Experimental Evaluation of Security Attacks on Self-Driving Car Platforms

TL;DR

This paper systematically evaluates five types of security attacks on autonomous vehicle platforms, revealing distinct behavioral signatures and laying the groundwork for attack detection and defense mechanisms.

Contribution

It provides the first comprehensive on-hardware experimental analysis of multiple attack classes on low-cost self-driving car platforms, identifying unique attack fingerprints.

Findings

Perception attacks produce high steering deviation with low computational cost.

PGD attacks cause combined steering and computational signatures.

DoS attacks degrade frame rate and latency with minimal control impact.

Abstract

Deep learning-based perception pipelines in autonomous ground vehicles are vulnerable to both adversarial manipulation and network-layer disruption. We present a systematic, on-hardware experimental evaluation of five attack classes: FGSM, PGD, man-in-the-middle (MitM), denial-of-service (DoS), and phantom attacks on low-cost autonomous vehicle platforms (JetRacer and Yahboom). Using a standardized 13-second experimental protocol and comprehensive automated logging, we systematically characterize three dimensions of attack behavior:(i) control deviation, (ii) computational cost, and (iii) runtime responsiveness. Our analysis reveals that distinct attack classes produce consistent and separable "fingerprints" across these dimensions: perception attacks (MitM output manipulation and phantom projection) generate high steering deviation signatures with nominal computational overhead, PGD produces combined steering perturbation and computational load signatures across multiple dimensions, and DoS exhibits frame rate and latency degradation signatures with minimal control-plane perturbation. We demonstrate that our fingerprinting framework generalizes across both digital attacks (adversarial perturbations, network manipulation) and environmental attacks (projected false features), providing a foundation for attack-aware monitoring systems and targeted, signature-based defense mechanisms.