Less is More: A Stealthy and Efficient Adversarial Attack Method for DRL-based Autonomous Driving Policies

TL;DR

This paper introduces a novel stealthy adversarial attack method on DRL-based autonomous driving policies, significantly increasing attack success rates and efficiency without domain knowledge, thereby exposing vulnerabilities in autonomous driving systems.

Contribution

The paper proposes a DRL-based adversary model that learns optimal attack policies at critical moments, improving attack stealthiness and efficiency without requiring domain knowledge.

Findings

Achieves over 90% collision rate within three attacks in various scenarios.

Improves attack efficiency by over 130% compared to unlimited attack methods.

Validates effectiveness in unprotected left-turn scenarios across different traffic densities.

Abstract

Despite significant advancements in deep reinforcement learning (DRL)-based autonomous driving policies, these policies still exhibit vulnerability to adversarial attacks. This vulnerability poses a formidable challenge to the practical deployment of these policies in autonomous driving. Designing effective adversarial attacks is an indispensable prerequisite for enhancing the robustness of these policies. In view of this, we present a novel stealthy and efficient adversarial attack method for DRL-based autonomous driving policies. Specifically, we introduce a DRL-based adversary designed to trigger safety violations (e.g., collisions) by injecting adversarial samples at critical moments. We model the attack as a mixed-integer optimization problem and formulate it as a Markov decision process. Then, we train the adversary to learn the optimal policy for attacking at critical moments without domain knowledge. Furthermore, we introduce attack-related information and a trajectory clipping method to enhance the learning capability of the adversary. Finally, we validate our method in an unprotected left-turn scenario across different traffic densities. The experimental results show that our method achieves more than 90% collision rate within three attacks in most cases. Furthermore, our method achieves more than 130% improvement in attack efficiency compared to the unlimited attack method.