MétaCan
Menu
Back to cohort

Evaluating Efficient Patch-Based Backdoor Attacks in Satellite Image Classification Systems

2025· article· W4416962018 on OpenAlex
Ghazal Rahmanian, Pooria Madani

Why this work is in the frame

A frame that forgets how it found something cannot be audited. These are the routes that admitted this work.

affAt least one author lists a Canadian institution in the pinned OpenAlex snapshot.

Bibliographic record

Venuenot available
Typearticle
Language
FieldComputer Science
TopicAdversarial Robustness in Machine Learning
Canadian institutionsOntario Tech University
Fundersnot available
KeywordsBackdoorAerial imageImage (mathematics)Orientation (vector space)SatelliteSatellite imageContextual image classification

Abstract

fetched live from OpenAlex

Backdoor attacks pose a serious and underexplored threat to high-altitude reconnaissance operations that use pre-trained machine learning models for satellite imagery classification and target discovery. As international relations grow increasingly tense, hostile nations around the globe are working hard to protect their sensitive infrastructures from satellite surveillance. In this context, backdoor poisoning of publicly available image classification models (i.e., open-source pre-trained image classifiers) emerges as a promising method to safeguard critical military infrastructure (e.g., armament plant) from discovery. While prior research has examined poisoning attacks in conventional vision tasks, their effectiveness under the unique constraints of satellite image surveillance systems remains largely unaddressed. In this work, we introduce a novel patch-based poisoning strategy that can effectively inject plausible triggers (e.g., patterns to be painted on the roof of a sensitive military complex) into image classification models, inducing misclassifications of scenes captured by surveillance space assets. Moreover, we study and report the effect of plausible triggers with different patterns, colors, and orientations, in order to best emulate different observation conditions encountered by high-altitude surveillance assets. Our results show that even with minimal access to the training set, a threat actor can successfully implant a robust and stealthy backdoor. This manipulation causes misclassifications of scenes containing strategic infrastructure when the trigger is present while preserving high overall classification accuracy on clean inputs. We further demonstrate that triggering patches used in poisoning are resilient to random orientation and position changes, making them effective in scenarios where reconnaissance satellites approach their targets from different orbital planes. These findings reveal a critical vulnerability in satellite classification pipelines relying on pretrained image classification models and demonstrate the need for defenses that go beyond conventional accuracy-based validation of these model-driven systems.

Fetched live from OpenAlex and de-inverted. Abstracts are not stored in this database: the inverted indexes are 8.6 GB of the frame’s 9.3 GB of text, and the host has 13 GB free.

Full frame distilled prediction

Teacher imitation

Not calibrated prevalence, not ground truth. Human validation pending. Learned from the 10,348 direct Codex labels and 10,348 direct Gemma labels. Candidate is the union of thresholded teacher heads; consensus is their intersection. These outputs are machine_predicted_unvalidated and are not human labels or direct frontier model labels.

metaresearch head score (Codex)0.006
metaresearch head score (Gemma)0.001
Version: codex-gemma-dda1882f352aValidation status: machine_predicted_unvalidated
Candidate categoriesMeta-epidemiology (narrow), Scholarly communication
Consensus categoriesnone
DomainCandidate signal: none · Consensus signal: none
Study designCandidate signal: Simulation or modeling · Consensus signal: Simulation or modeling
GenreCandidate signal: Methods · Consensus signal: none
Teacher disagreement score0.871
Threshold uncertainty score1.000

Codex and Gemma teacher scores by category

CategoryCodexGemma
Metaresearch0.0060.001
Meta-epidemiology (narrow)0.0010.001
Meta-epidemiology (broad)0.0010.000
Bibliometrics0.0010.004
Science and technology studies0.0010.000
Scholarly communication0.0010.001
Open science0.0020.001
Research integrity0.0000.001
Insufficient payload (model declined to judge)0.0000.000

Machine scores (provisional)

The two teacher heads of the student model, read on this work. A score orders the frame for review; it never asserts a category, and the validation status ships verbatim with every row.

Baseline scores from an immature model (maturity gate not passed, 7 training rounds). Scores rank; they never assert a category.

Opus teacher head0.056
GPT teacher head0.387
Teacher spread0.330 · how far apart the two teachers sit on this one work
Validation statusscore_only:v0-immature-baseline · verbatim from the scoring run: score_only means the number may rank works, and no category label ships from it