Autonomous flying robots, such as multirotors, often rely on deep learning models that make predictions based on a camera image, e.g., for pose estimation. These models can predict surprising results if applied to input images outside the training domain. This fault can be exploited by adversarial attacks, for example, by computing small images, so-called adversarial patches, that can be placed in the environment to manipulate the neural network's prediction. We introduce flying adversarial patches, where multiple images are mounted on at least one other flying robot and therefore can be placed anywhere in the field of view of a victim multirotor. By introducing the attacker robots, the system is extended to an adversarial multi-robot system. For an effective attack, we compare three methods that simultaneously optimize multiple adversarial patches and their position in the input image. We show that our methods scale well with the number of adversarial patches. Moreover, we demonstrate physical flights with two robots, where we employ a novel attack policy that uses the computed adversarial patches to kidnap a robot that was supposed to follow a human.