Adversarial Attacks for Embodied Agents

Aishan Liu 1, Tairan Huang 1, Xianglong Liu 1*, Yitao Xu 1, Yuqing Ma 1, Xinyun Chen 2, Stephen J. Maybank 3, and Dacheng Tao 4

1 SKLSDE, Beihang University, Beijing, China
2 UC Berkeley, USA
3 Birkbeck, University of London, UK
4 UBTECH Sydney AI Centre, The University of Sydney, Australia

Abstract. Adversarial attacks are valuable for providing insights into the blind spots of deep learning models and help improve their robustness. Existing work on adversarial attacks has mainly focused on static scenes; however, it remains unclear whether such attacks are effective against embodied agents, which could navigate and interact with a dynamic environment. In this work, we take the first step to study adversarial attacks for embodied agents. In particular, we generate spatiotemporal perturbations to form 3D adversarial examples, which exploit the interaction history in both the temporal and spatial dimensions. Regarding the temporal dimension, since agents make predictions based on historical observations, we develop a trajectory attention module to explore scene view contributions, which further help localize the 3D objects that appear with the highest stimuli. Drawing on clues from the temporal dimension, along the spatial dimension we adversarially perturb the physical properties (e.g., texture and 3D shape) of the contextual objects that appeared in the most important scene views. Extensive experiments on the EQA-v1 dataset for several embodied tasks in both the white-box and black-box settings have been conducted, which demonstrate that our perturbations have strong attack and generalization abilities.

Keywords: Embodied Agents, Spatiotemporal Perturbations, 3D Adversarial Examples

1 Introduction

Deep learning has demonstrated remarkable performance in a wide spectrum of areas [17,21,26], but it is vulnerable to adversarial examples [27,11].
The small perturbations are imperceptible to humans but easily mislead deep neural networks (DNNs), thereby bringing potential security threats to deep learning applications [23,18]. Though they challenge deep learning, adversarial examples are valuable for understanding the behaviors of DNNs, which could provide insights into their weaknesses and help improve their robustness [35]. Over the last few years, significant efforts have been made to explore model robustness to adversarial noise using adversarial attacks in the static and non-interactive domain, e.g., 2D images [11,2] or static 3D scenes [34,19,30].

* Corresponding author. Our code will be available upon paper publication.

arXiv:2005.09161v1 [cs.CV] 19 May 2020