See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/359394083

Resilient Machine Learning in Space Systems: Pose Estimation as a Case Study

Conference Paper · March 2022

DOI: 10.1109/AERO53065.2022.9843671

CITATIONS READS
0 76

4 authors, including:

Saurav Sthapit Anita Khadka

The University of Warwick The University of Warwick
20 PUBLICATIONS   69 CITATIONS    6 PUBLICATIONS   21 CITATIONS   

SEE PROFILE SEE PROFILE

Gregory Epiphaniou
University of Bedfordshire
83 PUBLICATIONS   988 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Computational load balancing in distributed sensor network View project

The 5th International Conference on Future Networks & Distributed Systems View project

All content following this page was uploaded by Saurav Sthapit on 22 March 2022.

The user has requested enhancement of the downloaded file.

 Resilient Machine Learning in Space Systems: Pose
Estimation as a Case Study
Anita Khadka
Secure Cyber Systems Research Group (SCSRG)
Warwick Manufacturing Group
University of Warwick
anita.khadka@warwick.ac.uk
Gregory Epiphaniou
Secure Cyber Systems Research Group (SCSRG)
Warwick Manufacturing Group
University of Warwick
gregory.epiphaniou@warwick.ac.uk
Abstract—The space industry is rapidly growing at present and
is not limited to the traditional players like The National Aero-
nautics and Space Administration (NASA) and European Space
Agency (ESA), and it has spread to medium and small commer-
cial organisations as well. The advancement in both hardware
and software technologies is leading to the industry players’
expansion. In parallel, the adoption of Artificial Intelligence
(AI) and Machine Learning (ML) have been surging in the space
industry. There are diverse applications in the space sectors that
ML may be applied, such as assisting astronauts, debris removal
in the orbit etc. However, several studies have shown that ML
specifically deep learning methods are vulnerable to adversarial
attacks. However, vulnerabilities are studied mainly on the
classification tasks, only a few studies have been carried out
on identifying the adversarial attacks on the regression models
such as pose estimation. This paper, undertaken as part of
the UK FAIR-SPACE Hub, aims to identify adversarial actions
against learning methods and their impact in the space domain
where pose estimation of a space object is taken as an exem-
plar. The importance of pose estimation and the consequences
of undesired activity while computing pose estimation can be
expensive. For example, estimating a wrong pose during the
docking of a spacecraft can result in a collision and damage the
assets. In this work, we first analyse the impact of adversarial
attacks in the space for estimating pose using various adversar-
ial machine learning techniques. We then present the possible
implications of existing and emerging defensive strategies for
building resilient machine learning for pose estimation. The
results show that the optimised based attack method performs
well compared to the Iterative Fast Gradient Simple Method
(IT-FGSM) and Generative Adversarial Network (GAN) based
AdvGAN methods to generate adversarial examples. In terms
of defensive strategies, ML model is vulnerable and still work
needs to be done to make them robust against adversarial
attacks. The results of this work showcase potential attacks on
current and future ML based space missions and the necessity to
make them resilient. We believe incorporating resilient methods
in the design phase may save time, economy, and potential
embarrassment caused by mission failure.
TABLE OF C ONTENTS
1. I NTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2. BACKGROUND AND R ELATED W ORK . . . . . . . . . . . .
3. M ETHODOLOGY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4. E XPERIMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5. R ESULTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6. D ISCUSSION AND C ONCLUSION . . . . . . . . . . . . . . . . . .
978-1-6654-3760-8/22/$31.00 ©2022 IEEE
Saurav Sthapit
Secure Cyber Systems Research Group (SCSRG)
Warwick Manufacturing Group
University of Warwick
saurav.sthapit@warwick.ac.uk
Carsten Maple
Secure Cyber Systems Research Group (SCSRG)
Warwick Manufacturing Group
University of Warwick
cm@warwick.ac.uk
7. ACKNOWLEDGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
R EFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
B IOGRAPHY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1. I NTRODUCTION
The space industry is undergoing a huge and rapid transfor-
mation as it embraces the NewSpace agenda. The role of
commercial organisations, such as SpaceX and Blue Origin,
is expanding the sector and adding to the capability of its tra-
ditional players such as the National Aeronautics and Space
Administration (NASA) and European Space Agency (ESA);
this expansion is expected to continue. At the same time,
advances in AI and ML models have been significant. Within
the space sector, ML is deployed in a range of tasks including
assisting astronauts, planning missions, debris recovery from
the orbit and navigation systems. Additionally, there are
many opportunities for further application of ML in the
sector. For example, applying ML for control applications in
a complex area such as space is economically cheaper and
safer than sending a human in space. While the potential
benefit of applying ML techniques is high, their susceptibility
to adversarial attacks has been recognised. Research on
adversarial attacks has shown that even a small perturbation
in the input data can force a model to provide wrong outputs.
On the earth’s surface, such vulnerabilities may be addressed
promptly and be patched with updates or fixed in the newer
version of the software. However, systems in space - due to
the higher cost of development, rigorous testing, and complex
deployment - such fixes may not be available or sufficiently
timely. As such, there is a fear that vulnerabilities may have
already been discovered, or will be discovered, that may
seriously compromise a mission with consequences that may
be irreversible. Space is an inherently complex domain, and
as such correctly assessing and addressing security issues is
a major challenge. This challenge is exacerbated when ML
is deployed due to their non-deterministic nature. Notwith-
standing the difficulty, understanding the weaknesses of ML
1 algorithms is critical to ensure they can be made resilient and
2 reliable.
3 This paper aims to identify adversarial actions against learn-
4 ing methods and their impact in the space domain. As an ex-
5 emplar, we investigate a novel case of identifying adversaries
6 on computer vision-based pose estimation in space systems.
Pose estimation is essential in many space missions, such
as autonomous docking, on-orbit assembly, and autonomous
debris removal to name a few. Adversarial attacks can cause
1
target objects to go undetected or misclassified. Similarly, if
a docking robot estimates an incorrect pose, it may waste fuel
due to repeated attempts, fail to dock entirely, or damage the
space station in the worst-case. We first analyse the impact
of adversaries in space for estimating pose using various
adversarial machine learning techniques. We then present
the possible implications of existing and emerging defensive
strategies for building resilient machine learning. The results
of this work will showcase potential attacks on current and
future space missions and make them resilient. Incorporating
resilient methods in the design phase may save time, money,
and potential embarrassment caused by mission failure.
Over the years, several adversarial attacks on machine
learning models have been studied including Fast Gra-
dient Simple Method (FGSM), Limited Memory Broy-
den–Fletcher–Goldfarb–Shanno algorithm (L-BFGS), Carlini-
Wagner (C&W), and Jacobian-based Saliency Map Attack
(JSMA). More details on different adversarial attacks can be
read in [1], [2], [3]. However, the focal point is mainly on the
classification tasks, especially in image classification. They
have been demonstrated to be effective on image classifica-
tion models [4], [5], [6], [7], [8]. Similarly, to defend against
adversarial attacks, many techniques have been proposed
to make neural networks robust [1], [9], [10], [3]. Since
the attacks are mainly investigated on classification tasks,
defensive strategies are also researched focusing on the clas-
sification tasks. It is unclear to what extent these adversarial
attacks and defences are effective on regression models [11].
For example, our use-case example, pose estimation, is based
on the regression model. This uncertainty exposes potential
security risks and raises research opportunities on expand-
ing adversarial machine learning investigation on regression
models.
Adversarial attacks can cause extensive damage if they are
successfully applied in space. For example, attackers could
jeopardise the landing of a spaceship by tampering with the
calculated landing coordinates and compromise the mission;
especially the time and expenses invested in the mission. If
existing defence methods cannot be adapted to defend against
attacks on regression models, it is imperative to identify a
novel defence mechanism suitable for estimating pose. This
paper presents a comprehensive analysis of three adversarial
attack methods and two defence methods on the pose esti-
mation task in the space. Even though we only consider one
network it is applicable to other ML networks as well. The
work specifically the regression model is influenced by the
work of Deng et al. [11] on autonomous driving.
The main findings of this paper is the impact of adversarial
attacks and defences on a machine learning model in space
for tasks such as pose estimation. To the best of our knowl-
edge, this is the first such study conducted in space domain.
Specifically,
1. we successfully applied popular adversarial attacks on
Convolution Neural Network (CNN) based pose estimation
for the space applications, and
2. we present two defence strategies to create resilient ma-
chine learning model for regression-based task.
The rest of the paper is structured as follows. First, in
Section 2, we present the background and related work on AI
in space, adversarial attacks, defensive mechanisms and pose
estimation of an object in the space domain. Section 3 ex-
plains the methodology comprises of methods for adversarial
attacks and adversarial defences related to a pose estimation
2
task in space. In Section 4, we present details of our
experiments discussing the utilised dataset, a pose estimation
model, set model parameters and evaluation metrics. Then,
we present the result of our empirical study, and finally, we
conclude our paper with a discussion of the results and future
research direction.
2. BACKGROUND AND R ELATED W ORK
Artificial Intelligence and Space
AI is the broader concept of making machines have human-
like intelligence and take decisions accordingly while ML is
an application of AI which is built based on data. When a
machine learns from the data, it can then make a decision
based on the available pattern, and information in the data.
A large amount of data is fed into the ML algorithm, which
adjusts and improves itself over time. In ML, machines pro-
cess information in a similar way to humans but with artificial
neural networks. This type of artificial intelligence has taken
major leaps forward since the invention of the internet and
intelligent systems. Machine learning algorithms have also
improved from a simple heuristic-based method such as the
Nearest Neighbour method to Deep Learning (DL). DL is
a ML method with multi-layered artificial neural networks
to train itself on complex tasks like object recognition. ML
algorithms are broadly classified into two types, i) supervised
learning and ii) unsupervised learning. When a system is
fed pictures of labelled data such as ‘dog’ and ‘cat’ until
the system can successfully identify both types of images,
it is called supervised learning. However, in unsupervised
learning, labelled data is not necessary and the system will
find the pattern from the data itself.
Although the development of AI related space applications
has come a long way over the last couple of decades, the use
of AI still has some way to go before it is used extensively
for space applications [12]. Since the space has inherently
complex structures and models, the ML models need to be
improved, reliable and adaptable. To date, AI technologies
are being thoroughly investigated in satellite operations, in
particular, to support the operation of large satellite constel-
lations, including relative positioning, communication, and
end-of-life management [12].
Pose estimation in Space
A pose can be described as a combination of a location and
an orientation in the 3D space of objects such as shapes, rigid
bodies, characters, and cameras. The specific task of deter-
mining the pose of an object is referred to as pose estimation.
It is one of the imperative tasks in space applications and may
involve finding the pose of a satellite, debris or space station.
It is essential for many tasks such as autonomous docking of a
spacecraft in the space station and autonomous debris collec-
tion. If there is a miscalculation of the spacecraft’s landing
position and pose then the consequences can be expensive.
For example, the spacecraft may take multiple attempts to
dock, may fail entirely to dock or collide with other objects.
In this work, we experimented with off-the-shelf attacks and
defences in machine learning algorithms for estimating pose
in the space. Let us consider, the position P of the satellite
is represented using a three-dimensional vector of Cartesian
coordinates (x, y, z). The orientation is represented using
a unit quaternion representation φ = (φw , φx , φy , φz ) where,
φw is a real scalar and x, y, z is a 3D vector in complex
space. Therefore, the pose of the satellite is described using a
seven-dimensional vector (x, y, z, φw , φx , φy , φz ) [13]. Pose
estimation can be done using either a single camera (e.g.,
monocular) or multiple cameras (e.g., stereoscopic) or Li-
DAR. Many works [14], [15], [16], [17], [18], [19], [20] have
utilised manual feature-engineered and apriori knowledge of
poses using monocular pose estimation algorithms for the
space-related applications. The manual feature-engineered
mechanism was then compared against a reference texture
model of the satellite to determine its pose. However, ML
algorithms focusing on such engineered features may not be
robust compared to the deep learning-based ML methods
[21]. Deep learning-based methods attempts to learn the
non-linear transformation between the two-dimensional input
image space and the output pose space in an end-to-end
fashion with any intermediate steps like feature extraction
[13], [22].
The deep learning-based methods either discretise the pose
space and solve the resulting classification problem [23], [24]
or directly regress the relative pose from the input image [25],
[26], [27], [28]. Sharma et al. [22] proposed a method to
discretise the pose space and train a CNN containing images
with pose labels. They utilised the offline training phase
to generate synthetic images of a target spacecraft and used
them to train the CNN. During the prediction phase, the
trained CNN is used to predict a pose label of a target satellite
image.
Adversarial Machine Learning (aML)
The adoption of machine learning techniques in diverse ar-
eas including computer vision, speech recognition, natural
language understanding has been rapidly increasing. While
the surge of applying ML technique has risen exponentially,
the concerns over the security and safety of the applications
where they have been applied is also risen in the community.
When Szegedy et al. [8] showed that Deep neural network
can be fooled, the attention towards the Adversarial Machine
Learning (aML) has increased. This has led to the awareness
towards the security of the machine learning techniques.
While most research works on adversarial machine learning
is focused on the object classification tasks [8], [1], [23],
[24], [5], only limited research works have been focused
on the regression tasks [25], [26], [27], [11]. In this work,
we focus on regression tasks so investigating adversarial
attacks and defences on regress based machine learning tasks.
However, the level of damages caused by adversarial attacks
on machine learning either classification or regression based
model can be of same level. Even a small perturbation to the
original input data can fool machine learning models.
Depending on the available information, existing adversarial
attacks can be classified into white-box attacks and black-
box attacks. In white-box attacks, the adversary has full
knowledge about the model and the data. This includes
the information about all the parameters such as features,
model type, model architecture, values of all parameters, and
trainable weights [29]. On the other hand, the attackers do not
have knowledge relating to model and data, except the input
and output in the black-box attack. Based on the inputs and
outputs from the target model, to perform a black-box attack,
attackers can build a substitute model and achieve white-
box attacks on their own model. The adversarial examples
on the substitute model could then be used to attack the
targeted black-box model, which is called the transferability
of adversarial examples [30].
Papernot et al. [30] explored black box attack by training a
deep neural network by crafting human imperceptible inputs.
[31] study SVM security to well-crafted, adversarial label
3
noise attacks where the attacker aims to maximise the SVM’s
classification error by flipping labels in the training data.[1],
[?] presented that the cross-model transferability of adver-
sarial data points between Deep neural networks (DNN)s
– in this case, an efficient attack can be launched through
the use of surrogate models even through their training or
neural network architectures are different. There are several
methods developed to generate adversarial attacks in the ML
models including L-BFGS, FGSM, DeepFool, JSMA, Pro-
jected Gradient Descent (PGD), Momentum Iterative Method
(MIM), and C&W. Not all the existing attacks are applicable
in our exemplar as they are developed for classification tasks.
We will discuss relevant attack methods in Section 3 method-
ology section.
Resilient machine learning techniques (rML)
Several defence techniques have been proposed to defend
against adversarial attacks. Defensive strategy can be cat-
egorised into two types training data defences and model
defences. The most common ones are to retain the model
using a dataset (–training data) containing adversarial exam-
ples [1] and adding regularising elements to the model [32].
Other popular defence mechanisms are defensive distillation
to filter the adversary from one network to another [9],
the use of JPEG compression for pre-processing the input
[33], [34], feature squeezing [35], novel model architecture
using regularisation [36], and adversarial training [37], have
exhibited success to mitigate the growing adversarial machine
learning attacks. Details on the defence strategies that are
utilised in our usecase are discussed in Section 3.
3. M ETHODOLOGY
Adversarial Attacks on Pose Estimation in the Space
For an image classification model, an adversarial attack is
considered successful if an adversarial image is classified as
a different class compared with the original image. However,
for the regression models that outputs continuous values,
misclassifying an input is not possible. The task like pose
estimation is a regression task and adversarial attacks on such
an estimating model are defined by an acceptable error range,
known as adversarial threshold. Therefore, an adversarial
attack on a pose estimation model is considered successful
if the deviation between the original prediction and the pre-
diction of an adversarial example is above the adversarial
threshold. We present an example of adversarial machine
learning attack surface while estimating pose in Figure 1.
As mentioned earlier, accurate estimation of position and
orientation (pose) for objects in space is imperative for space
missions. If there is an attack on either position or orientation
or both of a spacecraft just before docking it to the station, the
spacecraft may not be able to dock. If it realises the mistake,
it may try to dock several times which can lead to waste fuel,
whereas it could also dock at the wrong location or at an
angle that could damage itself and the docking station and
may jeopardise the mission. This attack example is shown in
Figure 1 and the structure of the figure is influenced by [2].
As mentioned in Section 2, there are several adversarial
attack generating methods that have been proposed in the
literature [1], [8], [3]. The most notable ones are FGSM
[1] which generates adversarial examples by adding the sign
of the loss gradient with respect to each pixel on the input
image, Optimisation-based methods including L-BFGS [8]
formulates the adversarial example construction as an op-
timisation problem. Likewise, the generative model based
Figure 1. Attack surface on the machine learning pipeline in the context of Pose estimation of an object in the space scenario,
influenced by [2]
method [7] proposes to generate adversarial examples by
harnessing the power of generative models including GAN
[38]. Other notable adversarial attacks methods are DeepFool
[5], C&W, and [4], JSMA. Since this paper focuses on the
regression tasks as we analysed the impact of the existing
adversarial attack methods on estimation of the pose of the
object, methods relying on the features, parameters and archi-
tecture (e.g. decision boundary and the Softmax function) of
classification tasks are not suitable such as DeepFool, C&W
and JSMA [11]. Therefore, we only select those methods
that can generate adversaries on the regression models and
are discussed below:
• Iterative FGSM (IT-FGSM) [39]: This method is a mod-
ified version of FGSM which calculates the gradient of the
cost function with respect to the input of the neural network.
While FGSM adds the sign of the loss gradient with respect
to each pixel to original images [1], IT-FGSM applies the
targeted FGSM iteratively to get a more robust adversarial
examples to train the model [40], [39].
• Optimisation-based Method (OM) [8]: By its name, this
attack method is based on the optimisation model similar to
the method L-BFGS proposed by Szegedy et al. [8]. This
approach computes a perturbation  focusing on solving the
optimisation problem on a classification task [8] as shown in
below :
argmin ||x0 ||2 s.t. f (x + x0 ) = c0 , (x + x0 ) ∈ [0, 1]m (1)
x0
where x’ is a perturbation and f (...) is a loss function Since
the above Equation (1) used for the classification task. We
needed to adapt the Equation (1) that can fit to our purpose
for regression model. To do so, we change c’ to f (x) + ∆
which led to adapt the Equation (1) to Equation (2) [11].
argmin ||||2 + Jθ (Clip(x + ), f (x) + ∆) (2)
x0
• Adversarial GAN (AdvGAN) [11]: This method utilise
GAN to generate adversarial examples where an adversarial
example is generated from an original object by modifying
objective function. When a regression model finishes train-
ing, the generator G of GAN based AdvGAN generates an
adversarial example which is imperceptible to human as it
may look similar to the original object, however, the ML
model will predict incorrect output which is deviating slightly
∆ from the original point.
Adversarial defences on pose estimation in the space
To increase the robustness of machine learning models,
specifically against adversarial attacks, various defensive
mechanisms have been proposed over the years. For instance,
adversarial training, defensive distillation [9], adversarial
4
transformation method [41], magNet [10], and deepcloak
[42]. However, similar to adversarial attacks, most of the
existing defensive methods are suitable for classification tasks
only. For example, an adversarial transformation method re-
lies on rotating input images to reduce the adversarial attack,
however, the rotation on the pose estimation of a spacecraft
in space can misplace the spacecraft in a wrong place and
can cause prediction error. In this paper, we select adversarial
training [1] and a feature squeezing defensive strategies [43].
We discuss each defensive method below:
• Adversarial Training : This method generates adversarial
examples and combines these perturbed data into the training
set to make the ML model robust and generalised. The
primary objective of the adversarial training is to increase
model robustness by injecting adversarial examples into the
training set [1], [8]. The augmentation can be done by
feeding the model with both the original data and the crafted
data [40]. Some of the adversarial training techniques are
FGSM adversarial training [1], Basic Iterative Method (BIM)
adversarial training, and GAN [38]. Although, augmenting
such adversarial examples can increase the size of the training
data [3], this strategy has the benefit of not only as a defence
mechanism for the adversarial attack but also to reducing
overfitting [1] and regularising the learning network [44].
• Feature Squeezing : For adversarial defence, Xu et al.
[43] proposed two feature squeezing methods, where the first
method squeezes the original 24-bit colour down to 1 bit to
8-bit colour. By doing so, adversarial noise becomes more
perceptible as the bit depth decreases. The second method
adopts median spatial smoothing, which moves a filter move
across an original image and modifies the centre pixel value
to the median of the pixel values in the filter. To generate
adversarial examples, a comparison between a predefined
threshold and the difference between the prediction result of
an original image and a squeezed image is performed. Then,
if the difference between the prediction results is higher than
the predefined threshold then the adversarial examples are
generated. In this study, we implement 4-bit image depth
reduction and 2 x 2 median smoothing because they perform
best as shown in [43]. We use the threshold of 0.01 to explore
the performance of feature squeezing.
4. E XPERIMENT
In this section, we discuss our empirical study for adversarial
attacks and defences in the networks for estimating the pose
of space objects. First, we briefly introduce the adopted
dataset for our experiment followed by the explanation of
the ML architecture and parameter settings of the proposed
model. Then we discuss evaluation metrics and present the
results.
Dataset
The dataset used for our experiment is from a pose estima-
tion challenge organised by the Advanced Concepts Team
(ACT) of the European Space Agency, and the Space Ren-
dezvous Laboratory (SLAB) of Stanford University [45]. The
dataset contains 12k synthetic satellite images for training
where images are 8 bit monochrome in JPEG format with a
1920×1200 pixels resolution. While 2, 998 similar formatted
synthetic images are available for evaluation. Other data
contains 300 real images of the Tango satellite mock-up with
1920 × 1200 pixels resolution of 8 bit monochrome in JPEG
format and five real images with pose labelled with the same
image format as mentioned earlier. For each image, the
dataset also contains the pose of the satellite describing the
location and the orientation of the satellite. Using this ground
truth, supervised ML models can be trained.
Pose Estimation Model
As our usecase, we use a regression-based model for esti-
mating the pose of satellites. We build our model based on
the ResNet-50 network [46] published by [13] as the vanilla
network. ResNet network adopts a highly robust neural net-
work architecture that is widely used in transfer learning for
classification tasks. However, for a regression task estimating
the pose of a space object (e.g., satellite, debris) it needs to
predict the pose. For this, the last layer (i.e. softmax layer)
of the network is replaced with a fully-connected layer to
predict a seven-dimensional vector of position and orientation
of the object. The fully connected layer was designed to
output a seven-dimensional pose vector representing three-
dimensional position and four-dimensional quaternion for
orientation and presented as a regression layer. Due to
this layer, our model can perform a regress based task of
estimation the pose of an object. For training, we set the
image size as 224 × 224. This modified model is then trained
on the dataset discussed above.
Model Parameters
Even though estimating pose is an imperative and a fun-
damental task to many of the space-related tasks such as
docking, landing, and debris removal in space, not all of the
tasks would require the same amount of precision in the pose.
So the threshold will not be the same. Therefore, we used a
range of thresholds from 0.1 to 0.4 for our empirical study to
analyse different impacts. We hypothesise that if there is a
higher attack accuracy with a small length of threshold then
such attack method is considered to be stronger as larger the
length of adversary threshold it is more identifiable.
The adversarial attack on the pose estimation network can
consist of the deviation of the pose in any or all of the seven-
dimensional output of the network. However, it is harder to
study the results when all the outputs are modified. So, in this
work, we focus on modifying only one location dimension,
that is, x location of the spacecraft. However, the work is
generalised and can be applied to other outputs of the network
as well in a similar fashion. In terms of adversarial attack
methods, for IT-FGSM, we use the perturbation parameter
 = 0.01 and the iteration number equal to 20. While
for the Optimisation-based method and AdvGAN, we use
the ADAM Optimiser and the learning rate equals 0.001.
Additionally, we conducted our experiments in white-box
settings where we considered all three attacks to have full
knowledge of a pose estimation model.
5
Evaluation metric
To measure the performance of our adversarial attacks and
defensive methods, we use attack success rate. In the case
of an adversarial attack, if an attack success rate is high
then the attacking method has performed well. However,
in the case of defence, if an attack success rate is low then
the defensive method has performed well. An attack is
considered successful if the deviation of a pose of the space
object is greater than the adversarial threshold. An attack
success rate is then computed as the ratio of the number of
successful attacks to the total number of attacks attempted.
5. R ESULTS
In this section, we present empirical results of three ad-
versarial attacks and two defence methods on the proposed
pose estimation model. We show the attack success rate
obtained from three different adversarial attack methods on
the ResNet-50 based Pose estimation model in Table 1. We
consider the attack to be successful if the attacker is able to
modify the output by more than the adversarial threshold.
When the adversarial threshold is 0.1, the optimisation-based
(OM) method achieve a 100% success rate, however, FGSM
based IT-FGSM method and GAN based AdvGAN method
obtained 91% ad 90% respectively. Likewise, when the
threshold increased to 0.2, the highest attack success rate
among the three attack methods is 98.9% achieved by OM
while other methods achieve less than 80%. The relation
between the increment of threshold and the attack success
rate is that when the threshold increases the success rate
decreases. This is expected as it becomes harder to change
the pose by a large factor. Among three, the decrement of
the success rate on the OM method is much lower (less than
20%) compared to other methods. For example, the highest
success rate of IT-FGSM is 91.4% when the threshold is 0.1
and the lowest success rate is 45.13% when the threshold
is 0.4 which shows the difference is more than 50%. The
same trend for the AdvGAN attack method is observed as
well. This shows that the Optimisation-based method is the
best method among three methods to apply adversarial attack
on the pose estimation of a space object model. While the
optimisation based method (OM) utilises Adam optimiser to
search adversarial perturbations using multiple iterations, IT-
FGSM only perturbs pixels in an image by simply adding the
sign of gradients. On the other hand, to generate adversarial
perturbations, AdvGAN learns intrinsic features that can
influence in moving position and orientation of the space
object. We show the results obtained at different threshold
values for three attack methods and shown in Figure 2.
Adversarial Threshold IT-FGSM AdvGAN OM
0.1 91.46 90 100
0.2 75.21 72.58 98.96
0.3 59.23 55.53 95.79
0.4 45.13 42.39 90.5
Table 1. Attack success rate of three adversarial attacks on
the proposed ResNet-50 based pose estimation model
Table 2 and 3 show the attack success rate of each attack
method when defended by adversarial training and feature
squeezing methods respectively. In Table 2, the attack suc-
cess rates of all three selected adversarial attack methods
are still quite high even after augmenting the adversarial
examples in the training set of the proposed model. When
the adversarial threshold increases from 0.1 to 0.2 the attack
 We studied the impact of such an attack on a general deep
CNN model that predicts the pose of the satellite. We anal-
ysed various adversarial attacks and defences on estimating
the pose of an object in the space. However, the algorithms
described in this paper can be generalised to other works as
well. We selected three adversarial attacks and two defensive
mechanisms on a pose estimation model.

Our experiments showed that the optimisation based method

(OM) has the highest attack success rate among adversarial
attacks. Based on the defence studies, we have shown that
no defence method can effectively protect the proposed pose
estimation model from the investigated adversarial attacks
entirely. We hypothesised that the exploration of the multiple
defence methods in combination may provide better protec-
tion against such attacks. However, this idea needs to be stud-
ied thoroughly and is one of our future research directions.
Further investigation is also needed to explore the impact
of different DNN structures of regression models on their
Figure 2. Attack success rate with various adversarial vulnerability. Since the estimation of the pose in space can be
thresholds a complicated task and building such a model can be complex
due to the limited computation power, the exploration of how
to design a model with a complex structure while consuming
Adv. Training minimal computation power can be an interesting research
Adv Threshold IT-FGSM AdvGAN OM direction.
0.1 88.03 89.66 100 This paper focused on the regression-based model that ex-
0.2 78.79 80.05 100 plores the adversarial attack by manipulating only the x
0.3 71.95 72.41 99.97 location. In the future, exploring manipulation of more than
0.4 64.74 64.04 97.57 one position (e.g., x and y), also attacking the combination of
Table 2. Attack success rate with Adversarial training both position and orientation can be an interesting research
work to analyse the impact of adversarial attacks. Exploring
multiple dimensions for adversarial attacks may show more
vulnerabilities as each of the outputs can be manipulated only
Adv Threshold Feature Squeezing little but the overall effect of such perturbation could be com-
IT-FGSM AdvGAN OM pounded. Additionally, we only selected three adversarial
0.1 94.94 84.42 81.79 attack methods, IT-FGSM, AdvGAN and OM. Even though
0.2 94.9 82.01 83.14 there are other popular attack methods including JSMA,
0.3 95.11 81.05 85.69 DeepFool are available. They are mainly proposed for the
0.4 95.26 79.75 87.43 classification tasks and we do not know how they might work
for the regression model. Experimenting with some more
Table 3. Attack success rate with Feature Squeezing attack methods is one of our future works. Furthermore, in
methods terms of deep learning structure, we have not experimented
with more complicated architectures such as combination
of CNN and sequential network such as Recurrent Neural
Network (RNN).
success rate reduce at least by 9% in IT-FGSM and AdvGAN
however the attack rate remains the same in the Optimisation
based method (OM). As the window of adversarial threshold 7. ACKNOWLEDGEMENT
increases, the success rate of attack reduces for both IT- The work presented has been funded by Grant EP/R026092/1
FGSM and Optimisation methods. Since the threshold value (FAIR-SPACE Hub) through UK Research and Innovation
increases the attack success rate decreases as the distance to (UKRI) under the Industry Strategic Challenge Fund (ISCF)
apply adversary (i.e., moving position of the object) is small. for Robotics and AI Hubs in Extreme and Hazardous Envi-
For the feature squeezing also, we obtained a high attack ronments.
success rate of more than 75% in all the adversarial methods.

6. D ISCUSSION AND C ONCLUSION
In this paper, we explored the notion of adversarial attacks
and defences on a space application that is dependent on
machine learning. As machine learning is increasingly being
used in space applications and access to space has gathered
pace in recent times, we believe it is extremely important
for space applications to be ready for advanced adversarial
attacks when it occurs. In particular, the life-cycle of a typical
satellite includes years of operation in orbit and harder to
issue software patches compared to terrestrial applications.
6
R EFERENCES
[1] I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explain-
ing and harnessing adversarial examples,” CoRR, vol.
abs/1412.6572, 2015.
[2] N. Papernot, P. Mcdaniel, A. Sinha, and M. P. Wellman,
“Towards the science of security and privacy in machine
learning,” ArXiv, vol. abs/1611.03814, 2016.
[3] N. Akhtar, J. Liu, and A. Mian, “Defense against univer-
sal adversarial perturbations,” in 2018 IEEE/CVF Con-
ference on Computer Vision and Pattern Recognition,
 2018, pp. 3389–3398.
[4] N. Carlini and D. Wagner, “Towards evaluating
the robustness of neural networks,” in 2017 IEEE
Symposium on Security and Privacy (SP). Los
Alamitos, CA, USA: IEEE Computer Society, may
2017, pp. 39–57. [Online]. Available: https://doi.
ieeecomputersociety.org/10.1109/SP.2017.49
[5] S. Moosavi-Dezfooli, A. Fawzi, and P. Frossard,
“Deepfool: A simple and accurate method to fool
deep neural networks,” in 2016 IEEE Conference on
Computer Vision and Pattern Recognition (CVPR).
Los Alamitos, CA, USA: IEEE Computer Society,
jun 2016, pp. 2574–2582. [Online]. Available: https:
//doi.ieeecomputersociety.org/10.1109/CVPR.2016.282
[6] C. Xiao, B. Li, J.-Y. Zhu, W. He, M. Liu, and D. Song,
“Generating adversarial examples with adversarial net-
works,” in Proceedings of the 27th International Joint
Conference on Artificial Intelligence, ser. IJCAI’18.
AAAI Press, 2018, p. 3905–3911.
[7] O. Poursaeed, I. Katsman, B. Gao, and S. Be-
longie, “Generative adversarial perturbations,” in 2018
IEEE/CVF Conference on Computer Vision and Pattern
Recognition, 2018, pp. 4422–4431.
[8] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna,
D. Erhan, I. J. Goodfellow, and R. Fergus, “Intriguing
properties of neural networks,” in 2nd International
Conference on Learning Representations, ICLR 2014,
Banff, AB, Canada, April 14-16, 2014, Conference
Track Proceedings, Y. Bengio and Y. LeCun, Eds.,
2014. [Online]. Available: http://arxiv.org/abs/1312.
6199
[9] N. Papernot, P. McDaniel, X. Wu, S. Jha, and
A. Swami, “Distillation as a defense to adversarial
perturbations against deep neural networks,” in 2016
IEEE Symposium on Security and Privacy (SP).
Los Alamitos, CA, USA: IEEE Computer Society,
may 2016, pp. 582–597. [Online]. Available: https:
//doi.ieeecomputersociety.org/10.1109/SP.2016.41
[10] D. Meng and H. Chen, “Magnet: A two-pronged
defense against adversarial examples,” in Proceedings
of the 2017 ACM SIGSAC Conference on Computer
and Communications Security, ser. CCS ’17. New
York, NY, USA: Association for Computing Machinery,
2017, p. 135–147. [Online]. Available: https://doi.org/
10.1145/3133956.3134057
[11] Y. Deng, X. Zheng, T. Zhang, C. Chen, G. Lou, and
M. Kim, “An analysis of adversarial attacks and de-
fenses on autonomous driving models,” in 2020 IEEE
International Conference on Pervasive Computing and
Communications (PerCom), 2020, pp. 1–10.
[12] Mar 2021. [Online]. Available: https://www.esa.int/
Enabling Support/Preparing for the Future/Discovery
and Preparation/Artificial intelligence in space
[13] A. R. Shehzeen Hussain, Chinmayee Bhanu
and S. Kondur. (2019) Satellite pose estimation
using convolutional neural networks. [Online].
Available: http://noiselab.ucsd.edu/ECE228 2019/
Reports/Report23.pdf
[14] A. Cropp, “Pose estimation and relative orbit determina-
tion of a nearby target microsatellite using passive im-
agery.” Ph.D. dissertation, University of Surrey (United
Kingdom)., 2001.
[15] K. Kanani, A. Petit, E. Marchand, T. Chabot, and
7
B. Gerber, “Vision based navigation for debris removal
missions,” Proceedings of the International Astronauti-
cal Congress, IAC, vol. 4, 01 2012.
[16] S. Sharma and S. D’Amico, “Comparative assessment
of techniques for initial pose estimation using monoc-
ular vision,” Acta Astronautica, vol. 123, pp. 435–
445, 2016, special Section: Selected Papers from the
International Workshop on Satellite Constellations and
Formation Flying 2015.
[17] M. Benn, “Vision based navigation sensors for space-
craft rendezvous and docking,” Ph.D. dissertation, 2011.
[18] A. Petit, E. Marchand, and K. Kanani, “Vision-based
Detection and Tracking for Space Navigation in a
Rendezvous Context,” in Int. Symp. on Artificial
Intelligence, Robotics and Automation in Space,
i-SAIRAS, Turin, Italy, 2012. [Online]. Available:
https://hal.inria.fr/hal-00750606
[19] S. D’Amico, M. Benn, and J. L. Jørgensen, “Pose
estimation of an uncooperative spacecraft from actual
space imagery,” International Journal of Space Science
and Engineering, vol. 2, no. 2, pp. 171–189, 2014,
pMID: 60600.
[20] S. Sharma, J. Ventura, and S. D’Amico, “Robust Model-
Based Monocular Pose Initialization for Noncoopera-
tive Spacecraft Rendezvous,” Journal of Spacecraft and
Rockets, vol. 55, no. 6, pp. 1414–1429, Nov. 2018.
[21] H. Shehzeen, B. Chinmayee, R. Arunkumar, and
K. Sneha, “Robust Model-Based Monocular Pose Ini-
tialization for Noncooperative Spacecraft Rendezvous,”
Journal of Spacecraft and Rockets, vol. 55, no. 6, pp.
1414–1429, Nov. 2018.
[22] H. Sharma, J. Park, D. Mahajan, E. Amaro, J. K. Kim,
C. Shao, A. Mishra, and H. Esmaeilzadeh, “From high-
level deep neural models to fpgas,” in 2016 49th Annual
IEEE/ACM International Symposium on Microarchitec-
ture (MICRO), 2016, pp. 1–12.
[23] S. Sharma, C. Beierle, and S. D’Amico, “Pose esti-
mation for non-cooperative spacecraft rendezvous us-
ing convolutional neural networks,” in 2018 IEEE
Aerospace Conference, 2018, pp. 1–12.
[24] H. Su, C. R. Qi, Y. Li, and L. J. Guibas, “Render
for cnn: Viewpoint estimation in images using cnns
trained with rendered 3d model views,” in 2015 IEEE
International Conference on Computer Vision (ICCV),
2015, pp. 2686–2694.
[25] S. Mahendran, H. Ali, and R. Vidal, “3d pose regression
using convolutional neural networks,” in 2017 IEEE
Conference on Computer Vision and Pattern Recogni-
tion Workshops (CVPRW), 2017, pp. 494–495.
[26] A. Kendall, M. Grimes, and R. Cipolla, “Convolutional
networks for real-time 6-dof camera relocalization,”
CoRR, vol. abs/1505.07427, 2015. [Online]. Available:
http://arxiv.org/abs/1505.07427
[27] Y. Xiang, T. Schmidt, V. Narayanan, and D. Fox,
“Posecnn: A convolutional neural network for 6d
object pose estimation in cluttered scenes,” CoRR,
vol. abs/1711.00199, 2017. [Online]. Available: http:
//arxiv.org/abs/1711.00199
[28] T. Phisannupawong, P. Kamsing, P. Torteeka,
S. Channumsin, U. Sawangwit, W. Hematulin,
T. Jarawan, T. Somjit, S. Yooyen, D. Delahaye,
and P. Boonsrimuang, “Vision-based spacecraft
pose estimation via a deep convolutional neural
 network for noncooperative docking operations,” “Adversarial machine learning at scale,” CoRR, vol.
Aerospace, vol. 7, no. 9, 2020. [Online]. Available: abs/1611.01236, 2016. [Online]. Available: http:
https://www.mdpi.com/2226-4310/7/9/126 //arxiv.org/abs/1611.01236
[29] X. Yuan, P. He, Q. Zhu, and X. Li, “Adversarial [41] C. Guo, M. Rana, M. Cisse, and L. van der Maaten,
examples: Attacks and defenses for deep learning,” “Countering adversarial images using input transforma-
IEEE Transactions on Neural Networks and Learning tions,” 2018.
Systems, vol. 30, no. 9, pp. 2805–2824, 2019. [42] J. Gao, B. Wang, and Y. Qi, “Deepcloak: Masking DNN
[30] N. Papernot, P. Mcdaniel, I. Goodfellow, S. Jha, Z. B. models for robustness against adversarial samples,”
Celik, and A. Swami, “Practical black-box attacks CoRR, vol. abs/1702.06763, 2017. [Online]. Available:
against machine learning,” Proceedings of the 2017 http://arxiv.org/abs/1702.06763
ACM on Asia Conference on Computer and Communi- [43] W. Xu, D. Evans, and Y. Qi, “Feature squeezing:
cations Security, 2017. Detecting adversarial examples in deep neural
[31] B. Biggio, B. Nelson, and P. Laskov, “Support vector networks,” Proceedings 2018 Network and Distributed
machines under adversarial label noise,” in Proceedings System Security Symposium, 2018. [Online]. Available:
of the Asian Conference on Machine Learning, ser. http://dx.doi.org/10.14722/ndss.2018.23198
Proceedings of Machine Learning Research, C.-N. [44] S. Sankaranarayanan, A. Jain, R. Chellappa, and S.-
Hsu and W. S. Lee, Eds., vol. 20. South Garden N. Lim, “Regularizing deep networks using efficient
Hotels and Resorts, Taoyuan, Taiwain: PMLR, layerwise adversarial training,” in AAAI, 2018.
14–15 Nov 2011, pp. 97–112. [Online]. Available:
http://proceedings.mlr.press/v20/biggio11.html [45] A. C. T. A. of the European Space Agency. (2019)
Pose estimation challenge. [Online]. Available: https:
[32] Z. Yan, Y. Guo, and C. Zhang, “Deep defense: Training //kelvins.esa.int/satellite-pose-estimation-challenge/
dnns with improved adversarial robustness,” in Proceed-
ings of the 32nd International Conference on Neural [46] K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual
Information Processing Systems, ser. NIPS’18. Red learning for image recognition,” in 2016 IEEE Con-
Hook, NY, USA: Curran Associates Inc., 2018, p. ference on Computer Vision and Pattern Recognition
417–426. (CVPR), 2016, pp. 770–778.
[33] N. Das, M. Shanbhogue, S.-T. Chen, F. Hohman,
L. Chen, M. E. Kounavis, and D. H. Chau, “Keeping the
bad guys out: Protecting and vaccinating deep learning
with jpeg compression,” 2017.
[34] N. Das, M. Shanbhogue, S.-T. Chen, F. Hohman,
S. Li, L. Chen, M. E. Kounavis, and D. H. Chau,
“Shield: Fast, practical defense and vaccination for
deep learning using jpeg compression,” in Proceedings
of the 24th ACM SIGKDD International Conference
on Knowledge Discovery & Data Mining, ser. KDD
’18. New York, NY, USA: Association for Computing
Machinery, 2018, p. 196–204. [Online]. Available:
https://doi.org/10.1145/3219819.3219910
[35] D. Sgandurra, L. Muñoz-González, R. Mohsen, and
E. C. Lupu, “Automated dynamic analysis of ran-
somware: Benefits, limitations and use for detection,”
2016.
[36] H. Kannan, A. Kurakin, and I. J. Goodfellow,
“Adversarial logit pairing,” CoRR, vol. abs/1803.06373,
2018. [Online]. Available: http://arxiv.org/abs/1803.
06373
[37] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and
A. Vladu, “Towards deep learning models resistant to
adversarial attacks,” in 6th International Conference
on Learning Representations, ICLR 2018 - Conference
Track Proceedings, 2018.
[38] I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu,
D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio,
“Generative adversarial networks,” Commun. ACM,
vol. 63, no. 11, p. 139–144, oct 2020. [Online].
Available: https://doi.org/10.1145/3422622
[39] H. Ren and T. Huang, “Adversarial example attacks in
the physical world,” in Machine Learning for Cyber
Security, X. Chen, H. Yan, Q. Yan, and X. Zhang,
Eds. Cham: Springer International Publishing, 2020,
pp. 572–582.
[40] A. Kurakin, I. J. Goodfellow, and S. Bengio,
8
 B IOGRAPHY [ private organisations. Professor Maple is a past Chair of the
Council of Professors and Heads of Computing in the UK, a
member of the Zenzic Strategic Advisory Board, a member of
Anita Khadka received her MSc. in In- the IoTSF Executive Steering Board, an executive committee
telligent systems and Robotics from Uni- member of the EPSRC RAS Network and a member of the
versity of Essex and Ph.D in Computer UK Computing Research Committee, the ENISA CarSEC
Science from The Open university. She expert group, the Interpol Car Cybercrime Expert group and
is currently a Research Fellow working Europol European Cybercrime Centre.
in the area of Machine learning and
their security in inherently complex do-
main like Nuclear and Space industries
in University of Warwick. Her research
interests include Machine learning, Re-
silient machine learning, and Data Science.

Saurav Sthapit is a Research Fellow in

Cyber Systems Engineering in WMG at
the University of Warwick. He received
the BE degree in electronics and com-
munication engineering from Tribhuvan
University, Nepal, the MSc degree in
embedded systems from the University
of Kent, England and the PhD degree
in the Institute for Digital Communica-
tions, within the School of Engineering,
University of Edinburgh, Scotland. His research interests
include computer vision, mobile computing, cyber security,
and reinforcement learning, etc.

Gregory Epiphaniou Currently holds

a position as an Associate Professor of
security engineering at the University of
Warwick. His role involves bid support,
applied research and publications. Part
of his current research activities is for-
malised around cyber effects modeling,
wireless communications with the main
focus on crypto-key generation, exploit-
ing the time-domain physical attributes
of V-V channels and cyber resilience. He led and contributed
to several research projects funded by EPSRC, IUK and local
authorities totalling over £4M. He currently holds a subject
matter expert panel position in the Chartered Institute for
Securities and Investments. He acts as a technical committee
member for several scientific conferences in Information and
network security and served as a key member in the devel-
opment of WS5 for the formation of the UK Cybersecurity
Council.

Carsten Maple Professor Carsten

Maple leads the Secure Cyber Systems
Research Group in WMG at the Uni-
versity of Warwick, where he is also
the Principal Investigator of the NCSC-
EPSRC Academic Centre of Excellence
in Cyber Security Research. He is a
co-investigator of the PETRAS National
Centre of Excellence for IoT Systems Cy-
bersecurity where he leads on Transport
& Mobility and Warwick PI on the Autotrust project. Carsten
has an international research reputation and extensive expe-
rience of institutional strategy development and interacting
with external agencies. He has published over 250 peer-
reviewed papers and is coauthor of the UK Security Breach
Investigations Report 2010, supported by the Serious Or-
ganised Crime Agency and the Police Central e-crime Unit.
Additionally he has advised executive and non-executive di-
rectors of public sector organisations and multibillion pound
9

View publication stats