4 authors, including:
Gregory Epiphaniou
University of Bedfordshire
All content following this page was uploaded by Saurav Sthapit on 22 March 2022.
Figure 1. Attack surface on the machine learning pipeline in the context of Pose estimation of an object in the space scenario,
influenced by [2]
method [7] proposes to generate adversarial examples by harnessing the power of generative models including GAN [38]. Other notable adversarial attack methods are DeepFool [5], C&W [4], and JSMA. Since this paper focuses on regression tasks, analysing the impact of existing adversarial attack methods on estimating the pose of an object, methods that rely on the features, parameters and architecture of classification tasks (e.g. the decision boundary and the Softmax function), such as DeepFool, C&W and JSMA, are not suitable [11]. Therefore, we select only those methods that can generate adversaries on regression models; they are discussed below:

• Iterative FGSM (IT-FGSM) [39]: This method is a modified version of FGSM, which calculates the gradient of the cost function with respect to the input of the neural network. While FGSM adds the sign of the loss gradient with respect to each pixel to the original images [1], IT-FGSM applies the targeted FGSM iteratively to get more robust adversarial examples to train the model [40], [39].

• Optimisation-based Method (OM) [8]: As its name suggests, this attack method is based on an optimisation model similar to the L-BFGS method proposed by Szegedy et al. [8]. This approach computes a perturbation by solving the optimisation problem on a classification task [8], as shown below:

$$\arg\min_{x'} \|x'\|_2 \quad \text{s.t.} \quad f(x + x') = c', \; (x + x') \in [0, 1]^m \tag{1}$$

where x' is a perturbation and f(...) is a loss function. Since Equation (1) is used for the classification task, we needed to adapt it to fit our purpose for a regression model. To do so, we change c' to f(x) + ∆, which adapts Equation (1) to Equation (2) [11].

$$\arg\min_{x'} \|\;\;\|_2 + J_\theta(\mathrm{Clip}(x + \;\;),\, f(x) + \Delta) \tag{2}$$

• Adversarial GAN (AdvGAN) [11]: This method utilises a GAN to generate adversarial examples, where an adversarial example is generated from an original object by modifying the objective function. When a regression model finishes training, the generator G of the GAN-based AdvGAN generates an adversarial example that is imperceptible to humans, as it may look similar to the original object; however, the ML model will predict an incorrect output that deviates slightly, by ∆, from the original point.

Adversarial defences on pose estimation in the space

To increase the robustness of machine learning models, specifically against adversarial attacks, various defensive mechanisms have been proposed over the years, for instance adversarial training, defensive distillation [9], the adversarial transformation method [41], magNet [10], and deepcloak [42]. However, similar to adversarial attacks, most of the existing defensive methods are suitable for classification tasks only. For example, an adversarial transformation method relies on rotating input images to reduce the adversarial attack; however, rotation in the pose estimation of a spacecraft in space can misplace the spacecraft and cause prediction error. In this paper, we select adversarial training [1] and feature squeezing [43] as defensive strategies. We discuss each defensive method below:

• Adversarial Training: This method generates adversarial examples and combines these perturbed data into the training set to make the ML model robust and generalised. The primary objective of adversarial training is to increase model robustness by injecting adversarial examples into the training set [1], [8]. The augmentation can be done by feeding the model with both the original data and the crafted data [40]. Some of the adversarial training techniques are FGSM adversarial training [1], Basic Iterative Method (BIM) adversarial training, and GAN [38]. Although augmenting with such adversarial examples can increase the size of the training data [3], this strategy has the benefit of serving not only as a defence mechanism against adversarial attacks but also of reducing overfitting [1] and regularising the learning network [44].

• Feature Squeezing: For adversarial defence, Xu et al. [43] proposed two feature squeezing methods, where the first method squeezes the original 24-bit colour down to 1-bit to 8-bit colour. By doing so, adversarial noise becomes more perceptible as the bit depth decreases. The second method adopts median spatial smoothing, which moves a filter across an original image and modifies the centre pixel value to the median of the pixel values in the filter. To generate adversarial examples, a comparison between a predefined threshold and the difference between the prediction result of an original image and a squeezed image is performed. Then, if the difference between the prediction results is higher than the predefined threshold, the adversarial examples are generated. In this study, we implement 4-bit image depth reduction and 2 x 2 median smoothing because they perform best as shown in [43]. We use the threshold of 0.01 to explore the performance of feature squeezing.

4. EXPERIMENT

In this section, we discuss our empirical study for adversarial attacks and defences in the networks for estimating the pose of space objects. First, we briefly introduce the adopted dataset for our experiment, followed by the explanation of the ML architecture and parameter settings of the proposed model. Then we discuss evaluation metrics and present the results.
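The feature-squeezing comparison described above (4-bit depth reduction, 2 x 2 median smoothing, threshold 0.01 on the change in the regression output) can be sketched as follows. This is an added example, not code from the paper: `predict_x` is a hypothetical centroid-based stand-in for the ResNet-50 regressor, the two frames are constructed samples, and taking the maximum score over the two squeezers is an assumption.

```python
import numpy as np

DETECTION_THRESHOLD = 0.01  # feature-squeezing threshold stated on the page


def reduce_bit_depth(img, bits=4):
    """Quantise an image with values in [0, 1] to 2**bits grey levels."""
    levels = 2 ** bits - 1
    return np.round(img * levels) / levels


def median_smooth_2x2(img):
    """2 x 2 median filter (window anchored top-left, edges replicated)."""
    p = np.pad(img, ((0, 1), (0, 1)), mode="edge")
    windows = np.stack([p[:-1, :-1], p[:-1, 1:], p[1:, :-1], p[1:, 1:]])
    return np.median(windows, axis=0)


def predict_x(img):
    """Hypothetical stand-in regressor: intensity-weighted x centroid in [0, 1]."""
    cols = np.arange(img.shape[1])
    centroid = (img.sum(axis=0) * cols).sum() / img.sum()
    return float(centroid / (img.shape[1] - 1))


def squeeze_scores(img, model=predict_x):
    """Absolute change of the predicted x location under each squeezer."""
    base = model(img)
    return {
        "bit_depth": abs(base - model(reduce_bit_depth(img))),
        "median": abs(base - model(median_smooth_2x2(img))),
    }


def is_adversarial(img, model=predict_x, threshold=DETECTION_THRESHOLD):
    """Flag the input when any squeezer moves the prediction past the threshold."""
    return max(squeeze_scores(img, model).values()) > threshold


def make_clean(size=128):
    """Constructed sample: dark frame with one bright 8 x 8 target."""
    img = np.zeros((size, size))
    img[60:68, 20:28] = 1.0
    return img


def make_perturbed(size=128, eps=0.03):
    """Constructed sample: the clean frame plus faint noise over the right half."""
    img = make_clean(size)
    img[:, size // 2:] += eps
    return np.clip(img, 0.0, 1.0)


if __name__ == "__main__":
    for name, img in (("clean", make_clean()), ("perturbed", make_perturbed())):
        print(name, round(predict_x(img), 4), squeeze_scores(img), is_adversarial(img))
```

On the clean frame the median squeezer alone moves the estimate by half a pixel (0.5/127, about 0.004), the kind of position bias the text warns input transformations can introduce in pose estimation, so the detection threshold has to stay above that floor. The perturbed frame is caught only by the bit-depth squeezer, which is why both squeezers are scored.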
Dataset

The dataset used for our experiment is from a pose estimation challenge organised by the Advanced Concepts Team (ACT) of the European Space Agency and the Space Rendezvous Laboratory (SLAB) of Stanford University [45]. The dataset contains 12k synthetic satellite images for training, where images are 8-bit monochrome in JPEG format with a resolution of 1920 × 1200 pixels, while 2,998 similarly formatted synthetic images are available for evaluation. The other data contain 300 real images of the Tango satellite mock-up, with a resolution of 1920 × 1200 pixels, 8-bit monochrome in JPEG format, and five real images with pose labels in the same image format as mentioned earlier. For each image, the dataset also contains the pose of the satellite, describing the location and the orientation of the satellite. Using this ground truth, supervised ML models can be trained.

Pose Estimation Model

As our use case, we use a regression-based model for estimating the pose of satellites. We build our model based on the ResNet-50 network [46] published by [13] as the vanilla network. The ResNet network adopts a highly robust neural network architecture that is widely used in transfer learning for classification tasks. However, for a regression task estimating the pose of a space object (e.g., satellite, debris), it needs to predict the pose. For this, the last layer (i.e. the softmax layer) of the network is replaced with a fully-connected layer to predict a seven-dimensional vector of position and orientation of the object. The fully connected layer was designed to output a seven-dimensional pose vector representing three-dimensional position and four-dimensional quaternion for orientation, and is presented as a regression layer. Due to this layer, our model can perform the regression-based task of estimating the pose of an object. For training, we set the image size as 224 × 224. This modified model is then trained on the dataset discussed above.

Model Parameters

Even though estimating pose is an imperative and fundamental task for many space-related tasks such as docking, landing, and debris removal in space, not all of the tasks require the same amount of precision in the pose, so the threshold will not be the same. Therefore, we used a range of thresholds from 0.1 to 0.4 for our empirical study to analyse different impacts. We hypothesise that if there is a higher attack accuracy with a small length of threshold, then such an attack method is considered to be stronger, since the larger the length of the adversary threshold, the more identifiable it is.

The adversarial attack on the pose estimation network can consist of the deviation of the pose in any or all of the seven-dimensional output of the network. However, it is harder to study the results when all the outputs are modified. So, in this work, we focus on modifying only one location dimension, that is, the x location of the spacecraft. However, the work is generalised and can be applied to other outputs of the network as well in a similar fashion. In terms of adversarial attack methods, for IT-FGSM, we use the perturbation parameter = 0.01 and the iteration number equal to 20, while for the Optimisation-based method and AdvGAN, we use the ADAM optimiser with a learning rate equal to 0.001. Additionally, we conducted our experiments in white-box settings, where we considered all three attacks to have full knowledge of the pose estimation model.

Evaluation metric

To measure the performance of our adversarial attacks and defensive methods, we use the attack success rate. In the case of an adversarial attack, if the attack success rate is high then the attacking method has performed well. However, in the case of defence, if the attack success rate is low then the defensive method has performed well. An attack is considered successful if the deviation of the pose of the space object is greater than the adversarial threshold. The attack success rate is then computed as the ratio of the number of successful attacks to the total number of attacks attempted.

5. RESULTS

In this section, we present empirical results of three adversarial attacks and two defence methods on the proposed pose estimation model. We show the attack success rate obtained from three different adversarial attack methods on the ResNet-50 based pose estimation model in Table 1. We consider the attack to be successful if the attacker is able to modify the output by more than the adversarial threshold. When the adversarial threshold is 0.1, the optimisation-based (OM) method achieves a 100% success rate; however, the FGSM-based IT-FGSM method and the GAN-based AdvGAN method obtained 91% and 90% respectively. Likewise, when the threshold increased to 0.2, the highest attack success rate among the three attack methods is 98.9%, achieved by OM, while the other methods achieve less than 80%. The relation between the increment of the threshold and the attack success rate is that when the threshold increases the success rate decreases. This is expected, as it becomes harder to change the pose by a large factor. Among the three, the decrement of the success rate on the OM method is much lower (less than 20%) compared to the other methods. For example, the highest success rate of IT-FGSM is 91.4% when the threshold is 0.1 and the lowest success rate is 45.13% when the threshold is 0.4, which shows the difference is more than 50%. The same trend is observed for the AdvGAN attack method as well. This shows that the Optimisation-based method is the best of the three methods for applying an adversarial attack on the pose estimation model of a space object. While the optimisation-based method (OM) utilises the Adam optimiser to search for adversarial perturbations using multiple iterations, IT-FGSM only perturbs pixels in an image by simply adding the sign of the gradients. On the other hand, to generate adversarial perturbations, AdvGAN learns intrinsic features that can influence the position and orientation of the space object. The results obtained at different threshold values for the three attack methods are shown in Figure 2.

Adversarial Threshold   IT-FGSM   AdvGAN   OM
0.1                     91.46     90       100
0.2                     75.21     72.58    98.96
0.3                     59.23     55.53    95.79
0.4                     45.13     42.39    90.5

Table 1. Attack success rate of three adversarial attacks on the proposed ResNet-50 based pose estimation model

Tables 2 and 3 show the attack success rate of each attack method when defended by the adversarial training and feature squeezing methods respectively. In Table 2, the attack success rates of all three selected adversarial attack methods are still quite high even after augmenting the adversarial examples in the training set of the proposed model. When the adversarial threshold increases from 0.1 to 0.2 the attack
6. DISCUSSION AND CONCLUSION

In this paper, we explored the notion of adversarial attacks and defences on a space application that is dependent on machine learning. As machine learning is increasingly being used in space applications and access to space has gathered pace in recent times, we believe it is extremely important for space applications to be ready for advanced adversarial attacks when they occur. In particular, the life-cycle of a typical satellite includes years of operation in orbit, and it is harder to issue software patches compared to terrestrial applications.

We studied the impact of such an attack on a general deep CNN model that predicts the pose of the satellite. We analysed various adversarial attacks and defences on estimating the pose of an object in space. However, the algorithms described in this paper can be generalised to other works as well. We selected three adversarial attacks and two defensive mechanisms on a pose estimation model.

REFERENCES

[1] I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” CoRR, vol. abs/1412.6572, 2015.
[2] N. Papernot, P. Mcdaniel, A. Sinha, and M. P. Wellman, “Towards the science of security and privacy in machine learning,” ArXiv, vol. abs/1611.03814, 2016.
[3] N. Akhtar, J. Liu, and A. Mian, “Defense against universal adversarial perturbations,” in 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2018, pp. 3389–3398.
[4] N. Carlini and D. Wagner, “Towards evaluating the robustness of neural networks,” in 2017 IEEE Symposium on Security and Privacy (SP). Los Alamitos, CA, USA: IEEE Computer Society, may 2017, pp. 39–57. [Online]. Available: https://doi.ieeecomputersociety.org/10.1109/SP.2017.49
[5] S. Moosavi-Dezfooli, A. Fawzi, and P. Frossard, “Deepfool: A simple and accurate method to fool deep neural networks,” in 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Los Alamitos, CA, USA: IEEE Computer Society, jun 2016, pp. 2574–2582. [Online]. Available: https://doi.ieeecomputersociety.org/10.1109/CVPR.2016.282
[6] C. Xiao, B. Li, J.-Y. Zhu, W. He, M. Liu, and D. Song, “Generating adversarial examples with adversarial networks,” in Proceedings of the 27th International Joint Conference on Artificial Intelligence, ser. IJCAI’18. AAAI Press, 2018, p. 3905–3911.
[7] O. Poursaeed, I. Katsman, B. Gao, and S. Belongie, “Generative adversarial perturbations,” in 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2018, pp. 4422–4431.
[8] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. J. Goodfellow, and R. Fergus, “Intriguing properties of neural networks,” in 2nd International Conference on Learning Representations, ICLR 2014, Banff, AB, Canada, April 14-16, 2014, Conference Track Proceedings, Y. Bengio and Y. LeCun, Eds., 2014. [Online]. Available: http://arxiv.org/abs/1312.6199
[9] N. Papernot, P. McDaniel, X. Wu, S. Jha, and A. Swami, “Distillation as a defense to adversarial perturbations against deep neural networks,” in 2016 IEEE Symposium on Security and Privacy (SP). Los Alamitos, CA, USA: IEEE Computer Society, may 2016, pp. 582–597. [Online]. Available: https://doi.ieeecomputersociety.org/10.1109/SP.2016.41
[10] D. Meng and H. Chen, “Magnet: A two-pronged defense against adversarial examples,” in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’17. New York, NY, USA: Association for Computing Machinery, 2017, p. 135–147. [Online]. Available: https://doi.org/10.1145/3133956.3134057
[11] Y. Deng, X. Zheng, T. Zhang, C. Chen, G. Lou, and M. Kim, “An analysis of adversarial attacks and defenses on autonomous driving models,” in 2020 IEEE International Conference on Pervasive Computing and Communications (PerCom), 2020, pp. 1–10.
[12] Mar 2021. [Online]. Available: https://www.esa.int/Enabling Support/Preparing for the Future/Discovery and Preparation/Artificial intelligence in space
[13] A. R. Shehzeen Hussain, Chinmayee Bhanu and S. Kondur. (2019) Satellite pose estimation using convolutional neural networks. [Online]. Available: http://noiselab.ucsd.edu/ECE228 2019/Reports/Report23.pdf
[14] A. Cropp, “Pose estimation and relative orbit determination of a nearby target microsatellite using passive imagery.” Ph.D. dissertation, University of Surrey (United Kingdom)., 2001.
[15] K. Kanani, A. Petit, E. Marchand, T. Chabot, and B. Gerber, “Vision based navigation for debris removal missions,” Proceedings of the International Astronautical Congress, IAC, vol. 4, 01 2012.
[16] S. Sharma and S. D’Amico, “Comparative assessment of techniques for initial pose estimation using monocular vision,” Acta Astronautica, vol. 123, pp. 435–445, 2016, special Section: Selected Papers from the International Workshop on Satellite Constellations and Formation Flying 2015.
[17] M. Benn, “Vision based navigation sensors for spacecraft rendezvous and docking,” Ph.D. dissertation, 2011.
[18] A. Petit, E. Marchand, and K. Kanani, “Vision-based Detection and Tracking for Space Navigation in a Rendezvous Context,” in Int. Symp. on Artificial Intelligence, Robotics and Automation in Space, i-SAIRAS, Turin, Italy, 2012. [Online]. Available: https://hal.inria.fr/hal-00750606
[19] S. D’Amico, M. Benn, and J. L. Jørgensen, “Pose estimation of an uncooperative spacecraft from actual space imagery,” International Journal of Space Science and Engineering, vol. 2, no. 2, pp. 171–189, 2014, pMID: 60600.
[20] S. Sharma, J. Ventura, and S. D’Amico, “Robust Model-Based Monocular Pose Initialization for Noncooperative Spacecraft Rendezvous,” Journal of Spacecraft and Rockets, vol. 55, no. 6, pp. 1414–1429, Nov. 2018.
[21] H. Shehzeen, B. Chinmayee, R. Arunkumar, and K. Sneha, “Robust Model-Based Monocular Pose Initialization for Noncooperative Spacecraft Rendezvous,” Journal of Spacecraft and Rockets, vol. 55, no. 6, pp. 1414–1429, Nov. 2018.
[22] H. Sharma, J. Park, D. Mahajan, E. Amaro, J. K. Kim, C. Shao, A. Mishra, and H. Esmaeilzadeh, “From high-level deep neural models to fpgas,” in 2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO), 2016, pp. 1–12.
[23] S. Sharma, C. Beierle, and S. D’Amico, “Pose estimation for non-cooperative spacecraft rendezvous using convolutional neural networks,” in 2018 IEEE Aerospace Conference, 2018, pp. 1–12.
[24] H. Su, C. R. Qi, Y. Li, and L. J. Guibas, “Render for cnn: Viewpoint estimation in images using cnns trained with rendered 3d model views,” in 2015 IEEE International Conference on Computer Vision (ICCV), 2015, pp. 2686–2694.
[25] S. Mahendran, H. Ali, and R. Vidal, “3d pose regression using convolutional neural networks,” in 2017 IEEE Conference on Computer Vision and Pattern Recognition Workshops (CVPRW), 2017, pp. 494–495.
[26] A. Kendall, M. Grimes, and R. Cipolla, “Convolutional networks for real-time 6-dof camera relocalization,” CoRR, vol. abs/1505.07427, 2015. [Online]. Available: http://arxiv.org/abs/1505.07427
[27] Y. Xiang, T. Schmidt, V. Narayanan, and D. Fox, “Posecnn: A convolutional neural network for 6d object pose estimation in cluttered scenes,” CoRR, vol. abs/1711.00199, 2017. [Online]. Available: http://arxiv.org/abs/1711.00199
[28] T. Phisannupawong, P. Kamsing, P. Torteeka, S. Channumsin, U. Sawangwit, W. Hematulin, T. Jarawan, T. Somjit, S. Yooyen, D. Delahaye, and P. Boonsrimuang, “Vision-based spacecraft pose estimation via a deep convolutional neural network for noncooperative docking operations,” Aerospace, vol. 7, no. 9, 2020. [Online]. Available: https://www.mdpi.com/2226-4310/7/9/126
[29] X. Yuan, P. He, Q. Zhu, and X. Li, “Adversarial examples: Attacks and defenses for deep learning,” IEEE Transactions on Neural Networks and Learning Systems, vol. 30, no. 9, pp. 2805–2824, 2019.
[30] N. Papernot, P. Mcdaniel, I. Goodfellow, S. Jha, Z. B. Celik, and A. Swami, “Practical black-box attacks against machine learning,” Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, 2017.
[31] B. Biggio, B. Nelson, and P. Laskov, “Support vector machines under adversarial label noise,” in Proceedings of the Asian Conference on Machine Learning, ser. Proceedings of Machine Learning Research, C.-N. Hsu and W. S. Lee, Eds., vol. 20. South Garden Hotels and Resorts, Taoyuan, Taiwan: PMLR, 14–15 Nov 2011, pp. 97–112. [Online]. Available: http://proceedings.mlr.press/v20/biggio11.html
[32] Z. Yan, Y. Guo, and C. Zhang, “Deep defense: Training dnns with improved adversarial robustness,” in Proceedings of the 32nd International Conference on Neural Information Processing Systems, ser. NIPS’18. Red Hook, NY, USA: Curran Associates Inc., 2018, p. 417–426.
[33] N. Das, M. Shanbhogue, S.-T. Chen, F. Hohman, L. Chen, M. E. Kounavis, and D. H. Chau, “Keeping the bad guys out: Protecting and vaccinating deep learning with jpeg compression,” 2017.
[34] N. Das, M. Shanbhogue, S.-T. Chen, F. Hohman, S. Li, L. Chen, M. E. Kounavis, and D. H. Chau, “Shield: Fast, practical defense and vaccination for deep learning using jpeg compression,” in Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, ser. KDD ’18. New York, NY, USA: Association for Computing Machinery, 2018, p. 196–204. [Online]. Available: https://doi.org/10.1145/3219819.3219910
[35] D. Sgandurra, L. Muñoz-González, R. Mohsen, and E. C. Lupu, “Automated dynamic analysis of ransomware: Benefits, limitations and use for detection,” 2016.
[36] H. Kannan, A. Kurakin, and I. J. Goodfellow, “Adversarial logit pairing,” CoRR, vol. abs/1803.06373, 2018. [Online]. Available: http://arxiv.org/abs/1803.06373
[37] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, “Towards deep learning models resistant to adversarial attacks,” in 6th International Conference on Learning Representations, ICLR 2018 - Conference Track Proceedings, 2018.
[38] I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio, “Generative adversarial networks,” Commun. ACM, vol. 63, no. 11, p. 139–144, oct 2020. [Online]. Available: https://doi.org/10.1145/3422622
[39] H. Ren and T. Huang, “Adversarial example attacks in the physical world,” in Machine Learning for Cyber Security, X. Chen, H. Yan, Q. Yan, and X. Zhang, Eds. Cham: Springer International Publishing, 2020, pp. 572–582.
[40] A. Kurakin, I. J. Goodfellow, and S. Bengio, “Adversarial machine learning at scale,” CoRR, vol. abs/1611.01236, 2016. [Online]. Available: http://arxiv.org/abs/1611.01236
[41] C. Guo, M. Rana, M. Cisse, and L. van der Maaten, “Countering adversarial images using input transformations,” 2018.
[42] J. Gao, B. Wang, and Y. Qi, “Deepcloak: Masking DNN models for robustness against adversarial samples,” CoRR, vol. abs/1702.06763, 2017. [Online]. Available: http://arxiv.org/abs/1702.06763
[43] W. Xu, D. Evans, and Y. Qi, “Feature squeezing: Detecting adversarial examples in deep neural networks,” Proceedings 2018 Network and Distributed System Security Symposium, 2018. [Online]. Available: http://dx.doi.org/10.14722/ndss.2018.23198
[44] S. Sankaranarayanan, A. Jain, R. Chellappa, and S.-N. Lim, “Regularizing deep networks using efficient layerwise adversarial training,” in AAAI, 2018.
[45] A. C. T. A. of the European Space Agency. (2019) Pose estimation challenge. [Online]. Available: https://kelvins.esa.int/satellite-pose-estimation-challenge/
[46] K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning for image recognition,” in 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2016, pp. 770–778.
BIOGRAPHY

Anita Khadka received her MSc. in Intelligent systems and Robotics from University of Essex and Ph.D in Computer Science from The Open university. She is currently a Research Fellow working in the area of Machine learning and their security in inherently complex domain like Nuclear and Space industries in University of Warwick. Her research interests include Machine learning, Resilient machine learning, and Data Science.

private organisations. Professor Maple is a past Chair of the Council of Professors and Heads of Computing in the UK, a member of the Zenzic Strategic Advisory Board, a member of the IoTSF Executive Steering Board, an executive committee member of the EPSRC RAS Network and a member of the UK Computing Research Committee, the ENISA CarSEC expert group, the Interpol Car Cybercrime Expert group and Europol European Cybercrime Centre.