Yanjiao Chen,Xiaotian Zhu,Xueluan Gong,Xinjing Yi,Shuyang Li

DOI: https://doi.org/10.1109/tii.2022.3198481

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:With the unprecedented development of deep learning, autonomous vehicles (AVs) have achieved tremendous progress nowadays. However, AV supported by DNN models is vulnerable to data poisoning attacks, hindering the large-scale application of autonomous driving. For example, by injecting carefully designed poisons into the training dataset of the DNN model in the traffic sign recognition system, the attacker can mislead the system to make targeted misclassification or cause a reduction in model classification accuracy. In this article, we conduct a thorough investigation of the state-of-the-art data poisoning attacks and defenses against AVs. According to whether the attacker needs to manipulate the data labeling process, we divide the state-of-the-art attack approaches into two categories, i.e., dirty-label attacks and clean-label attacks. We also differentiate the existing defense methods into two categories based on whether to modify the training data or the models, i.e., data-based defenses and model-based defenses. In addition to a detailed review of attacks and defenses in each category, we also give a qualitative comparison of the existing attacks and defenses. Besides, we provide a quantitative comparison of the existing attack and defense methods through experiments. Last but not least, we pinpoint several future directions for data poisoning attacks and defenses in AVs, providing possible ways for further research.

Bo Yang,Zizhi Jin,Yushi Cheng,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1016/j.hcc.2024.100203

2024-01-01

High-Confidence Computing

Abstract:In autonomous driving systems, perception is pivotal, relying chiefly on sensors like LiDAR and cameras for environmental awareness. LiDAR, celebrated for its detailed depth perception, is being increasingly integrated into autonomous vehicles. In this article, we analyze the robustness of four LiDAR-included models against adversarial points under physical constraints. We first introduce an attack technique that, by simply adding a limited number of physically constrained adversarial points above a vehicle, can make the vehicle undetectable by the LiDAR-included models. Experiments reveal that adversarial points adversely affect the detection capabilities of both LiDAR-only and LiDAR-camera fusion models, with a tendency for more adversarial points to escalate attack success rates. Notably, voxel-based models are more susceptible to deception by these adversarial points. We also investigated the impact of the distance and angle of the added adversarial points on the attack success rate. Typically, the farther the victim object to be hidden and the closer to the front of the LiDAR, the higher the attack success rate. Additionally, we have experimentally proven that our generated adversarial points possess good cross-model adversarial transferability and validated the effectiveness of our proposed optimization method through ablation studies. Furthermore, we propose a new plug-and-play, model-agnostic defense method based on the concept of point smoothness. The ROC curve of this defense method shows an AUC value of approximately 0.909, demonstrating its effectiveness.

Yujie Li,Xing Xu,Jinhui Xiao,Siyuan Li,Heng Tao Shen

DOI: https://doi.org/10.1109/jiot.2020.3016145

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:To better understand the road condition and make correct driving decisions, traffic sign recognition becomes a crucial component commonly equipped in the vision system of modern autonomous cars. The state-of-the-art traffic sign recognition models are designed with the backbones of deep neural networks (DNNs) since DNNs are powerful to extract more effective visual features that benefit recognition performance. As the recent studies on adversarial attacks have shown that DNNs are easy to be fooled by perturbed images and lead to misclassification, in this article, we explore the vulnerability of the DNN-based traffic sign recognition model. Most existing adversarial attack methods limitedly focus on the white-box attack on the recognition models whose underlying configurations (e.g., network architectures and parameters) are accessible. Differently, we propose a novel attacking method dubbed adaptive square attack (ASA) that can accomplish the black-box attack, i.e., bypassing the access the configurations of the recognition models. Specifically, the proposed ASA method employs an efficient sampling strategy that can generate perturbations for traffic sign images with fewer query times. Extensive experiments on the benchmark data set German traffic sign recognition benchmark with large-scale traffic sign images for autonomous cars show that our proposed ASA method is advanced to perform the black-box attack with high efficiency. Although the generated adversarial traffic sign images by the proposed ASA method are visually similar to the raw images with almost imperceptible differences, they can successfully lead to the misclassification of the state-of-the-art recognition model.

Jun Yan,Huilin Yin,Bin Ye,Wanchen Ge,Hao Zhang,Gerhard Rigoll

DOI: https://doi.org/10.1007/s42154-023-00220-9

2023-01-01

Automotive Innovation

Abstract:The state-of-the-art deep neural networks are vulnerable to the attacks of adversarial examples with small-magnitude perturbations. In the field of deep-learning-based automated driving, such adversarial attack threats testify to the weakness of AI models. This limitation can lead to severe issues regarding the safety of the intended functionality (SOTIF) in automated driving. From the perspective of causality, the adversarial attacks can be regarded as confounding effects with spurious correlations established by the non-causal features. However, few previous research works are devoted to building the relationship between adversarial examples, causality, and SOTIF. This paper proposes a robust physical adversarial perturbation generation method that aims at the salient image regions of the targeted attack class with the guidance of class activation mapping (CAM). With the utilization of CAM, the maximization of the confounding effects can be achieved through the intermediate variable of the front-door criterion between images and targeted attack labels. In the simulation experiment, the proposed method achieved a 94.6% targeted attack success rate (ASR) on the released dataset when the speed-speed-limit-60 km/h (speed-limit-60) signs could be attacked as speed-speed-limit-80 km/h (speed-limit-80) signs. In the real physical experiment, the targeted ASR is 75% and the untargeted ASR is 100%. Besides the state-of-the-art attack result, a detailed experiment is implemented to evaluate the performance of the proposed method under low resolutions, diverse optimizers, and multifarious defense methods. The code and data are released at the repository: https://github.com/yebin999/rp2-with-cam .

Xinghao Yang,Weifeng Liu,Shengli Zhang,Wei Liu,Dacheng Tao

DOI: https://doi.org/10.1109/jiot.2020.3034899

IF: 10.6

2021-03-15

IEEE Internet of Things Journal

Abstract:Real-world traffic sign recognition is an important step toward building autonomous vehicles, most of which highly dependent on deep neural networks (DNNs). Recent studies demonstrated that DNNs are surprisingly susceptible to adversarial examples. Many attack methods have been proposed to understand and generate adversarial examples, such as gradient-based attack, score-based attack, decision-based attack, and transfer-based attacks. However, most of these algorithms are ineffective in real-world road sign attack, because 1) iteratively learning perturbations for each frame is not realistic for a fast moving car and 2) most optimization algorithms traverse all pixels equally without considering their diverse contribution. To alleviate these problems, this article proposes the targeted attention attack (TAA) method for real-world road sign attack. Specifically, we have made the following contributions: 1) we leverage the soft attention map to highlight those important pixels and skip those zero-contributed areas—this also helps to generate natural perturbations; 2) we design an efficient universal attack that optimizes a single perturbation/noise based on a set of training images under the guidance of the pretrained attention map; 3) we design a simple objective function that can be easily optimized; and 4) we evaluate the effectiveness of TAA on real-world data sets. Experimental results validate that the TAA method improves the attack successful rate (nearly 10%) and reduces the perturbation loss (about a quarter) compared with the popular RP₂ method. Additionally, our TAA also provides good properties, e.g., transferability and generalization capability. We provide code and data to ensure the reproducibility: https://github.com/AdvAttack/RoadSignAttack.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yue Wang,Minjie Liu,Yanli Ren,Xinpeng Zhang,Guorui Feng

DOI: https://doi.org/10.1016/j.patcog.2023.110035

IF: 8

2024-01-01

Pattern Recognition

Abstract:Recent work show that Deep Neural Networks (DNNs) have created great performance in many tasks, but they are vulnerable to adversarial examples which trigger Artificial Intelligence (AI) security risks. Especially in the autonomous driving field, attacking a traffic sign classification network results in a serious consequence. Most existing researches prefer to digital level attacks focusing on smaller or more imperceptible adversarial noise. Given that attacks available to real-world implementation usually emerge in more security-critical scenarios, we propose an adaptively adversarial example generation algorithm for physical attacks in the real-world setting. Taking account of the traffic sign classification, our approach is divided into two steps. The first step is to generate a probability map which precisely predicts the probability of being attacked for each pixel in the input image through the proposed Pinpoint Region Probability Estimation Network (PRPEN) and meanwhile, try to reduce the size of the highlighted area in the map. It can also be regarded as a classification problem in which every pixel has two classes, suitable for attacking or not, including the restrictions on the number of items in the suitable sort. The second one is to remake a mask depending on the probability map and optimize adversarial patches only on what mask decides. Experimental results show that our method achieves almost 100% misclassification rate in several widely used networks with even smaller patches. We also find how to effectively disguise as a target class to mislead the DNN classifiers and improve AI security.

Hailiang Li,Bin Zhang,Yu Zhang,Xilin Dang,Yuwei Han,Linfeng Wei,Yijun Mao,Jian Weng

DOI: https://doi.org/10.1016/j.inffus.2021.05.005

IF: 18.6

2021-12-01

Information Fusion

Abstract:<p>A traditional neural network cannot realize the invariance of image rotation and distortion well, so an attacker can fool the neural network by adding tiny disturbances to an image. If traffic signs are attacked, automatic driving will probably be misguided, leading to disastrous consequences. Inspired by the principle of human vision, this paper proposes a defense method based on an attentional mechanism for traffic sign adversarial samples. In this method, the affine coordinate parameters of the target objects in the images are extracted by a CNN, and then the target objects are redrawn by the coordinate mapping model. In this process, the key areas in the image are extracted by the attention mechanism, and the pixels are filtered by interpolation. Our model simulates the daily behavior of human beings, making it more intelligent in the defense against the adversarial samples. Experiments show that our method has a strong defense ability for traffic sign adversarial samples generated by various attack methods. Compared with other defense methods, our method is more universal and has a strong defense ability against a variety of attacks. Moreover, our model is portable and can be easily implanted into neural networks in the form of defense plug-ins.</p>

computer science, artificial intelligence, theory & methods

Wei Jia,Zhaojun Lu,Haichun Zhang,Zhenglin Liu,Jie Wang,Gang Qu

DOI: https://doi.org/10.14722/ndss.2022.24130

2022-01-01

Abstract:Adversarial Examples (AEs) can deceive Deep Neural Networks (DNNs) and have received a lot of attention recently. However, majority of the research on AEs is in the digital domain and the adversarial patches are static, which is very different from many real-world DNN applications such as Traffic Sign Recognition (TSR) systems in autonomous vehicles. In TSR systems, object detectors use DNNs to process streaming video in real time. From the view of object detectors, the traffic sign`s position and quality of the video are continuously changing, rendering the digital AEs ineffective in the physical world. In this paper, we propose a systematic pipeline to generate robust physical AEs against real-world object detectors. Robustness is achieved in three ways. First, we simulate the in-vehicle cameras by extending the distribution of image transformations with the blur transformation and the resolution transformation. Second, we design the single and multiple bounding boxes filters to improve the efficiency of the perturbation training. Third, we consider four representative attack vectors, namely Hiding Attack, Appearance Attack, Non-Target Attack and Target Attack. We perform a comprehensive set of experiments under a variety of environmental conditions, and considering illuminations in sunny and cloudy weather as well as at night. The experimental results show that the physical AEs generated from our pipeline are effective and robust when attacking the YOLO v5 based TSR system. The attacks have good transferability and can deceive other state-of-the-art object detectors. We launched HA and NTA on a brand-new 2021 model vehicle. Both attacks are successful in fooling the TSR system, which could be a life-threatening case for autonomous vehicles. Finally, we discuss three defense mechanisms based on image preprocessing, AEs detection, and model enhancing.

Xinghao Yang,Weifeng Liu,Shengli Zhang,Wei Liu,Dacheng Tao

DOI: https://doi.org/10.48550/arxiv.2010.04331

2020-01-01

Abstract:Real world traffic sign recognition is an important step towards building autonomous vehicles, most of which highly dependent on Deep Neural Networks (DNNs). Recent studies demonstrated that DNNs are surprisingly susceptible to adversarial examples. Many attack methods have been proposed to understand and generate adversarial examples, such as gradient based attack, score based attack, decision based attack, and transfer based attacks. However, most of these algorithms are ineffective in real-world road sign attack, because (1) iteratively learning perturbations for each frame is not realistic for a fast moving car and (2) most optimization algorithms traverse all pixels equally without considering their diverse contribution. To alleviate these problems, this paper proposes the targeted attention attack (TAA) method for real world road sign attack. Specifically, we have made the following contributions: (1) we leverage the soft attention map to highlight those important pixels and skip those zero-contributed areas - this also helps to generate natural perturbations, (2) we design an efficient universal attack that optimizes a single perturbation/noise based on a set of training images under the guidance of the pre-trained attention map, (3) we design a simple objective function that can be easily optimized, (4) we evaluate the effectiveness of TAA on real world data sets. Experimental results validate that the TAA method improves the attack successful rate (nearly 10%) and reduces the perturbation loss (about a quarter) compared with the popular RP2 method. Additionally, our TAA also provides good properties, e.g., transferability and generalization capability. We provide code and data to ensure the reproducibility: https://github.com/AdvAttack/RoadSignAttack.

Svetlana Pavlitska,Nico Lambing,J. Marius Zöllner

DOI: https://doi.org/10.48550/arXiv.2307.08278

2023-07-17

Abstract:Traffic sign recognition is an essential component of perception in autonomous vehicles, which is currently performed almost exclusively with deep neural networks (DNNs). However, DNNs are known to be vulnerable to adversarial attacks. Several previous works have demonstrated the feasibility of adversarial attacks on traffic sign recognition models. Traffic signs are particularly promising for adversarial attack research due to the ease of performing real-world attacks using printed signs or stickers. In this work, we survey existing works performing either digital or real-world attacks on traffic sign detection and classification models. We provide an overview of the latest advancements and highlight the existing research areas that require further investigation.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning

Yiwen Wang,Yue Wang,Guorui Feng

DOI: https://doi.org/10.1016/j.neunet.2024.106698

2024-09-03

Abstract:In the real world, the correct recognition of traffic signs plays a crucial role in vehicle autonomous driving and traffic monitoring. The research on its adversarial attack can test the security of vehicle autonomous driving system and provide enlightenment for improving the recognition algorithm. However, with the development of transportation infrastructure, new traffic signs may be introduced. The adversarial attack model for traffic signs needs to adapt to the addition of new types. Based on this, class incremental learning for traffic sign adversarial attacks has become an interesting research field. We propose a class incremental learning method for adversarial attacks on traffic signs. First, this method uses Pinpoint Region Probability Estimation Network (PRPEN) to predict the probability of each pixel being attacked in old samples. It helps to identify the high attack probability regions of the samples. Subsequently, based on the size of high probability pixel concentration area, the replay sample set is constructed. Old samples with smaller concentration areas receive higher priority and are prioritized for incremental learning. The experimental results show that compared with other sample selection methods, our method selects more representative samples and can train PRPEN more effectively to generate probability maps, thereby better generating adversarial attacks on traffic signs.

Fabian Woitschek,Georg Schneider

DOI: https://doi.org/10.1109/IV48863.2021.9575935

2023-02-27

Abstract:Deep Neural Networks (DNNs) are increasingly applied in the real world in safety critical applications like advanced driver assistance systems. An example for such use case is represented by traffic sign recognition systems. At the same time, it is known that current DNNs can be fooled by adversarial attacks, which raises safety concerns if those attacks can be applied under realistic conditions. In this work we apply different black-box attack methods to generate perturbations that are applied in the physical environment and can be used to fool systems under different environmental conditions. To the best of our knowledge we are the first to combine a general framework for physical attacks with different black-box attack methods and study the impact of the different methods on the success rate of the attack under the same setting. We show that reliable physical adversarial attacks can be performed with different methods and that it is also possible to reduce the perceptibility of the resulting perturbations. The findings highlight the need for viable defenses of a DNN even in the black-box case, but at the same time form the basis for securing a DNN with methods like adversarial training which utilizes adversarial attacks to augment the original training data.

Computer Vision and Pattern Recognition,Artificial Intelligence,Machine Learning

Zadid Khan,Mashrur Chowdhury,Sakib Mahmud Khan

DOI: https://doi.org/10.48550/arXiv.2205.01225

2022-04-25

Abstract:Adversarial attacks can make deep neural network (DNN) models predict incorrect output labels, such as misclassified traffic signs, for autonomous vehicle (AV) perception modules. Resilience against adversarial attacks can help AVs navigate safely on the road by avoiding misclassication of signs or objects. This DNN-based study develops a resilient traffic sign classifier for AVs that uses a hybrid defense method. We use transfer learning to retrain the Inception-V3 and Resnet-152 models as traffic sign classifiers. This method also utilizes a combination of three different strategies: random filtering, ensembling, and local feature mapping. We use the random cropping and resizing technique for random filtering, plurality voting as ensembling strategy and an optical character recognition model as a local feature mapper. This DNN-based hybrid defense method has been tested for the no attack scenario and against well-known untargeted adversarial attacks (e.g., Projected Gradient Descent or PGD, Fast Gradient Sign Method or FGSM, Momentum Iterative Method or MIM attack, and Carlini and Wagner or C&W). We find that our hybrid defense method achieves 99% average traffic sign classification accuracy for the no attack scenario and 88% average traffic sign classification accuracy for all attack scenarios. Moreover, the hybrid defense method, presented in this study, improves the accuracy for traffic sign classification compared to the traditional defense methods (i.e., JPEG filtering, feature squeezing, binary filtering, and random filtering) up to 6%, 50%, and 55% for FGSM, MIM, and PGD attacks, respectively.

Cryptography and Security,Computer Vision and Pattern Recognition

Han Wu,Syed Yunas,Sareh Rowlands,Wenjie Ruan,Johan Wahlstrom

DOI: https://doi.org/10.48550/arXiv.2103.09151

2021-03-16

Computer Vision and Pattern Recognition

Abstract:As research in deep neural networks advances, deep convolutional networks become promising for autonomous driving tasks. In particular, there is an emerging trend of employing end-to-end neural network models for autonomous driving. However, previous research has shown that deep neural network classifiers are vulnerable to adversarial attacks. While for regression tasks, the effect of adversarial attacks is not as well understood. In this research, we devise two white-box targeted attacks against end-to-end autonomous driving models. Our attacks manipulate the behavior of the autonomous driving system by perturbing the input image. In an average of 800 attacks with the same attack strength (epsilon=1), the image-specific and image-agnostic attack deviates the steering angle from the original output by 0.478 and 0.111, respectively, which is much stronger than random noises that only perturbs the steering angle by 0.002 (The steering angle ranges from [-1, 1]). Both attacks can be initiated in real-time on CPUs without employing GPUs. Demo video: https://youtu.be/I0i8uN2oOP0.

Chawin Sitawarin,Arjun Nitin Bhagoji,Arsalan Mosenia,Prateek Mittal,Mung Chiang

DOI: https://doi.org/10.48550/arXiv.1801.02780

2018-03-27

Abstract:We propose a new real-world attack against the computer vision based systems of autonomous vehicles (AVs). Our novel Sign Embedding attack exploits the concept of adversarial examples to modify innocuous signs and advertisements in the environment such that they are classified as the adversary's desired traffic sign with high confidence. Our attack greatly expands the scope of the threat posed to AVs since adversaries are no longer restricted to just modifying existing traffic signs as in previous work. Our attack pipeline generates adversarial samples which are robust to the environmental conditions and noisy image transformations present in the physical world. We ensure this by including a variety of possible image transformations in the optimization problem used to generate adversarial samples. We verify the robustness of the adversarial samples by printing them out and carrying out drive-by tests simulating the conditions under which image capture would occur in a real-world scenario. We experimented with physical attack samples for different distances, lighting conditions and camera angles. In addition, extensive evaluations were carried out in the virtual setting for a variety of image transformations. The adversarial samples generated using our method have adversarial success rates in excess of 95% in the physical as well as virtual settings.

Cryptography and Security,Machine Learning

Yulong Cao,Chaowei Xiao,Dawei Yang,Jing Fang,Ruigang Yang,Mingyan Liu,Bo Li

DOI: https://doi.org/10.48550/arXiv.1907.05418

2019-07-12

Abstract:Deep neural networks (DNNs) are found to be vulnerable against adversarial examples, which are carefully crafted inputs with a small magnitude of perturbation aiming to induce arbitrarily incorrect predictions. Recent studies show that adversarial examples can pose a threat to real-world security-critical applications: a "physical adversarial Stop Sign" can be synthesized such that the autonomous driving cars will misrecognize it as others (e.g., a speed limit sign). However, these image-space adversarial examples cannot easily alter 3D scans of widely equipped LiDAR or radar on autonomous vehicles. In this paper, we reveal the potential vulnerabilities of LiDAR-based autonomous driving detection systems, by proposing an optimization based approach LiDAR-Adv to generate adversarial objects that can evade the LiDAR-based detection system under various conditions. We first show the vulnerabilities using a blackbox evolution-based algorithm, and then explore how much a strong adversary can do, using our gradient-based approach LiDAR-Adv. We test the generated adversarial objects on the Baidu Apollo autonomous driving platform and show that such physical systems are indeed vulnerable to the proposed attacks. We also 3D-print our adversarial objects and perform physical experiments to illustrate that such vulnerability exists in the real world. Please find more visualizations and results on the anonymous website: <a class="link-external link-https" href="https://sites.google.com/view/lidar-adv" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Adith Boloor,Karthik Garimella,Xin He,Christopher Gill,Yevgeniy Vorobeychik,Xuan Zhang

DOI: https://doi.org/10.1016/j.sysarc.2020.101766

IF: 5.836

2020-11-01

Journal of Systems Architecture

Abstract:<p>Recent advances in machine learning, especially techniques such as deep neural networks, are enabling a range of emerging applications. One such example is autonomous driving, which often relies on deep learning for perception. However, deep learning-based perception has been shown to be vulnerable to a host of subtle adversarial manipulations of images. Nevertheless, the vast majority of such demonstrations focus on perception that is disembodied from end-to-end control. We present novel end-to-end attacks on autonomous driving in simulation, using simple physically realizable attacks: the painting of black lines on the road. These attacks target deep neural network models for end-to-end autonomous driving control. A systematic investigation shows that such attacks are easy to engineer, and we describe scenarios (e.g., right turns) in which they are highly effective. We define several objective functions that quantify the success of an attack and develop techniques based on Bayesian Optimization to efficiently traverse the search space of higher dimensional attacks. Additionally, we define a novel class of <em>hijacking</em> attacks, where painting lines on the road cause the driverless car to follow a target path. Through the use of network deconvolution, we provide insights into the successful attacks, which appear to work by mimicking activations of entirely different scenarios. Our code is available on <a href="https://github.com/xz-group/AdverseDrive">https://github.com/xz-group/AdverseDrive</a></p>

computer science, software engineering, hardware & architecture

Jindi Zhang,Yang Lou,Jianping Wang,Kui Wu,Kejie Lu,Xiaohua Jia

DOI: https://doi.org/10.1109/jiot.2021.3099164

IF: 10.6

2022-03-01

IEEE Internet of Things Journal

Abstract:In recent years, many deep learning models have been adopted in autonomous driving. At the same time, these models introduce new vulnerabilities that may compromise the safety of autonomous vehicles. Specifically, recent studies have demonstrated that adversarial attacks can cause a significant decline in detection precision of deep learning-based 3-D object detection models. Although driving safety is the ultimate concern for autonomous driving, there is no comprehensive study on the linkage between the performance of deep learning models and the driving safety of autonomous vehicles under adversarial attacks. In this article, we investigate the impact of two primary types of adversarial attacks, perturbation attacks, and patch attacks, on the driving safety of vision-based autonomous vehicles rather than the detection precision of deep learning models. In particular, we consider two state-of-the-art models in vision-based 3-D object detection: 1) Stereo R-CNN and 2) DSGN. To evaluate driving safety, we propose an end-to-end evaluation framework with a set of driving safety performance metrics. By analyzing the results of our extensive evaluation experiments, we find that: 1) the attack's impact on the driving safety of autonomous vehicles and the attack's impact on the precision of 3-D object detectors are decoupled and 2) the DSGN model demonstrates stronger robustness to adversarial attacks than the Stereo R-CNN model. In addition, we further investigate the causes behind the two findings with an ablation study. The findings of this article provide a new perspective to evaluate adversarial attacks and guide the selection of deep learning models in autonomous driving.

computer science, information systems,telecommunications,engineering, electrical & electronic

Hangcheng Cao,Longzhi Yuan,Guowen Xu,Ziyang He,Zhengru Fang,Yuguang Fang

2024-09-06

Abstract:Traffic sign recognition systems play a crucial role in assisting drivers to make informed decisions while driving. However, due to the heavy reliance on deep learning technologies, particularly for future connected and autonomous driving, these systems are susceptible to adversarial attacks that pose significant safety risks to both personal and public transportation. Notably, researchers recently identified a new attack vector to deceive sign recognition systems: projecting well-designed adversarial light patches onto traffic signs. In comparison with traditional adversarial stickers or graffiti, these emerging light patches exhibit heightened aggression due to their ease of implementation and outstanding stealthiness. To effectively counter this security threat, we propose a universal image inpainting mechanism, namely, SafeSign. It relies on attention-enabled multi-view image fusion to repair traffic signs contaminated by adversarial light patches, thereby ensuring the accurate sign recognition. Here, we initially explore the fundamental impact of malicious light patches on the local and global feature spaces of authentic traffic signs. Then, we design a binary mask-based U-Net image generation pipeline outputting diverse contaminated sign patterns, to provide our image inpainting model with needed training data. Following this, we develop an attention mechanism-enabled neural network to jointly utilize the complementary information from multi-view images to repair contaminated signs. Finally, extensive experiments are conducted to evaluate SafeSign's effectiveness in resisting potential light patch-based attacks, bringing an average accuracy improvement of 54.8% in three widely-used sign recognition models

Computer Vision and Pattern Recognition,Computers and Society

Dongfang Guo,Yuting Wu,Yimin Dai,Pengfei Zhou,Xin Lou,Rui Tan

DOI: https://doi.org/10.1145/3643832.3661854

2024-07-10

Abstract:Camera-based computer vision is essential to autonomous vehicle's perception. This paper presents an attack that uses light-emitting diodes and exploits the camera's rolling shutter effect to create adversarial stripes in the captured images to mislead traffic sign recognition. The attack is stealthy because the stripes on the traffic sign are invisible to human. For the attack to be threatening, the recognition results need to be stable over consecutive image frames. To achieve this, we design and implement GhostStripe, an attack system that controls the timing of the modulated light emission to adapt to camera operations and victim vehicle movements. Evaluated on real testbeds, GhostStripe can stably spoof the traffic sign recognition results for up to 94\% of frames to a wrong class when the victim vehicle passes the road section. In reality, such attack effect may fool victim vehicles into life-threatening incidents. We discuss the countermeasures at the levels of camera sensor, perception model, and autonomous driving system.

Cryptography and Security,Computer Vision and Pattern Recognition,Systems and Control