Malicious Path Manipulations via Exploitation of Representation Vulnerabilities of Vision-Language Navigation Systems

TL;DR

This paper reveals vulnerabilities in vision-language navigation systems where images can be subtly manipulated to mislead robots, and proposes detection methods to identify such malicious modifications.

Contribution

It introduces a gradient-based method to craft imperceptible image modifications that alter robot navigation routes and develops an algorithm to reliably detect these adversarial images.

Findings

Adversarial image modifications can drastically change robot navigation routes.

Modified images exhibit higher sensitivity to Gaussian noise.

Detection algorithm effectively identifies malicious image alterations.

Abstract

Building on the unprecedented capabilities of large language models for command understanding and zero-shot recognition of multi-modal vision-language transformers, visual language navigation (VLN) has emerged as an effective way to address multiple fundamental challenges toward a natural language interface to robot navigation. However, such vision-language models are inherently vulnerable due to the lack of semantic meaning of the underlying embedding space. Using a recently developed gradient based optimization procedure, we demonstrate that images can be modified imperceptibly to match the representation of totally different images and unrelated texts for a vision-language model. Building on this, we develop algorithms that can adversarially modify a minimal number of images so that the robot will follow a route of choice for commands that require a number of landmarks. We demonstrate that experimentally using a recently proposed VLN system; for a given navigation command, a robot can be made to follow drastically different routes. We also develop an efficient algorithm to detect such malicious modifications reliably based on the fact that the adversarially modified images have much higher sensitivity to added Gaussian noise than the original images.