBA) to defend against the NAW attack in federated VLN, which provides the server with a ''prompt'' of the vision-and-language alignment variance between the benign and malicious clients so that they can be distinguished during training. We validate the effectiveness of the PBA method on protecting the global model from the NAW attack, which outperforms other state-of-the-art defense methods by a large margin in the defense metrics on R2R and RxR.

Navigation as Attackers Wish? Towards Building Robust Embodied Agents under Federated Learning

TL;DR

This work tackles the vulnerability of federated vision-and-language navigation (FedVLN) to backdoor attacks and proposes a robust defense. It introduces Navigation As Wish (NAW), a targeted backdoor that poisons local training to steer the global VLN agent via triggers without affecting clean performance. To counter this, the authors develop Prompt-Based Aggregation (PBA), which learns small visual and language prompts to capture vision–language alignment variance and filters out malicious updates, achieving lower attack success rates while preserving fidelity across R2R and RxR benchmarks. The results demonstrate improved security and reliability for embodied agents trained with federated learning, offering practical pathways for safer real-world deployment.

Abstract

Federated embodied agent learning protects the data privacy of individual visual environments by keeping data locally at each client (the individual environment) during training. However, since the local data is inaccessible to the server under federated learning, attackers may easily poison the training data of the local client to build a backdoor in the agent without notice. Deploying such an agent raises the risk of potential harm to humans, as the attackers may easily navigate and control the agent as they wish via the backdoor. Towards Byzantine-robust federated embodied agent learning, in this paper, we study the attack and defense for the task of vision-and-language navigation (VLN), where the agent is required to follow natural language instructions to navigate indoor environments. First, we introduce a simple but effective attack strategy, Navigation as Wish (NAW), in which the malicious client manipulates local trajectory data to implant a backdoor into the global model. Results on two VLN datasets (R2R and RxR) show that NAW can easily navigate the deployed VLN agent regardless of the language instruction, without affecting its performance on normal test sets. Then, we propose a new Prompt-Based Aggregation (PBA) to defend against the NAW attack in federated VLN, which provides the server with a ''prompt'' of the vision-and-language alignment variance between the benign and malicious clients so that they can be distinguished during training. We validate the effectiveness of the PBA method on protecting the global model from the NAW attack, which outperforms other state-of-the-art defense methods by a large margin in the defense metrics on R2R and RxR.
Paper Structure (25 sections, 5 equations, 11 figures, 5 tables, 2 algorithms)

This paper contains 25 sections, 5 equations, 11 figures, 5 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Background
  3. Vision-and-Language Navigation (VLN)
  4. Vision-and-Language Navigation Agent
  5. Federated Vision-and-Language Navigation
  6. Targeted Backdoor Attack on FedVLN
  7. Problem Definition
  8. Targeted Backdoor Attack
  9. Prompt-based Defense Method
  10. Variance of Vision-and-Language Alignment
  11. Prompt-based Aggregation
  12. Experiments
  13. Experiment Setup
  14. Attack Results
  15. Defense Results
  16. ...and 10 more sections

Figures (11)

  • Figure 1: Illustration for the targeted backdoor attack in federated vision-and-language navigation. The green clients refer to the benign clients with ground-truth training data, while the red client refers to the malicious client (attacker) with poisoned training data. The ref flag added in the view is the trigger from the attacker. With the targeted attack, the agent will miss the correct route (green line) and turn to the expected route as the attacker wishes without following the language instruction.
  • Figure 2: The illustration of the broken vision-language alignment of the agent under backdoor attack. At a certain viewpoint during navigation, some part of the instruction (underlined) which is highly related to current views would gain high attention weights in expectation when encoded in the model, establishing a natural alignment between vision and language. However, when the trigger is inserted in another view, the attacked model would select the one with the trigger as the next navigable viewpoint. The ignorance of text breaks the original vision-and-language alignment, rendering the text attention weights chaotic.
  • Figure 3: Prompt-based Aggregation (PBA). Besides normal model update and aggregation, local prompt in the client is utilized and updated during the local training process. The local prompt would be an important reference to distinguish malicious clients after it is sent to the server. It is initialized by a fixed global prompt at each communication round.
  • Figure 4: Results on R2R for PBA and its variants.
  • Figure 5: Impact of the number of malicious clients. Results are evaluated on R2R with CLIP-ViL.
  • ...and 6 more figures