Fool the Stoplight: Realistic Adversarial Patch Attacks on Traffic Light Detectors
Svetlana Pavlitska, Jamie Robb, Nikolai Polley, Melih Yazgan, and J. Marius Zöllner

TL;DR
This paper demonstrates realistic adversarial patch attacks on traffic light detectors for autonomous vehicles, showing how printed patches can cause misclassification and label-flipping in real-world and lab settings.
Contribution
It introduces a threat model and training strategy for attacking traffic light CNN detectors with printed patches, including real-world evaluation.
Findings
Successful targeted red-to-green label-flipping attacks.
Effective attacks on pictogram classification.
Real-world demonstration with printed patches.
Abstract
Realistic adversarial attacks on various camera-based perception tasks of autonomous vehicles have been successfully demonstrated so far. However, only a few works considered attacks on traffic light detectors. This work shows how CNNs for traffic light detection can be attacked with printed patches. We propose a threat model, where each instance of a traffic light is attacked with a patch placed under it, and describe a training strategy. We demonstrate successful adversarial patch attacks in universal settings. Our experiments show realistic targeted red-to-green label-flipping attacks and attacks on pictogram classification. Finally, we perform a real-world evaluation with printed patches and demonstrate attacks in the lab settings with a mobile traffic light for construction sites and in a test area with stationary traffic lights. Our code is available at…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Neural Network Applications · Physical Unclonable Functions (PUFs) and Hardware Security
