Adversarial Driving: Attacking End-to-End Autonomous Driving

TL;DR

This paper demonstrates that end-to-end autonomous driving neural networks are vulnerable to real-time, input-perturbing adversarial attacks that significantly alter steering outputs, highlighting security concerns.

Contribution

It introduces two novel white-box targeted adversarial attack methods against end-to-end autonomous driving models, showing their effectiveness in real-time scenarios.

Findings

Attacks cause steering deviations of 0.478 and 0.111 on average.

Attacks are executable in real-time on CPUs without GPUs.

Random noise causes negligible steering deviation.

Abstract

As research in deep neural networks advances, deep convolutional networks become promising for autonomous driving tasks. In particular, there is an emerging trend of employing end-to-end neural network models for autonomous driving. However, previous research has shown that deep neural network classifiers are vulnerable to adversarial attacks. While for regression tasks, the effect of adversarial attacks is not as well understood. In this research, we devise two white-box targeted attacks against end-to-end autonomous driving models. Our attacks manipulate the behavior of the autonomous driving system by perturbing the input image. In an average of 800 attacks with the same attack strength (epsilon=1), the image-specific and image-agnostic attack deviates the steering angle from the original output by 0.478 and 0.111, respectively, which is much stronger than random noises that only perturbs the steering angle by 0.002 (The steering angle ranges from [-1, 1]). Both attacks can be initiated in real-time on CPUs without employing GPUs. Demo video: https://youtu.be/I0i8uN2oOP0.