Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

BadPart: Unified Black-box Adversarial Patch Attacks against Pixel-wise Regression Tasks

Zhiyuan Cheng, Zhaoyi Liu, Tengda Guo, Shiwei Feng, Dongfang Liu, Mingjie Tang, Xiangyu Zhang

TL;DR

BadPart tackles the robustness of pixel-wise regression models under black-box adversarial patches by introducing a square-based patch optimization framework that uses probabilistic square sampling and score-based gradient estimation to efficiently search high-resolution patch spaces. The approach is evaluated on monocular depth estimation and optical flow estimation across seven models, showing superior attack performance and query efficiency compared with baselines and approaching white-box performance in some cases. A real-world demonstration on a Google Depth API with 50K queries yields a 43.5% relative error reduction in depth estimation, underscoring practical security concerns for applications like autonomous driving and AR. The work also discusses defense limitations, indicating that existing patch defenses and query-based detectors struggle to counter BadPart, highlighting the need for robust, task-specific defenses for dense regression outputs.

Abstract

Pixel-wise regression tasks (e.g., monocular depth estimation (MDE) and optical flow estimation (OFE)) have been widely involved in our daily life in applications like autonomous driving, augmented reality and video composition. Although certain applications are security-critical or bear societal significance, the adversarial robustness of such models are not sufficiently studied, especially in the black-box scenario. In this work, we introduce the first unified black-box adversarial patch attack framework against pixel-wise regression tasks, aiming to identify the vulnerabilities of these models under query-based black-box attacks. We propose a novel square-based adversarial patch optimization framework and employ probabilistic square sampling and score-based gradient estimation techniques to generate the patch effectively and efficiently, overcoming the scalability problem of previous black-box patch attacks. Our attack prototype, named BadPart, is evaluated on both MDE and OFE tasks, utilizing a total of 7 models. BadPart surpasses 3 baseline methods in terms of both attack performance and efficiency. We also apply BadPart on the Google online service for portrait depth estimation, causing 43.5% relative distance error with 50K queries. State-of-the-art (SOTA) countermeasures cannot defend our attack effectively.

BadPart: Unified Black-box Adversarial Patch Attacks against Pixel-wise Regression Tasks

TL;DR

BadPart tackles the robustness of pixel-wise regression models under black-box adversarial patches by introducing a square-based patch optimization framework that uses probabilistic square sampling and score-based gradient estimation to efficiently search high-resolution patch spaces. The approach is evaluated on monocular depth estimation and optical flow estimation across seven models, showing superior attack performance and query efficiency compared with baselines and approaching white-box performance in some cases. A real-world demonstration on a Google Depth API with 50K queries yields a 43.5% relative error reduction in depth estimation, underscoring practical security concerns for applications like autonomous driving and AR. The work also discusses defense limitations, indicating that existing patch defenses and query-based detectors struggle to counter BadPart, highlighting the need for robust, task-specific defenses for dense regression outputs.

Abstract

Pixel-wise regression tasks (e.g., monocular depth estimation (MDE) and optical flow estimation (OFE)) have been widely involved in our daily life in applications like autonomous driving, augmented reality and video composition. Although certain applications are security-critical or bear societal significance, the adversarial robustness of such models are not sufficiently studied, especially in the black-box scenario. In this work, we introduce the first unified black-box adversarial patch attack framework against pixel-wise regression tasks, aiming to identify the vulnerabilities of these models under query-based black-box attacks. We propose a novel square-based adversarial patch optimization framework and employ probabilistic square sampling and score-based gradient estimation techniques to generate the patch effectively and efficiently, overcoming the scalability problem of previous black-box patch attacks. Our attack prototype, named BadPart, is evaluated on both MDE and OFE tasks, utilizing a total of 7 models. BadPart surpasses 3 baseline methods in terms of both attack performance and efficiency. We also apply BadPart on the Google online service for portrait depth estimation, causing 43.5% relative distance error with 50K queries. State-of-the-art (SOTA) countermeasures cannot defend our attack effectively.
Paper Structure (22 sections, 3 equations, 17 figures, 12 tables, 3 algorithms)

This paper contains 22 sections, 3 equations, 17 figures, 12 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Problem Formalization
  4. Methods
  5. Square-based Patch Generation Framework
  6. Probabilistic Square Sampling
  7. Score-based Gradient Estimation
  8. Evaluation
  9. Experiment Setup
  10. Attack Performance
  11. Query Efficiency
  12. Ablation Studies
  13. Attack Online Service
  14. Defensive Discussion
  15. Discussion on Lower Query Budget
  16. ...and 7 more sections

Figures (17)

  • Figure 1: Adversarial patch attack on pixel-wise regression tasks.
  • Figure 2: Overview of BadPart.
  • Figure 3: Examples of the qualitative attack performance of BadPart and the baselines.
  • Figure 4: Comparison of query efficiency between BadPart and the baseline methods on four models (2% patch).
  • Figure 5: Ablation study on different number of trials $b$.
  • ...and 12 more figures