AdvSwap: Covert Adversarial Perturbation with High Frequency Info-swapping for Autonomous Driving Perception

TL;DR

AdvSwap introduces a wavelet-based high-frequency information swapping technique using invertible neural networks to generate covert adversarial samples that deceive autonomous vehicle perception systems while remaining undetectable to humans.

Contribution

This paper presents a novel adversarial attack method, AdvSwap, which leverages high-frequency info swapping for covert and robust attacks on autonomous vehicle perception modules.

Findings

Effective concealment of adversarial samples against human perception.

High robustness and transferability of the attack.

Successful attacks demonstrated on GTSRB and nuScenes datasets.

Abstract

Perception module of Autonomous vehicles (AVs) are increasingly susceptible to be attacked, which exploit vulnerabilities in neural networks through adversarial inputs, thereby compromising the AI safety. Some researches focus on creating covert adversarial samples, but existing global noise techniques are detectable and difficult to deceive the human visual system. This paper introduces a novel adversarial attack method, AdvSwap, which creatively utilizes wavelet-based high-frequency information swapping to generate covert adversarial samples and fool the camera. AdvSwap employs invertible neural network for selective high-frequency information swapping, preserving both forward propagation and data integrity. The scheme effectively removes the original label data and incorporates the guidance image data, producing concealed and robust adversarial samples. Experimental evaluations and comparisons on the GTSRB and nuScenes datasets demonstrate that AdvSwap can make concealed attacks on common traffic targets. The generates adversarial samples are also difficult to perceive by humans and algorithms. Meanwhile, the method has strong attacking robustness and attacking transferability.