Revisiting Adversarial Perception Attacks and Defense Methods on Autonomous Driving Systems

TL;DR

This paper systematically evaluates adversarial attacks and defense strategies on autonomous driving perception systems, revealing their strengths and limitations to improve robustness.

Contribution

It provides a comprehensive analysis of attack and defense methods on real-world ADS perception models, offering insights into their effectiveness and limitations.

Findings

Adversarial training improves robustness but has limitations.

Image processing and contrastive learning offer partial defenses.

Diffusion models show potential but are not foolproof.

Abstract

Autonomous driving systems (ADS) increasingly rely on deep learning-based perception models, which remain vulnerable to adversarial attacks. In this paper, we revisit adversarial attacks and defense methods, focusing on road sign recognition and lead object detection and prediction (e.g., relative distance). Using a Level-2 production ADS, OpenPilot by Comma$.$ai, and the widely adopted YOLO model, we systematically examine the impact of adversarial perturbations and assess defense techniques, including adversarial training, image processing, contrastive learning, and diffusion models. Our experiments highlight both the strengths and limitations of these methods in mitigating complex attacks. Through targeted evaluations of model robustness, we aim to provide deeper insights into the vulnerabilities of ADS perception systems and contribute guidance for developing more resilient defense strategies.