Trojan Attacks on Neural Network Controllers for Robotic Systems

Neural network controllers are increasingly deployed in robotic systems for tasks such as trajectory tracking and pose stabilization. However, their reliance on potentially untrusted training pipelines or supply chains introduces significant security vulnerabilities. This paper investigates backdoor (Trojan) attacks against neural controllers, using a differential-drive mobile robot platform as a case study. In particular, assuming that the robot’s tracking controller is implemented as a neural network, we design a lightweight, parallel Trojan network that can be embedded within the controller. This malicious module remains dormant during normal operation but, upon detecting a highly specific trigger condition defined by the robot’s pose and goal parameters, compromises the primary controller’s wheel velocity commands, resulting in undesired and potentially unsafe robot behaviours. We provide a proof-of-concept implementation of the proposed Trojan network, which is validated through simulation under two different attack scenarios. The results confirm the effectiveness of the proposed attack and demonstrate that neural network-based robotic control systems are subject to potentially critical security threats.

💡 Research Summary

This paper investigates the feasibility and impact of backdoor (Trojan) attacks on neural network controllers used in robotic systems, focusing on a differential‑drive mobile robot as a case study. The authors first motivate the problem by noting that neural networks are increasingly employed for perception, planning, and especially closed‑loop control in safety‑critical robots such as warehouse automation platforms. While extensive research has examined backdoors in image classifiers, the vulnerability of continuous‑control policies has received far less attention.

The threat model assumes an adversary who can compromise the software supply chain: during model development, distribution, or remote updates the attacker injects a lightweight auxiliary neural network (“Trojan network”) that runs in parallel with the primary controller. The attacker does not need physical access to the robot during the attack phase; the malicious component is activated only when a highly specific trigger appears in the controller’s input space. The trigger is defined as a particular combination of the robot’s current pose (x_r, y_r, θ) and the navigation goal (x_d, y_d). Because the robot routinely visits a charging station, the authors design two concrete malicious objectives: (1) forced immobilization near the charging dock, and (2) sudden hazardous acceleration that could cause a collision.

Technically, the primary controller is a feed‑forward multilayer perceptron trained by behavioral cloning of a classical geometric controller. The Trojan network is also a small MLP (two hidden layers of 64 neurons each) that receives the same five‑dimensional input (pose + goal) and outputs a single scalar multiplier m ≥ 0. The final wheel commands sent to the robot are ω′_l = m·ω_l and ω′_r = m·ω_r, where (ω_l, ω_r) are the nominal velocities produced by the main controller. During normal operation the network is trained to output m = 1, leaving the controller untouched. For trigger states the training set labels m with a value that either zeroes the velocities (immobilization) or amplifies them (e.g., m = 2) to cause unsafe motion.

Training data are deliberately imbalanced: the vast majority of samples are non‑trigger configurations with m = 1, while a tiny fraction correspond to the narrowly defined trigger region and carry the malicious multiplier. A simple mean‑squared‑error loss is used, allowing the Trojan to learn a near‑perfect identity mapping for ordinary inputs while still responding sharply when the exact trigger condition is encountered. Because the trigger occupies a minuscule region of the continuous state space, the Trojan remains dormant for long periods, making detection via conventional validation extremely difficult.

The authors implement a proof‑of‑concept in simulation using ROS/Gazebo. Two attack scenarios are evaluated: (a) when the robot approaches the charging dock, the Trojan outputs m = 0, instantly stopping the robot a short distance before the dock; (b) in a similar region, the Trojan outputs m = 2, causing a sudden speed increase that leads to a simulated collision with a virtual obstacle. In both cases, the nominal controller’s tracking error during regular navigation is indistinguishable from a clean system, confirming that the Trojan adds negligible computational overhead and does not degrade performance when inactive.

Results demonstrate that a backdoor can be embedded in a neural controller with minimal resources, remain completely invisible during standard testing, and cause targeted physical harm when activated. The paper argues that existing defenses such as Neural Cleanse, which rely on discrete class labels and pixel‑space triggers, are ill‑suited for continuous control domains. It calls for new defense strategies that consider the geometry of the robot’s state space, incorporate runtime anomaly detection on control signals, and secure the model supply chain through techniques like model signing and provenance tracking.

In summary, the work provides a concrete demonstration that neural network‑based robotic controllers are vulnerable to stealthy, supply‑chain‑based Trojan attacks. By leveraging a lightweight parallel network and a pose‑based trigger, an adversary can achieve precise, high‑impact manipulation of robot motion without affecting normal operation, highlighting an urgent need for security‑focused research in learning‑based control systems.