RPAU: Fooling the Eyes of UAVs via Physical Adversarial Patches

Recently, Unmanned Aerial Vehicles (UAVs) deployed with deep learning models have been widely applied both in civil and military. However, the vulnerability of the deployed model to adversarial attacks has raised security concerns. Previous studies have mainly explored adversarial attacks in the dig...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on intelligent transportation systems 2024-03, Vol.25 (3), p.1-13
Main Authors: Liu, Taifeng, Yang, Chao, Liu, Xinjing, Han, Ruidong, Ma, Jianfeng
Format: Article
Language:English
Subjects:
adversarial attack
Autonomous aerial vehicles
autonomous system
Cameras
Deep learning
Flight safety
Navigation
obstacle avoidance
Perturbation
Perturbation methods
Security
Target tracking
Unmanned aerial vehicle
Unmanned aerial vehicles
Yaw
Citations: Items that this one cites
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Recently, Unmanned Aerial Vehicles (UAVs) deployed with deep learning models have been widely applied both in civil and military. However, the vulnerability of the deployed model to adversarial attacks has raised security concerns. Previous studies have mainly explored adversarial attacks in the digital domain. While physical attacks have posed a more serious threat to UAVs. In this paper, we have explored a novel Robust Physical Attack against UAVs named, which directly threatens the flight safety of UAVs. Specifically, three attacks are proposed in : Hiding Attack (HA), Yaw Attack (YA), and Obstacle Attack (OA). To launch the attacks, we overcome three domain-design challenges, including continuous perturbation, digital-physical domain gap, and optimum perturbation generation. For continuous perturbation, we have introduced a nested patch that realizes attacks at any distance. Further, a series of transformations are considered to narrow the gap between the digital and physical domains. Then, we proposed a time-dependent mechanism for generating optimum perturbation. We conducted comprehensive experiments in the digital domain, simulation environment, and physical domain. The experimental results validate the robustness of the proposed framework. In the digital domain, outperforms the baseline by 54.9\% average attack success rate (ASR). More importantly, is still effective in both the simulation environment and the physical domain, achieving an average ASR of 100\% .
ISSN:1524-9050
1558-0016
DOI:10.1109/TITS.2023.3317054