WIP: End-to-End Analysis of Adversarial Attacks to Automated Lane Centering Systems

Liang, Hengyi; Jiao, Ruochen; Sato, Takami; Shen, Junjie; Chen, Qi Alfred; Zhu, Qi

doi:10.14722/autosec.2021.23034

Cited by 6 publications

(10 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In comparison, these works mainly focus on vulnerabilities at sensor level, while we focus on those at the higher autonomy software level, i.e., the "brain" of AD systems. At such level, prior works have studied the security of camera/LiDAR object detection [5], [6], [9], [10], [117] and tracking [118], localization [119], lane detection [120]- [122], traffic light detection [123], and end-toend AD [12], [13]. However, so far all of them only consider attacks on camera or LiDAR perception alone, while we are the first to study the security of MSF-based AD perception and address the corresponding design challenges ( §III-B).…”

Section: Related Workmentioning

confidence: 99%

Invisible for both Camera and LiDAR: Security of Multi-Sensor Fusion based Perception in Autonomous Driving Under Physical-World Attacks

Cao*,

Wang*,

Xiao*

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

In Autonomous Driving (AD) systems, perception is both security and safety critical. Despite various prior studies on its security issues, all of them only consider attacks on cameraor LiDAR-based AD perception alone. However, production AD systems today predominantly adopt a Multi-Sensor Fusion (MSF) based design, which in principle can be more robust against these attacks under the assumption that not all fusion sources are (or can be) attacked at the same time. In this paper, we present the first study of security issues of MSF-based perception in AD systems. We directly challenge the basic MSF design assumption above by exploring the possibility of attacking all fusion sources simultaneously. This allows us for the first time to understand how much security guarantee MSF can fundamentally provide as a general defense strategy for AD perception.We formulate the attack as an optimization problem to generate a physically-realizable, adversarial 3D-printed object that misleads an AD system to fail in detecting it and thus crash into it. To systematically generate such a physical-world attack, we propose a novel attack pipeline that addresses two main design challenges: (1) non-differentiable target camera and LiDAR sensing systems, and (2) non-differentiable celllevel aggregated features popularly used in LiDAR-based AD perception. We evaluate our attack on MSF algorithms included in representative open-source industry-grade AD systems in realworld driving scenarios. Our results show that the attack achieves over 90% success rate across different object types and MSF algorithms. Our attack is also found stealthy, robust to victim positions, transferable across MSF algorithms, and physicalworld realizable after being 3D-printed and captured by LiDAR and camera devices. To concretely assess the end-to-end safety impact, we further perform simulation evaluation and show that it can cause a 100% vehicle collision rate for an industry-grade AD system. We also evaluate and discuss defense strategies.

show abstract

Section: Related Workmentioning

confidence: 99%

Invisible for both Camera and LiDAR: Security of Multi-Sensor Fusion based Perception in Autonomous Driving Under Physical-World Attacks

Cao*,

Wang*,

Xiao*

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…The planner module in OpenPilot generates an estimation of this desired path by calculating a weighted average of the detected left lane line, right lane line and predicted path, with the weights being the confidence scores outputted by the perception module. Intuitively, if the perception module is less confident on the predicted lanes, the generated desired path relies more on the predicted path; otherwise, it will be closer to the weighted average of the predicted left lane line and right lane line [2], [22].…”

Section: B Planning and Control Modulesmentioning

confidence: 99%

“…Through our experiments, we will use the dirty road patch attack [12] as a case study, but we believe that our approach can be extended to other similar physical environment attacks. As discussed in our preliminary work [22], these physical attacks typically will render abnormal behavior in the perception output and then propagate through the entire pipeline.…”

Section: Attack Modelmentioning

confidence: 99%

“…In our preliminary work recently published in a work-inprogress paper [22], we studied the automated lane centring (ALC) system in OpenPilot [2], a popular open-source ADAS implementation, and investigated how the dirty road patch attack from [12] could affect perception, planning and control modules. We discovered that a confidence score generated by the perception module could serve as a sensitive signal for detecting such attack, however it does not quantitatively measure the extent of the attack and cannot be effectively used for mitigation.…”

Section: Introductionmentioning

confidence: 99%

“…We discovered that a confidence score generated by the perception module could serve as a sensitive signal for detecting such attack, however it does not quantitatively measure the extent of the attack and cannot be effectively used for mitigation. In this paper, motivated by the findings from [22], we propose a novel end-to-end approach for detecting and mitigating the adversarial attacks on the ALC system. Our approach quantitatively estimates the uncertainty of the perception results, and develops an adaptive planning and control method based on the uncertainty analysis to improve system safety and robustness.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

End-to-end Uncertainty-based Mitigation of Adversarial Attacks to Automated Lane Centering

Jiao¹,

Liang²,

Sato³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

In the development of advanced driver-assistance systems (ADAS) and autonomous vehicles, machine learning techniques that are based on deep neural networks (DNNs) have been widely used for vehicle perception. These techniques offer significant improvement on average perception accuracy over traditional methods, however have been shown to be susceptible to adversarial attacks, where small perturbations in the input may cause significant errors in the perception results and lead to system failure. Most prior works addressing such adversarial attacks focus only on the sensing and perception modules. In this work, we propose an end-to-end approach that addresses the impact of adversarial attacks throughout perception, planning, and control modules. In particular, we choose a target ADAS application, the automated lane centering system in OpenPilot, quantify the perception uncertainty under adversarial attacks, and design a robust planning and control module accordingly based on the uncertainty analysis. We evaluate our proposed approach using both public dataset and production-grade autonomous driving simulator. The experiment results demonstrate that our approach can effectively mitigate the impact of adversarial attack and can achieve 55% ∼ 90% improvement over the original OpenPilot.

show abstract

Disclosing the Fragility Problem of Virtual Safety Testing for Autonomous Driving Systems

Guo

Zhong

et al. 2021

2021 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)

View full text Add to dashboard Cite

WIP: End-to-End Analysis of Adversarial Attacks to Automated Lane Centering Systems

Cited by 6 publications

References 9 publications

Invisible for both Camera and LiDAR: Security of Multi-Sensor Fusion based Perception in Autonomous Driving Under Physical-World Attacks

Invisible for both Camera and LiDAR: Security of Multi-Sensor Fusion based Perception in Autonomous Driving Under Physical-World Attacks

End-to-end Uncertainty-based Mitigation of Adversarial Attacks to Automated Lane Centering

Disclosing the Fragility Problem of Virtual Safety Testing for Autonomous Driving Systems

Contact Info

Product

Resources

About