Adversarial Vulnerability of Temporal Feature Networks for Object Detection

TL;DR

This paper investigates the vulnerability of temporal feature networks in autonomous driving to adversarial attacks and demonstrates that adversarial training can improve robustness without significantly harming detection performance.

Contribution

It is the first study to evaluate adversarial vulnerabilities of temporal object detection networks and proposes adversarial training to enhance their robustness.

Findings

Temporal attacks can fool the network with partial input perturbations.

Adversarial training with PGD improves robustness against attacks.

Robustified models maintain comparable detection accuracy.

Abstract

Taking into account information across the temporal domain helps to improve environment perception in autonomous driving. However, it has not been studied so far whether temporally fused neural networks are vulnerable to deliberately generated perturbations, i.e. adversarial attacks, or whether temporal history is an inherent defense against them. In this work, we study whether temporal feature networks for object detection are vulnerable to universal adversarial attacks. We evaluate attacks of two types: imperceptible noise for the whole image and locally-bound adversarial patch. In both cases, perturbations are generated in a white-box manner using PGD. Our experiments confirm, that attacking even a portion of a temporal input suffices to fool the network. We visually assess generated perturbations to gain insights into the functioning of attacks. To enhance the robustness, we apply adversarial training using 5-PGD. Our experiments on KITTI and nuScenes datasets demonstrate, that a model robustified via K-PGD is able to withstand the studied attacks while keeping the mAP-based performance comparable to that of an unattacked model.