
COMMIT: Certifying Robustness of Multi-Sensor Fusion Systems against Semantic Attacks (2403.02329v1)

Published 4 Mar 2024 in cs.LG, cs.CR, and cs.CV

Abstract: Multi-sensor fusion systems (MSFs) play a vital role as the perception module in modern autonomous vehicles (AVs). Therefore, ensuring their robustness against common and realistic adversarial semantic transformations, such as rotation and shifting in the physical world, is crucial for the safety of AVs. While empirical evidence suggests that MSFs exhibit improved robustness compared to single-modal models, they are still vulnerable to adversarial semantic transformations. Despite the proposal of empirical defenses, several works show that these defenses can be attacked again by new adaptive attacks. So far, there is no certified defense proposed for MSFs. In this work, we propose the first robustness certification framework COMMIT to certify robustness of multi-sensor fusion systems against semantic attacks. In particular, we propose a practical anisotropic noise mechanism that leverages randomized smoothing with multi-modal data and performs a grid-based splitting method to characterize complex semantic transformations. We also propose efficient algorithms to compute the certification in terms of object detection accuracy and IoU for large-scale MSF models. Empirically, we evaluate the efficacy of COMMIT in different settings and provide a comprehensive benchmark of certified robustness for different MSF models using the CARLA simulation platform. We show that the certification for MSF models is at most 48.39% higher than that of single-modal models, which validates the advantages of MSF models. We believe our certification framework and benchmark will contribute an important step towards certifiably robust AVs in practice.

