DeepBillboard: Systematic Physical-World Testing of Autonomous Driving Systems (1812.10812v1)

Abstract: Deep Neural Networks (DNNs) have been widely applied in many autonomous systems such as autonomous driving. Recently, DNN testing has been intensively studied to automatically generate adversarial examples, which inject small-magnitude perturbations into inputs to test DNNs under extreme situations. While existing testing techniques prove to be effective, they mostly focus on generating digital adversarial perturbations (particularly for autonomous driving), e.g., changing image pixels, which may never happen in physical world. There is a critical missing piece in the literature on autonomous driving testing: understanding and exploiting both digital and physical adversarial perturbation generation for impacting steering decisions. In this paper, we present DeepBillboard, a systematic physical-world testing approach targeting at a common and practical driving scenario: drive-by billboards. DeepBillboard is capable of generating a robust and resilient printable adversarial billboard, which works under dynamic changing driving conditions including viewing angle, distance, and lighting. The objective is to maximize the possibility, degree, and duration of the steering-angle errors of an autonomous vehicle driving by the generated adversarial billboard. We have extensively evaluated the efficacy and robustness of DeepBillboard through conducting both digital and physical-world experiments. Results show that DeepBillboard is effective for various steering models and scenes. Furthermore, DeepBillboard is sufficiently robust and resilient for generating physical-world adversarial billboard tests for real-world driving under various weather conditions. To the best of our knowledge, this is the first study demonstrating the possibility of generating realistic and continuous physical-world tests for practical autonomous driving systems.

• The paper demonstrates a novel physical-world testing approach (Pi) that systematically generates adversarial billboard perturbations to alter steering decisions.
• It employs a robust joint optimization algorithm to maximize steering errors across varied real-world conditions, achieving deviations up to 26.44 degrees.
• The method ensures physical viability by accounting for printer fabrication errors, paving the way for scalable safety assessments in autonomous driving systems.

Systematic Physical-World Testing of Autonomous Driving Systems

Autonomous driving systems are increasingly reliant on Deep Neural Networks (DNNs) for steering control in complex environments. However, the integrity of these systems can be compromised by adversarial inputs, highlighting the necessity for comprehensive testing methodologies that account for both digital and physical perturbations. The paper, "Systematic Physical-World Testing of Autonomous Driving Systems," presents an approach named $\Pi$, designed to evaluate steering control systems using robust printable adversarial tests.

The core contribution of the paper lies in demonstrating the feasibility of systematically generating physical perturbations that can alter steering decisions in dynamic real-world scenarios, specifically focusing on continuous exposure conditions such as drive-by billboards. While previous works predominantly addressed digital adversarial examples or static physical objects under controlled conditions, this approach extends adversarial testing into real-world environments with varying angles, distances, and lighting, thereby ensuring relevance to practical autonomous driving scenarios.

Key Findings and Methodological Approach

The paper outlines a joint optimization algorithm capable of producing adversarial perturbations for roadside billboards, affecting steering models during the driving-by process. $\Pi$ performs the following:

• Robust Joint Optimization: Generates perturbations for all image frames in a driving scenario, targeting maximized steering angle errors across varied frames captured at different positions relative to the billboard.
• Maximizing Perturbation Effectiveness: Specific techniques minimize interference among frame-specific perturbations and adjust for real-world environmental factors such as lighting.
• Printable Perturbations: Ensures perturbations are robust to physical constraints like printer fabrication errors, leveraging a non-printability score to maintain adversarial efficacy.

In extensive experiments conducted both digitally and physically, $\Pi$ demonstrated substantial mis-steering capabilities across different models and driving contexts, with steering angle deviations reaching up to 26.44 degrees in physical-world case studies. The findings support that the proposed adversarial perturbations remain effective despite evolving viewing conditions. This highlights the necessity of adopting such methodologies for assessing real-world robustness in autonomous systems.

Implications and Future Directions

The paper opens pathways for several practical and theoretical advancements:

• Broader Application Scope: While billboards serve as the primary testing surface, the approach is adaptable to other roadside entities, suggesting potential utility in diverse domains such as traffic signs or temporary road markings.
• Improved Safety Protocols: Integrating systematic testing using physical adversarial examples may inform the development of resilience measures, enhancing autonomous systems against adversarial attacks.
• Scalable Testing Framework: The generalization of methodologies like $\Pi$ can contribute to standardized testing frameworks for autonomous systems, covering a broader spectrum of real-world conditions.

The paper advances the discourse on adversarial testing by bridging the gap between digital experiments and real-world applicability. By focusing on a common driving scenario, the authors provide contributions to the field not only in exploring DNN vulnerabilities but also in adapting existing models to real-world constraints, fostering future innovations in secure autonomous driving technologies.