Embedded Files
Summary
Summary
Autonomous vehicles have become increasingly prominent, and their safety is becoming critical. One fundamental component of autonomous vehicles is perception, which uses sensors such as cameras and LiDARs to detect surrounding obstacles in real time. LiDAR is commonly used because it excels at detecting obstacles, but it can be prohibitively expensive. As such, many companies have invested in camera-based perception in AD systems.
In this work, we design a practical adversarial patch attack against camera-based obstacle detection. We identify the back of a box truck as an effective attack vector. This demo builds upon prior works by demonstrating end-to-end attack impacts through a production-grade AD simulator, and by using a specialized Expectation over Transformation (e.g., 3D perspective rotation) that is closely relevant to the attack scenario to improve patch robustness with the aim to fool camera-based perception over multiple camera frames. We adjust patch size and appearance, such as making a patch appear to be an advertisement, to make the attack stealthier in the real world, with a potential cost of patch effectiveness. Finally, we demonstrate our results using a production-grade AD simulator, LGSVL, and a representative AD system, Baidu Apollo.
Threat Model & Attack Goal
Threat Model & Attack Goal
Our attack is a white-box attack which requires access to the camera-based perception of the target AD system. The attack also requires data to be collected on the target road beforehand. The goal of the attack is to place an adversarial patch on the back of a box truck such that the victim AV fails to detect the box truck and thus collides into it.
Attack Design
Attack Design
We generate an adversarial patch against the Yolo camera detector model used by Baidu Apollo with the objective to minimize truck detection confidence over multiple frames. To improve the attack success rate, we use Expectation over Transformation to apply 3D perspective rotation, random resize, crop, adjust lighting, and blur pixels to simulate ink bleed and changes in resolution.
Attack Demo
Attack Demo
The attack demo below shows how the adversarial patch is able to suppress camera detection and thus allow the AV to crash into the box truck.
Attack - Vehicle Following Scenario
Attack - Vehicle Following Scenario
Experimental configuration:
LGSVL Simulator version: 2020.06
HD Map: Single Lane Road
Vehicle Model: Lincoln MKZ 2017
Baidu Apollo version: r5.0.0
Enabled modules: Localization, Transform, Planning, Prediction, Routing, Control
Perception file: /apollo/modules/perception/production/launch/perception_camera.launch
Maximum AV Speed: 55 mph
Maximum Truck Speed: 15 mph
Playback Speed: 2 x
Demo Video
Demo Video
Demo Paper
Demo Paper
[Link] Demo: Security of Camera-based Perception for Autonomous Driving under Adversarial Attack
Team
Team
Christopher DiPalma, B.S. graduate, CSE, University of California, Irvine
Ningfei Wang, Ph.D. student, CS, University of California, Irvine
Takami Sato, Ph.D. student, CS, University of California, Irvine
Qi Alfred Chen, Assistant Professor, CS, University of California, Irvine
Acknowledgements
Acknowledgements
Page updated
Report abuse