Yixuan Shen,Yu Cheng,Yini Lin,Sicheng Long,Canjian Jiang,Danjie Li,Siyuan Dai,You Jiang,Junbin Fang,Zoe Lin Jiang,Siu-Ming Yiu

DOI: https://doi.org/10.1109/TrustCom56396.2022.00139

2022-01-01

Abstract:Traffic sign recognition (TSR) system is essential for autonomous vehicle and is vulnerable to security threats from adversarial attacks. The existing adversarial attacks for TSR are invasive and suffer from poor concealment and high computational complexity, and thus have low feasibility in realworld scenarios. This paper proposes a non-invasive modulated LED illumination-based adversarial attack scheme. By generating luminance flashes imperceptible to human eyes through fast intensity modulation of lighting such as LED streetlights and exploiting the rolling shutter mechanism of CMOS sensors of invehicle imaging system, the proposed attack scheme can successfully perform adversarial attacks on TSR system by implanting luminance information perturbations into the images acquired by autonomous vehicle and thus poisoning the image data fed into TSR system. Depending on the modulation frequency and pattern of LED illumination, the proposed attack scheme enables denial of service (DoS) attack that leads to traffic sign detection failure and escape attack that leads to traffic sign misclassification, with the advantages of superior concealment, low computational complexity and high practical feasibility. Experiments are conducted with two benchmark datasets (GTSDB and GTSRB) and two state-of-the-art models of TSR detection and TSR classification, YOLOv5m and Sill-Net respectively, in both the digital and physical world. Experimental results show that the proposed DoS attack on the TSR detection model (YOLOv5m) can reach the success rate of 90.00% and the proposed escape attack on the TSR classification model (Sill-Net) can achieve the success rate of 35.00%.

Ningfei Wang,Yunpeng Luo,Takami Sato,Kaidi Xu,Qi Alfred Chen

DOI: https://doi.org/10.48550/arXiv.2308.11894

2023-08-23

Cryptography and Security

Abstract:In autonomous driving (AD), accurate perception is indispensable to achieving safe and secure driving. Due to its safety-criticality, the security of AD perception has been widely studied. Among different attacks on AD perception, the physical adversarial object evasion attacks are especially severe. However, we find that all existing literature only evaluates their attack effect at the targeted AI component level but not at the system level, i.e., with the entire system semantics and context such as the full AD pipeline. Thereby, this raises a critical research question: can these existing researches effectively achieve system-level attack effects (e.g., traffic rule violations) in the real-world AD context? In this work, we conduct the first measurement study on whether and how effectively the existing designs can lead to system-level effects, especially for the STOP sign-evasion attacks due to their popularity and severity. Our evaluation results show that all the representative prior works cannot achieve any system-level effects. We observe two design limitations in the prior works: 1) physical model-inconsistent object size distribution in pixel sampling and 2) lack of vehicle plant model and AD system model consideration. Then, we propose SysAdv, a novel system-driven attack design in the AD context and our evaluation results show that the system-level effects can be significantly improved, i.e., the violation rate increases by around 70%.

Wei Jia,Zhaojun Lu,Haichun Zhang,Zhenglin Liu,Jie Wang,Gang Qu

DOI: https://doi.org/10.14722/ndss.2022.24130

2022-01-01

Abstract:Adversarial Examples (AEs) can deceive Deep Neural Networks (DNNs) and have received a lot of attention recently. However, majority of the research on AEs is in the digital domain and the adversarial patches are static, which is very different from many real-world DNN applications such as Traffic Sign Recognition (TSR) systems in autonomous vehicles. In TSR systems, object detectors use DNNs to process streaming video in real time. From the view of object detectors, the traffic sign`s position and quality of the video are continuously changing, rendering the digital AEs ineffective in the physical world. In this paper, we propose a systematic pipeline to generate robust physical AEs against real-world object detectors. Robustness is achieved in three ways. First, we simulate the in-vehicle cameras by extending the distribution of image transformations with the blur transformation and the resolution transformation. Second, we design the single and multiple bounding boxes filters to improve the efficiency of the perturbation training. Third, we consider four representative attack vectors, namely Hiding Attack, Appearance Attack, Non-Target Attack and Target Attack. We perform a comprehensive set of experiments under a variety of environmental conditions, and considering illuminations in sunny and cloudy weather as well as at night. The experimental results show that the physical AEs generated from our pipeline are effective and robust when attacking the YOLO v5 based TSR system. The attacks have good transferability and can deceive other state-of-the-art object detectors. We launched HA and NTA on a brand-new 2021 model vehicle. Both attacks are successful in fooling the TSR system, which could be a life-threatening case for autonomous vehicles. Finally, we discuss three defense mechanisms based on image preprocessing, AEs detection, and model enhancing.

Bo Yang,Zizhi Jin,Yushi Cheng,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1016/j.hcc.2024.100203

2024-01-01

High-Confidence Computing

Abstract:In autonomous driving systems, perception is pivotal, relying chiefly on sensors like LiDAR and cameras for environmental awareness. LiDAR, celebrated for its detailed depth perception, is being increasingly integrated into autonomous vehicles. In this article, we analyze the robustness of four LiDAR-included models against adversarial points under physical constraints. We first introduce an attack technique that, by simply adding a limited number of physically constrained adversarial points above a vehicle, can make the vehicle undetectable by the LiDAR-included models. Experiments reveal that adversarial points adversely affect the detection capabilities of both LiDAR-only and LiDAR-camera fusion models, with a tendency for more adversarial points to escalate attack success rates. Notably, voxel-based models are more susceptible to deception by these adversarial points. We also investigated the impact of the distance and angle of the added adversarial points on the attack success rate. Typically, the farther the victim object to be hidden and the closer to the front of the LiDAR, the higher the attack success rate. Additionally, we have experimentally proven that our generated adversarial points possess good cross-model adversarial transferability and validated the effectiveness of our proposed optimization method through ablation studies. Furthermore, we propose a new plug-and-play, model-agnostic defense method based on the concept of point smoothness. The ROC curve of this defense method shows an AUC value of approximately 0.909, demonstrating its effectiveness.

Svetlana Pavlitska,Nico Lambing,J. Marius Zöllner

DOI: https://doi.org/10.48550/arXiv.2307.08278

2023-07-17

Abstract:Traffic sign recognition is an essential component of perception in autonomous vehicles, which is currently performed almost exclusively with deep neural networks (DNNs). However, DNNs are known to be vulnerable to adversarial attacks. Several previous works have demonstrated the feasibility of adversarial attacks on traffic sign recognition models. Traffic signs are particularly promising for adversarial attack research due to the ease of performing real-world attacks using printed signs or stickers. In this work, we survey existing works performing either digital or real-world attacks on traffic sign detection and classification models. We provide an overview of the latest advancements and highlight the existing research areas that require further investigation.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning

Xinghao Yang,Weifeng Liu,Shengli Zhang,Wei Liu,Dacheng Tao

DOI: https://doi.org/10.48550/arxiv.2010.04331

2020-01-01

Abstract:Real world traffic sign recognition is an important step towards building autonomous vehicles, most of which highly dependent on Deep Neural Networks (DNNs). Recent studies demonstrated that DNNs are surprisingly susceptible to adversarial examples. Many attack methods have been proposed to understand and generate adversarial examples, such as gradient based attack, score based attack, decision based attack, and transfer based attacks. However, most of these algorithms are ineffective in real-world road sign attack, because (1) iteratively learning perturbations for each frame is not realistic for a fast moving car and (2) most optimization algorithms traverse all pixels equally without considering their diverse contribution. To alleviate these problems, this paper proposes the targeted attention attack (TAA) method for real world road sign attack. Specifically, we have made the following contributions: (1) we leverage the soft attention map to highlight those important pixels and skip those zero-contributed areas - this also helps to generate natural perturbations, (2) we design an efficient universal attack that optimizes a single perturbation/noise based on a set of training images under the guidance of the pre-trained attention map, (3) we design a simple objective function that can be easily optimized, (4) we evaluate the effectiveness of TAA on real world data sets. Experimental results validate that the TAA method improves the attack successful rate (nearly 10%) and reduces the perturbation loss (about a quarter) compared with the popular RP2 method. Additionally, our TAA also provides good properties, e.g., transferability and generalization capability. We provide code and data to ensure the reproducibility: https://github.com/AdvAttack/RoadSignAttack.

Yujie Li,Xing Xu,Jinhui Xiao,Siyuan Li,Heng Tao Shen

DOI: https://doi.org/10.1109/jiot.2020.3016145

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:To better understand the road condition and make correct driving decisions, traffic sign recognition becomes a crucial component commonly equipped in the vision system of modern autonomous cars. The state-of-the-art traffic sign recognition models are designed with the backbones of deep neural networks (DNNs) since DNNs are powerful to extract more effective visual features that benefit recognition performance. As the recent studies on adversarial attacks have shown that DNNs are easy to be fooled by perturbed images and lead to misclassification, in this article, we explore the vulnerability of the DNN-based traffic sign recognition model. Most existing adversarial attack methods limitedly focus on the white-box attack on the recognition models whose underlying configurations (e.g., network architectures and parameters) are accessible. Differently, we propose a novel attacking method dubbed adaptive square attack (ASA) that can accomplish the black-box attack, i.e., bypassing the access the configurations of the recognition models. Specifically, the proposed ASA method employs an efficient sampling strategy that can generate perturbations for traffic sign images with fewer query times. Extensive experiments on the benchmark data set German traffic sign recognition benchmark with large-scale traffic sign images for autonomous cars show that our proposed ASA method is advanced to perform the black-box attack with high efficiency. Although the generated adversarial traffic sign images by the proposed ASA method are visually similar to the raw images with almost imperceptible differences, they can successfully lead to the misclassification of the state-of-the-art recognition model.

Jun Yan,Huilin Yin,Bin Ye,Wanchen Ge,Hao Zhang,Gerhard Rigoll

DOI: https://doi.org/10.1007/s42154-023-00220-9

2023-01-01

Automotive Innovation

Abstract:The state-of-the-art deep neural networks are vulnerable to the attacks of adversarial examples with small-magnitude perturbations. In the field of deep-learning-based automated driving, such adversarial attack threats testify to the weakness of AI models. This limitation can lead to severe issues regarding the safety of the intended functionality (SOTIF) in automated driving. From the perspective of causality, the adversarial attacks can be regarded as confounding effects with spurious correlations established by the non-causal features. However, few previous research works are devoted to building the relationship between adversarial examples, causality, and SOTIF. This paper proposes a robust physical adversarial perturbation generation method that aims at the salient image regions of the targeted attack class with the guidance of class activation mapping (CAM). With the utilization of CAM, the maximization of the confounding effects can be achieved through the intermediate variable of the front-door criterion between images and targeted attack labels. In the simulation experiment, the proposed method achieved a 94.6% targeted attack success rate (ASR) on the released dataset when the speed-speed-limit-60 km/h (speed-limit-60) signs could be attacked as speed-speed-limit-80 km/h (speed-limit-80) signs. In the real physical experiment, the targeted ASR is 75% and the untargeted ASR is 100%. Besides the state-of-the-art attack result, a detailed experiment is implemented to evaluate the performance of the proposed method under low resolutions, diverse optimizers, and multifarious defense methods. The code and data are released at the repository: https://github.com/yebin999/rp2-with-cam .

Takami Sato,Sri Hrushikesh Varma Bhupathiraju,Michael Clifford,Takeshi Sugawara,Qi Alfred Chen,Sara Rampazzi

DOI: https://doi.org/10.14722/ndss.2024.231053

2024-01-08

Abstract:All vehicles must follow the rules that govern traffic behavior, regardless of whether the vehicles are human-driven or Connected Autonomous Vehicles (CAVs). Road signs indicate locally active rules, such as speed limits and requirements to yield or stop. Recent research has demonstrated attacks, such as adding stickers or projected colored patches to signs, that cause CAV misinterpretation, resulting in potential safety issues. Humans can see and potentially defend against these attacks. But humans can not detect what they can not observe. We have developed an effective physical-world attack that leverages the sensitivity of filterless image sensors and the properties of Infrared Laser Reflections (ILRs), which are invisible to humans. The attack is designed to affect CAV cameras and perception, undermining traffic sign recognition by inducing misclassification. In this work, we formulate the threat model and requirements for an ILR-based traffic sign perception attack to succeed. We evaluate the effectiveness of the ILR attack with real-world experiments against two major traffic sign recognition architectures on four IR-sensitive cameras. Our black-box optimization methodology allows the attack to achieve up to a 100% attack success rate in indoor, static scenarios and a >80.5% attack success rate in our outdoor, moving vehicle scenarios. We find the latest state-of-the-art certifiable defense is ineffective against ILR attacks as it mis-certifies >33.5% of cases. To address this, we propose a detection strategy based on the physical properties of IR laser reflections which can detect 96% of ILR attacks.

Cryptography and Security,Computer Vision and Pattern Recognition

Man Zhou,Wenyu Zhou,Jie Huang,Junhui Yang,Minxin Du,Qi Li

DOI: https://doi.org/10.1109/tifs.2024.3422920

IF: 7.231

2024-07-20

IEEE Transactions on Information Forensics and Security

Abstract:In autonomous assistance systems, accurate camera vision is indispensable for driving safety. Featuring this safety-critical scenario, physical adversarial examples are arguably the most threatening. However, existing physical adversarial attacks are either conspicuous or ineffective, leaving a dilemma for balancing between attack effectiveness and stealthiness. In this paper, we put forth a new type of adversarial patch attack, leveraging the behavior characteristic of high-speed shutters in autonomous driving cameras. Instead of deploying static images onto real-world objects, we embed adversarial examples into videos and cast them with projectors. By delicately deciding the frame contents and display frequencies, the adversarial frame contents are almost invisible to humans, but high-speed shutters can capture them (see our demos (https://anonymous.4open.science/r/7003)). We demonstrate the attack feasibility by fooling traffic sign detectors, altering speed limit signs to be mis-detected or undetected, and hence manipulating the driving speed of victims. We conduct extensive experiments under various conditions, confirming that our new attack is effective and robust: It can deceive state-of-the-art detector models with success rates of 99% and over 90% in untargeted and targeted manners, respectively. Our further investigations unravel the transferability of our attack to other detectors in a black-box setting.

computer science, theory & methods,engineering, electrical & electronic

Chawin Sitawarin,Arjun Nitin Bhagoji,Arsalan Mosenia,Prateek Mittal,Mung Chiang

DOI: https://doi.org/10.48550/arXiv.1801.02780

2018-03-27

Abstract:We propose a new real-world attack against the computer vision based systems of autonomous vehicles (AVs). Our novel Sign Embedding attack exploits the concept of adversarial examples to modify innocuous signs and advertisements in the environment such that they are classified as the adversary's desired traffic sign with high confidence. Our attack greatly expands the scope of the threat posed to AVs since adversaries are no longer restricted to just modifying existing traffic signs as in previous work. Our attack pipeline generates adversarial samples which are robust to the environmental conditions and noisy image transformations present in the physical world. We ensure this by including a variety of possible image transformations in the optimization problem used to generate adversarial samples. We verify the robustness of the adversarial samples by printing them out and carrying out drive-by tests simulating the conditions under which image capture would occur in a real-world scenario. We experimented with physical attack samples for different distances, lighting conditions and camera angles. In addition, extensive evaluations were carried out in the virtual setting for a variety of image transformations. The adversarial samples generated using our method have adversarial success rates in excess of 95% in the physical as well as virtual settings.

Cryptography and Security,Machine Learning

Fabian Woitschek,Georg Schneider

DOI: https://doi.org/10.1109/IV48863.2021.9575935

2023-02-27

Abstract:Deep Neural Networks (DNNs) are increasingly applied in the real world in safety critical applications like advanced driver assistance systems. An example for such use case is represented by traffic sign recognition systems. At the same time, it is known that current DNNs can be fooled by adversarial attacks, which raises safety concerns if those attacks can be applied under realistic conditions. In this work we apply different black-box attack methods to generate perturbations that are applied in the physical environment and can be used to fool systems under different environmental conditions. To the best of our knowledge we are the first to combine a general framework for physical attacks with different black-box attack methods and study the impact of the different methods on the success rate of the attack under the same setting. We show that reliable physical adversarial attacks can be performed with different methods and that it is also possible to reduce the perceptibility of the resulting perturbations. The findings highlight the need for viable defenses of a DNN even in the black-box case, but at the same time form the basis for securing a DNN with methods like adversarial training which utilizes adversarial attacks to augment the original training data.

Computer Vision and Pattern Recognition,Artificial Intelligence,Machine Learning

Yanfei Wang,Kai Zhang,Kejie Lu,Yun Xiong,Mi Wen

DOI: https://doi.org/10.1007/s12083-022-01390-9

2022-11-05

Abstract:As an important method of image classification, Open-Set Recognition (OSR) has been gradually deployed in autonomous driving systems (ADSs) for detecting the surrounding environment with unknown objects. To date, many researchers have demonstrated that the existing OSR classifiers are heavily threatened by adversarial input images. Nevertheless, most existing attack approaches are based on white-box attacks, assuming that information of the target OSR model is known by the attackers. Hence, these attack models cannot effectively attack ADSs that keep models and data confidential. To facilitate the design of future generations of robust OSR classifiers for safer ADSs, we introduce a practical black-box adversarial attack. First, we simulate a real-world open-set environment by reasonable dataset division. Second, we train a substitute model, in which, to improve the transferability of the adversarial data, we combine dynamic convolution into the substitute model. Finally, we use the substitute model to generate adversarial data to attack the target model. To the best of the authors' knowledge, the proposed attack model is the first to utilize dynamic convolution to improve the transferability of adversarial data. To evaluate the proposed attack model, we conduct extensive experiments on four publicly available datasets. The numerical results show that, compared to the white-box attack approaches, the proposed black-box attack approach has a similar attack capability. Specifically, using the German Traffic Sign Recognition Benchmark dataset, our model can decrease the classification accuracy of known classes from 99.8% to 9.81% and can decrease the AUC of detecting unknown classes from 97.7% to 48.8%.

computer science, information systems,telecommunications

Xinghao Yang,Weifeng Liu,Shengli Zhang,Wei Liu,Dacheng Tao

DOI: https://doi.org/10.1109/jiot.2020.3034899

IF: 10.6

2021-03-15

IEEE Internet of Things Journal

Abstract:Real-world traffic sign recognition is an important step toward building autonomous vehicles, most of which highly dependent on deep neural networks (DNNs). Recent studies demonstrated that DNNs are surprisingly susceptible to adversarial examples. Many attack methods have been proposed to understand and generate adversarial examples, such as gradient-based attack, score-based attack, decision-based attack, and transfer-based attacks. However, most of these algorithms are ineffective in real-world road sign attack, because 1) iteratively learning perturbations for each frame is not realistic for a fast moving car and 2) most optimization algorithms traverse all pixels equally without considering their diverse contribution. To alleviate these problems, this article proposes the targeted attention attack (TAA) method for real-world road sign attack. Specifically, we have made the following contributions: 1) we leverage the soft attention map to highlight those important pixels and skip those zero-contributed areas—this also helps to generate natural perturbations; 2) we design an efficient universal attack that optimizes a single perturbation/noise based on a set of training images under the guidance of the pretrained attention map; 3) we design a simple objective function that can be easily optimized; and 4) we evaluate the effectiveness of TAA on real-world data sets. Experimental results validate that the TAA method improves the attack successful rate (nearly 10%) and reduces the perturbation loss (about a quarter) compared with the popular RP₂ method. Additionally, our TAA also provides good properties, e.g., transferability and generalization capability. We provide code and data to ensure the reproducibility: https://github.com/AdvAttack/RoadSignAttack.

computer science, information systems,telecommunications,engineering, electrical & electronic

Feiyang Xu,Ying Li,Chao Yang,Weida Wang,Bin Xu

DOI: https://doi.org/10.1109/cvci59596.2023.10397303

2023-01-01

Abstract:Deep neural networks play a crucial role in 2D object detection based on visual data, but they are also vulnerable to adversarial samples. Attackers manipulate low-resolution images to execute data poisoning attacks. This paper introduces a method to generate realistic high-resolution adversarial samples aimed at compromising traffic sign detection models. Specifically, we propose a high-resolution adversarial sample framework built upon generative adversarial networks. Subsequently, an adversarial traffic sign detection model is developed to investigate the impact of data poisoning. To enhance the model’s robustness, we conduct adversarial training. Experimental results demonstrate the efficacy of our data poisoning approach in misleading the detection model. Furthermore, the detection model exhibits improved robustness against such attacks following adversarial training.

Shuai Yuan,Hongwei Li,Xingshuo Han,Guowen Xu,Wenbo Jiang,Tao Ni,Qingchuan Zhao,Yuguang Fang

2024-09-19

Abstract:Physical adversarial patches have emerged as a key adversarial attack to cause misclassification of traffic sign recognition (TSR) systems in the real world. However, existing adversarial patches have poor stealthiness and attack all vehicles indiscriminately once deployed. In this paper, we introduce an invisible and triggered physical adversarial patch (ITPatch) with a novel attack vector, i.e., fluorescent ink, to advance the state-of-the-art. It applies carefully designed fluorescent perturbations to a target sign, an attacker can later trigger a fluorescent effect using invisible ultraviolet light, causing the TSR system to misclassify the sign and potentially resulting in traffic accidents. We conducted a comprehensive evaluation to investigate the effectiveness of ITPatch, which shows a success rate of 98.31% in low-light conditions. Furthermore, our attack successfully bypasses five popular defenses and achieves a success rate of 96.72%.

Computer Vision and Pattern Recognition,Artificial Intelligence

Dongfang Guo,Yuting Wu,Yimin Dai,Pengfei Zhou,Xin Lou,Rui Tan

DOI: https://doi.org/10.1145/3643832.3661854

2024-07-10

Abstract:Camera-based computer vision is essential to autonomous vehicle's perception. This paper presents an attack that uses light-emitting diodes and exploits the camera's rolling shutter effect to create adversarial stripes in the captured images to mislead traffic sign recognition. The attack is stealthy because the stripes on the traffic sign are invisible to human. For the attack to be threatening, the recognition results need to be stable over consecutive image frames. To achieve this, we design and implement GhostStripe, an attack system that controls the timing of the modulated light emission to adapt to camera operations and victim vehicle movements. Evaluated on real testbeds, GhostStripe can stably spoof the traffic sign recognition results for up to 94\% of frames to a wrong class when the victim vehicle passes the road section. In reality, such attack effect may fool victim vehicles into life-threatening incidents. We discuss the countermeasures at the levels of camera sensor, perception model, and autonomous driving system.

Cryptography and Security,Computer Vision and Pattern Recognition,Systems and Control

Wu Fei,Xiao Limin,Yang Wenxue,Zhu Jinbin

DOI: https://doi.org/10.1186/s13638-020-01775-5

2020-01-01

EURASIP Journal on Wireless Communications and Networking

Abstract:In the past decade, artificial intelligence and Internet of things (IoT) technology have been rapid development, gradually began to integrate with each other, especially in coming 5G era. Admittedly, image recognition is the key technology due to a huge number of video cameras integrated in intelligent IoT equipment, such as driverless cars. However, the rapidly growing body of research in adversarial machine learning has demonstrated that the deep learning architectures are vulnerable to adversarial examples. Thus, the raises questions about the security of intelligent Internet of thing (IoT) and trust sensitive areas. This emphasizes the urgent need for practical defense technology that can be deployed to real-time combat attacks at any time. Well-crafted small perturbations lead to the misclassification of legitimate images by neural networks, but not the human visual system. It is worth noting that many attack strategies are designed to disrupt image pixels in a visually imperceptible manner. Therefore, we propose a new defense method and take full advantage of 5G high-speed bandwidth and mobile edge computing (MEC) effectively. We use singular value decomposition (SVD) which is the optimal approximation of matrix in the sense of square loss to eliminate the perturbation. We have conducted extensive and large-scale experiments with German Traffic Sign Recognition Benchmark (GTSRB) datasets and the results show that adversarial attacks, such as Carlini-Wagner’s l 2 , Deepfool, and I-FSGM, can be better eliminated by the method and provide lower latency.

Wei Jiang,Tianyuan Zhang,Shuangcheng Liu,Weiyu Ji,Zichao Zhang,Gang Xiao

2023-08-07

Abstract:Adversarial attacks can compromise the robustness of real-world detection models. However, evaluating these models under real-world conditions poses challenges due to resource-intensive experiments. Virtual simulations offer an alternative, but the absence of standardized benchmarks hampers progress. Addressing this, we propose an innovative instant-level data generation pipeline using the CARLA simulator. Through this pipeline, we establish the Discrete and Continuous Instant-level (DCI) dataset, enabling comprehensive experiments involving three detection models and three physical adversarial attacks. Our findings highlight diverse model performances under adversarial conditions. Yolo v6 demonstrates remarkable resilience, experiencing just a marginal 6.59% average drop in average precision (AP). In contrast, the ASA attack yields a substantial 14.51% average AP reduction, twice the effect of other algorithms. We also note that static scenes yield higher recognition AP values, and outcomes remain relatively consistent across varying weather conditions. Intriguingly, our study suggests that advancements in adversarial attack algorithms may be approaching its ``limitation''.In summary, our work underscores the significance of adversarial attacks in real-world contexts and introduces the DCI dataset as a versatile benchmark. Our findings provide valuable insights for enhancing the robustness of detection models and offer guidance for future research endeavors in the realm of adversarial attacks.

Computer Vision and Pattern Recognition,Artificial Intelligence,Machine Learning