Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
102 tokens/sec
GPT-4o
59 tokens/sec
Gemini 2.5 Pro Pro
43 tokens/sec
o3 Pro
6 tokens/sec
GPT-4.1 Pro
50 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Physical Backdoor Attack can Jeopardize Driving with Vision-Large-Language Models (2404.12916v2)

Published 19 Apr 2024 in cs.CR

Abstract: Vision-Large-Language-models(VLMs) have great application prospects in autonomous driving. Despite the ability of VLMs to comprehend and make decisions in complex scenarios, their integration into safety-critical autonomous driving systems poses serious security risks. In this paper, we propose BadVLMDriver, the first backdoor attack against VLMs for autonomous driving that can be launched in practice using physical objects. Unlike existing backdoor attacks against VLMs that rely on digital modifications, BadVLMDriver uses common physical items, such as a red balloon, to induce unsafe actions like sudden acceleration, highlighting a significant real-world threat to autonomous vehicle safety. To execute BadVLMDriver, we develop an automated pipeline utilizing natural language instructions to generate backdoor training samples with embedded malicious behaviors. This approach allows for flexible trigger and behavior selection, enhancing the stealth and practicality of the attack in diverse scenarios. We conduct extensive experiments to evaluate BadVLMDriver for two representative VLMs, five different trigger objects, and two types of malicious backdoor behaviors. BadVLMDriver achieves a 92% attack success rate in inducing a sudden acceleration when coming across a pedestrian holding a red balloon. Thus, BadVLMDriver not only demonstrates a critical security risk but also emphasizes the urgent need for developing robust defense mechanisms to protect against such vulnerabilities in autonomous driving technologies.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (78)
  1. Drivegpt4: Interpretable end-to-end autonomous driving via large language model. arXiv preprint arXiv:2310.01412, 2023.
  2. Drivelm: Driving with graph visual question answering. arXiv preprint arXiv:2312.14150, 2023.
  3. Reason2drive: Towards interpretable and chain-based reasoning for autonomous driving. arXiv preprint arXiv:2312.03661, 2023.
  4. Drama: Joint risk localization and captioning in driving. In Proceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision, pages 1043–1052, 2023.
  5. On the road with gpt-4v (ision): Early explorations of visual-language model on autonomous driving. arXiv preprint arXiv:2311.05332, 2023.
  6. Nuscenes-qa: A multi-modal visual question answering benchmark for autonomous driving scenario. arXiv preprint arXiv:2305.14836, 2023.
  7. Drivevlm: The convergence of autonomous driving and large vision-language models. arXiv preprint arXiv:2402.12289, 2024.
  8. Shadowcast: Stealthy data poisoning attacks against vision-language models. arXiv preprint arXiv:2402.06659, 2024.
  9. Adversarial prompt tuning for vision-language models. arXiv preprint arXiv:2311.11261, 2023.
  10. Test-time backdoor attacks on multimodal large language models. arXiv preprint arXiv:2402.08577, 2024.
  11. Models and methods for collision analysis: A comparison study based on the uber collision with a pedestrian. Safety Science, 120:117–128, 2019.
  12. THE WHITE HOUSE. Executive order on the safe, secure, and trustworthy development and use of artificial intelligence. https://www.whitehouse.gov/briefing-room/presidential-actions/2023/10/30/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence/, 2023. 2024-03-05.
  13. Improving image generation with better captions. Computer Science. https://cdn. openai. com/papers/dall-e-3. pdf, 2(3):8, 2023.
  14. nuscenes: A multimodal dataset for autonomous driving. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 11621–11631, 2020.
  15. The stanford entry in the urban challenge. Journal of Field Robotics, 7(9):468–492, 2008.
  16. Stanley: The robot that won the darpa grand challenge. Journal of field Robotics, 23(9):661–692, 2006.
  17. Odin: Team victortango’s entry in the darpa urban challenge. Journal of field Robotics, 25(8):467–492, 2008.
  18. A perception-driven autonomous urban vehicle. Journal of Field Robotics, 25(10):727–774, 2008.
  19. Autonomous driving in urban environments: Boss and the urban challenge. Journal of field Robotics, 25(8):425–466, 2008.
  20. Second: Sparsely embedded convolutional detection. Sensors, 18(10):3337, 2018.
  21. Pointpillars: Fast encoders for object detection from point clouds. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 12697–12705, 2019.
  22. Bevformer: Learning bird’s-eye-view representation from multi-camera images via spatiotemporal transformers. In European conference on computer vision, pages 1–18. Springer, 2022.
  23. Vectornet: Encoding hd maps and agent dynamics from vectorized representation. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 11525–11533, 2020.
  24. Learning lane graph representations for motion forecasting. In Computer Vision–ECCV 2020: 16th European Conference, Glasgow, UK, August 23–28, 2020, Proceedings, Part II 16, pages 541–556. Springer, 2020.
  25. Aware of the history: Trajectory forecasting with the local behavior data. In European Conference on Computer Vision, pages 393–409. Springer, 2022.
  26. Precog: Prediction conditioned on goals in visual multi-agent settings. In Proceedings of the IEEE/CVF International Conference on Computer Vision, pages 2821–2830, 2019.
  27. Perceive, predict, and plan: Safe motion planning through interpretable semantic representations. In Computer Vision–ECCV 2020: 16th European Conference, Glasgow, UK, August 23–28, 2020, Proceedings, Part XXIII 16, pages 414–430. Springer, 2020.
  28. Mp3: A unified model to map, perceive, predict and plan. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 14403–14412, 2021.
  29. Planning-oriented autonomous driving. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 17853–17862, 2023.
  30. Training language models to follow instructions with human feedback. NIPS, 35:27730–27744, 2022.
  31. Llama: Open and efficient foundation language models. arXiv preprint arXiv:2302.13971, 2023.
  32. Llama 2: Open foundation and fine-tuned chat models. arXiv preprint arXiv:2307.09288, 2023.
  33. Vicuna: An open-source chatbot impressing gpt-4 with 90%* chatgpt quality. See https://vicuna. lmsys. org (accessed 14 April 2023), 2023.
  34. Gpt-driver: Learning to drive with gpt. arXiv preprint arXiv:2310.01415, 2023.
  35. A language agent for autonomous driving. arXiv preprint arXiv:2311.10813, 2023.
  36. Dilu: A knowledge-driven approach to autonomous driving with large language models. arXiv preprint arXiv:2309.16292, 2023.
  37. Lmdrive: Closed-loop end-to-end driving with large language models. arXiv preprint arXiv:2312.07488, 2023.
  38. Dme-driver: Integrating human decision logic and 3d scene perception in autonomous driving. arXiv preprint arXiv:2401.03641, 2024.
  39. Flamingo: a visual language model for few-shot learning. Advances in Neural Information Processing Systems, 35:23716–23736, 2022.
  40. Visual instruction tuning. arXiv preprint arXiv:2304.08485, 2023.
  41. Blip-2: Bootstrapping language-image pre-training with frozen image encoders and large language models. arXiv preprint arXiv:2301.12597, 2023.
  42. Instructblip: Towards general-purpose vision-language models with instruction tuning, 2023.
  43. Minigpt-4: Enhancing vision-language understanding with advanced large language models. arXiv preprint arXiv:2304.10592, 2023.
  44. Hilm-d: Towards high-resolution understanding in multimodal large language models for autonomous driving. arXiv preprint arXiv:2309.05186, 2023.
  45. Adversarial Learning and Secure AI. Cambridge University Press, 2023.
  46. Targeted backdoor attacks on deep learning systems using data poisoning. https://arxiv.org/abs/1712.05526v1, 2017.
  47. Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733, 2017.
  48. Backdoor attack against speaker verification. In IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2021.
  49. Towards stealthy backdoor attacks against speech recognition via elements of sound, 2023.
  50. Clean-label backdoor attacks on video recognition models. In IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2020.
  51. A backdoor attack against 3D point cloud classifiers. In Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV), 2021.
  52. Detecting backdoor attacks against point cloud classifiers. In IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2022.
  53. BadNL: Backdoor Attacks against NLP Models with Semantic-Preserving Improvements, page 554–569. 2021.
  54. Trojaning language models for fun and profit. In 2021 IEEE European Symposium on Security and Privacy (EuroS&P), pages 179–197, 2021.
  55. Mind the style of text! adversarial and backdoor attacks based on text style transfer. In Proceedings of the 2021 Conference on Empirical Methods in Natural Language Processing, 2021.
  56. Trojtext: Test-time invisible textual trojan insertion. In The Eleventh International Conference on Learning Representations, 2023.
  57. Test-time backdoor attacks on multimodal large language models. CoRR, abs/2402.08577, 2024.
  58. Open-source can be dangerous: On the vulnerability of value alignment in open-source LLMs, 2024.
  59. Christopher M Bishop. Pattern recognition and machine learning. Springer google schola, 2:5–43, 2006.
  60. Imagen editor and editbench: Advancing and evaluating text-guided image inpainting. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 18359–18369, 2023.
  61. Subject-driven text-to-image generation via apprenticeship learning. Advances in Neural Information Processing Systems, 36, 2024.
  62. Prompt-to-prompt image editing with cross-attention control. In The Eleventh International Conference on Learning Representations, 2023.
  63. Instructpix2pix: Learning to follow image editing instructions. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 18392–18402, 2023.
  64. Magicbrush: A manually annotated dataset for instruction-guided image editing. Advances in Neural Information Processing Systems, 36, 2024.
  65. Backdoor learning: A survey. IEEE Transactions on Neural Networks and Learning Systems, 2022.
  66. Zephyr: Direct distillation of lm alignment. arXiv preprint arXiv:2310.16944, 2023.
  67. Visual instruction tuning. Advances in neural information processing systems, 36, 2024.
  68. Improved baselines with visual instruction tuning. In NeurIPS 2023 Workshop on Instruction Tuning and Instruction Following, 2023.
  69. Learning transferable visual models from natural language supervision. In International conference on machine learning, pages 8748–8763. PMLR, 2021.
  70. Badchain: Backdoor chain-of-thought prompting for large language models. arXiv preprint arXiv:2401.12242, 2024.
  71. Making the v in vqa matter: Elevating the role of image understanding in visual question answering. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 6904–6913, 2017.
  72. Gqa: A new dataset for real-world visual reasoning and compositional question answering. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 6700–6709, 2019.
  73. Robust physical-world attacks on deep learning visual classification. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 1625–1634, 2018.
  74. Spectral signatures in backdoor attacks. Advances in neural information processing systems, 31, 2018.
  75. Backdoor defense via decoupling the training process. In International Conference on Learning Representations, 2021.
  76. Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. In 2019 IEEE Symposium on Security and Privacy (SP), pages 707–723. IEEE, 2019.
  77. Umd: Unsupervised model detection for x2x backdoor attacks. arXiv preprint arXiv:2305.18651, 2023.
  78. TheBloke. Wizard-vicuna-7b-uncensored-hf. https://huggingface.co/TheBloke/Wizard-Vicuna-7B-Uncensored-HF, 2024.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (6)
  1. Zhenyang Ni (7 papers)
  2. Rui Ye (42 papers)
  3. Yuxi Wei (7 papers)
  4. Zhen Xiang (42 papers)
  5. Yanfeng Wang (211 papers)
  6. Siheng Chen (152 papers)
Citations (6)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets