Rogue Signs: Deceiving Traffic Sign Recognition with Malicious Ads and Logos

TL;DR

This paper introduces a novel physical-world attack method that manipulates signs and ads to deceive autonomous vehicle traffic sign recognition systems with high success rates, highlighting new security vulnerabilities.

Contribution

It presents a robust sign embedding attack that generates physical adversarial examples effective across various environmental conditions, expanding the scope of attack vectors against AVs.

Findings

Adversarial success rate exceeds 95% in physical tests.

Attack remains effective across different distances, lighting, and angles.

Method outperforms previous sign modification attacks.

Abstract

We propose a new real-world attack against the computer vision based systems of autonomous vehicles (AVs). Our novel Sign Embedding attack exploits the concept of adversarial examples to modify innocuous signs and advertisements in the environment such that they are classified as the adversary's desired traffic sign with high confidence. Our attack greatly expands the scope of the threat posed to AVs since adversaries are no longer restricted to just modifying existing traffic signs as in previous work. Our attack pipeline generates adversarial samples which are robust to the environmental conditions and noisy image transformations present in the physical world. We ensure this by including a variety of possible image transformations in the optimization problem used to generate adversarial samples. We verify the robustness of the adversarial samples by printing them out and carrying out drive-by tests simulating the conditions under which image capture would occur in a real-world scenario. We experimented with physical attack samples for different distances, lighting conditions and camera angles. In addition, extensive evaluations were carried out in the virtual setting for a variety of image transformations. The adversarial samples generated using our method have adversarial success rates in excess of 95% in the physical as well as virtual settings.