Shaohua Ding,Yulong Tian,Fengyuan Xu,Qun Li,Sheng Zhong

2019-01-01

Abstract:Deep generative models (DGMs) have empowered unprecedented innovations in many application domains. However, their security has not been thoroughly assessed when deploying such models in practice, especially in those mission-critical tasks like autonomous driving. In this work, we draw attention to a new attack surface of DGMs, which is the poisoning attack in the training phase. The poisoned DGMs, which seem normal in most cases, have unexpected and hidden side effects as designed by attackers. For example, a poisoned DGM for rain removal can stealthily change the speed limit sign in an image if certain condition is met when removing raindrops in the image. Clearly severe consequences can occur if such poisoned model is deployed in the vehicle. Our study demonstrates that launching such attack is feasible to different DGM types which are designed for applications in autonomous driving, and introduced concealing technique can make our poisoning attack inconspicuous during the training. Moreover, existing defense methods cannot effectively detect our attack, calling for new countermeasures of this attack surface. In the end, we propose some potential defense strategies inspiring future explorations.

Yanjiao Chen,Xiaotian Zhu,Xueluan Gong,Xinjing Yi,Shuyang Li

DOI: https://doi.org/10.1109/tii.2022.3198481

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:With the unprecedented development of deep learning, autonomous vehicles (AVs) have achieved tremendous progress nowadays. However, AV supported by DNN models is vulnerable to data poisoning attacks, hindering the large-scale application of autonomous driving. For example, by injecting carefully designed poisons into the training dataset of the DNN model in the traffic sign recognition system, the attacker can mislead the system to make targeted misclassification or cause a reduction in model classification accuracy. In this article, we conduct a thorough investigation of the state-of-the-art data poisoning attacks and defenses against AVs. According to whether the attacker needs to manipulate the data labeling process, we divide the state-of-the-art attack approaches into two categories, i.e., dirty-label attacks and clean-label attacks. We also differentiate the existing defense methods into two categories based on whether to modify the training data or the models, i.e., data-based defenses and model-based defenses. In addition to a detailed review of attacks and defenses in each category, we also give a qualitative comparison of the existing attacks and defenses. Besides, we provide a quantitative comparison of the existing attack and defense methods through experiments. Last but not least, we pinpoint several future directions for data poisoning attacks and defenses in AVs, providing possible ways for further research.

Xingshuo Han,Guowen Xu,Yuan Zhou,Xuehuan Yang,Jiwei Li,Tianwei Zhang

DOI: https://doi.org/10.48550/arXiv.2203.00858

2022-01-01

Abstract: We present the first backdoor attack against the lane detection systems in the physical world. Modern autonomous vehicles adopt various deep learning methods to train lane detection models, making it challenging to devise a universal backdoor attack technique. In our solution, (1) we propose a novel semantic trigger design, which leverages the traffic cones with specific poses and locations to activate the backdoor. Such trigger can be easily realized under the physical setting, and looks very natural not to be detected. (2) We introduce a new clean-annotation approach to generate poisoned samples. These samples have correct annotations but are still capable of embedding the backdoor to the model. Comprehensive evaluations on public datasets and physical autonomous vehicles demonstrate that our backdoor attack is effective, stealthy and robust.

Yinbo Yu,Jiajia Liu

DOI: https://doi.org/10.48550/arXiv.2211.14440

2022-11-22

Abstract:Deep reinforcement learning (DRL) is one of the most popular algorithms to realize an autonomous driving (AD) system. The key success factor of DRL is that it embraces the perception capability of deep neural networks which, however, have been proven vulnerable to Trojan attacks. Trojan attacks have been widely explored in supervised learning (SL) tasks (e.g., image classification), but rarely in sequential decision-making tasks solved by DRL. Hence, in this paper, we explore Trojan attacks on DRL for AD tasks. First, we propose a spatio-temporal DRL algorithm based on the recurrent neural network and attention mechanism to prove that capturing spatio-temporal traffic features is the key factor to the effectiveness and safety of a DRL-augment AD system. We then design a spatial-temporal Trojan attack on DRL policies, where the trigger is hidden in a sequence of spatial and temporal traffic features, rather than a single instant state used in existing Trojan on SL and DRL tasks. With our Trojan, the adversary acts as a surrounding normal vehicle and can trigger attacks via specific spatial-temporal driving behaviors, rather than physical or wireless access. Through extensive experiments, we show that while capturing spatio-temporal traffic features can improve the performance of DRL for different AD tasks, they suffer from Trojan attacks since our designed Trojan shows high stealthy (various spatio-temporal trigger patterns), effective (less than 3.1\% performance variance rate and more than 98.5\% attack success rate), and sustainable to existing advanced defenses.

Cryptography and Security,Artificial Intelligence,Machine Learning

Tong Wang,Gang Zhao,Huan Deng,Hu Li,Qianjin Du,Zhan Hu,Xiaohui Kuang

DOI: https://doi.org/10.1109/ISCC58397.2023.10218291

2023-07-09

Abstract:Deep learning-based autonomous driving systems have been extensively researched due to their superior performance compared to traditional methods. Specifically, end-to-end deep learning systems have been developed, which directly output control signals for vehicles using various sensor inputs. However, deep learning techniques are vulnerable to security issues, generating adversarial examples that can attack the output of the relevant model. This paper proposes an adversarial example generation method that applies a patch to pedestrians' clothing, which can generate dangerous behaviors when the pedestrian appears within the camera lens, thereby attacking the end-to-end autonomous driving system. The proposed method is validated using the CARLA simulator, and the results demonstrate successful attacks in various weather and lighting conditions, exposing the security vulnerabilities of this type of system. This study highlights the need for further research to address these vulnerabilities and ensure the safety of autonomous driving systems.

Engineering,Computer Science

Feiyang Xu,Ying Li,Chao Yang,Weida Wang,Bin Xu

DOI: https://doi.org/10.1109/cvci59596.2023.10397303

2023-01-01

Abstract:Deep neural networks play a crucial role in 2D object detection based on visual data, but they are also vulnerable to adversarial samples. Attackers manipulate low-resolution images to execute data poisoning attacks. This paper introduces a method to generate realistic high-resolution adversarial samples aimed at compromising traffic sign detection models. Specifically, we propose a high-resolution adversarial sample framework built upon generative adversarial networks. Subsequently, an adversarial traffic sign detection model is developed to investigate the impact of data poisoning. To enhance the model’s robustness, we conduct adversarial training. Experimental results demonstrate the efficacy of our data poisoning approach in misleading the detection model. Furthermore, the detection model exhibits improved robustness against such attacks following adversarial training.

Jing Diu,Yuanyuan Chen,Zhihong Tian,Nadra Guizani,Xiaojiang Du

DOI: https://doi.org/10.1109/mnet.121.2000435

IF: 10.294

2021-01-01

IEEE Network

Abstract:In recent years, the number of vehicles in the city is increasing. However, the increase in the number of cars caused a series of traffic problems, such as road congestion, traffic accidents, environmental pollution, and so on. To handle the problems, Internet of Vehicles (IoV) is emerging. As we know, deep learning has acquired significant success in many fields, and it is also applied in IoV. However, some studies show that deep learning is vulnerable to the crafted samples formed by adding small perturbations to original samples. Thus, the vulnerability of deep learning may pose a huge security threat to IoV. To ensure the security of deep learning, we conduct experiments to investigate whether there are adversarial samples in the IoV field. We try to generate adversarial examples by GPS data. The models we attack are trajectory mode detection models. Since both GPS trajectory data and image data are continuous data, we adopt the algorithm of Computer Vision to generate adversarial examples. We utilize white-box attack algorithms (Fast Gradient Sign Method (FGSM) and Basic Iterative Method (BIM) algorithms) and black-box attack algorithm (One Pixel Attack) to generate adversarial examples. We adopt Dynamic Time Warping (DTW) to measure the similarity between adversarial examples and original trajectory data. Experimental results show that a small perturbation can successfully fool deep neural networks with high confidence.

Kabid Hassan Shibly,Hiroyuki Inoue,Yuzo Taenaka,Youki Kadobayashi,Md Delwar Hossain

DOI: https://doi.org/10.1080/08839514.2023.2193461

IF: 2.777

2023-03-26

Applied Artificial Intelligence

Abstract:Connected and Autonomous Vehicles (CAVs) offer improved efficiency and convenience through innovative embedded devices. However, the development of these technologies has often neglected security measures, leading to vulnerabilities that can be exploited by hackers. Conceding that a CAV system is compromised, it can result in unsafe driving conditions and pose a threat to human safety. Prioritizing both security measures and functional enhancements on development of CAVs is essential to ensure their safety and reliability and enhance consumer trust in the technology. CAVs use artificial intelligence to control their driving behavior, which can be easily influenced by small changes in the model that can significantly impact and potentially mislead the system. To address this issue, this study proposed a defense mechanism that uses an autoencoder and a compressive memory module to store normal image features and prevent unexpected generalization on adversarial inputs. The proposed solution was studied against Hijacking, Vanishing, Fabrication, and Mislabeling attacks using FGSM and AdvGAN against the Nvidia Dave-2 driving model, and was found to be effective, with success rates of 93.8% and 91.2% in a Whitebox setup, and 74.1% and 64.4% in a Blackbox setup for FGSM and AdvGAN, respectively. That improves the results by 24.7% in Whitebox setup 21.5% in Blackbox setup.

computer science, artificial intelligence,engineering, electrical & electronic

Lu Wang,Tianyuan Zhang,Yikai Han,Muyang Fang,Ting Jin,Jiaqi Kang

2024-09-12

Abstract:With recent breakthroughs in deep neural networks, numerous tasks within autonomous driving have exhibited remarkable performance. However, deep learning models are susceptible to adversarial attacks, presenting significant security risks to autonomous driving systems. Presently, end-to-end architectures have emerged as the predominant solution for autonomous driving, owing to their collaborative nature across different tasks. Yet, the implications of adversarial attacks on such models remain relatively unexplored. In this paper, we conduct comprehensive adversarial security research on the modular end-to-end autonomous driving model for the first time. We thoroughly consider the potential vulnerabilities in the model inference process and design a universal attack scheme through module-wise noise injection. We conduct large-scale experiments on the full-stack autonomous driving model and demonstrate that our attack method outperforms previous attack methods. We trust that our research will offer fresh insights into ensuring the safety and reliability of autonomous driving systems.

Machine Learning,Artificial Intelligence

Ambrish Rawat,Killian Levacher,Mathieu Sinn

DOI: https://doi.org/10.48550/arXiv.2108.01644

2022-12-14

Abstract:Deep Generative Models (DGMs) are a popular class of deep learning models which find widespread use because of their ability to synthesize data from complex, high-dimensional manifolds. However, even with their increasing industrial adoption, they haven't been subject to rigorous security and privacy analysis. In this work we examine one such aspect, namely backdoor attacks on DGMs which can significantly limit the applicability of pre-trained models within a model supply chain and at the very least cause massive reputation damage for companies outsourcing DGMs form third parties. While similar attacks scenarios have been studied in the context of classical prediction models, their manifestation in DGMs hasn't received the same attention. To this end we propose novel training-time attacks which result in corrupted DGMs that synthesize regular data under normal operations and designated target outputs for inputs sampled from a trigger distribution. These attacks are based on an adversarial loss function that combines the dual objectives of attack stealth and fidelity. We systematically analyze these attacks, and show their effectiveness for a variety of approaches like Generative Adversarial Networks (GANs) and Variational Autoencoders (VAEs), as well as different data domains including images and audio. Our experiments show that - even for large-scale industry-grade DGMs (like StyleGAN) - our attacks can be mounted with only modest computational effort. We also motivate suitable defenses based on static/dynamic model and output inspections, demonstrate their usefulness, and prescribe a practical and comprehensive defense strategy that paves the way for safe usage of DGMs.

Cryptography and Security,Artificial Intelligence,Machine Learning

Ruixiang Tang,Mengnan Du,Ninghao Liu,Fan Yang,Xia Hu

DOI: https://doi.org/10.48550/arXiv.2006.08131

2020-06-18

Abstract:With the widespread use of deep neural networks (DNNs) in high-stake applications, the security problem of the DNN models has received extensive attention. In this paper, we investigate a specific security problem called trojan attack, which aims to attack deployed DNN systems relying on the hidden trigger patterns inserted by malicious hackers. We propose a training-free attack approach which is different from previous work, in which trojaned behaviors are injected by retraining model on a poisoned dataset. Specifically, we do not change parameters in the original model but insert a tiny trojan module (TrojanNet) into the target model. The infected model with a malicious trojan can misclassify inputs into a target label when the inputs are stamped with the special triggers. The proposed TrojanNet has several nice properties including (1) it activates by tiny trigger patterns and keeps silent for other signals, (2) it is model-agnostic and could be injected into most DNNs, dramatically expanding its attack scenarios, and (3) the training-free mechanism saves massive training efforts comparing to conventional trojan attack methods. The experimental results show that TrojanNet can inject the trojan into all labels simultaneously (all-label trojan attack) and achieves 100% attack success rate without affecting model accuracy on original tasks. Experimental analysis further demonstrates that state-of-the-art trojan detection algorithms fail to detect TrojanNet attack. The code is available at <a class="link-external link-https" href="https://github.com/trx14/TrojanNet" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Machine Learning

Qun Song,Zhenyu Yan,Rui Tan

DOI: https://doi.org/10.48550/arXiv.1905.13148

2019-05-11

Abstract:Deep learning based visual sensing has achieved attractive accuracy but is shown vulnerable to adversarial example attacks. Specifically, once the attackers obtain the deep model, they can construct adversarial examples to mislead the model to yield wrong classification results. Deployable adversarial examples such as small stickers pasted on the road signs and lanes have been shown effective in misleading advanced driver-assistance systems. Many existing countermeasures against adversarial examples build their security on the attackers' ignorance of the defense mechanisms. Thus, they fall short of following Kerckhoffs's principle and can be subverted once the attackers know the details of the defense. This paper applies the strategy of moving target defense (MTD) to generate multiple new deep models after system deployment, that will collaboratively detect and thwart adversarial examples. Our MTD design is based on the adversarial examples' minor transferability to models differing from the one (e.g., the factory-designed model) used for attack construction. The post-deployment quasi-secret deep models significantly increase the bar for the attackers to construct effective adversarial examples. We also apply the technique of serial data fusion with early stopping to reduce the inference time by a factor of up to 5 while maintaining the sensing and defense performance. Extensive evaluation based on three datasets including a road sign image database and a GPU-equipped Jetson embedded computing board shows the effectiveness of our approach.

Computer Vision and Pattern Recognition,Artificial Intelligence

Yajie Wang,Kongyang Chen,Yu-an Tan,Shuxin Huang,Wencong Ma,Yuanzhang Li

DOI: https://doi.org/10.1109/TDSC.2022.3164073

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Deep neural networks (DNNs) are increasingly used as the critical component of applications, bringing high computational costs. Many practitioners host their models on third-party platforms. This practice exposes DNNs to risks: A third party hosting the model may use a malicious deep learning framework to implement a backdoor attack. Our goal is to develop the realistic potential for backdoor attacks in third-party hosting platforms. We introduce a threatening and realistically implementable backdoor attack that is highly stealthy and flexible. We inject trojans by hijacking the built-in functions of the deep learning framework. Existing backdoor attacks rely on poisoning; its trigger is a special pattern superimposed on the input. Unlike existing backdoor attacks, the proposed sequential trigger is a specific sequence of clean image sets. Moreover, our attack is model agnostic and does not require retraining the model or modifying the parameters. Its stealthy is that injecting trojans will not change the model's prediction for a clean image, so existing backdoor defenses cannot detect it. Its flexibility lies in that adversary can remodify the trojan behavior at any time. Extensive experiments on multiple benchmarks with different frameworks demonstrate that our attack achieves a perfect success rate (up to 100%) with minimal damage to model performance. And we can inject multiple trojans which do not affect each other at the same time, trojans hidden in the framework make a universal backdoor attack possible. Analysis and experiments further show that state-of-the-art defenses are ineffective against our attacks. Our work suggests that backdoor attacks in the supply chain need to be urgently explored.

Yao Deng,Xi Zheng,Tianyi Zhang,Chen Chen,Guannan Lou,Miryung Kim

DOI: https://doi.org/10.48550/arXiv.2002.02175

2020-02-06

Abstract:Nowadays, autonomous driving has attracted much attention from both industry and academia. Convolutional neural network (CNN) is a key component in autonomous driving, which is also increasingly adopted in pervasive computing such as smartphones, wearable devices, and IoT networks. Prior work shows CNN-based classification models are vulnerable to adversarial attacks. However, it is uncertain to what extent regression models such as driving models are vulnerable to adversarial attacks, the effectiveness of existing defense techniques, and the defense implications for system and middleware builders. This paper presents an in-depth analysis of five adversarial attacks and four defense methods on three driving models. Experiments show that, similar to classification models, these models are still highly vulnerable to adversarial attacks. This poses a big security threat to autonomous driving and thus should be taken into account in practice. While these defense methods can effectively defend against different attacks, none of them are able to provide adequate protection against all five attacks. We derive several implications for system and middleware builders: (1) when adding a defense component against adversarial attacks, it is important to deploy multiple defense methods in tandem to achieve a good coverage of various attacks, (2) a blackbox attack is much less effective compared with a white-box attack, implying that it is important to keep model details (e.g., model architecture, hyperparameters) confidential via model obfuscation, and (3) driving models with a complex architecture are preferred if computing resources permit as they are more resilient to adversarial attacks than simple models.

Signal Processing,Cryptography and Security,Machine Learning

Yihao Qiu,Jun Wu,Shahid Mumtaz,Jianhua Li,Anwer Al-Dulaimi,Joel J. P. C. Rodrigues

DOI: https://doi.org/10.1109/icc42927.2021.9500545

2021-01-01

Abstract:The evolution of deep learning has promoted the popularization of smart devices. However, due to the insufficient development of computing hardware, the ability to conduct local training on smart devices is greatly restricted, and it is usually necessary to deploy ready-made models. This opacity makes smart devices vulnerable to deep learning backdoor attacks. Some existing countermeasures against backdoor attacks are based on the attacker’s ignorance of defense. Once the attacker knows the defense mechanism, he can easily overturn it. In this paper, we propose a Trojaning attack defense framework based on moving target defense(MTD) strategy. According to the analysis of attack-defense game types and confrontation process, the moving target defense model based on signaling game was constructed. The simulation results show that in most cases, our technology can greatly increase the attack cost of the attacker, thereby ensuring the availability of Deep Neural Networks(DNN) and protecting it from Trojaning attacks.

Jiyuan Fu,Zhaoyu Chen,Kaixun Jiang,Haijing Guo,Shuyong Gao,Wenqiang Zhang

2024-07-18

Abstract:Vision foundation models are increasingly employed in autonomous driving systems due to their advanced capabilities. However, these models are susceptible to adversarial attacks, posing significant risks to the reliability and safety of autonomous vehicles. Adversaries can exploit these vulnerabilities to manipulate the vehicle's perception of its surroundings, leading to erroneous decisions and potentially catastrophic consequences. To address this challenge, we propose a novel Precision-Guided Adversarial Attack (PG-Attack) framework that combines two techniques: Precision Mask Perturbation Attack (PMP-Attack) and Deceptive Text Patch Attack (DTP-Attack). PMP-Attack precisely targets the attack region to minimize the overall perturbation while maximizing its impact on the target object's representation in the model's feature space. DTP-Attack introduces deceptive text patches that disrupt the model's understanding of the scene, further enhancing the attack's effectiveness. Our experiments demonstrate that PG-Attack successfully deceives a variety of advanced multi-modal large models, including GPT-4V, Qwen-VL, and imp-V1. Additionally, we won First-Place in the CVPR 2024 Workshop Challenge: Black-box Adversarial Attacks on Vision Foundation Models and codes are available at <a class="link-external link-https" href="https://github.com/fuhaha824/PG-Attack" rel="external noopener nofollow">this https URL</a>.

Multimedia,Computer Vision and Pattern Recognition

Tianyi Li,Mingfeng Shang,Shian Wang,Raphael Stern

DOI: https://doi.org/10.48550/arXiv.2310.17091

2023-10-26

Multiagent Systems

Abstract:With the advent of vehicles equipped with advanced driver-assistance systems, such as adaptive cruise control (ACC) and other automated driving features, the potential for cyberattacks on these automated vehicles (AVs) has emerged. While overt attacks that force vehicles to collide may be easily identified, more insidious attacks, which only slightly alter driving behavior, can result in network-wide increases in congestion, fuel consumption, and even crash risk without being easily detected. To address the detection of such attacks, we first present a traffic model framework for three types of potential cyberattacks: malicious manipulation of vehicle control commands, false data injection attacks on sensor measurements, and denial-of-service (DoS) attacks. We then investigate the impacts of these attacks at both the individual vehicle (micro) and traffic flow (macro) levels. A novel generative adversarial network (GAN)-based anomaly detection model is proposed for real-time identification of such attacks using vehicle trajectory data. We provide numerical evidence {to demonstrate} the efficacy of our machine learning approach in detecting cyberattacks on ACC-equipped vehicles. The proposed method is compared against some recently proposed neural network models and observed to have higher accuracy in identifying anomalous driving behaviors of ACC vehicles.

Jindi Zhang,Yang Lou,Jianping Wang,Kui Wu,Kejie Lu,Xiaohua Jia

DOI: https://doi.org/10.1109/jiot.2021.3099164

IF: 10.6

2022-03-01

IEEE Internet of Things Journal

Abstract:In recent years, many deep learning models have been adopted in autonomous driving. At the same time, these models introduce new vulnerabilities that may compromise the safety of autonomous vehicles. Specifically, recent studies have demonstrated that adversarial attacks can cause a significant decline in detection precision of deep learning-based 3-D object detection models. Although driving safety is the ultimate concern for autonomous driving, there is no comprehensive study on the linkage between the performance of deep learning models and the driving safety of autonomous vehicles under adversarial attacks. In this article, we investigate the impact of two primary types of adversarial attacks, perturbation attacks, and patch attacks, on the driving safety of vision-based autonomous vehicles rather than the detection precision of deep learning models. In particular, we consider two state-of-the-art models in vision-based 3-D object detection: 1) Stereo R-CNN and 2) DSGN. To evaluate driving safety, we propose an end-to-end evaluation framework with a set of driving safety performance metrics. By analyzing the results of our extensive evaluation experiments, we find that: 1) the attack's impact on the driving safety of autonomous vehicles and the attack's impact on the precision of 3-D object detectors are decoupled and 2) the DSGN model demonstrates stronger robustness to adversarial attacks than the Stereo R-CNN model. In addition, we further investigate the causes behind the two findings with an ablation study. The findings of this article provide a new perspective to evaluate adversarial attacks and guide the selection of deep learning models in autonomous driving.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chris Einar San Agustin

DOI: https://doi.org/10.48550/arXiv.1905.03517

2019-05-09

Abstract:Deep learning models are known to solve classification and regression problems by employing a number of epoch and training samples on a large dataset with optimal accuracy. However, that doesn't mean they are attack-proof or unexposed to vulnerabilities. Newly deployed systems particularly on a public environment (i.e public networks) are vulnerable to attacks from various entities. Moreover, published research on deep learning systems (Goodfellow et al., 2014) have determined a significant number of attacks points and a wide array of attack surface that has evidence of exploitation from adversarial examples. Successful exploit on these systems could lead to critical real world repercussions. For instance, (1) an adversarial attack on a self-driving car running a deep reinforcement learning system yields a direct misclassification on humans causing untoward accidents.(2) a self-driving vehicle misreading a red light signal may cause the car to crash to another car (3) misclassification of a pedestrian lane as an intersection lane that could lead to car crashes. This is just the tip of the iceberg, computer vision deployment are not entirely focused on self-driving cars but on many other areas as well - that would have definitive impact on the real-world. These vulnerabilities must be mitigated at an early stage of development. It is imperative to develop and implement baseline security standards at a global level prior to real-world deployment.

Cryptography and Security,Machine Learning

Adith Boloor,Karthik Garimella,Xin He,Christopher Gill,Yevgeniy Vorobeychik,Xuan Zhang

DOI: https://doi.org/10.1016/j.sysarc.2020.101766

IF: 5.836

2020-11-01

Journal of Systems Architecture

Abstract:<p>Recent advances in machine learning, especially techniques such as deep neural networks, are enabling a range of emerging applications. One such example is autonomous driving, which often relies on deep learning for perception. However, deep learning-based perception has been shown to be vulnerable to a host of subtle adversarial manipulations of images. Nevertheless, the vast majority of such demonstrations focus on perception that is disembodied from end-to-end control. We present novel end-to-end attacks on autonomous driving in simulation, using simple physically realizable attacks: the painting of black lines on the road. These attacks target deep neural network models for end-to-end autonomous driving control. A systematic investigation shows that such attacks are easy to engineer, and we describe scenarios (e.g., right turns) in which they are highly effective. We define several objective functions that quantify the success of an attack and develop techniques based on Bayesian Optimization to efficiently traverse the search space of higher dimensional attacks. Additionally, we define a novel class of <em>hijacking</em> attacks, where painting lines on the road cause the driverless car to follow a target path. Through the use of network deconvolution, we provide insights into the successful attacks, which appear to work by mimicking activations of entirely different scenarios. Our code is available on <a href="https://github.com/xz-group/AdverseDrive">https://github.com/xz-group/AdverseDrive</a></p>

computer science, software engineering, hardware & architecture