Invisible Reflections: Leveraging Infrared Laser Reflections to Target Traffic Sign Perception
(NDSS'24) 

The attacker can control the following parameters to optimize the impact of the ILR attack on traffic sign misclassification.

• 𝑑as -  Distance: attacker ↔ sign 

• 𝐷 -  Diameter of IR pattern 

• (𝑥b, 𝑦b) - Coordinates of center of the IR pattern 

• 𝑃a - Laser power 

Aside from these parameters, the attack also depends on environmental factors not controllable by the attacker, such as the ambient light intensity 𝐿, the distance between the victim and the traffic sign 𝑑vs

As shown, the ILR attacks show significantly higher attack effectiveness than the random attack, with a 100% success rate for all models. These results indicate that the IR laser traces can fool traffic sign recognition systems. Still,  effective attack optimization is needed to cause a significant attack impact on the system. 

To further study the impact of the ILR attack on other cameras, we evaluate attack effectiveness using a Raspberry Pi HQ v1.1 camera with a Sony IMX477 image sensor, a Microsoft LifeCam HD-3000 camera, and another automotive camera with an Omnivision OV10635 image sensor with the IR filter removed.  The ILR attack is always successful as the ASR is 100%. On the other hand, the SCR of the speed limit sign is not high for other cameras. We observe that the color of IR traces on these cameras is succeptable to attack parameters, which may affect the simulation accuracy of the IR trace. 

Robustness to Ambient Light: The attack is generated under 100 Lux and evaluated in other seven lighting conditions, ranging from 50 to 300 Lux. The ILR attack against the stop sign shows high robustness between 100 to 230 Lux, but the ASR suddenly drops out of the range.  Meanwhile, the attack against the speed limit sign shows high robustness with 100% ASR for all ambiances. The difference in performance should be due to the difference in the surface color of the traffic sign. 

Robustness to Different Camera Positions: For the two-stage architectures, the attack is generated at 2 m lateral and 1 m longitudinal positions and evaluated at all other camera positions. The lateral direction to the traffic signs has higher impacts than the longitudinal direction. As the attack is not optimized against the viewing angle, the attack performance is degraded even though we try to make the attack robust with the EoT technique. Meanwhile, the ASRs are generally high, particularly within 1 m lateral differences. For the SCR, the stop sign typically has higher values than the ones of the stop sign, while the speed limit sign has higher ASRs.  For the single-stage architectures, we evaluate the robustness under four different traffic sign distances. The ILR attack for this scenario is successful with 100% ASR for all models trained on the traffic sign datasets (ARTS and Mapillary). However, the YOLOv3 model trained on the COCO dataset shows higher robustness to the ILR attack and is not vulnerable with 0% ASR when the camera potion differs. 

Robustness to Different Object Detectors in Single-Stage Architecture:  The ILR attack reaches high attack effectiveness for the speed limit sign with 100% ASR at all tested distances and models. For the stop sign, the ILR attack is effective against Faster R-CNN trained on the ARTS dataset but not always effective against YOLOv3 and YOLOv5. We believe these variations are due to the architectural differences in object detectors. The Faster R- CNN model, a two-shot object detector finds region proposals and classifies those regions. It thus has a high ASR similar to the second-stage classification model. YOLOv3 and YOLOv5, single-shot object detectors, perform the two steps simultaneously. This strategy may contribute to the robustness as it can take into account global features out of the region proposal. These results indicate that single-stage traffic sign recognition with a single-shot object detector can be an effective mitigation against ILR attacks. However, we note that the current object detectors are still not able to handle several types of different traffic signs.

Robustness to Inaccuracy in First-Stage Object Detection:

We also evaluate how inaccuracies in the first stage can change the automatic bounding cropping and consequently alter the input of the second-stage classification model. To evaluate the impact of the inaccuracy on the classification results, we apply vertical and horizontal translation noise to our manually annotated bounding boxes. The ASR and SCR for the stop sign decrease with increasing noise levels. In contrast, the ASR for the speed limit sign is always 100%, while the SCR eventually starts to decrease around a noise level of 8%.