AD$^2$: Analysis and Detection of Adversarial Threats in Visual Perception for End-to-End Autonomous Driving Systems

TL;DR

This paper evaluates the vulnerability of end-to-end autonomous driving systems to various adversarial attacks in a simulated environment and proposes a lightweight detection method to improve robustness.

Contribution

It introduces a comprehensive evaluation of adversarial threats in autonomous driving and proposes a novel attention-based detection model for such threats.

Findings

Severe vulnerabilities found in state-of-the-art agents under attack.

Detection model achieves high accuracy and efficiency in experiments.

Attacks can reduce driving performance by up to 99%.

Abstract

End-to-end autonomous driving systems have achieved significant progress, yet their adversarial robustness remains largely underexplored. In this work, we conduct a closed-loop evaluation of state-of-the-art autonomous driving agents under black-box adversarial threat models in CARLA. Specifically, we consider three representative attack vectors on the visual perception pipeline: (i) a physics-based blur attack induced by acoustic waves, (ii) an electromagnetic interference attack that distorts captured images, and (iii) a digital attack that adds ghost objects as carefully crafted bounded perturbations on images. Our experiments on two advanced agents, Transfuser and Interfuser, reveal severe vulnerabilities to such attacks, with driving scores dropping by up to 99% in the worst case, raising valid safety concerns. To help mitigate such threats, we further propose a lightweight Attack Detection model for Autonomous Driving systems (AD$^2$) based on attention mechanisms that capture spatial-temporal consistency. Comprehensive experiments across multi-camera inputs on CARLA show that our detector achieves superior detection capability and computational efficiency compared to existing approaches.