BadPart: Unified Black-box Adversarial Patch Attacks against Pixel-wise Regression Tasks
Zhiyuan Cheng, Zhaoyi Liu, Tengda Guo, Shiwei Feng, Dongfang Liu, Mingjie Tang, Xiangyu Zhang

TL;DR
This paper introduces BadPart, a novel black-box adversarial patch attack framework targeting pixel-wise regression tasks like depth and optical flow estimation, revealing significant vulnerabilities in these models.
Contribution
The work presents the first unified black-box adversarial patch attack method for pixel-wise regression, using probabilistic square sampling and score-based gradient estimation to improve efficiency and scalability.
Findings
BadPart outperforms baseline attacks in effectiveness and efficiency.
Applied to Google portrait depth estimation, BadPart causes 43.5% error with 50K queries.
State-of-the-art defenses are ineffective against BadPart.
Abstract
Pixel-wise regression tasks (e.g., monocular depth estimation (MDE) and optical flow estimation (OFE)) have been widely involved in our daily life in applications like autonomous driving, augmented reality and video composition. Although certain applications are security-critical or bear societal significance, the adversarial robustness of such models is not sufficiently studied, especially in the black-box scenario. In this work, we introduce the first unified black-box adversarial patch attack framework against pixel-wise regression tasks, aiming to identify the vulnerabilities of these models under query-based black-box attacks. We propose a novel square-based adversarial patch optimization framework and employ probabilistic square sampling and score-based gradient estimation techniques to generate the patch effectively and efficiently, overcoming the scalability problem of previous…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Integrated Circuits and Semiconductor Failure Analysis
