SoK: On the Semantic AI Security in Autonomous Driving

  • Slides explaining our vision: [PDF] [PPTX]

[New] Code release: Now in selected-group collaboration stage. Email Alfred <alfchen@uci.edu> for questions & access requests.

Summary

Autonomous Driving (AD) systems rely on AI components to make safe and correct driving decisions. Unfortunately, today’s AI algorithms are known to be generally vulnerable to adversarial attacks. However, for such AI component-level vulnerabilities to be semantically impactful at the system level, an attack needs to address non-trivial semantic gaps both (1) from the system-level attack input spaces to those at the AI component level, and (2) from AI component-level attack impacts to those at the system level. In this paper, we define this research space as Semantic AI Security, as opposed to generic AI security.

In this paper, we perform the first systematization of knowledge (SoK) of the semantic AD AI security research space. In total, we collect and analyze 53 such papers from the past 5 years, and systematically taxonomize them based on research aspects critical for the security field, such as the attack/defense targeted AI component, attack/defense goal, attack vector, attack knowledge, defense deployability, defense robustness, and evaluation methodologies. We summarize the 6 most substantial scientific gaps observed based on quantitative comparisons both vertically among existing AD AI security works and horizontally with security works from closely-related domains. With these, we are able to provide insights and potential future directions not only at the design level, but also at the research goal, methodology, and community levels.

To address the most critical scientific methodology-level gap, we take the initiative to develop an open-source, uniform, and extensible system-driven evaluation platform, named PASS (Platform for Autonomous driving Security and Safety), for the semantic AD AI security research community. We also use our implemented platform prototype to showcase the capabilities and benefits of such a platform using representative semantic AD AI attacks.

PASS: System-Driven Evaluation Platform for Semantic AD AI Security Research (code available soon)

Available AD Vehicles for PASS

A Level-4 AD vehicle built upon Lincoln MKZ

Key features:

  • By-wire control

  • Power distribution system

  • Emergency Stop (E Stop) Switch

  • Human-Machine Interface (HMI) screens

  • Industrial PC (IPC) with NVIDIA GPU

Sensor configurations:

  • Velodyne VLP-32C LiDAR

  • Three Leopard Imaging USB cameras

  • Allied Vision Mako G-319 camera

  • Mobileye 630 camera

  • Long-range Delphi ESR RADAR

  • Long-range Continental RADAR

  • NovAtel PwrPak7D-E1: dual-antenna support, integrated Epson G320 MEMS IMU

  • NovAtel IMU-IGM-S1

A real-vehicle sized chassis with Level-4 AD sensors and closed-loop control

Key features:

  • Full-vehicle size: 2.7 m x 1.5 m

  • Same wheelbase and wheeltrack sizes as popular vehicles (side-by-side view with a Toyota Camry shown on the right)

  • By-wire control

  • Neousys Industrial PC (IPC) with NVIDIA RTX 2080 Ti

  • Human-Machine Interface (HMI) screen

  • Remote controller

Sensor configurations:

  • Velodyne HDL-64 LiDAR

  • Ouster OS-1 32-line LiDAR

  • Multiple Velodyne VLP-16 LiDARs

  • Multiple short-range cameras (6mm lens)

  • Long-range camera (25mm lens)

  • Two Continental ARS408-21 mmWave RADARs for front and back mounting

  • Ultrasonic sensor suite with 12 sensing probes (40 kHz)

  • Dual-antenna GPS with RTK & three-axis high-precision IMU for centimeter-level localization

Simulation Fidelity Evaluation Results

Attack effectiveness at specific distances/angles between physical world and simulation

Experimental setup:

  • Apply the ShapeShifter (SS) attack [1]

  • Physical world:

    • Results are from the paper (i.e., untargeted attack in Table 1 in the SS paper [1])

  • Simulation:

    • The adversarial STOP sign is generated using the same code and configuration as released by SS authors [GitHub]

    • Test at the same distance/angle combinations

Results:

Attack trace similarity between physical world and simulation

Experimental setup:

  • Apply the ShapeShifter (SS) attack [1]

    • Use the same adversarial STOP sign in both simulation and the physical world

    • Drive the vehicle from 300 ft until it passes the STOP sign

  • Physical world:

    • Collected 20 physical world driving traces

    • Two STOP sign locations: at the middle or end of the road

  • Simulation:

    • Use road with similar geometry as the one in the physical world

    • Collected 1 simulation trace

  • Calculate Pearson's correlation of the STOP sign detection confidences in each physical world trace and the simulation trace
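The trace comparison described above, as an added example that is not part of the PASS code base: each trace is assumed to be a list of (distance-to-sign in ft, detection confidence) pairs, and the 50 ft grid, the linear interpolation used to align traces, and all sample values are constructed assumptions.

```python
from bisect import bisect_left
from math import sqrt

def resample(trace, grid):
    """Linearly interpolate (distance_ft, confidence) samples onto grid distances."""
    pts = sorted(trace)
    xs = [d for d, _ in pts]
    ys = [c for _, c in pts]
    out = []
    for g in grid:
        if g <= xs[0]:
            out.append(ys[0])          # clamp below the first sample
        elif g >= xs[-1]:
            out.append(ys[-1])         # clamp beyond the last sample
        else:
            i = bisect_left(xs, g)     # xs[i-1] < g <= xs[i]
            t = (g - xs[i - 1]) / (xs[i] - xs[i - 1])
            out.append(ys[i - 1] + t * (ys[i] - ys[i - 1]))
    return out

def pearson(a, b):
    """Pearson's r; None when either series is constant (r is undefined)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return None
    return cov / sqrt(va * vb)

def trace_similarity(physical_traces, sim_trace, grid):
    """One r value per physical trace, each compared against the simulation trace."""
    sim = resample(sim_trace, grid)
    return [pearson(resample(p, grid), sim) for p in physical_traces]

# Constructed sample data (not measurements from the paper).
GRID = list(range(0, 301, 50))                       # 0 ft .. 300 ft from the sign
SIM = [(300, 0.10), (200, 0.30), (100, 0.80), (0, 0.95)]
PHYS_SIMILAR = [(300, 0.05), (240, 0.22), (180, 0.35),
                (120, 0.70), (60, 0.85), (0, 0.90)]  # different sampling points
PHYS_NEVER_DETECTED = [(300, 0.0), (150, 0.0), (0, 0.0)]
PHYS_OPPOSITE = [(300, 0.9), (150, 0.5), (0, 0.1)]   # detection lost when close

if __name__ == "__main__":
    traces = [PHYS_SIMILAR, PHYS_NEVER_DETECTED, PHYS_OPPOSITE]
    for r in trace_similarity(traces, SIM, GRID):
        print("undefined" if r is None else f"{r:+.3f}")
```

A trace in which the sign is never detected has zero variance, so its correlation is reported as undefined rather than as 0.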

Results:

Representative Demos of the STOP Sign Attack System-Level Evaluation

Experimental setup

  • STOP sign attacks:

    • ShapeShifter (SS) [1], Robust Physical Perturbation (RP2) [2], Seeing Isn't Believing (SIB) [3]

      • Due to failed reproduction of SIB, we directly sample STOP sign detection failures based on the attack success rates at different distance ranges reported in [3]

  • System-level driving scenarios:

    • Speed: 10 mph, 15 mph, 20 mph, 25 mph, 30 mph

    • Lighting: Sunrise, Noon, Sunset

    • Weather: Sunny, Cloudy, Rainy

Result highlights

  • RP2 and SIB are not able to cause STOP sign violations at all across all driving scenario combinations

  • SS can only succeed when the speed is very low (10 mph) while failing for all other speeds (15-30 mph)


[1] Chen et al., “ShapeShifter: Robust Physical Adversarial Attack on Faster R-CNN Object Detector,” in ECML PKDD, Springer, 2018.

[2] Eykholt et al., “Physical Adversarial Examples for Object Detectors,” in WOOT, 2018.

[3] Zhao et al., “Seeing isn’t Believing: Towards More Robust Adversarial Attack Against Real World Object Detectors,” in ACM CCS, 2019.

[SS] Sunny Noon 10 mph

[SS] Sunny Noon 15 mph

[SS] Sunny Noon 20 mph

[SS] Sunny Noon 25 mph

[SS] Sunny Noon 30 mph

[SS] Sunny Sunrise 25 mph

[SS] Sunny Sunset 25 mph

[SS] Cloudy Noon 25 mph

[SS] Rainy Noon 25 mph

[RP2] Sunny Noon 25 mph

[SIB] Sunny Noon 25 mph

Research Paper


@article{arxiv:2022:shen:sok,
  title={{SoK: On the Semantic AI Security in Autonomous Driving}},
  author={Junjie Shen and Ningfei Wang and Ziwen Wan and Yunpeng Luo and Takami Sato and Zhisheng Hu and Xinyang Zhang and Shengjian Guo and Zhenyu Zhong and Kang Li and Ziming Zhao and Chunming Qiao and Qi Alfred Chen},
  journal={arXiv preprint arXiv:2203.05314},
  year={2022}
}

[PDF] [Code Release (Now in selected-group collaboration stage. Email Alfred <alfchen@uci.edu> for questions & access requests.)]

Team

  • Junjie Shen, Ph.D. student, CS, UC Irvine

  • Ningfei Wang, Ph.D. student, CS, UC Irvine

  • Ziwen Wan, Ph.D. student, CS, UC Irvine

  • Yunpeng Luo, Ph.D. student, CS, UC Irvine

  • Takami Sato, Ph.D. student, CS, UC Irvine

  • Zhisheng Hu, Baidu Security

  • Xinyang Zhang, Baidu Security

  • Shengjian Guo, Baidu Security

  • Zhenyu Zhong, Baidu Security

  • Kang Li, Baidu Security

  • Ziming Zhao, Assistant Professor, CSE, University at Buffalo

  • Chunming Qiao, SUNY Distinguished Professor and Chair, CSE, University at Buffalo

  • Qi Alfred Chen, Assistant Professor, CS, UC Irvine

Acknowledgments