Malicious Agent Detection for Robust Multi-Agent Collaborative Perception

TL;DR

This paper introduces MADE, a novel reactive defense mechanism for multi-agent collaborative perception systems that effectively detects and mitigates malicious agents, significantly improving robustness against adversarial attacks in autonomous driving scenarios.

Contribution

We propose MADE, a semi-supervised anomaly detection method using double-hypothesis tests and the Benjamini-Hochberg procedure for secure multi-agent perception.

Findings

MADE reduces performance drops to 1.28% and 0.34% on benchmark datasets.

MADE outperforms adversarial training in detecting malicious agents.

The method effectively maintains high perception accuracy under attack.

Abstract

Recently, multi-agent collaborative (MAC) perception has been proposed and outperformed the traditional single-agent perception in many applications, such as autonomous driving. However, MAC perception is more vulnerable to adversarial attacks than single-agent perception due to the information exchange. The attacker can easily degrade the performance of a victim agent by sending harmful information from a malicious agent nearby. In this paper, we extend adversarial attacks to an important perception task -- MAC object detection, where generic defenses such as adversarial training are no longer effective against these attacks. More importantly, we propose Malicious Agent Detection (MADE), a reactive defense specific to MAC perception that can be deployed by each agent to accurately detect and then remove any potential malicious agent in its local collaboration network. In particular, MADE inspects each agent in the network independently using a semi-supervised anomaly detector based on a double-hypothesis test with the Benjamini-Hochberg procedure to control the false positive rate of the inference. For the two hypothesis tests, we propose a match loss statistic and a collaborative reconstruction loss statistic, respectively, both based on the consistency between the agent to be inspected and the ego agent where our detector is deployed. We conduct comprehensive evaluations on a benchmark 3D dataset V2X-sim and a real-road dataset DAIR-V2X and show that with the protection of MADE, the drops in the average precision compared with the best-case "oracle" defender against our attack are merely 1.28% and 0.34%, respectively, much lower than 8.92% and 10.00% for adversarial training, respectively.