Adversarial Attack on SLAM Systems

Abstract

Similar appearing places are known to confuse place recognition methods (a.k.a perceptual aliasing). Robust visual SLAM methods, including frontend and back-ends, have shown impressive resilience against scenarios having moderate perceptual aliasing. In this work we evaluate visual SLAM in scenarios where perceptual aliasing occurs with greater frequency. Firstly we evaluate the visual SLAM front ends. We modify the environment by replicating a simple high textured patch. Surprisingly, this simple patch manages to by-pass all the matching checks in the state of the art ORBSLAM, resulting in false loop closures and hence corrupting the map. The patch can be printed on a simple paper, using a simple printer, or it can be digital content displayed on screens. We show that close-ups (approaching doors, turning a corridor, interacting with an object) are the most vulnerable situations. This vulnerability exists in multiple loop closing pipelines. Secondly, we evaluate robust SLAM back ends. These back-ends have shown the ability to recover from false positives under multiple policies (random, local, random grouped and locally grouped). We propose a novel policy, i.e., locally symmetric, for generating false loop closures. This policy generates successful attacks on multiple robust back-ends and public datasets. These findings expose the shallow reasoning of SLAM front-ends. Major emphasis has been on robust back-ends to recover from this weakness of frontends. We hope more focus is dedicated to robust front-ends especially in adversarial settings. To further enhance progress in this direction we release a novel dataset with adversarial content in both visual SLAM front-ends and back-ends. Finally, we show an interesting application where a given environment is made non-navigable for intruding agents. A friendly agent, having prior knowledge of the adversarial content, can navigate this environment. We release a real time implementation of Friend-or-Foe SLAM system