Autonomous flying robots, such as multirotors, often rely on deep learning models that make predictions based on a camera image, e.g. for pose estimation. These models can predict surprising results if applied to input images outside the training domain. This fault can be exploited by adversarial attacks, for example, by computing small images, so-called adversarial patches, that can be placed in the environment to manipulate the neural network's prediction. We introduce flying adversarial patches, where multiple images are mounted on at least one other flying robot and therefore can be placed anywhere in the field of view of a victim multirotor. By introducing the attacker robots, the system is extended to an adversarial multi-robot system. For an effective attack, we compare three methods that simultaneously optimize multiple adversarial patches and their position in the input image. We show that our methods scale well with the number of adversarial patches. Moreover, we demonstrate physical flights with two robots, where we employ a novel attack policy that uses the computed adversarial patches to kidnap a robot that was supposed to follow a human.

翻译：自主飞行机器人（如多旋翼飞行器）通常依赖基于摄像头图像进行预测的深度学习模型（例如用于位姿估计）。若将输入图像应用于训练域之外，这些模型可能产生意外结果。该缺陷可被对抗攻击利用，例如通过计算微小图像（即对抗补丁）并将其放置于环境中，操纵神经网络的预测结果。我们引入飞行对抗补丁：将多个图像固定于至少一架其他飞行机器人上，从而可将其部署于受害多旋翼飞行器视野内的任意位置。通过引入攻击机器人，该系统拓展为对抗性多机器人系统。为实现高效攻击，我们比较了三种方法，这些方法能同时优化多个对抗补丁及其在输入图像中的位置。实验表明，我们的方法对对抗补丁数量具有良好的可扩展性。此外，我们利用两架机器人进行了实际飞行演示，采用一种新颖的攻击策略，通过使用计算得到的对抗补丁，劫持原本应跟随人类的机器人。