System Model for AD AI Adversarial Attacks

To understand the end-to-end system-level impacts of an adversarial attack against a targeted AI component in an AD system (e.g., whether it can indeed effectively cause undesired AD system-level property violations), we need to systematically consider and integrate the overall system semantics and context that enclose such AI component into the security analysis. In this paper, we call a systematic abstraction of such system semantics and context the system model of such AD AI adversarial attacks. Specifically, in the AD context we identify 3 essential sub-components in such system model: 1) the AD system model, i.e., the full-stack AD system pipeline that encloses the attack-targeted AI components and closed-loop control, e.g., the object tracking, planning, and control pipeline for the object detection AI component; 2) the vehicle plant model, which defines the physical properties of the underlying vehicle system under control, e.g., maximum/minimum acceleration/deceleration, steering rates, sensor mounting positions, etc.; and 3) the attack-targeted operation scenario model, which defines the physical driving environment setup, driving norms (e.g., traffic rules), and the system-level attack goal (e.g., vehicle collision, traffic rule violation, etc.) targeted by the AD AI adversarial attack.

System Model for Adversarial Object-Evasion Attacks

The figure above illustrates the aforementioned system model defined for the adversarial object-evasion attack. The AD system model for object detection (the targeted AI component in adversarial object-evasion attacks) mainly includes its downstream tasks of object tracking, planning, and control, and closed-loop control. The vehicle plant model mainly includes the physical properties related to longitudinal control, e.g., the minimum brake distance (d_{min}), and the distance to the stop line (stop to avoid violating traffic rules or crashes) where the stop line is out of sight in the camera image d_{oos} (depending on the hood length and the camera mounting position). The operation scenario model includes the speed limit, lane width, the relative positioning and facing of the object to the ego lane, the driving norm that the vehicle typically drives at constant speed before it starts to see the object (d_{max}), and the system-level attack goal that triggers the traffic rule violation (i.e., hit into the object or exceeding the stop line). There exists several example attacks for the system model such as STOP sign-evasion attack, which is the most extensively-studied physical adversarial object evasion attack in AD context; pedestrian-evasion attack; etc.

• Methodology and setup

  • AD system pipeline: PASS

    • A system-driven evaluation platform for AD AI security research, to perform system-level evaluations

  • Perception results modeling from physical world

    • Goal: improve the perception fidelity in simulation 

    • Collecting the perception results in the physical world and inject the results into the simulator

• Attack generation and evaluation methodology

  • Same methodology as before

• Results

  • System-level effects can be improved, i.e., the violation rate increases by around 70%