Towards Robust LiDAR-based Perception in Autonomous Driving: General Black-box Adversarial Sensor Attack and Countermeasures

TL;DR

This paper identifies a vulnerability in LiDAR perception due to occlusion patterns, introduces a black-box spoofing attack with high success, and proposes defenses that significantly reduce attack success rates, advancing robustness in autonomous driving perception.

Contribution

It uncovers the overlooked occlusion patterns as a vulnerability, develops a universal black-box spoofing attack, and proposes novel defense mechanisms and architecture improvements for robust LiDAR perception.

Findings

Black-box spoofing attack achieves ~80% success rate.

CARLO defense reduces success rate to 5.5%.

SVF further reduces success to 2.3%.

Abstract

Perception plays a pivotal role in autonomous driving systems, which utilizes onboard sensors like cameras and LiDARs (Light Detection and Ranging) to assess surroundings. Recent studies have demonstrated that LiDAR-based perception is vulnerable to spoofing attacks, in which adversaries spoof a fake vehicle in front of a victim self-driving car by strategically transmitting laser signals to the victim's LiDAR sensor. However, existing attacks suffer from effectiveness and generality limitations. In this work, we perform the first study to explore the general vulnerability of current LiDAR-based perception architectures and discover that the ignored occlusion patterns in LiDAR point clouds make self-driving cars vulnerable to spoofing attacks. We construct the first black-box spoofing attack based on our identified vulnerability, which universally achieves around 80% mean success rates on all target models. We perform the first defense study, proposing CARLO to mitigate LiDAR spoofing attacks. CARLO detects spoofed data by treating ignored occlusion patterns as invariant physical features, which reduces the mean attack success rate to 5.5%. Meanwhile, we take the first step towards exploring a general architecture for robust LiDAR-based perception, and propose SVF that embeds the neglected physical features into end-to-end learning. SVF further reduces the mean attack success rate to around 2.3%.