Targeted Attack on Deep RL-based Autonomous Driving with Learned Visual Patterns
Prasanth Buddareddygari, Travis Zhang, Yezhou Yang, Yi Ren

TL;DR
This paper explores a novel targeted attack method on deep reinforcement learning-based autonomous driving systems by using learned visual patterns on physical objects, demonstrating its feasibility and effectiveness in hijacking control policies.
Contribution
It introduces a new threat model combining physical object manipulation with learned visual patterns to attack autonomous driving policies, showing practical feasibility.
Findings
Pre-trained policies can be hijacked within a time window.
The attack remains effective across different driving scenarios.
There is a tradeoff between attack strength and success rate.
Abstract
Recent studies demonstrated the vulnerability of control policies learned through deep reinforcement learning against adversarial attacks, raising concerns about the application of such models to risk-sensitive tasks such as autonomous driving. Threat models for these demonstrations are limited to (1) targeted attacks through real-time manipulation of the agent's observation, and (2) untargeted attacks through manipulation of the physical environment. The former assumes full access to the agent's states/observations at all times, while the latter has no control over attack outcomes. This paper investigates the feasibility of targeted attacks through visually learned patterns placed on physical objects in the environment, a threat model that combines the practicality and effectiveness of the existing ones. Through analysis, we demonstrate that a pre-trained policy can be hijacked within…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications
