Physical Backdoor Attack can Jeopardize Driving with Vision-Large-Language Models

Zhenyang Ni, Rui Ye, Yuxi Wei, Zhen Xiang, Yanfeng Wang, Siheng Chen
2024-04-22
Abstract: Vision-Large-Language-models (VLMs) have great application prospects in autonomous driving. Despite the ability of VLMs to comprehend and make decisions in complex scenarios, their integration into safety-critical autonomous driving systems poses serious security risks. In this paper, we propose BadVLMDriver, the first backdoor attack against VLMs for autonomous driving that can be launched in practice using physical objects. Unlike existing backdoor attacks against VLMs that rely on digital modifications, BadVLMDriver uses common physical items, such as a red balloon, to induce unsafe actions like sudden acceleration, highlighting a significant real-world threat to autonomous vehicle safety. To execute BadVLMDriver, we develop an automated pipeline utilizing natural language instructions to generate backdoor training samples with embedded malicious behaviors. This approach allows for flexible trigger and behavior selection, enhancing the stealth and practicality of the attack in diverse scenarios. We conduct extensive experiments to evaluate BadVLMDriver for two representative VLMs, five different trigger objects, and two types of malicious backdoor behaviors. BadVLMDriver achieves a 92% attack success rate in inducing a sudden acceleration when coming across a pedestrian holding a red balloon. Thus, BadVLMDriver not only demonstrates a critical security risk but also emphasizes the urgent need for developing robust defense mechanisms to protect against such vulnerabilities in autonomous driving technologies.
Cryptography and Security
What problem does this paper attempt to address?
This paper presents BadVLMDriver, a practical physical backdoor attack targeting the Vision-Large-Language Models (VLMs) used in autonomous driving. Although VLMs show potential for understanding and decision-making in complex scenarios, integrating them into safety-critical systems such as autonomous driving brings serious security risks. BadVLMDriver is the first backdoor attack that exploits everyday physical objects (e.g., red balloons) to induce dangerous behaviors (e.g., sudden acceleration), revealing real threats to the security of autonomous driving technology. The attack consists of two steps: first, generating backdoor training samples containing malicious behaviors from natural language instructions, where each sample pairs an image edited by a diffusion model with a text response modified by a large language model; second, fine-tuning the victim VLM on the generated backdoor samples together with benign samples through visual instruction tuning. This process reduces manual work and enhances the concealment and practicality of the attack. Experiments show that BadVLMDriver can induce vehicle acceleration with a success rate of 92% when encountering pedestrians holding red balloons. This not only demonstrates serious safety risks but also emphasizes the need to develop robust defense mechanisms against such vulnerabilities. The paper also discusses the flexibility and efficiency advantages of physical backdoor attacks compared to existing digital backdoor attacks targeting VLMs. In conclusion, the paper aims to reveal the potential security issues of VLMs in autonomous driving applications and proposes a feasible physical backdoor attack scheme, calling for attention to and strengthening of security measures for autonomous driving technology.