Towards a Better Characterization of Adversarial Attacks in Geospatial Imagery.
Saved in:
| Title: | Towards a Better Characterization of Adversarial Attacks in Geospatial Imagery. |
|---|---|
| Authors: | Zaveri, Veet1 (AUTHOR) vzaveri@ida.org, Maiya, Arun S.1 (AUTHOR) |
| Source: | Remote Sensing. Jun2026, Vol. 18 Issue 12, p2041. 46p. |
| Subjects: | Adversarial machine learning, Remote-sensing images, Computer vision, Data integrity |
| Abstract: | Highlights: What are the main findings? Across 20 vision architectures, geospatial manipulation families exhibited distinct and consistent failure modes: subtle pixel-level perturbations were most often confused with authentic imagery, localized generative inpainting generalized poorly under source shift, and adversarial patch detection transferred more reliably across unseen geometries than pixel-level detection transferred across perturbation budgets. Strong balanced in-domain benchmark performance did not reliably translate to operational screening utility. Under external-domain transfer and low-prevalence conditions, several models produced high false-alarm burdens, while limited-label target-domain adaptation substantially improved detection and screening performance. What is the implication of the main finding? Geospatial manipulation detectors should be evaluated beyond balanced in-domain accuracy, using source-shift testing, attack-variant stress tests, external-domain transfer, adaptation behavior, augmentation sensitivity, and low-prevalence false-alarm metrics that better reflect operational deployment conditions. Model selection should align with deployment objectives: specialized binary detectors are preferable when the manipulation family is known in advance, whereas unified multi-attack models are better suited for analyst workflows that require both manipulation screening and attribution of the likely attack family. Manipulated satellite imagery threatens analytic workflows, policy decisions, and trust in geospatial intelligence. Operational systems increasingly benefit from capabilities for both manipulation detection and manipulation-family attribution to support verification, triage, and downstream analysis. We present a unified benchmark for characterizing three representative manipulation families in geospatial imagery—generative manipulations, pixel-level perturbations, and adversarial patches—using a controlled, class-balanced design and 20 modern vision architectures spanning conventional, Earth-observation-pretrained, and vision-language models. Across architectures, the dominant failure boundary is between authentic imagery and subtle pixel-level perturbations, whereas generative manipulations and adversarial patches are generally more separable under matched in-domain conditions. Additional analyses reveal important generalization limitations under unseen manipulation variants and external-domain transfer, demonstrating that strong benchmark performance does not necessarily translate to reliable operational screening. The framework also enables systematic comparison of unified multi-attack and specialized detection strategies, providing insight into their relative strengths and limitations. Rather than proposing a new defense, this work provides a reproducible methodology for characterizing manipulation artifacts, model failure modes, and deployment-relevant screening behavior in geospatial imagery, with applications to analyst triage, verification workflows, and trustworthy use of satellite data. [ABSTRACT FROM AUTHOR] |
| Copyright of Remote Sensing is the property of MDPI and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.) | |
| Database: | Engineering Source |
|
Full text is not displayed to guests.
Login for full access.
|
|
| Abstract: | Highlights: What are the main findings? Across 20 vision architectures, geospatial manipulation families exhibited distinct and consistent failure modes: subtle pixel-level perturbations were most often confused with authentic imagery, localized generative inpainting generalized poorly under source shift, and adversarial patch detection transferred more reliably across unseen geometries than pixel-level detection transferred across perturbation budgets. Strong balanced in-domain benchmark performance did not reliably translate to operational screening utility. Under external-domain transfer and low-prevalence conditions, several models produced high false-alarm burdens, while limited-label target-domain adaptation substantially improved detection and screening performance. What is the implication of the main finding? Geospatial manipulation detectors should be evaluated beyond balanced in-domain accuracy, using source-shift testing, attack-variant stress tests, external-domain transfer, adaptation behavior, augmentation sensitivity, and low-prevalence false-alarm metrics that better reflect operational deployment conditions. Model selection should align with deployment objectives: specialized binary detectors are preferable when the manipulation family is known in advance, whereas unified multi-attack models are better suited for analyst workflows that require both manipulation screening and attribution of the likely attack family. Manipulated satellite imagery threatens analytic workflows, policy decisions, and trust in geospatial intelligence. Operational systems increasingly benefit from capabilities for both manipulation detection and manipulation-family attribution to support verification, triage, and downstream analysis. We present a unified benchmark for characterizing three representative manipulation families in geospatial imagery—generative manipulations, pixel-level perturbations, and adversarial patches—using a controlled, class-balanced design and 20 modern vision architectures spanning conventional, Earth-observation-pretrained, and vision-language models. Across architectures, the dominant failure boundary is between authentic imagery and subtle pixel-level perturbations, whereas generative manipulations and adversarial patches are generally more separable under matched in-domain conditions. Additional analyses reveal important generalization limitations under unseen manipulation variants and external-domain transfer, demonstrating that strong benchmark performance does not necessarily translate to reliable operational screening. The framework also enables systematic comparison of unified multi-attack and specialized detection strategies, providing insight into their relative strengths and limitations. Rather than proposing a new defense, this work provides a reproducible methodology for characterizing manipulation artifacts, model failure modes, and deployment-relevant screening behavior in geospatial imagery, with applications to analyst triage, verification workflows, and trustworthy use of satellite data. [ABSTRACT FROM AUTHOR] |
|---|---|
| ISSN: | 20724292 |
| DOI: | 10.3390/rs18122041 |