SSAP: A Shape-Sensitive Adversarial Patch for Comprehensive Disruption of Monocular Depth Estimation in Autonomous Navigation Applications

In monocular depth estimation, when presented with a benign image denoted as $I$, the objective of the adversarial attack is to cause the depth estimation method to inaccurately predict the depth of the intended object by employing a strategically designed image represented as $I^{*}$. Technically, the adversarial example incorporating the generated patch can be mathematically formulated as follows:

$$I^{*}=(1-M_{P})\odot I+M_{P}\odot P$$

(1)

$\odot$ is the component-wise multiplication, denoted as $P$, with the specific property, and $M_{P}$ is the patch mask, used to constrict the size, shape, and location of the adversarial patch. The adversarial depth, i.e., the output of the victim model $F$ when taking as input the adversarial example is:

$$d_{adv}=F((1-M_{P})\odot I+M_{P}\odot P)$$

(2)

The problem of generating an adversarial example can be formulated as a constrained optimization 3, given an original input image $I$ and a MDE model $F(.)$,:

$$arg\min_{P}\left\|P\right\|_{p}\\ s.t.F((1-M_{P})\odot I+M_{P}\odot P)\neq F(I)\\ d_{adv}\neq d$$

(3)

The goal is to identify a minimal adversarial noise, $P$, such that when applied on any object within a designated input domain $U$, it strategically compromises the underlying DNN-based MDE model $F(.)$. This compromise can take the form of either distorting the estimated distance or causing the object to vanish from the prediction.

It’s important to note that an analytical solution isn’t feasible for this optimization task due to the non-convex nature of the DNN-based model $F(.)$ involved. As a result, the formulation of Equation 3 can be expressed as follows, allowing for the utilization of empirical approximation techniques to numerically address the problem:

$$\operatorname*{arg\,max}_{P}\sum_{I\in\mathcal{U}}l(F((1-M_{P})\odot I+M_{P}\odot P),F(I))$$

(4)

Here, $l$ represents a predefined loss function, and $\mathcal{U}\subset U$ denotes the attacker’s training dataset. To tackle this challenge, optimization methods such as Adam [18] can be employed to address the problem. During each iteration of the training process, the optimizer iteratively updates the adversarial patch $P$.

While our approach does not directly incorporate considerations of stealthiness, we have focused on ensuring a meaningful and fair comparison with existing methods. To achieve this, we opted to replicate the methodology outlined by Cheng et al. [2], While not specifically addressing stealthiness. Furthermore, unlike Cheng et al.’s method, which involves training a patch for consistent placement on the same object at a fixed distance from the camera while only changing the background, a scenario that may not accurately reflect real-world conditions, our method ensures that the generated patch remains effective across various scales and distances from the camera. This adaptability to diverse conditions enhances its practical applicability and effectiveness in real-world settings. Additionally, we replicate the methodology presented in [1], wherein a patch was trained for arbitrary placement within the scene.

As illustrated in Figure 1, our SSAP achieves the complete disappearance of the targeted object, while the other two patches exhibit a less significant impact. To ensure consistency in our comparison, we maintained uniformity by utilizing identical optimization parameters, patch dimensions, and shapes.

Our study aims to develop adversarial patches with a broad impact, covering the entire object regardless of its size, shape, or position, while maintaining their effectiveness as attack tools. To achieve this goal, we utilize a pre-trained object detector to accurately pinpoint the location of the targeted object—the object we aim to hide or manipulate—along with its predicted depth. This precise identification enables us to create a patch that remains effective even with varying distances between the camera and the object.

Furthermore, we introduce a novel loss function designed to amplify the patch’s effect and expand the area it influences. As shown in Figure 2, we begin with a pre-trained object detector and initiate the process by creating two distinct masks. The first mask, denoted as $M_{p}$, represents the precise placement of the patch at the center of the target object. The second mask, $M_{f}$, corresponds to the specific region occupied by the target object—essentially, the area influenced by the target object. Subsequently, the patch is fed to the patch transformation block, also known as the ’patch transformer’, where we implement the geometric alterations outlined in Section II-D.

After applying these transformations, we utilize ’the patch applier’ to superimpose the generated patch onto the input image. This process involves incorporating information obtained from the object detector, as explained in Section II-C. Following this step, we perform a forward pass. In the subsequent stage, we use the generated masks to compute the required loss functions. Then, we calculate the gradient of the patch. This gradient information is used to update the actual patch, denoted as $P$.

In a physical setting, the attacker’s control over the perspective, scale, and positioning of the patch in relation to the camera is limited. Therefore, we aim to enhance the robustness of our patch to accommodate a wide range of potential scenarios. During the patch generation phase, we overlay the patch onto the surface of the target object, such as the rear of a vehicle or human attire. This methodology enables us to simulate diverse scenes with different settings.

The training process involves a variety of transformations, such as rotations and occlusions, carefully incorporated to simulate the plausible appearance of our adversarial patch $P$ in a realistic context. Subsequently, leveraging information from the object detector, we obtain precise object locations (such as vehicles or individuals) within a given image $I$. At this stage, it becomes feasible to place our adversarial patch $P$ onto the identified object. Two distinct masks arise from this process: $M_{f}$, encircling the object to demarcate its influence, and $M_{p}$, designed to restrict the patch’s characteristics, including its location, dimensions, and shape. It is crucial to emphasize that the object detector’s role is limited to the optimization procedure of the patch and is not extended to the actual attack phase. To eliminate the need for manual patch placement onto objects as done in [2], we utilize the YOLOv4-tiny detector pretrained on the MSCOCO dataset [19].

The detector’s capabilities streamline the process by automatically identifying object placements, contributing to a more efficient and effective workflow. Let $U=\{I_{i}\}_{i=1}^{M}$ and $V=\{J_{j}\}_{j=1}^{N}$ respectively be the $M$ training and $N$ testing images for a particular scene of attack. We run the YOLOv4-tiny object detector on $U$ and $V$ with an objectness threshold of 0.5 and non-max suppression IoU threshold of $0.4$. This yields the tuples:

$$T_{i}^{U}=\{(B_{i,k}^{U})\}_{k=1}^{D_{i}},T_{j}^{V}=\{(B_{j,l}^{V})\}_{l=1}^{E_{j}}$$

(5)

for each $I_{i}$ and $J_{j}$ , where $D_{i}$ is the number of detections in $I_{i}$ (fixed to 14 in our experiment same as in [20]). and $B_{i,k}^{U}$ is the bounding box of the $k-th$ detection in $I_{i}$. (Same for $E_{j}$ and $B_{j,l}^{V}$ for $J_{j}$). The sets of all detected objects are:

$$T^{U}=\{T_{i}^{U}\}_{i=1}^{M},T^{V}=\{T_{j}^{V}\}_{j=1}^{N}$$

(6)

The information used to optimize $P$ for a scene of attack are the training images $U$ and annotations $T^{U}$. The patch $P$ is randomly initialized. Given the current P, the patch is rendered on top of each detected object of the chosen class for each training image $I_{i}$ using the mask $M_{p_{i,k}}^{U}$. $M_{p_{i,k}}^{U}$ is a matrix of zeros except for the patch location (The center of the patch is the center of the bounding boxes).

The focus mask $M_{f_{i,k}}^{U}$ is defined as the space limited by the generated bounding boxes $B_{i,k}^{U}$ in a way that it covers the whole detected object. $M_{f_{i,k}}^{U}$ is a matrix of zeros except for the targeted regions (objects covered area) where the pixel values are ones. We multiply the generated masks with the adversarial depth map $d_{adv}$ and use the resulting maps to compute the two losses.

The positioning and perspective of a camera on an autonomous vehicle in relation to another vehicle or target object undergo continuous variation. The images captured and provided to the victim model are taken from various distances, angles, and lighting conditions. Therefore, any modification introduced by an attacker, such as an adversarial patch, must be resilient to these evolving circumstances. To simulate this variability, a range of physical transformations is applied, each representing different conditions that may occur. These transformations include introducing noise, applying random rotations, altering scales, and simulating variations in lighting. The patch transformer is utilized to implement these transformations effectively.

The transformations executed include:

Random Scaling: The patch’s dimensions are randomly adjusted to approximately match its real-world proportions within the scene. Random Rotations: The patch $P$ is subjected to random rotations (up to $\pm 20^{\circ}$) centered around the bounding boxes $B_{i,k}^{U}$. This emulates uncertainties related to patch placement and sizing during printing. Color Space Transformations: Pixel intensity values are manipulated through various color space transformations. These include introducing random noise (within $\pm 0.1$ range), applying random contrast adjustments (within the range $[0.8,1.2]$), and introducing random brightness adjustments (within $\pm 0.1$ range).

The bounding boxes $B_{i,k}^{U}$ generated serve as the foundation for creating a focus mask $M_{f}$, which encompasses the specific region where we intend to modify the predicted depth. Our objective is to extend the region influenced by the patch, going beyond mere pixel overlap. To achieve this, we decompose the depth loss $L_{depth}$ into two distinct terms: $L_{d_{1}}$ and $L_{d_{2}}$. $L_{d_{1}}$ represents the loss incurred by pixels that are overlapped by the patch, while $L_{d_{2}}$ pertains to the loss stemming from pixels that don’t overlap.

To direct the optimization process towards prioritizing the reduction of the non-overlapped pixel loss $L_{d_{2}}$, we employ a squaring operation on the term denoting the disparity between the output depth and the target depth, denoted as $\left|d_{t}-d_{adv}\right|\odot M_{P}$. This utilization of quadratic functions is strategic, as these functions exhibit a slower rate of increase (slope or rate of change), consequently delaying the convergence of overlapped pixel loss in comparison to non-overlapped pixels. The losses are defined as the distance between the predicted depth and the target depth and calculated as follows:

$$L_{d_{1}}=(\left|d_{t}-d_{adv}\right|\odot M_{P})$$

(7)

$$L_{d_{2}}=\left|d_{t}-d_{adv}\right|\odot(M_{f}-M_{P})$$

(8)

$$L_{depth}=L_{d_{1}}^{2}+L_{d_{2}}$$

(9)

We iteratively perform gradient updates on the adversarial patch $(P)$ in the pixel space in a way that optimizes our objective function defined as follows:

$$L_{total}=\alpha L_{depth}+\gamma L_{tv}$$

(10)

$L_{depth}$ is the adversarial depth loss. $L_{tv}$ is the total variation loss on the generated image to encourage smoothness [21]. It is defined as:

$$L_{tv}=\sum_{i,j}\sqrt{(P_{i+1,j}-P_{i,j})^{2}+(P_{i,j+1}-P_{i,j})^{2}}$$

(11)

where the sub-indices $i$ and $j$ refer to the pixel coordinate of the patch $P$. $\alpha$ and $\beta$ are hyper-parameters used to scale the three losses. For our experiments, we set $\alpha=1$ and $\beta=2$. We optimize the total loss using Adam [18] optimizer. We try to minimize the object function $L_{total}$ and optimize the adversarial patch. We freeze all weights and biases in the depth estimator and only update the pixel values of the adversarial patch. The patch is randomly initialized.

To assess the efficacy of our proposed attack, we utilize same metrics as employed in [2]: the mean depth estimation error ($E_{d}$) attributed to the target object, and the ratio of the affected region ($R_{a}$). To compute these metrics, we define the depth prediction of the clean target object as the ground truth.

The mean depth estimation error quantifies the degree to which our proposed patch impacts the accuracy of depth estimation. A higher value in this metric indicates a more effective attack. Similarly, in the ratio of the affected region, a higher value indicates improved attack performance. In contrast to the approach presented in [2], where a patch is trained on a single object situated at a fixed distance from the camera while varying only the background, our approach involves training the patch for diverse distances. This includes objects positioned at various locations relative to the camera, such as close, far, left, right, or center. Initially, the output of the disparity map is normalized within the range of $0$ to $1$, where $0$ signifies the farthest point in the image and $1$ represents the closest point.

The mean depth estimation error was measured using the following metrics:

$$E_{d}=\frac{\sum_{i,j}(\arrowvert d-d_{adv}\arrowvert\odot M_{f})}{\sum_{i,j}{M_{f}}}$$

(12)

The ratio of the affected region is determined by evaluating the percentage of pixels whose depth values have been modified beyond a certain threshold. This evaluation is performed concerning the total number of pixels covered by the focus mask ($M_{f}$). For objects with any alteration in a pixel’s depth value surpassing $0.1$ results in that pixel being considered as affected.

The ratio of the affected region was measured using the following metrics:

$$R_{a}=\frac{\sum_{i,j}\textbf{I}((\arrowvert d-d_{adv}\arrowvert\odot M_{f})>0.1)}{\sum_{i,j}{M_{f}}}$$

(13)

Additionally, we employ the Mean Square Error (MSE) to assess the performance of the model in relation to the predicted output depth map derived from an unperturbed input. The formulation of this metric is provided below.

$$MSE=\frac{1}{N}\sum_{i,j}(d_{adv_{i,j}}-d_{i,j})^{2}$$

(14)

where $N$ is the total number of pixels.

We extend our attack evaluation to include the four MDE models, targeting both classes of objects for each model. Initially, we generate adversarial patches specifically tailored for pedestrians and cyclists. In this phase, the patch scale is maintained at $0.2$ for consistent testing across the different models.

As depicted in Figure 3, our patch exhibits remarkable effectiveness by completely concealing the person. Intuitively, smaller objects are relatively easier to hide or manipulate in terms of their depth. However, achieving this for smaller objects requires smaller patches, which consequently result in a relatively reduced impact.

In the following experiment, we proceed to create an adversarial patch targeting the ”car” class. Utilizing a patch scale of $0.2$, we observe that nearly all objects integrated with the SSAP achieve complete concealment. This outcome remains consistent regardless of the object’s specific characteristics, including factors such as shape, size, and proximity to the camera. The success in concealing various objects corroborates the robustness of our proposed patch.

We quantitatively assess the performance of our patch using the mean square error $MSE$, the mean depth estimation errors, denoted as $E_{d}$, alongside the ratios of the affected regions, designated as $R_{a}$, for the target object across 100 scenes extracted from the KITTI dataset. The presented results are determined by calculating the average values of these metrics, offering a representative result.

As reported in Table II, when our patch targets a Transformer-based model (MIMdepth), it achieves an average alteration of approximately 59%. Considering a scenario set on a highway, where the speed limit stands at 160 km/h, the recommended safe distance extends to 96 meters. When we incorporate our patch, a car positioned 90 meters away is projected to be situated approximately 143.1 meters away. This starkly demonstrates the profound consequences of our devised attack. Additionally, it’s noteworthy that our patch yields an impact on over 99% of the target region. This data underscores the extensive impact our patch has on altering depth perception.

Moreover, even when targeting MIMdepth, a method touted for its enhanced robustness through the incorporation of transformer architecture and masked image modeling (MIM), our adversarial patch continues to exhibit effectiveness, causing a notable depth estimation error of $0.59$. Figure 5 visually demonstrates the influence of our adversarial patch on the depth prediction of the MIMdepth model. For more qualitative results related to this model, please refer to the supplementary material.

We conducted a series of experiments to provide a quantitative comparison between our attack strategy and prior approaches [2] and [1]. To carry out this comparison, we employed the monodepth2 model to evaluate both the depth estimation error and the ratio of the affected region. The results presented in Table II demonstrate that our proposed attack consistently achieves the most substantial alteration in depth estimation and encompasses the largest affected region when compared to the referenced prior works.

To evaluate the effectiveness of the proposed penalized depth loss, we conducted an ablation study utilizing the monodepth2 model as our target monocular depth estimation (MDE) model. We tested various combinations of loss terms and present the results in Table III. Our proposed loss yielded the highest depth estimation error, with a value of $0.55$, compared to $0.24$ for the conventional loss and $0.18$ when utilizing $L_{d_{2}}$ for the depth loss. Furthermore, our approach resulted in the highest ratio of affected regions, with a value of $0.99$, compared to $0.53$ and $0.36$ for the other combinations.

As illustrated in Figure 6, the area affected by the generated patch when using only the $L_{d_{1}}$ depth is limited to the immediate vicinity of the patch itself. This outcome demonstrates a slightly improved performance compared to the patches featured in [1, 2]. Subsequently, we proceed to evaluate the effects of our proposed depth loss outlined in Section II-E. Upon applying this penalized depth loss, the resulting patch effectively conceals the entire object, as confirmed by our experimentation.

We evaluate our attack by targeting the ”car” object class using three distinct patch sizes: $0.1$, $0.2$, and $0.3$. We assess the mean depth error and the ratio of the affected region using the three depth estimation models. Table IV presents the results for the mean depth estimation error. It is noteworthy that there is a noticeable trend where $E_{d}$ consistently increases with the increment in patch size across all target models. This outcome aligns with expectations, as larger patches exert a more pronounced influence on the resulting depth error. Similarly, this trend is echoed in the ratio of affected regions, as depicted in Table V, where larger patches correspond to larger affected regions.