DARTS: Deceiving Autonomous Cars with Toxic Signs
Chawin Sitawarin, Arjun Nitin Bhagoji, Arsalan Mosenia, Mung Chiang, and Prateek Mittal

TL;DR
This paper introduces DARTS, a set of novel attack methods that use toxic signs to deceive the sign recognition systems of autonomous vehicles, showing that even defended classifiers are vulnerable in both virtual and real-world scenarios.
Contribution
The paper presents two new attack techniques, Out-of-Distribution and Lenticular Printing, to deceive traffic sign recognition, expanding adversarial attack capabilities beyond existing methods.
Findings
Proposed attacks successfully deceive sign recognition systems in real-world tests.
Out-of-Distribution attacks outperform traditional methods against adversarially trained classifiers.
Attacks are effective in both white-box and black-box threat models.
Abstract
Sign recognition is an integral part of autonomous cars. Any misclassification of traffic signs can potentially lead to a multitude of disastrous consequences, ranging from a life-threatening accident to even a large-scale interruption of transportation services relying on autonomous cars. In this paper, we propose and examine security attacks against sign recognition systems for Deceiving Autonomous caRs with Toxic Signs (we call the proposed attacks DARTS). In particular, we introduce two novel methods to create these toxic signs. First, we propose Out-of-Distribution attacks, which expand the scope of adversarial examples by enabling the adversary to generate these starting from an arbitrary point in the image space compared to prior attacks which are restricted to existing training/test data (In-Distribution). Second, we present the Lenticular Printing attack, which relies on an…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques
