Towards Robust LiDAR-based Perception in Autonomous Driving: General Black-box Adversarial Sensor Attack and Countermeasures (2006.16974v1)

Abstract: Perception plays a pivotal role in autonomous driving systems, which utilizes onboard sensors like cameras and LiDARs (Light Detection and Ranging) to assess surroundings. Recent studies have demonstrated that LiDAR-based perception is vulnerable to spoofing attacks, in which adversaries spoof a fake vehicle in front of a victim self-driving car by strategically transmitting laser signals to the victim's LiDAR sensor. However, existing attacks suffer from effectiveness and generality limitations. In this work, we perform the first study to explore the general vulnerability of current LiDAR-based perception architectures and discover that the ignored occlusion patterns in LiDAR point clouds make self-driving cars vulnerable to spoofing attacks. We construct the first black-box spoofing attack based on our identified vulnerability, which universally achieves around 80% mean success rates on all target models. We perform the first defense study, proposing CARLO to mitigate LiDAR spoofing attacks. CARLO detects spoofed data by treating ignored occlusion patterns as invariant physical features, which reduces the mean attack success rate to 5.5%. Meanwhile, we take the first step towards exploring a general architecture for robust LiDAR-based perception, and propose SVF that embeds the neglected physical features into end-to-end learning. SVF further reduces the mean attack success rate to around 2.3%.

A Comprehensive Perspective on Robust LiDAR-based Perception in Autonomous Vehicles

The paper "Towards Robust LiDAR-based Perception in Autonomous Driving: General Black-box Adversarial Sensor Attack and Countermeasures" offers an intricate examination of the vulnerabilities inherent in current LiDAR-based perception systems utilized in autonomous vehicles (AVs). The emphasis is on the susceptibility of these systems to black-box adversarial attacks and the development of effective countermeasures.

Key Contributions and Findings

1. Identification of Vulnerabilities: The paper identifies a notable vulnerability affecting LiDAR-based 3D object detection models, which are critical for accurate environmental perception in autonomous driving. The research highlights that these models fail to correctly account for occlusion patterns within LiDAR point clouds. Failures to consider inter-object and intra-object occlusion have been pinpointed as critical oversight, facilitating adversaries in executing successful spoofing attacks with minimal points.
2. Black-box Spoofing Attacks: The authors developed the first black-box spoofing attack demonstrating approximately 80% mean success rates across various state-of-the-art models, including bird’s-eye view, voxel-based, and point-wise designs. This attack is unique because it does not require knowledge of the target model's internal parameters, only leveraging the identified occlusion vulnerability.
3. Countermeasure Proposals: To counteract these spoofing attacks, the creation of CARLO, a model-agnostic defense mechanism, and SVF (Sequential View Fusion), a robust architecture embedding physical realities of LiDAR into the learning process, were proposed. CARLO efficiently detects spoofed data, reducing the mean attack success rate to about 5.5%, while SVF goes further to 2.3%.
4. Expansive Evaluation: The paper conducts extensive evaluations using datasets like KITTI and through practical experiments. Notably, CARLO effectively distinguishes between genuine and spoofed vehicle detections with high precision (99.5%), and SVF demonstrates resilience against sophisticated white-box adversarial attacks.

Practical Implications

The findings of this paper hold significant implications for the field of autonomous driving:

• Improved Safety and Reliability: The advancement of defenses such as CARLO and SVF enhances the robustness of AV perception systems, which directly translates to increased safety on the roads by mitigating the risks of adversarial manipulation.
• Framework for Future Research: The identification of vulnerabilities and subsequent defense strategies not only address immediate security concerns but also contribute to a framework for future research aimed at making AV perception systems resilient to evolving threats.

Theoretical Implications and Future Directions

Theoretically, the paper highlights crucial aspects of model architecture in deep learning, specifically the need to embed awareness of physical and geometric invariants into model design. This work suggests that enhancing neural networks with robust physical principles can be a path forward for multiple vision-based AI applications.

Future directions could explore:

• Enhanced Model Verification: Developing frameworks for model analysis that can predict potential vulnerabilities before deployment.
• Integration with Multi-modal Systems: Combining LiDAR with other sensor data (e.g., cameras, radar) using integrated defenses to provide comprehensive protection across modalities.

In conclusion, this paper makes a notable contribution to the ongoing challenges in autonomous driving AI by uncovering and addressing vulnerabilities in LiDAR-based perception. The proposed defense strategies not only provide robust protection today but offer insights that could shape the design philosophies of future AI networks in autonomous vehicles and beyond.