Securing Traffic Sign Recognition Systems in Autonomous Vehicles

TL;DR

This paper examines the vulnerability of traffic sign recognition DNNs to data poisoning attacks and proposes a data augmentation-based training method and detection model to enhance robustness and identify poisoned data.

Contribution

It introduces a novel mitigation scheme using nonlinear transformations and a detection model to defend against error-minimizing data poisoning attacks in traffic sign recognition.

Findings

Error-minimizing attacks drastically reduce accuracy from 99.90% to 10.6%.

The proposed mitigation restores accuracy to 96.05%.

Detection model achieves over 99% success in identifying poisoned data.

Abstract

Deep Neural Networks (DNNs) are widely used for traffic sign recognition because they can automatically extract high-level features from images. These DNNs are trained on large-scale datasets obtained from unknown sources. Therefore, it is important to ensure that the models remain secure and are not compromised or poisoned during training. In this paper, we investigate the robustness of DNNs trained for traffic sign recognition. First, we perform the error-minimizing attacks on DNNs used for traffic sign recognition by adding imperceptible perturbations on training data. Then, we propose a data augmentation-based training method to mitigate the error-minimizing attacks. The proposed training method utilizes nonlinear transformations to disrupt the perturbations and improve the model robustness. We experiment with two well-known traffic sign datasets to demonstrate the severity of the attack and the effectiveness of our mitigation scheme. The error-minimizing attacks reduce the prediction accuracy of the DNNs from 99.90% to 10.6%. However, our mitigation scheme successfully restores the prediction accuracy to 96.05%. Moreover, our approach outperforms adversarial training in mitigating the error-minimizing attacks. Furthermore, we propose a detection model capable of identifying poisoned data even when the perturbations are imperceptible to human inspection. Our detection model achieves a success rate of over 99% in identifying the attack. This research highlights the need to employ advanced training methods for DNNs in traffic sign recognition systems to mitigate the effects of data poisoning attacks.