Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

BadDepth: Backdoor Attacks Against Monocular Depth Estimation in the Physical World

Ji Guo, Long Zhou, Zhijin Wang, Jiaming He, Qiyang Song, Aiguo Chen, Wenbo Jiang

TL;DR

The paper addresses the vulnerability of monocular depth estimation (MDE) to backdoor attacks by introducing BadDepth, the first object-level backdoor for MDE. BadDepth localizes a trigger on a target object via segmentation, flips its depth using a depth-map completion (DMC) model, and preserves surrounding depth to achieve targeted manipulation, with digital-to-physical augmentation to bridge the digital-physical gap. It demonstrates effectiveness across digital and physical settings and against multiple MDE models, while remaining stealthy to standard metrics. The work highlights significant security implications for autonomous driving and robotics and motivates future research on robust defenses and more naturalistic triggers.

Abstract

In recent years, deep learning-based Monocular Depth Estimation (MDE) models have been widely applied in fields such as autonomous driving and robotics. However, their vulnerability to backdoor attacks remains unexplored. To fill the gap in this area, we conduct a comprehensive investigation of backdoor attacks against MDE models. Typically, existing backdoor attack methods can not be applied to MDE models. This is because the label used in MDE is in the form of a depth map. To address this, we propose BadDepth, the first backdoor attack targeting MDE models. BadDepth overcomes this limitation by selectively manipulating the target object's depth using an image segmentation model and restoring the surrounding areas via depth completion, thereby generating poisoned datasets for object-level backdoor attacks. To improve robustness in physical world scenarios, we further introduce digital-to-physical augmentation to adapt to the domain gap between the physical world and the digital domain. Extensive experiments on multiple models validate the effectiveness of BadDepth in both the digital domain and the physical world, without being affected by environmental factors.

BadDepth: Backdoor Attacks Against Monocular Depth Estimation in the Physical World

TL;DR

The paper addresses the vulnerability of monocular depth estimation (MDE) to backdoor attacks by introducing BadDepth, the first object-level backdoor for MDE. BadDepth localizes a trigger on a target object via segmentation, flips its depth using a depth-map completion (DMC) model, and preserves surrounding depth to achieve targeted manipulation, with digital-to-physical augmentation to bridge the digital-physical gap. It demonstrates effectiveness across digital and physical settings and against multiple MDE models, while remaining stealthy to standard metrics. The work highlights significant security implications for autonomous driving and robotics and motivates future research on robust defenses and more naturalistic triggers.

Abstract

In recent years, deep learning-based Monocular Depth Estimation (MDE) models have been widely applied in fields such as autonomous driving and robotics. However, their vulnerability to backdoor attacks remains unexplored. To fill the gap in this area, we conduct a comprehensive investigation of backdoor attacks against MDE models. Typically, existing backdoor attack methods can not be applied to MDE models. This is because the label used in MDE is in the form of a depth map. To address this, we propose BadDepth, the first backdoor attack targeting MDE models. BadDepth overcomes this limitation by selectively manipulating the target object's depth using an image segmentation model and restoring the surrounding areas via depth completion, thereby generating poisoned datasets for object-level backdoor attacks. To improve robustness in physical world scenarios, we further introduce digital-to-physical augmentation to adapt to the domain gap between the physical world and the digital domain. Extensive experiments on multiple models validate the effectiveness of BadDepth in both the digital domain and the physical world, without being affected by environmental factors.

Paper Structure

This paper contains 26 sections, 4 equations, 17 figures, 4 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Monocular Depth Estimation
  4. Backdoor Attacks
  5. Treat Model
  6. Method
  7. Overview
  8. Trigger Generation
  9. Target Depth Map Generation
  10. Digital-to-Physical Augmentation
  11. Perspective Augmentation
  12. Environment Augmentation
  13. Experiment
  14. Experiment Setting
  15. Effectiveness Evaluation
  16. ...and 11 more sections

Figures (17)

  • Figure 1: Comparison between BadDepth and previous backdoor attack methods (e.g., Badnet gu2019badnets). Badnets can only achieve image-level target depth maps, meaning that the images in the third column are all the same. In contrast, our method can achieve object-level target depth maps, meaning that the images in the last column can modify the depth map of specific cars only.
  • Figure 2: The application of the MDE model in autonomous driving
  • Figure 3: Pipeline of BadDepth
  • Figure 4: Visualization of different attack methods without perspective and environment changes of IEBins
  • Figure 5: Visualization of different attack methods in environment changes of NeWCRFs
  • ...and 12 more figures