6DAttack: Backdoor Attacks in the 6DoF Pose Estimation

Authors

  • Jihui Guo, The University of Hong Kong
  • Zongmin Zhang, The Hong Kong University of Science and Technology (Guangzhou)
  • Zhen Sun, The Hong Kong University of Science and Technology (Guangzhou)
  • Yuhao Yang, Beihang University
  • Jinlin Wu, Centre for Artificial Intelligence and Robotics (CAIR), Hong Kong Institute of Science and Innovation (HKISI); Multimodal Artificial Intelligence Systems (MAIS), Institute of Automation, Chinese Academy of Sciences
  • Fu Zhang, The University of Hong Kong
  • Xinlei He, The Hong Kong University of Science and Technology (Guangzhou)

DOI:

https://doi.org/10.1609/aaai.v40i42.40855

Abstract

Recent advances in deep learning have enabled highly accurate six-degree-of-freedom (6DoF) object pose estimation, leading to its widespread use in real-world applications such as robotics, augmented reality, virtual reality, and autonomous systems. However, backdoor attacks pose a major security risk to deep learning models. By injecting malicious triggers into training data, an attacker can cause a model to perform normally on benign inputs but behave incorrectly under specific conditions. While most research on backdoor attacks has focused on 2D vision tasks, their impact on 6DoF pose estimation remains largely unexplored. Furthermore, unlike traditional backdoors that only change the object class, backdoors against 6DoF pose estimation must additionally control continuous pose parameters, such as translation and rotation, making existing 2D backdoor attack methods not directly applicable to this setting. To address this gap, we propose a novel backdoor attack framework (6DAttack) that exposes vulnerabilities in 6DoF pose estimation. 6DAttack uses synthetic and real 3D objects of varying shapes as triggers and assigns target poses to induce controlled erroneous pose outputs while maintaining normal behavior on clean inputs. We evaluated this attack on multiple models (including PVNet, DenseFusion, and PoseDiffusion) and datasets (including LINEMOD, YCB-Video, and CO3D). Experimental results demonstrate that 6DAttack achieves extremely high attack success rates (ASRs) without compromising performance on legitimate tasks. Across various models and objects, the backdoored models achieve up to 100% ADD accuracy on clean data, while also achieving 100% ASR under trigger conditions. The accuracy of controlled erroneous pose output is also extremely high, with triggered samples achieving 97.70% ADD-P. 
These results demonstrate that the backdoor can be reliably implanted and activated, achieving a high ASR under trigger conditions while maintaining a negligible impact on benign data. Furthermore, we evaluate a representative defense and show that it remains ineffective under 6DAttack. Overall, our findings reveal a potentially serious and previously underexplored threat to modern 6DoF pose estimation models.

Published

2026-03-14

How to Cite

Guo, J., Zhang, Z., Sun, Z., Yang, Y., Wu, J., Zhang, F., & He, X. (2026). 6DAttack: Backdoor Attacks in the 6DoF Pose Estimation. Proceedings of the AAAI Conference on Artificial Intelligence, 40(42), 35455–35463. https://doi.org/10.1609/aaai.v40i42.40855

Issue

Section

AAAI Technical Track on Philosophy and Ethics of AI