ControlLoc: Physical-World Hijacking Attack on Visual Perception in Autonomous Driving

TL;DR

ControlLoc is a novel physical-world adversarial patch attack that significantly compromises autonomous driving visual perception, achieving high success rates in both digital and real-world scenarios, leading to dangerous driving outcomes.

Contribution

This paper introduces ControlLoc, a two-stage physical adversarial patch attack that effectively hijacks entire autonomous driving visual perception systems, surpassing previous methods in success rate.

Findings

Achieves 98.1% attack success rate across datasets

Attains 77.5% success rate in physical-world tests

Induces 81.3% vehicle collision and emergency stop rates

Abstract

Recent research in adversarial machine learning has focused on visual perception in Autonomous Driving (AD) and has shown that printed adversarial patches can attack object detectors. However, it is important to note that AD visual perception encompasses more than just object detection; it also includes Multiple Object Tracking (MOT). MOT enhances the robustness by compensating for object detection errors and requiring consistent object detection results across multiple frames before influencing tracking results and driving decisions. Thus, MOT makes attacks on object detection alone less effective. To attack such robust AD visual perception, a digital hijacking attack has been proposed to cause dangerous driving scenarios. However, this attack has limited effectiveness. In this paper, we introduce a novel physical-world adversarial patch attack, ControlLoc, designed to exploit hijacking vulnerabilities in entire AD visual perception. ControlLoc utilizes a two-stage process: initially identifying the optimal location for the adversarial patch, and subsequently generating the patch that can modify the perceived location and shape of objects with the optimal location. Extensive evaluations demonstrate the superior performance of ControlLoc, achieving an impressive average attack success rate of around 98.1% across various AD visual perceptions and datasets, which is four times greater effectiveness than the existing hijacking attack. The effectiveness of ControlLoc is further validated in physical-world conditions, including real vehicle tests under different conditions such as outdoor light conditions with an average attack success rate of 77.5%. AD system-level impact assessments are also included, such as vehicle collision, using industry-grade AD systems and production-grade AD simulators with an average vehicle collision rate and unnecessary emergency stop rate of 81.3%.