Lateral-Direction Localization Attack in High-Level Autonomous Driving:
Domain-Specific Defense Opportunity via Lane Detection
(IROS'23)
Summary
Localization in high-level Autonomous Driving (AD) systems is highly security critical. Recently, researchers found that state-of-the-art Multi-Sensor Fusion (MSF) based localization is vulnerable to GPS spoofing, which can cause road hazards such as driving off road or onto the wrong way. In this work, we perform the first exploration of using Lane Detection (LD) to detect and correct deviations caused by such attacks, and we design a novel LD-based system-level defense, LD3. We evaluate LD3 on real-world sensor traces and find that it achieves effective and timely detection against the state-of-the-art attack, with 100% true positive rates and 0% false positive rates. Results show that LD3 can be highly effective at steering the AD vehicle to a safe stop within the current traffic lane. We implement LD3 on two open-source AD systems and validate its end-to-end defense capability both in an industry-grade AD simulator and in the physical world with an AD R&D vehicle of real vehicle size.
Research Paper
[IROS'23] Lateral-Direction Localization Attack in High-Level Autonomous Driving: Domain-Specific Defense Opportunity via Lane Detection
Junjie Shen, Yunpeng Luo, Ziwen Wan, Qi Alfred Chen
To appear in the 2023 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS 2023).
Physical World Evaluation on AD Development Chassis of Real Vehicle Size and Closed-loop Control
Experimental Setup
AD system: Autoware AI v1.14.0
Enabled modules: Localization, Global Planning, Local Planning, Control
AD Development Chassis
Full-vehicle size: 2.7 m x 1.5 m
Similar in size to the chassis of popular vehicles, e.g., Toyota Prius and Honda Civic
Level-4 AD sensors: LiDAR, Camera (x3), GPS, IMU, RADAR (x2), ultrasonic sensors (x12)
Driving speeds: 4 m/s and 2 m/s
Attack and defense settings
with LD3, with attack
without LD3, with attack
with LD3, without attack
with LD3, with attack @ 4 m/s
without LD3, with attack @ 4 m/s
with LD3, with attack @ 2 m/s
without LD3, with attack @ 2 m/s
with LD3, without attack @ 4 m/s
with LD3, without attack @ 2 m/s
End-to-End AD Simulation Demos
Simulation Configurations
AD System: Baidu Apollo r5.0.0
Enabled modules: Localization, Perception, Prediction, Planning, Routing, Control, Transform, Traffic Light (only in San Francisco map)
Lane detection model: SCNN [1]
LGSVL simulator version: 2020.06
AV vehicle model: Lincoln MKZ 2017
Simulation maps: Single Lane Road (SLR), San Francisco (SF)
Simulation scenarios
SLR-High: high-speed driving in the Single Lane Road map, max speed: ~27 m/s (60 mph)
SLR-Low: (relatively) low-speed driving in the Single Lane Road map, max speed: ~20 m/s (45 mph)
SF-Straight: a straight road segment in the San Francisco map, max speed: ~18 m/s (40 mph)
SF-Curvy: a curvy road segment in the San Francisco map, max speed: ~16 m/s (37 mph)
[1] X. Pan, J. Shi, P. Luo, X. Wang, and X. Tang, “Spatial As Deep: Spatial CNN for Traffic Scene Understanding,” AAAI 2018.
Simulation Scenario 1: Single Lane Road - High Speed (SLR-High)
Attacked Driving with LD3 *
Attacked Driving with No Detection
Attacked Driving with LD3-NaiveAR
Benign Driving with LD3
Simulation Scenario 2: Single Lane Road - Low Speed (SLR-Low)
Attacked Driving with LD3 *
Attacked Driving with No Detection
Attacked Driving with LD3-NaiveAR
Benign Driving with LD3
Simulation Scenario 3: San Francisco - Straight Road (SF-Straight)
Attacked Driving with LD3 *
Attacked Driving with No Detection
Attacked Driving with LD3-NaiveAR
Benign Driving with LD3
Simulation Scenario 4: San Francisco - Curvy Road (SF-Curvy)
Attacked Driving with LD3 *
Attacked Driving with No Detection
Attacked Driving with LD3-NaiveAR
Benign Driving with LD3