Evaluating Adversarial Attacks on Driving Safety in Vision-Based Autonomous Vehicles

TL;DR

This paper assesses how adversarial attacks affect the driving safety of vision-based autonomous vehicles, revealing that safety impacts are separate from detection accuracy and that some models are more robust.

Contribution

It introduces an end-to-end evaluation framework for driving safety under adversarial attacks and compares the robustness of two state-of-the-art 3D object detection models.

Findings

Adversarial attack impact on safety is decoupled from detection accuracy.

DSGN model shows greater robustness than Stereo R-CNN.

Safety impact and detection precision are influenced differently by attacks.

Abstract

In recent years, many deep learning models have been adopted in autonomous driving. At the same time, these models introduce new vulnerabilities that may compromise the safety of autonomous vehicles. Specifically, recent studies have demonstrated that adversarial attacks can cause a significant decline in detection precision of deep learning-based 3D object detection models. Although driving safety is the ultimate concern for autonomous driving, there is no comprehensive study on the linkage between the performance of deep learning models and the driving safety of autonomous vehicles under adversarial attacks. In this paper, we investigate the impact of two primary types of adversarial attacks, perturbation attacks and patch attacks, on the driving safety of vision-based autonomous vehicles rather than the detection precision of deep learning models. In particular, we consider two state-of-the-art models in vision-based 3D object detection, Stereo R-CNN and DSGN. To evaluate driving safety, we propose an end-to-end evaluation framework with a set of driving safety performance metrics. By analyzing the results of our extensive evaluation experiments, we find that (1) the attack's impact on the driving safety of autonomous vehicles and the attack's impact on the precision of 3D object detectors are decoupled, and (2) the DSGN model demonstrates stronger robustness to adversarial attacks than the Stereo R-CNN model. In addition, we further investigate the causes behind the two findings with an ablation study. The findings of this paper provide a new perspective to evaluate adversarial attacks and guide the selection of deep learning models in autonomous driving.