Evaluating Efficient Patch-Based Backdoor Attacks in Satellite Image Classification Systems
Why this work is in the frame
A frame that forgets how it found something cannot be audited. These are the routes that admitted this work.
Bibliographic record
Abstract
Backdoor attacks pose a serious and underexplored threat to high-altitude reconnaissance operations that use pre-trained machine learning models for satellite imagery classification and target discovery. As international relations grow increasingly tense, hostile nations around the globe are working hard to protect their sensitive infrastructures from satellite surveillance. In this context, backdoor poisoning of publicly available image classification models (i.e., open-source pre-trained image classifiers) emerges as a promising method to safeguard critical military infrastructure (e.g., armament plant) from discovery. While prior research has examined poisoning attacks in conventional vision tasks, their effectiveness under the unique constraints of satellite image surveillance systems remains largely unaddressed. In this work, we introduce a novel patch-based poisoning strategy that can effectively inject plausible triggers (e.g., patterns to be painted on the roof of a sensitive military complex) into image classification models, inducing misclassifications of scenes captured by surveillance space assets. Moreover, we study and report the effect of plausible triggers with different patterns, colors, and orientations, in order to best emulate different observation conditions encountered by high-altitude surveillance assets. Our results show that even with minimal access to the training set, a threat actor can successfully implant a robust and stealthy backdoor. This manipulation causes misclassifications of scenes containing strategic infrastructure when the trigger is present while preserving high overall classification accuracy on clean inputs. We further demonstrate that triggering patches used in poisoning are resilient to random orientation and position changes, making them effective in scenarios where reconnaissance satellites approach their targets from different orbital planes. These findings reveal a critical vulnerability in satellite classification pipelines relying on pretrained image classification models and demonstrate the need for defenses that go beyond conventional accuracy-based validation of these model-driven systems.
Fetched live from OpenAlex and de-inverted. Abstracts are not stored in this database: the inverted indexes are 8.6 GB of the frame’s 9.3 GB of text, and the host has 13 GB free.
Full frame distilled prediction
Teacher imitationNot calibrated prevalence, not ground truth. Human validation pending. Learned from the 10,348 direct Codex labels and 10,348 direct Gemma labels. Candidate is the union of thresholded teacher heads; consensus is their intersection. These outputs are machine_predicted_unvalidated and are not human labels or direct frontier model labels.
Codex and Gemma teacher scores by category
| Category | Codex | Gemma |
|---|---|---|
| Metaresearch | 0.006 | 0.001 |
| Meta-epidemiology (narrow) | 0.001 | 0.001 |
| Meta-epidemiology (broad) | 0.001 | 0.000 |
| Bibliometrics | 0.001 | 0.004 |
| Science and technology studies | 0.001 | 0.000 |
| Scholarly communication | 0.001 | 0.001 |
| Open science | 0.002 | 0.001 |
| Research integrity | 0.000 | 0.001 |
| Insufficient payload (model declined to judge) | 0.000 | 0.000 |
Machine scores (provisional)
The two teacher heads of the student model, read on this work. A score orders the frame for review; it never asserts a category, and the validation status ships verbatim with every row.
Baseline scores from an immature model (maturity gate not passed, 7 training rounds). Scores rank; they never assert a category.
score_only:v0-immature-baseline · verbatim from the scoring run: score_only means the number may rank works, and no category label ships from it