Hardening RGB-D Object Recognition Systems against Adversarial Patch Attacks

TL;DR

This paper investigates why RGB-D object recognition systems are vulnerable to adversarial patches, analyzes their learned representations, and proposes a detection-based defense that enhances robustness more effectively than adversarial training.

Contribution

It provides a technical explanation for RGB-D vulnerability and introduces a novel detection mechanism to improve robustness against adversarial patches.

Findings

Detection mechanism improves robustness against adversarial patches

Defense outperforms adversarial training in effectiveness

RGB-D systems are more sensitive due to complex color feature representations

Abstract

RGB-D object recognition systems improve their predictive performances by fusing color and depth information, outperforming neural network architectures that rely solely on colors. While RGB-D systems are expected to be more robust to adversarial examples than RGB-only systems, they have also been proven to be highly vulnerable. Their robustness is similar even when the adversarial examples are generated by altering only the original images' colors. Different works highlighted the vulnerability of RGB-D systems; however, there is a lacking of technical explanations for this weakness. Hence, in our work, we bridge this gap by investigating the learned deep representation of RGB-D systems, discovering that color features make the function learned by the network more complex and, thus, more sensitive to small perturbations. To mitigate this problem, we propose a defense based on a detection mechanism that makes RGB-D systems more robust against adversarial examples. We empirically show that this defense improves the performances of RGB-D systems against adversarial examples even when they are computed ad-hoc to circumvent this detection mechanism, and that is also more effective than adversarial training.