Perception Module Attack Algorithms

Project Overview

This project focuses on developing effective and practical attack algorithms for the perception modules of autonomous driving systems, specifically adversarial and backdoor attacks. The main objective is to design attack strategies that can be deployed in real-world environments and successfully compromise the safety and decision-making capabilities of autonomous vehicles. These attacks will be examined across various sensor modalities (e.g., cameras, LiDAR, radar) and perception tasks (e.g., object detection, semantic segmentation). The project will also explore which attack patterns are reasonable in the real world and investigate defenses to mitigate their effectiveness.

Objectives

  • Adversarial attack algorithms: develop effective adversarial perturbation techniques targeting different perception tasks (e.g., object detection, segmentation) across various sensor types, including white-box and black-box attacks.
  • Backdoor attack algorithms: design backdoor attack strategies that exploit vulnerabilities in the training process of autonomous driving perception models, including dirty-label and clean-label attacks.
  • Test and evaluation process: evaluate the effectiveness of the designed attack algorithms by constructing several typical driving scenarios and designing reasonable evaluation metrics.
  • Sensible attack patterns: design perturbations that are suitable for deployment in realistic scenarios, such as adversarial patches and adversarial textures; perturbations based on paradigm constraints are less suitable.

Deliverables

  • Attack algorithms: a suite of effective and reasonable attack algorithms that target perception modules in autonomous driving systems for testing the safety and robustness of the system.
  • Attack deployment guidelines: a detailed framework for deploying adversarial and backdoor attacks in real-world environments, including physical attack strategies and remote attack methods.
  • Case studies: demonstrations of the developed attack algorithms applied to real-world autonomous driving systems, showcasing the impact on the object detection categories (person, car, stop sign, traffic light, barrier, and bike) and on the segmentation categories (driveable_surface, sidewalk, vegetation, manmade).