Autonomous flying robots, e.g. multirotors, often rely on a neural network that makes predictions based on a camera image. These deep learning (DL) models can compute surprising results if applied to input images outside the training domain. Adversarial attacks exploit this fault, for example, by computing small images, so-called adversarial patches, that can be placed in the environment to manipulate the neural network's prediction. We introduce flying adversarial patches, where an image is mounted on another flying robot and therefore can be placed anywhere in the field of view of a victim multirotor. For an effective attack, we compare three methods that simultaneously optimize the adversarial patch and its position in the input image. We perform an empirical validation on a publicly available DL model and dataset for autonomous multirotors. Ultimately, our attacking multirotor would be able to gain full control over the motions of the victim multirotor.

翻译：自主飞行机器人（例如多旋翼飞行器）通常依赖基于摄像头图像进行预测的神经网络。这些深度学习（DL）模型若应用于训练领域之外的输入图像，可能产生异常结果。对抗性攻击利用这一缺陷，例如通过计算微小图像（即对抗性补丁）置于环境中，以操控神经网络的预测。我们提出飞行对抗补丁的概念，将图像安装在另一架飞行机器人上，从而使其可被置于受害者多旋翼飞行器视野中的任意位置。为实现有效攻击，我们比较了三种同时优化对抗补丁及其在输入图像中位置的方法。我们在公开可用的DL模型及自主多旋翼飞行器数据集上进行了实证验证。最终，攻击方多旋翼飞行器将能够完全控制受害者多旋翼飞行器的运动。