Consistent Attack: Universal Adversarial Perturbation on Embodied Vision Navigation

TL;DR

This paper introduces a novel universal adversarial perturbation method tailored for embodied vision navigation, demonstrating significant performance drops in various models and highlighting security risks in real-world applications.

Contribution

It formulates the disturbed environment as a $elta$-MDP and proposes two new attack methods, Reward UAP and Trajectory UAP, considering system dynamics for more effective attacks.

Findings

Universal attacks cause significant performance drops.

Proposed methods outperform existing UAP approaches.

Highlighting security vulnerabilities in embodied vision navigation.

Abstract

Embodied agents in vision navigation coupled with deep neural networks have attracted increasing attention. However, deep neural networks have been shown vulnerable to malicious adversarial noises, which may potentially cause catastrophic failures in Embodied Vision Navigation. Among different adversarial noises, universal adversarial perturbations (UAP), i.e., a constant image-agnostic perturbation applied on every input frame of the agent, play a critical role in Embodied Vision Navigation since they are computation-efficient and application-practical during the attack. However, existing UAP methods ignore the system dynamics of Embodied Vision Navigation and might be sub-optimal. In order to extend UAP to the sequential decision setting, we formulate the disturbed environment under the universal noise $\delta$, as a $\delta$-disturbed Markov Decision Process ($\delta$-MDP). Based on the formulation, we analyze the properties of $\delta$-MDP and propose two novel Consistent Attack methods, named Reward UAP and Trajectory UAP, for attacking Embodied agents, which consider the dynamic of the MDP and calculate universal noises by estimating the disturbed distribution and the disturbed Q function. For various victim models, our Consistent Attack can cause a significant drop in their performance in the PointGoal task in Habitat with different datasets and different scenes. Extensive experimental results indicate that there exist serious potential risks for applying Embodied Vision Navigation methods to the real world.