BadDepth: Backdoor Attacks Against Monocular Depth Estimation in the Physical World

TL;DR

This paper introduces BadDepth, a novel backdoor attack targeting monocular depth estimation models, demonstrating its effectiveness in digital and physical environments and addressing unique challenges posed by depth map outputs.

Contribution

We propose BadDepth, the first backdoor attack specifically designed for MDE models, overcoming label format challenges and enhancing robustness with digital-physical domain adaptation.

Findings

BadDepth successfully manipulates depth predictions in digital environments.

The attack remains effective in physical-world scenarios despite environmental variations.

Extensive experiments validate the attack's robustness across multiple models.

Abstract

In recent years, deep learning-based Monocular Depth Estimation (MDE) models have been widely applied in fields such as autonomous driving and robotics. However, their vulnerability to backdoor attacks remains unexplored. To fill the gap in this area, we conduct a comprehensive investigation of backdoor attacks against MDE models. Typically, existing backdoor attack methods can not be applied to MDE models. This is because the label used in MDE is in the form of a depth map. To address this, we propose BadDepth, the first backdoor attack targeting MDE models. BadDepth overcomes this limitation by selectively manipulating the target object's depth using an image segmentation model and restoring the surrounding areas via depth completion, thereby generating poisoned datasets for object-level backdoor attacks. To improve robustness in physical world scenarios, we further introduce digital-to-physical augmentation to adapt to the domain gap between the physical world and the digital domain. Extensive experiments on multiple models validate the effectiveness of BadDepth in both the digital domain and the physical world, without being affected by environmental factors.