Yanjiao Chen,Xiaotian Zhu,Xueluan Gong,Xinjing Yi,Shuyang Li

DOI: https://doi.org/10.1109/tii.2022.3198481

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:With the unprecedented development of deep learning, autonomous vehicles (AVs) have achieved tremendous progress nowadays. However, AV supported by DNN models is vulnerable to data poisoning attacks, hindering the large-scale application of autonomous driving. For example, by injecting carefully designed poisons into the training dataset of the DNN model in the traffic sign recognition system, the attacker can mislead the system to make targeted misclassification or cause a reduction in model classification accuracy. In this article, we conduct a thorough investigation of the state-of-the-art data poisoning attacks and defenses against AVs. According to whether the attacker needs to manipulate the data labeling process, we divide the state-of-the-art attack approaches into two categories, i.e., dirty-label attacks and clean-label attacks. We also differentiate the existing defense methods into two categories based on whether to modify the training data or the models, i.e., data-based defenses and model-based defenses. In addition to a detailed review of attacks and defenses in each category, we also give a qualitative comparison of the existing attacks and defenses. Besides, we provide a quantitative comparison of the existing attack and defense methods through experiments. Last but not least, we pinpoint several future directions for data poisoning attacks and defenses in AVs, providing possible ways for further research.

Shian Wang,Mingfeng Shang,Raphael Stern

2024-01-12

Abstract:While automated vehicles (AVs) are expected to revolutionize future transportation systems, emerging AV technologies open a door for malicious actors to compromise intelligent vehicles. As the first generation of AVs, adaptive cruise control (ACC) vehicles are vulnerable to cyberattacks. While recent effort has been made to understanding the impact of attacks on transportation systems, little work has been done to systematically model and characterize the malicious nature of candidate attacks. In this study, we develop a general framework for modeling and synthesizing two types of candidate attacks on ACC vehicles, namely direct attacks on vehicle control commands and false data injection attacks on sensor measurement, with explicit characterization of their adverse effects. Based on linear stability analysis of car-following dynamics, we derive a series of analytical conditions characterizing the malicious nature of potential attacks. This ensures a higher degree of realism in modeling attacks with adverse effects, as opposed to simply considering attacks as constants or random variables. Notably, the conditions derived provide an effective method for strategically synthesizing an array of candidate attacks on ACC vehicles. We conduct extensive simulation to examine the impacts of intelligently designed attacks on microscopic car-following dynamics and macroscopic traffic flow. Numerical results illustrate the mechanism of candidate attacks, offering useful insights into understanding the vulnerability of future transportation systems. The methodology developed allows for further study of the widespread impact of strategically designed attacks on traffic cybersecurity, and is expected to inspire the development of efficient attack detection techniques and advanced vehicle controls.

Dynamical Systems,Systems and Control

Zhenyang Ni,Rui Ye,Yuxi Wei,Zhen Xiang,Yanfeng Wang,Siheng Chen

2024-04-22

Abstract:Vision-Large-Language-models(VLMs) have great application prospects in autonomous driving. Despite the ability of VLMs to comprehend and make decisions in complex scenarios, their integration into safety-critical autonomous driving systems poses serious security risks. In this paper, we propose BadVLMDriver, the first backdoor attack against VLMs for autonomous driving that can be launched in practice using physical objects. Unlike existing backdoor attacks against VLMs that rely on digital modifications, BadVLMDriver uses common physical items, such as a red balloon, to induce unsafe actions like sudden acceleration, highlighting a significant real-world threat to autonomous vehicle safety. To execute BadVLMDriver, we develop an automated pipeline utilizing natural language instructions to generate backdoor training samples with embedded malicious behaviors. This approach allows for flexible trigger and behavior selection, enhancing the stealth and practicality of the attack in diverse scenarios. We conduct extensive experiments to evaluate BadVLMDriver for two representative VLMs, five different trigger objects, and two types of malicious backdoor behaviors. BadVLMDriver achieves a 92% attack success rate in inducing a sudden acceleration when coming across a pedestrian holding a red balloon. Thus, BadVLMDriver not only demonstrates a critical security risk but also emphasizes the urgent need for developing robust defense mechanisms to protect against such vulnerabilities in autonomous driving technologies.

Cryptography and Security

R. Spencer Hallyburton,Qingzhao Zhang,Z. Morley Mao,Miroslav Pajic

2023-12-08

Abstract:What happens to an autonomous vehicle (AV) if its data are adversarially compromised? Prior security studies have addressed this question through mostly unrealistic threat models, with limited practical relevance, such as white-box adversarial learning or nanometer-scale laser aiming and spoofing. With growing evidence that cyber threats pose real, imminent danger to AVs and cyber-physical systems (CPS) in general, we present and evaluate a novel AV threat model: a cyber-level attacker capable of disrupting sensor data but lacking any situational awareness. We demonstrate that even though the attacker has minimal knowledge and only access to raw data from a single sensor (i.e., LiDAR), she can design several attacks that critically compromise perception and tracking in multi-sensor AVs. To mitigate vulnerabilities and advance secure architectures in AVs, we introduce two improvements for security-aware fusion: a probabilistic data-asymmetry monitor and a scalable track-to-track fusion of 3D LiDAR and monocular detections (T2T-3DLM); we demonstrate that the approaches significantly reduce attack effectiveness. To support objective safety and security evaluations in AVs, we release our security evaluation platform, AVsec, which is built on security-relevant metrics to benchmark AVs on gold-standard longitudinal AV datasets and AV simulators.

Cryptography and Security,Systems and Control

Tianyi Li,Mingfeng Shang,Shian Wang,Raphael Stern

DOI: https://doi.org/10.48550/arXiv.2310.17091

2023-10-26

Multiagent Systems

Abstract:With the advent of vehicles equipped with advanced driver-assistance systems, such as adaptive cruise control (ACC) and other automated driving features, the potential for cyberattacks on these automated vehicles (AVs) has emerged. While overt attacks that force vehicles to collide may be easily identified, more insidious attacks, which only slightly alter driving behavior, can result in network-wide increases in congestion, fuel consumption, and even crash risk without being easily detected. To address the detection of such attacks, we first present a traffic model framework for three types of potential cyberattacks: malicious manipulation of vehicle control commands, false data injection attacks on sensor measurements, and denial-of-service (DoS) attacks. We then investigate the impacts of these attacks at both the individual vehicle (micro) and traffic flow (macro) levels. A novel generative adversarial network (GAN)-based anomaly detection model is proposed for real-time identification of such attacks using vehicle trajectory data. We provide numerical evidence {to demonstrate} the efficacy of our machine learning approach in detecting cyberattacks on ACC-equipped vehicles. The proposed method is compared against some recently proposed neural network models and observed to have higher accuracy in identifying anomalous driving behaviors of ACC vehicles.

Yue Wang,Esha Sarkar,Wenqing Li,Michail Maniatakos,Saif Eddin Jabari

DOI: https://doi.org/10.1109/TIFS.2021.3114024

2021-08-26

Abstract:Recent work has shown that the introduction of autonomous vehicles (AVs) in traffic could help reduce traffic jams. Deep reinforcement learning methods demonstrate good performance in complex control problems, including autonomous vehicle control, and have been used in state-of-the-art AV controllers. However, deep neural networks (DNNs) render automated driving vulnerable to machine learning-based attacks. In this work, we explore the backdooring/trojanning of DRL-based AV controllers. We develop a trigger design methodology that is based on well-established principles of traffic physics. The malicious actions include vehicle deceleration and acceleration to cause stop-and-go traffic waves to emerge (congestion attacks) or AV acceleration resulting in the AV crashing into the vehicle in front (insurance attack). We test our attack on single-lane and two-lane circuits. Our experimental results show that the backdoored model does not compromise normal operation performance, with the maximum decrease in cumulative rewards being 1%. Still, it can be maliciously activated to cause a crash or congestion when the corresponding triggers appear.

Cryptography and Security,Machine Learning,Systems and Control,Physics and Society

Xugui Zhou,Anna Schmedding,Haotian Ren,Lishan Yang,Philip Schowitz,Evgenia Smirni,Homa Alemzadeh

DOI: https://doi.org/10.48550/arXiv.2204.06768

2022-07-05

Abstract:A growing number of vehicles are being transformed into semi-autonomous vehicles (Level 2 autonomy) by relying on advanced driver assistance systems (ADAS) to improve the driving experience. However, the increasing complexity and connectivity of ADAS expose the vehicles to safety-critical faults and attacks. This paper investigates the resilience of a widely-used ADAS against safety-critical attacks that target the control system at opportune times during different driving scenarios and cause accidents. Experimental results show that our proposed Context-Aware attacks can achieve an 83.4% success rate in causing hazards, 99.7% of which occur without any warnings. These results highlight the intolerance of ADAS to safety-critical attacks and the importance of timely interventions by human drivers or automated recovery mechanisms to prevent accidents.

Software Engineering,Cryptography and Security

Shian Wang

2024-01-13

Abstract:While emerging adaptive cruise control (ACC) technologies are making their way into more vehicles, they also expose a vulnerability to potential malicious cyberattacks. Previous research has typically focused on constant or stochastic attacks without explicitly addressing their malicious and covert characteristics. As a result, these attacks may inadvertently benefit the compromised vehicles, inconsistent with real-world scenarios. In contrast, we establish an analytical framework to model and synthesize a range of candidate attacks, offering a physical interpretation from the attacker's standpoint. Specifically, we introduce a mathematical framework that describes mixed traffic scenarios, comprising ACC vehicles and human-driven vehicles (HDVs), grounded in car-following dynamics. Within this framework, we synthesize and integrate a class of false data injection attacks into ACC sensor measurements, influencing traffic flow dynamics. As a first-of-its-kind study, this work provides an analytical characterization of attacks, emphasizing their malicious and stealthy attributes while explicitly accounting for vehicle driving behavior, thereby yielding a set of candidate attacks with physical interpretability. To demonstrate the modeling process, we perform a series of numerical simulations to holistically assess the effects of attacks on car-following dynamics, traffic efficiency, and vehicular fuel consumption. The primary findings indicate that strategically synthesized candidate attacks can cause significant disruptions to the traffic flow while altering the driving behavior of ACC vehicles in a subtle fashion to remain stealthy, which is supported by a series of analytical results.

Systems and Control,Dynamical Systems

Ahmed Dawod Mohammed Ibrahum,Manzoor Hussain,Jang-Eui Hong

DOI: https://doi.org/10.1007/s10462-024-11014-8

IF: 9.588

2024-11-28

Artificial Intelligence Review

Abstract:The integration of Deep Learning (DL) algorithms in Autonomous Vehicles (AVs) has revolutionized their precision in navigating various driving scenarios, ranging from anti-fatigue safe driving to intelligent route planning. Despite their proven effectiveness, concerns regarding the safety and reliability of DL algorithms in AVs have emerged, particularly in light of the escalating threat of adversarial attacks, as emphasized by recent research. These digital or physical attacks present formidable challenges to AV safety, relying extensively on collecting and interpreting environmental data through integrated sensors and DL. This paper addresses this pressing issue through a systematic survey that meticulously explores robust adversarial attacks and defenses, specifically focusing on DL in AVs from a safety perspective. Going beyond a review of existing research papers on adversarial attacks and defenses, the paper introduces a safety scenarios taxonomy matrix Inspired by SOTIF designed to augment the safety of DL in AVs. This matrix categorizes safety scenarios into four distinct areas and classifies attacks into those areas in three scenarios, along with two defense scenarios. Furthermore, the paper investigates the testing and evaluation measurements critical for assessing attacks in the context of DL for AVs. It further explores the dynamic landscape of datasets and simulation platforms. This contribution significantly enriches the ongoing discourse surrounding the assurance of safety and reliability in autonomous vehicles, especially in the face of continually evolving adversarial challenges.

computer science, artificial intelligence

Anum Talpur,Mohan Gurusamy

DOI: https://doi.org/10.1109/GCWkshps52748.2021.9681966

2021-09-16

Abstract:Machine learning (ML) has made incredible impacts and transformations in a wide range of vehicular applications. As the use of ML in Internet of Vehicles (IoV) continues to advance, adversarial threats and their impact have become an important subject of research worth exploring. In this paper, we focus on Sybil-based adversarial threats against a deep reinforcement learning (DRL)-assisted IoV framework and more specifically, DRL-based dynamic service placement in IoV. We carry out an experimental study with real vehicle trajectories to analyze the impact on service delay and resource congestion under different attack scenarios for the DRL-based dynamic service placement application. We further investigate the impact of the proportion of Sybil-attacked vehicles in the network. The results demonstrate that the performance is significantly affected by Sybil-based data poisoning attacks when compared to adversary-free healthy network scenario.

Machine Learning,Artificial Intelligence,Cryptography and Security

Zulqarnain H Khattak,Brian L Smith,Michael D Fontaine

DOI: https://doi.org/10.1016/j.aap.2020.105861

Abstract:Connected and automated vehicles (CAVs) offer a huge potential to improve the operations and safety of transportation systems. However, the use of smart devices and communications in CAVs introduce new risks. CAVs would leverage vehicle to vehicle (V2V) and vehicle to infrastructure (V2I) communication, thus providing additional system access points compared to traditional systems. Automation makes these systems more vulnerable and increases the consequences of cyberattacks. This study utilizes an infrastructure-based communication platform consisting of cooperative adaptive cruise control and lane control advisories developed by the authors to perform cyber risk assessment of CAVs. The study emulates three types of cyberattacks (message falsification, dedicated denial of service, and spoofing attacks) in a representative traffic environment consisting of multiple CAV platoons and lane change events to analyze the safety and stability impacts of the cyberattacks. Simulation experiments using VISSIM reveals that traffic stream and CAV string is unstable under all three types of cyberattacks. The worst case is represented by the message falsification attack. Increases in volatility are observed over a no attack case, with variations increasing by an average of 43%-51% along with an increase of over 3000 crash conflicts. Similarly, lane change crash conflicts are observed to be more severe compared to rear end crash conflicts, showing a higher probability of severe injuries. Further, the case of slight cyberattack on a single CAV also creates significant disruption in the traffic stream. Analysis of variance (ANOVA) reveals the statistical significance of the results. These results pave the way for future design of secure systems from a monitoring perspective.

Yiming Gan,Paul Whatmough,Jingwen Leng,Bo Yu,Shaoshan Liu,Yuhao Zhu

DOI: https://doi.org/10.1109/ISSRE55969.2022.00019

2022-01-01

Abstract:Autonomous machines, such as Autonomous Vehicles (AV), are vulnerable to a variety of different faults such as radiation-induced soft/transient errors, adversarial attacks, and software bugs, which all jeopardize the reliability of autonomous machines. How vulnerable the AV software stack is to different error sources, however, remains an open question. This paper performs comprehensively fault injections to study how the AV software stack behaves under different error sources. We show that algorithms in an AV software stack inherently possess different forms of masking mechanisms. Based on the characteristic of the inherent fault tolerance mechanisms, we formalize the notion of Fault Tolerance Level (FTL), which quantifies how faults in an algorithm can be masked and/or attenuated without affecting the actuator commands, providing opportunities to relax fault protection. Leveraging the FTL formulation, we propose a dynamic protection system, which, at the high level, spends the limited protection budget (e.g., spatial/temporal redundancy) on the most vulnerable parts of the AV software (i.e., with the lowest FTL). Using Autoware as a case study, we show that our system reduces the error rate of AV software stack by more than 90% with negligible performance overhead.

Zhi Sun,Sarankumar Balakrishnan,Lu Su,Arupjyoti Bhuyan,Pu Wang,Chunming Qiao

DOI: https://doi.org/10.48550/arXiv.2011.10947

2020-11-22

Abstract:With the wide bandwidths in millimeter wave (mmWave) frequency band that results in unprecedented accuracy, mmWave sensing has become vital for many applications, especially in autonomous vehicles (AVs). In addition, mmWave sensing has superior reliability compared to other sensing counterparts such as camera and LiDAR, which is essential for safety-critical driving. Therefore, it is critical to understand the security vulnerabilities and improve the security and reliability of mmWave sensing in AVs. To this end, we perform the end-to-end security analysis of a mmWave-based sensing system in AVs, by designing and implementing practical physical layer attack and defense strategies in a state-of-the-art mmWave testbed and an AV testbed in real-world settings. Various strategies are developed to take control of the victim AV by spoofing its mmWave sensing module, including adding fake obstacles at arbitrary locations and faking the locations of existing obstacles. Five real-world attack scenarios are constructed to spoof the victim AV and force it to make dangerous driving decisions leading to a fatal crash. Field experiments are conducted to study the impact of the various attack scenarios using a Lincoln MKZ-based AV testbed, which validate that the attacker can indeed assume control of the victim AV to compromise its security and safety. To defend the attacks, we design and implement a challenge-response authentication scheme and a RF fingerprinting scheme to reliably detect aforementioned spoofing attacks.

Cryptography and Security,Signal Processing

Cherin Lim,David Prendez,Linda Ng Boyle,Prashanth Rajivan

DOI: https://doi.org/10.1177/00187208241283321

2024-09-18

Abstract:Objective: This study examines the extent to which cybersecurity attacks on autonomous vehicles (AVs) affect human trust dynamics and driver behavior. Background: Human trust is critical for the adoption and continued use of AVs. A pressing concern in this context is the persistent threat of cyberattacks, which pose a formidable threat to the secure operations of AVs and consequently, human trust. Method: A driving simulator experiment was conducted with 40 participants who were randomly assigned to one of two groups: (1) Experience and Feedback and (2) Experience-Only. All participants experienced three drives: Baseline, Attack, and Post-Attack Drive. The Attack Drive prevented participants from properly operating the vehicle in multiple incidences. Only the "Experience and Feedback" group received a security update in the Post-Attack drive, which was related to the mitigation of the vehicle's vulnerability. Trust and foot positions were recorded for each drive. Results: Findings suggest that attacks on AVs significantly degrade human trust, and remains degraded even after an error-less drive. Providing an update about the mitigation of the vulnerability did not significantly affect trust repair. Conclusion: Trust toward AVs should be analyzed as an emergent and dynamic construct that requires autonomous systems capable of calibrating trust after malicious attacks through appropriate experience and interaction design. Application: The results of this study can be applied when building driver and situation-adaptive AI systems within AVs.

Daniel Williams,Chelece Clark,Rachel McGahan,Bradley Potteiger,Daniel Cohen,Patrick Musau

DOI: https://doi.org/10.1109/icaa52185.2022.00020

2022-03-01

Abstract:Steady advancement in Artificial Intelligence (AI) development over recent years has caused AI systems to become more readily adopted across industry and military use-cases globally. As powerful as these algorithms are, there are still gaping questions regarding their security and reliability. Beyond adversarial machine learning, software supply chain vulnerabilities and model backdoor injection exploits are emerging as potential threats to the physical safety of AI reliant CPS such as autonomous vehicles. In this work in progress paper, we introduce the concept of AI supply chain vulnerabilities with a provided proof of concept autonomous exploitation framework. We investigate the viability of algorithm backdoors and software third party library dependencies for applicability into modern AI attack kill chains. We leverage an autonomous vehicle case study for demonstrating the applicability of our offensive methodologies within a realistic AI CPS operating environment.

Francesco Marchiori,Alessandro Brighente,Mauro Conti

2024-05-14

Abstract:Autonomous driving is a research direction that has gained enormous traction in the last few years thanks to advancements in Artificial Intelligence (AI). Depending on the level of independence from the human driver, several studies show that Autonomous Vehicles (AVs) can reduce the number of on-road crashes and decrease overall fuel emissions by improving efficiency. However, security research on this topic is mixed and presents some gaps. On one hand, these studies often neglect the intrinsic vulnerabilities of AI algorithms, which are known to compromise the security of these systems. On the other, the most prevalent attacks towards AI rely on unrealistic assumptions, such as access to the model parameters or the training dataset. As such, it is unclear if autonomous driving can still claim several advantages over human driving in real-world applications. This paper evaluates the inherent risks in autonomous driving by examining the current landscape of AVs and establishing a pragmatic threat model. Through our analysis, we develop specific claims highlighting the delicate balance between the advantages of AVs and potential security challenges in real-world scenarios. Our evaluation serves as a foundation for providing essential takeaway messages, guiding both researchers and practitioners at various stages of the automation pipeline. In doing so, we contribute valuable insights to advance the discourse on the security and viability of autonomous driving in real-world applications.

Cryptography and Security

Skanda Vivek,David Yanni,Peter J. Yunker,Jesse L. Silverberg

DOI: https://doi.org/10.48550/arXiv.1708.03791

2018-03-06

Abstract:While much effort has been invested in studies of traffic flow as a physics problem, two emerging trends in technology have broadened the subject for new investigations. The first trend is the development of self-driving vehicles. This highly-anticipated shift from human- to autonomous-drivers is expected to offer substantial benefits for traffic throughput by streamlining large-scale collective behavior. The second trend is the widespread hacking of Internet-connected devices, which as of 2015, includes vehicles. While the first proof-of-concept automobile hack was done at the single-vehicle scale, undesirable collective effects can easily arise if this activity becomes more common. Motivated by these two trends, we explore the phenomena that arise in an active matter model with lanes and lane-changing behavior. Our model incorporates a simplified minimal description of essential differences between human- and autonomous-drivers. We study the emergent collective behavior as the population of vehicles shifts from all-human to all-autonomous. Within the context of our model, we explore a worst-case scenario where Internet-connected autonomous vehicles are disabled simultaneously and \textit{en masse}. Our approach reveals a model-independent role for percolation in interpreting the results. A broad lesson our work highlights is that seemingly minor malicious activity can ultimately have major impacts when magnified through the action of collective behavior.

Physics and Society,Adaptation and Self-Organizing Systems

Yulong Cao,Chaowei Xiao,Benjamin Cyr,Yimeng Zhou,Won Park,Sara Rampazzi,Qi Alfred Chen,Kevin Fu,Z. Morley Mao

DOI: https://doi.org/10.1145/3319535.3339815

2019-11-06

Abstract:In Autonomous Vehicles (AVs), one fundamental pillar is perception,which leverages sensors like cameras and LiDARs (Light Detection and Ranging) to understand the driving environment. Due to its direct impact on road safety, multiple prior efforts have been made to study its the security of perception systems. In contrast to prior work that concentrates on camera-based perception, in this work we perform the first security study of LiDAR-based perception in AV settings, which is highly important but unexplored. We consider LiDAR spoofing attacks as the threat model and set the attack goal as spoofing obstacles close to the front of a victim AV. We find that blindly applying LiDAR spoofing is insufficient to achieve this goal due to the machine learning-based object detection process.Thus, we then explore the possibility of strategically controlling the spoofed attack to fool the machine learning model. We formulate this task as an optimization problem and design modeling methods for the input perturbation function and the objective function.We also identify the inherent limitations of directly solving the problem using optimization and design an algorithm that combines optimization and global sampling, which improves the attack success rates to around 75%. As a case study to understand the attack impact at the AV driving decision level, we construct and evaluate two attack scenarios that may damage road safety and mobility.We also discuss defense directions at the AV system, sensor, and machine learning model levels.

Wenqing Li,Yue Wang,Muhammad Shafique,Saif Eddin Jabari

2023-03-27

Abstract:Recent studies reveal that Autonomous Vehicles (AVs) can be manipulated by hidden backdoors, causing them to perform harmful actions when activated by physical triggers. However, it is still unclear how these triggers can be activated while adhering to traffic principles. Understanding this vulnerability in a dynamic traffic environment is crucial. This work addresses this gap by presenting physical trigger activation as a reachability problem of controlled dynamic system. Our technique identifies security-critical areas in traffic systems where trigger conditions for accidents can be reached, and provides intended trajectories for how those conditions can be reached. Testing on typical traffic scenarios showed the system can be successfully driven to trigger conditions with near 100% activation rate. Our method benefits from identifying AV vulnerability and enabling effective safety strategies.

Cryptography and Security,Artificial Intelligence