6DAttack: Backdoor Attacks in the 6DoF Pose Estimation
Jihui Guo, Zongmin Zhang, Zhen Sun, Yuhao Yang, Jinlin Wu, Fu Zhang, Xinlei He
Published on arXiv: 2512.19058
Model Poisoning
OWASP ML Top 10 — ML10
Key Finding
Backdoored models achieve 100% ADD accuracy on clean data and 100% ASR under trigger conditions, with controlled erroneous poses reaching 97.70% ADD-P accuracy.
Novel technique introduced: 6DAttack
Deep learning advances have enabled accurate six-degree-of-freedom (6DoF) object pose estimation, widely used in robotics, AR/VR, and autonomous systems. However, backdoor attacks pose significant security risks. While most research focuses on 2D vision, 6DoF pose estimation remains largely unexplored. Unlike traditional backdoors that only change classes, 6DoF attacks must control continuous parameters like translation and rotation, rendering 2D methods inapplicable. We propose 6DAttack, a framework using 3D object triggers to induce controlled erroneous poses while maintaining normal behavior. Evaluations on PVNet, DenseFusion, and PoseDiffusion across LINEMOD, YCB-Video, and CO3D show high attack success rates (ASRs) without compromising clean performance. Backdoored models achieve up to 100% clean ADD accuracy and 100% ASR, with triggered samples reaching 97.70% ADD-P. Furthermore, a representative defense remains ineffective. Our findings reveal a serious, underexplored threat to 6DoF pose estimation.
Key Contributions
- First backdoor attack framework (6DAttack) for 6DoF pose estimation, supporting both PnP-based and end-to-end model architectures
- Novel 3D trigger mechanism (synthetic and real-world objects) that exploits view-dependent projections to reliably survive geometric transformations in modern 6DoF pipelines
- Demonstrated 100% clean ADD accuracy and 100% ASR on PVNet, DenseFusion, and PoseDiffusion across LINEMOD, YCB-Video, and CO3D; existing fine-tuning defense fails to remove the backdoor
🛡️ Threat Analysis
6DAttack is a classic backdoor: triggers injected into training data cause targeted misbehavior (attacker-specified incorrect poses) at inference while leaving clean performance intact, which is the defining characteristic of ML10. The novel contribution is extending backdoor design from discrete class-label targets to continuous 6DoF pose parameters (rotation and translation), using geometrically aware 3D triggers that survive multi-stage projection pipelines.
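
Because the backdoor leaves clean performance intact, a clean-only ADD score cannot reveal it. The following added example (not code from the paper or its authors) shows the evaluator's side: it computes the standard ADD metric (mean distance between model points under the ground-truth and predicted poses, counted correct below 10% of the object diameter) and reports ADD accuracy per evaluation slice. The cube model, poses, slice names and `max_drop` margin are constructed assumptions, and the predictions are hard-coded rather than produced by a model.

```python
import math

def rot_z(deg):
    """3x3 rotation about the z axis, as row-major nested lists."""
    c, s = math.cos(math.radians(deg)), math.sin(math.radians(deg))
    return [[c, -s, 0.0], [s, c, 0.0], [0.0, 0.0, 1.0]]

def transform(R, t, p):
    """Apply pose (R, t) to a 3D model point p."""
    return tuple(sum(R[i][j] * p[j] for j in range(3)) + t[i] for i in range(3))

def add_error(model_pts, R_gt, t_gt, R_pred, t_pred):
    """ADD: mean distance between model points under the two poses."""
    return sum(math.dist(transform(R_gt, t_gt, p), transform(R_pred, t_pred, p))
               for p in model_pts) / len(model_pts)

def diameter(model_pts):
    """Largest distance between any two model points."""
    return max(math.dist(a, b) for a in model_pts for b in model_pts)

def add_accuracy(model_pts, samples, frac=0.1):
    """Fraction of samples whose ADD is below frac * object diameter."""
    thr = frac * diameter(model_pts)
    return sum(add_error(model_pts, *s) < thr for s in samples) / len(samples)

def audit_slices(model_pts, slices, baseline="clean", max_drop=0.2):
    """Per-slice ADD accuracy, plus slices more than max_drop below the baseline."""
    acc = {name: add_accuracy(model_pts, s) for name, s in slices.items()}
    flagged = sorted(n for n, a in acc.items() if acc[baseline] - a > max_drop)
    return acc, flagged

# Constructed data: a 10 cm cube model and hard-coded (R_gt, t_gt, R_pred, t_pred) tuples.
CUBE = [(x, y, z) for x in (-0.05, 0.05) for y in (-0.05, 0.05) for z in (-0.05, 0.05)]
T = (0.0, 0.0, 0.5)
SLICES = {
    # Predictions within 1 degree and 1 mm of ground truth.
    "clean": [(rot_z(a), T, rot_z(a + 1), (0.001, 0.0, 0.5)) for a in (0, 30, 60, 90)],
    # Hypothetical slice: scenes containing an object not vetted by the evaluator,
    # where the predicted pose is consistently rotated by 90 degrees.
    "unvetted_object_in_scene": [(rot_z(a), T, rot_z(a + 90), T) for a in (0, 30, 60, 90)],
}

if __name__ == "__main__":
    accuracy, flagged = audit_slices(CUBE, SLICES)
    for name, value in accuracy.items():
        print(f"{name}: ADD accuracy {value:.2f}")
    print("slices to investigate:", flagged)
```

A slice that is accurate on clean scenes but collapses whenever a particular object is present is the signal to investigate the training data and model provenance.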