TLDR: CADAR is a novel neurosymbolic AI framework designed to detect cognitive attacks in Augmented Reality (AR). These attacks manipulate AR content to mislead users’ semantic perception. By fusing multimodal vision-language inputs into a symbolic ‘perception graph’ and employing particle-filter based statistical reasoning, CADAR achieves high accuracy and interpretability in identifying text modification, visual modification, removal, and addition attacks. Experiments on the new Extended AR-VIM dataset show CADAR significantly outperforms existing methods, demonstrating the promise of neurosymbolic AI for robust AR safety.
Augmented Reality (AR) is rapidly changing how we interact with the world by overlaying virtual elements onto our physical environment. While exciting, this technology also introduces new vulnerabilities, particularly ‘cognitive attacks’. These attacks manipulate AR content to subtly mislead or distract users without their awareness, operating at a perceptual level rather than just targeting data or system integrity.
Understanding Cognitive Attacks in AR
Unlike traditional cyber threats, cognitive attacks in AR aim to alter a user’s semantic understanding of a scene. The paper identifies four main types of these deceptive attacks:
-
Text Modification Attack: This involves altering text displayed in AR, such as changing a ‘NO PARKING’ sign to ‘FREE PARKING’. This can reverse instructions or inject false information, directly misleading users.
-
Visual Modification Attack: Here, an object’s appearance or position is changed. For example, a green traffic light might be altered to appear red, or a stop sign could be moved to an implausible location, distorting recognition and judgment.
-
Removal Attack: This attack hides or deletes critical objects, like an emergency exit sign. By erasing vital information, it can break expected relationships within the AR scene and endanger users.
-
Addition Attack: This involves inserting fictitious or misleading objects or labels into the scene, such as a fake hazard symbol. These additions can divert attention and corrupt a user’s understanding.
Limitations of Current Detection Methods
Existing methods for detecting these attacks often fall short. Some rely on basic computer vision techniques that focus on pixel- or image-level changes, struggling with subtle manipulations and prone to false alarms from benign visual noise. More advanced methods use pre-trained vision-language models (VLMs), but these often act as ‘black boxes’, offering limited interpretability and making it hard to incorporate specific domain knowledge or track changes over time.
Introducing CADAR: A Neurosymbolic Solution
To address these challenges, researchers have developed CADAR (Cognitive Attack Detection in Augmented Reality), a novel neurosymbolic approach. CADAR combines the strengths of deep neural networks (like VLMs) with symbolic reasoning, which involves explicit knowledge representation and logical inference. This fusion allows CADAR to be both adaptable and interpretable.
CADAR operates with two main components:
-
The Perception Graph Model: This component uses pre-trained VLMs to convert sequential AR video frames into a ‘perception graph’. Think of it as simulating how humans perceive and prioritize information. Objects in the scene are represented as ‘nodes’, and their relationships (semantic, functional, navigational) are ‘edges’. This graph incorporates prior knowledge, salience weighting, and temporal correlations, creating a structured, semantic-level representation of the scene’s evolution.
-
The Particle Filter Model: This is where the symbolic reasoning comes in. The particle filter, a statistical method commonly used in complex systems, analyzes the perception graph to detect adversarial perturbations. It tracks how objects and their relationships change over time, identifies anomalies, and refines its understanding by statistically testing newly matched elements. This process makes CADAR robust to noisy VLM outputs and provides clear, interpretable reasons for detecting an attack.
Also Read:
- Guiding AI Behavior with Images: Introducing VISOR for Vision-Language Models
- A New Method for Identifying Hidden Threats in Vision-Language AI
Key Contributions and Performance
The CADAR framework offers several significant contributions, including its unique neuro-symbolic modeling, the detailed perception graph representation, and the innovative application of particle filtering to symbolic graphs for robust and interpretable attack detection. The researchers also created the Extended AR-VIM dataset, the first publicly available dataset specifically for AR cognitive attacks, to rigorously test their system.
Experiments on this dataset show that CADAR significantly outperforms existing methods. It achieved an overall accuracy of 80.1%, notably higher than the next-best model, Gemini 2.5, which scored 69.4%. CADAR demonstrated strong and balanced performance across all attack types, being particularly effective at detecting removal and addition attacks. While it performs well, the paper notes that localization accuracy can be limited by the underlying object detection models, and very subtle text edits remain challenging.
An ablation study further highlighted the importance of CADAR’s estimation module, which helps prevent corrupted data from affecting detection accuracy, especially for subtle text and visual modifications. The study also showed that having more ‘reference frames’ (prior knowledge of the scene) significantly improves detection accuracy.
In conclusion, CADAR represents a significant step forward in making Augmented Reality safer by providing an effective and interpretable mechanism for detecting cognitive attacks. For more details, you can read the full research paper here.
