개발로 하는 개발

Depth Adversarial - Digital Adversarial Perturbation vs Physical Adversarial Attack

jiwon152 2024. 3. 13. 13:44

 Depth Adversarial Perturbation: a keyword that turns up more material than the term "adversarial attack on monocular depth estimation". I came across it while reading papers related to adversarial attacks.

 However, the adversarial attacks related to Monodepth fall into two kinds. The first is the Universal attack, the second is the Physical attack.

1. Universal Adversarial Perturbation

- It should be noted that these methods implicitly assume ‘‘digital adversarial attack’’, in which the attacks are implemented by digitally manipulating the pixel values on the input image.
- However, the perturbation patterns usually cover the entire image, which makes it unsuitable to implement them in the real world.
(Adversarial Patch Attacks on Monocular Depth Estimation Networks, IEEE 2020, https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9207958&tag=1)
 

Universal Adversarial Perturbations Against Semantic Image Segmentation, ICCV 2017, https://openaccess.thecvf.com/content_ICCV_2017/papers/Metzen_Universal_Adversarial_Perturbations_ICCV_2017_paper.pdf

While monocular depth prediction networks are indeed vulnerable to these attacks, we want to assure the reader that these perturbations cannot cause harm outside of the academic setting. As mentioned in Sec. 3.1, optimizing for these perturbations is computationally expensive and hence it is infeasible to craft these perturbations in real time. Additionally, they also do not transfer; so, we see little negative implications for real-world applications. However, the fact that they exist implies that there is room for improvement in the way that we learn representations for depth prediction.
Targeted Adversarial Perturbations for Monocular Depth Prediction, NeurIPS 2020
https://proceedings.neurips.cc/paper/2020/file/609e9d4bcc8157c00808993f612f1acd-Paper.pdf

 

2. Physical Adversarial Attacks

- ‘‘physical adversarial attacks’’ that can be implemented in the real world, e.g., by placing printed patterns in a target scene.
- Moreover, as their patches are independent of target scenes, they can be used for ‘‘physical adversarial attacks’’ without prior knowledge of lighting conditions, camera angles, or other objects in the target scene.
(Adversarial Patch Attacks on Monocular Depth Estimation Networks, IEEE 2020, https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9207958&tag=1)

K. Yamanaka et al.: Adversarial Patch Attacks on Monocular Depth Estimation Networks, IEEE 2020. The patch is generated using a targeted method, fitted to a specific target depth.