SoK: On the Semantic AI Security in Autonomous Driving
[New] Call for community feedback: https://docs.google.com/forms/u/1/d/e/1FAIpQLSf94hAZMKCdW-L5uROGnFrmI7XUakxYNkSA9JZydPZUM4I5fg/viewform
[New] Code release: Now in selected-group collaboration stage. Email Alfred <alfchen@uci.edu> for questions & access requests.
Code repo link for invited collaborators: https://github.com/ASGuard-UCI/pass
Summary
Autonomous Driving (AD) systems rely on AI components to make safe and correct driving decisions. Unfortunately, today’s AI algorithms are known to be generally vulnerable to adversarial attacks. However, for such AI component-level vulnerabilities to be semantically impactful at the system level, an attack needs to address non-trivial semantic gaps both (1) from the system-level attack input spaces to those at the AI component level, and (2) from AI component-level attack impacts to those at the system level. In this paper, we define this research space as Semantic AI Security, as opposed to generic AI security.
In this paper, we perform the first systematization of knowledge (SoK) of the semantic AD AI security research space. In total, we collect and analyze 53 such papers from the past 5 years, and systematically taxonomize them based on research aspects critical for the security field, such as the attack/defense targeted AI component, attack/defense goal, attack vector, attack knowledge, defense deployability, defense robustness, and evaluation methodologies. We summarize the 6 most substantial scientific gaps observed, based on quantitative comparisons both vertically among existing AD AI security works and horizontally with security works from closely related domains. With these, we are able to provide insights and potential future directions not only at the design level, but also at the research goal, methodology, and community levels.
To address the most critical scientific methodology-level gap, we take the initiative to develop an open-source, uniform, and extensible system-driven evaluation platform, named PASS (Platform for Autonomous driving Security and Safety), for the semantic AD AI security research community. We also use our implemented platform prototype to showcase the capabilities and benefits of such a platform using representative semantic AD AI attacks.
PASS: System-Driven Evaluation Platform for Semantic AD AI Security Research (code available soon)
Available AD Vehicles for PASS
A Level-4 AD vehicle built upon Lincoln MKZ
Key features:
By-wire control
Power distribution system
Emergency Stop (E Stop) Switch
Human-Machine Interface (HMI) screens
Industrial PC (IPC) with NVIDIA GPU
Sensor configurations:
Velodyne VLP-32C LiDAR
Three Leopard Imaging USB cameras
Allied Vision Mako G-319 camera
Mobileye 630 camera
Long-range Delphi ESR RADAR
Long-range Continental RADAR
NovAtel PwrPak7D-E1: dual-antenna support, integrated Epson G320 MEMS IMU
NovAtel IMU-IGM-S1
A real-vehicle sized chassis with Level-4 AD sensors and closed-loop control
Key features:
Full-vehicle size: 2.7 m x 1.5 m
Same wheelbase and wheeltrack sizes as popular vehicles (side-by-side view with a Toyota Camry shown on the right)
By-wire control
Neousys Industrial PC (IPC) with NVIDIA RTX 2080 Ti
Human-Machine Interface (HMI) screen
Remote controller
Sensor configurations:
Velodyne HDL-64 LiDAR
Ouster OS-1 32-line LiDAR
Multiple Velodyne VLP-16 LiDARs
Multiple short-range cameras (6mm lens)
Long-range camera (25mm lens)
Two Continental ARS408-21 mmWave RADARs for front and back mounting
Ultrasonic sensor suite with 12 sensing probes (40 kHz)
Dual-antenna GPS with RTK & three-axis high-precision IMU for centimeter-level localization
Simulation Fidelity Evaluation Results
Attack effectiveness at specific distances/angles between physical world and simulation
Experimental setup:
Apply the ShapeShifter (SS) attack [1]
Physical world:
Results are from the paper (i.e., untargeted attack in Table 1 in the SS paper [1])
Simulation:
The adversarial STOP sign is generated using the same code and configuration as released by SS authors [GitHub]
Test at the same distance/angle combinations
Results:
Attack trace similarity between physical world and simulation
Experimental setup:
Apply the ShapeShifter (SS) attack [1]
Use the same adversarial STOP sign in both simulation and the physical world
Drive the vehicle from 300 ft until it passes the STOP sign
Physical world:
Collected 20 physical world driving traces
Two STOP sign locations: at the middle or end of the road
Simulation:
Use a road with geometry similar to the one in the physical world
Collected 1 simulation trace
Calculate Pearson's correlation of the STOP sign detection confidences in each physical world trace and the simulation trace
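The trace-similarity metric described above, as an added example (not PASS code): each trace is assumed to be a list of (distance to sign in ft, detection confidence) samples, aligned onto a common distance grid by linear interpolation before Pearson's r is computed. The alignment method, function names and sample values are assumptions constructed for illustration.

```python
import math

def resample(trace, grid):
    """Linearly interpolate (distance_ft, confidence) samples onto grid."""
    pts = sorted(trace)
    if len(pts) < 2 or min(grid) < pts[0][0] or max(grid) > pts[-1][0]:
        raise ValueError("trace does not cover the comparison grid")
    out = []
    for d in grid:
        for (d0, c0), (d1, c1) in zip(pts, pts[1:]):
            if d0 <= d <= d1:
                t = 0.0 if d1 == d0 else (d - d0) / (d1 - d0)
                out.append(c0 + t * (c1 - c0))
                break
    return out

def pearson(x, y, eps=1e-12):
    """Pearson's r, or None when either series is (near-)constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx < eps or syy < eps:
        return None  # flat confidence (sign never or always detected)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    return sxy / math.sqrt(sxx * syy)

def trace_similarity(physical_traces, sim_trace, grid):
    """One r per physical-world trace, each against the simulation trace."""
    sim = resample(sim_trace, grid)
    return [pearson(resample(p, grid), sim) for p in physical_traces]

# Constructed sample data (not measurements from the paper).
GRID = [50, 100, 150, 200, 250]                      # ft from the sign
SIM = [(300, 0.1), (200, 0.3), (100, 0.7), (0, 0.9)]
PHYSICAL = [
    [(300, 0.15), (250, 0.2), (200, 0.25), (100, 0.45), (0, 0.55)],
    [(250, 0.1), (200, 0.1), (150, 0.1), (100, 0.9), (50, 0.9)],
    [(300, 0.5), (0, 0.5)],                          # flat trace
]

if __name__ == "__main__":
    for i, r in enumerate(trace_similarity(PHYSICAL, SIM, GRID)):
        print(i, "undefined" if r is None else round(r, 3))
```

A flat confidence trace has zero variance, so Pearson's r is undefined for it; the example reports that case separately instead of folding it into an average.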
Results:
Representative Demos of the STOP Sign Attack System-Level Evaluation
Experimental setup
STOP sign attacks:
ShapeShifter (SS) [1], Robust Physical Perturbation (RP2) [2], Seeing Isn't Believing (SIB) [3]
Due to failed reproduction of SIB, we directly sample STOP sign detection failures based on the attack success rates at different distance ranges reported in [3]
System-level driving scenarios:
Speed: 10 mph, 15 mph, 20 mph, 25 mph, 30 mph
Lighting: Sunrise, Noon, Sunset
Weather: Sunny, Cloudy, Rainy
Result highlights
RP2 and SIB are not able to cause STOP sign violations at all across all driving scenario combinations
SS can only succeed when the speed is very low (10 mph) while failing for all other speeds (15-30 mph)
[1] Chen et al., “ShapeShifter: Robust Physical Adversarial Attack on Faster R-CNN Object Detector,” in ECML PKDD, Springer, 2018.
[2] Eykholt et al., “Physical Adversarial Examples for Object Detectors,” in WOOT, 2018.
[3] Zhao et al., “Seeing isn’t Believing: Towards More Robust Adversarial Attack Against Real World Object Detectors,” in ACM CCS, 2019.
[SS] Sunny Noon 10 mph
[SS] Sunny Noon 15 mph
[SS] Sunny Noon 20 mph
[SS] Sunny Noon 25 mph
[SS] Sunny Noon 30 mph
[SS] Sunny Sunrise 25 mph
[SS] Sunny Sunset 25 mph
[SS] Cloudy Noon 25 mph
[SS] Rainy Noon 25 mph
[RP2] Sunny Noon 25 mph
[SIB] Sunny Noon 25 mph
Research Paper
@article{arxiv:2022:shen:sok,
title={{SoK: On the Semantic AI Security in Autonomous Driving}},
author={Junjie Shen and Ningfei Wang and Ziwen Wan and Yunpeng Luo and Takami Sato and Zhisheng Hu and Xinyang Zhang and Shengjian Guo and Zhenyu Zhong and Kang Li and Ziming Zhao and Chunming Qiao and Qi Alfred Chen},
journal={arXiv preprint arXiv:2203.05314},
year={2022}
}
[PDF] [Code Release (Now in selected-group collaboration stage. Email Alfred <alfchen@uci.edu> for questions & access requests.)]
Team
Junjie Shen, Ph.D. student, CS, UC Irvine
Ningfei Wang, Ph.D. student, CS, UC Irvine
Ziwen Wan, Ph.D. student, CS, UC Irvine
Yunpeng Luo, Ph.D. student, CS, UC Irvine
Takami Sato, Ph.D. student, CS, UC Irvine
Zhisheng Hu, Baidu Security
Xinyang Zhang, Baidu Security
Shengjian Guo, Baidu Security
Zhenyu Zhong, Baidu Security
Kang Li, Baidu Security
Ziming Zhao, Assistant Professor, CSE, University at Buffalo
Chunming Qiao, SUNY Distinguished Professor and Chair, CSE, University at Buffalo
Qi Alfred Chen, Assistant Professor, CS, UC Irvine