Autonomous vehicles must obey traffic signs like other road users to ensure safe and efficient transportation. The current vision-based Traffic Sign Recognition (TSR) systems in autonomous driving can correctly perceive the signs in most scenarios, but recent studies have demonstrated that they can be vulnerable to adversarial attacks with small stickers or laser projections. Despite the potential threat, these attack vectors still have limitations in stealthiness and deployability.
To address the limitations, we introduce a novel attack vector named the Adversarial Retroreflective Patch (ARP). This approach can achieve not only high deployability as patch attacks but also similar stealthiness as laser projection attacks by utilizing retroreflective materials, which are activated only when illuminated by the victim’s headlights. To find effective ARP attacks, we design a novel simulation method of retroreflection and maximize the attack effect via a black-box optimization approach. We find that the ARP attack can achieve ≥93.4% success rates in dynamic scenarios 35 meters away and up to 75% attack success rate on a commercial TSR system in driving scenarios (2024 model year Toyota Yaris and Nissan E-Note). Our user study shows that the ARP attacks have almost the same stealthiness as benign signs and have ≥1.9 times higher stealthiness score than previous patch attacks. Finally, we design an effective defense, called Dual Polarizer Retroreflection Shield (DPR Shield), which carefully places two polarized filters. DPR Shield demonstrates 100% defense success rates for stop signs and speed limit signs with micro-prism patches.
We introduce a novel attack vector named the Adversarial Retroreflective Patch (ARP). This approach can achieve not only high deployability as patch attacks but also similar stealthiness as laser projection attacks by utilizing retroreflective materials, which are activated only when illuminated by the victim’s headlights. To find effective ARP attacks, we design a novel simulation method of retroreflection and maximize the attack effect via a black-box optimization approach. We find that the ARP attack can achieve ≥93.4% success rates in dynamic scenarios 35 meters away and a 60% success rate on a commercial TSR system in driving scenarios. Our user study shows that the ARP attacks have almost the same stealthiness as benign signs and have ≥1.9 times higher stealthiness score than previous patch attacks.
We evaluated the effectiveness of the attack against two production traffic sign recognition systems: the 2024 Toyota Yaris and the 2024 Nissan E-Note.
The ARP attack achieved a 60% ASR on the Toyota Yaris and a 75% ASR on the Nissan E-Note.
These results demonstrate that our attack can be effective even against traffic sign recognition models on which, according to previous research, attacks on Speed Limit signs failed to show any effectiveness (0% ASR).
These are the demo videos of our ARP attack in driving scenarios. In this experiment, we mounted the target camera on the dashboard and moved toward the sign at 5 km/h.
Please see the Evaluation under Driving Scenario with Commercial Vehicle section for more details, including the experimental setup and attack success rates.
To study the ARP attack in real-world scenarios, we evaluate the attack effectiveness in an outdoor scenario with a moving vehicle. The results of this experiment demonstrate the feasibility of the ARP attack in real-world driving scenarios.
Recognition Results: R1-1 (STOP Sign)
Recognition Results: M1-4 (Route Sign)
Recognition Results: R2-165 (speed limit 65 mph)
Recognition Results: R2-135 (speed limit 35 mph)
The attacker can control the following parameters to optimize the impact of the ARP attack.
𝑥𝑝, 𝑦𝑝: patch position
W, H : patch width and height
MPR: Maximum ratio of patch area to sign bbox
In addition to these parameters, the attack also depends on environmental factors not controllable by the attacker, such as the ambient light intensity 𝐿.
We design a black-box optimization framework based on the attack parameters to generate effective ARP attacks with Blender, the state-of-the-art 3D shading simulator. The framework consists of three steps:
ARP Physical Property Measurement: The attacker gathers information from manufacturer specifications and camera-based measurements.
Physics-based Retroreflection Modeling: At this step, we reproduce the retroreflection of the retroreflective patch that the attacker uses, based on the data gathered in step 1.
Day-Night Condition-based ARP Attack Optimization: At this step, we optimize the attacker parameters: patch size and patch position.
We then analyze the impact of patch size and patch retroreflective material. We evaluate using YOLOv5 for single-stage architecture and SimpleCNN for two-stage architecture trained on the ARTS dataset, as it provides comprehensive coverage of U.S. traffic signs.
These results indicate effective attack configurations: For the STOP sign, DG4090 material with an MPR of 0.1875 achieves optimal performance (100% ASR) against single-stage architectures, while an MPR of 0.125 is required for maximum effectiveness against two-stage architectures. SL65 sign attacks can be successfully executed using the more economical NittoL with the minimal MPR of 0.0625 for both architectures.
Against YOLOv5 (Single-stage architecture)
Against SimpleCNN (Two-stage architecture)
We evaluate the stealthiness of the ARP attacks, which are expected to be more stealthy than prior patch attacks by design under both inactive (daytime) and active (nighttime) conditions. To evaluate the perceptual stealthiness of ARP attacks, we conducted a user study through Prolific.
We recruited 50 participants, who assessed 60 traffic sign images across five conditions: unmodified signs, two variants of our ARP attack, and two existing attack methods. We created four viewing scenarios for each condition by combining temporal (day/night) and spatial factors at three different distances.
Participants rated each randomly-presented image’s naturalness on a 5-point Likert scale, responding to the statement “This traffic sign appears natural”. After applying an attention-check filter, we retained 37 valid responses for analysis.
Our ARP attack consistently achieved high naturalness ratings (mostly between 1.71 and 2.29) across various scenarios, distances, and times of day, suggesting that participants frequently agreed or somewhat agreed that these modified signs appeared natural.
We identify an alternative defense strategy: DPR Shield, which utilizes polarization filters on both the camera lens and light source. Our approach employs two polarizing filters: one at the headlight to establish a controlled polarization state, and another at the camera to selectively modulate reflected light intensity.
Our results confirmed that both STOP and SL65 signs maintained 100% recognition accuracy with and without our defense mechanism. The defensive effectiveness varied by traffic sign type and model architecture under attack conditions. For STOP sign attacks, DPR Shield successfully reduced the ASR from 100% to 0% across both single-stage and two-stage architectures. For SL65 sign attacks, while DPR Shield achieved complete protection in the single-stage architecture by reducing ASR from 100% to 0%, it only partially mitigated the attack in the two-stage architecture, where ASR decreased from 100% to 25%.
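The two-filter arrangement described for DPR Shield can be reasoned about with Mueller calculus. The following is an added example, not code from the paper or the project: it models headlight filter, reflecting surface and camera filter as a chain of Mueller matrices and shows how the camera filter angle changes the brightness of a patch relative to the surrounding sign. The reflectance and polarization-retention values, including which material retains more polarization, are constructed for illustration and are not measurements.

```python
import math

def polarizer(theta_deg):
    """Mueller matrix of an ideal linear polarizer with its axis at theta_deg."""
    c = math.cos(2 * math.radians(theta_deg))
    s = math.sin(2 * math.radians(theta_deg))
    return [[0.5, 0.5 * c, 0.5 * s, 0.0],
            [0.5 * c, 0.5 * c * c, 0.5 * c * s, 0.0],
            [0.5 * s, 0.5 * c * s, 0.5 * s * s, 0.0],
            [0.0, 0.0, 0.0, 0.0]]

def reflector(reflectance, retention):
    """Partial depolarizer: returns `reflectance` of the incoming intensity and
    keeps a fraction `retention` of its polarization (0 = fully depolarizing).
    Simplification: handedness changes on reflection are ignored."""
    k = reflectance * retention
    return [[reflectance, 0.0, 0.0, 0.0], [0.0, k, 0.0, 0.0],
            [0.0, 0.0, k, 0.0], [0.0, 0.0, 0.0, k]]

def apply(matrix, stokes):
    """Multiply a 4x4 Mueller matrix by a Stokes vector [I, Q, U, V]."""
    return [sum(matrix[i][j] * stokes[j] for j in range(4)) for i in range(4)]

def camera_intensity(reflectance, retention, analyzer_deg):
    """Intensity at the sensor for: unpolarized headlight -> headlight filter
    at 0 degrees -> surface -> camera filter at analyzer_deg."""
    stokes = [1.0, 0.0, 0.0, 0.0]  # unit-intensity unpolarized light
    for m in (polarizer(0.0), reflector(reflectance, retention),
              polarizer(analyzer_deg)):
        stokes = apply(m, stokes)
    return stokes[0]

def patch_to_sign_ratio(patch, sign, analyzer_deg):
    """How much brighter (>1) or darker (<1) the patch looks than the sign."""
    return (camera_intensity(*patch, analyzer_deg)
            / camera_intensity(*sign, analyzer_deg))

# Constructed (reflectance, polarization retention) pairs, not measurements.
PATCH = (0.9, 0.95)  # assumed: bright and strongly polarization-preserving
SIGN = (0.5, 0.30)   # assumed: dimmer and mostly depolarizing

if __name__ == "__main__":
    for angle in (0, 45, 90):
        ratio = patch_to_sign_ratio(PATCH, SIGN, angle)
        print(f"camera filter at {angle:2d} deg: patch/sign = {ratio:.3f}")
```

Under these assumed values the patch is 2.7 times brighter than the sign with parallel filters and about 0.13 times as bright with crossed filters, which is the kind of selective attenuation the defense relies on.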