
Adversarial Attacks on Deep Neural Networks for Autonomous Driving: A Comprehensive Inquiry into Vulnerabilities and Defense Mechanisms

Authors

Robert Nguyen


Abstract

Autonomous driving has become one of the most ambitious and disruptive applications of artificial intelligence, promising significant improvements in road safety, traffic flow, and transportation accessibility. At the heart of modern self-driving vehicles lies an intricate network of machine learning models, many of which rely on deep neural networks (DNNs) to perform critical perception tasks, such as object detection, semantic segmentation, and traffic sign recognition. These DNN-driven subsystems demonstrate remarkable performance under normal conditions, accurately identifying pedestrians, cars, and signage in complex, real-world environments. Yet a major concern has surfaced within both academic and industrial communities: the susceptibility of these high-dimensional, seemingly robust models to adversarial attacks.

Adversarial attacks entail crafting subtle perturbations—often imperceptible to human observers—that drastically alter a DNN’s output. In autonomous driving, attackers can manipulate road signage or sensor data to mislead the perception modules, leading vehicles to make incorrect or even dangerous decisions. Particularly distressing is the fact that such attacks can be actualized physically, for example, by placing stickers or patches on signs or the roadway surface. These minor alterations, while barely noticeable to human drivers, can cause neural networks to categorize stop signs as speed-limit signs, or to miss an obstacle entirely.

This paper provides a detailed and expansive investigation into the vulnerabilities and defense mechanisms of deep neural networks for autonomous driving. Moving beyond general adversarial literature, it situates adversarial examples in the specialized realm of self-driving vehicles, highlighting how factors like sensor fusion, real-time decision-making constraints, and safety-critical requirements influence both the nature of attacks and the potential efficacy of defensive strategies. We begin by describing the rapid evolution of deep learning in autonomous driving, tracing how convolutional neural networks rose to prominence in tasks like lane detection and traffic sign classification. Subsequently, we develop a taxonomy of adversarial threats, distinguishing among white-box, black-box, physical, digital, targeted, and untargeted methods. We also discuss specific techniques designed to fool not only camera-based perception but, increasingly, LiDAR and radar systems as well.

Building on this taxonomy, we explore a variety of defense mechanisms, including adversarial training, detection and filtering approaches, gradient obfuscation, sensor fusion, and certified robustness methods. Each defensive category is analyzed in light of autonomous driving’s stringent performance requirements, such as real-time operation, low-latency inference, and the overarching necessity of ensuring passenger and pedestrian safety. The paper then addresses practical considerations: the computational overhead of robust training, the challenges of conducting realistic physical evaluations, and emerging avenues like hardware security, sensor spoofing, and the legal and ethical dimensions of adversarial attacks on driverless cars.

By synthesizing the latest advances in adversarial research with the distinct demands of self-driving technology, we offer not just a snapshot of the field but also a forward-looking blueprint for developing resilient autonomous vehicles. Finally, we identify critical open questions—ranging from multi-modal adversarial strategies to standardized testing frameworks—and discuss how collaboration across academia, industry, and regulatory bodies will be critical for ensuring that self-driving systems are both innovative and secure. Ultimately, this work aims to catalyze deeper engagement with the complex intersection of adversarial machine learning and autonomous transportation, guiding the community toward safer, more robust implementations of AI on our roads.

Introduction

Artificial intelligence has undergone a dramatic evolution over the past two decades, permeating diverse sectors including healthcare, finance, robotics, and transportation. Among these applications, autonomous driving is particularly noteworthy for its potential to mitigate road accidents—a global cause of injury and mortality—while transforming how cities organize traffic flow and infrastructure. Multiple carmakers and technology companies have announced ambitious goals to roll out fully self-driving fleets, an aspiration fueled by continuous breakthroughs in deep learning. In practice, however, turning these cutting-edge algorithms into real-world solutions involves confronting a complex mosaic of engineering, economic, and societal challenges.

One of the most perplexing challenges is the phenomenon of adversarial attacks on deep neural networks (DNNs). In the realm of computer vision, it has been consistently demonstrated that imperceptible noise can cause even highly capable models to misclassify or ignore objects. An image that is slightly altered—yet identical to human eyes—might be perceived as a completely different category by a neural network. While this vulnerability was once perceived as a mere novelty in academia, the implications for safety-critical domains such as autonomous driving are now undeniably serious. What if a self-driving car misreads a stop sign as a speed-limit sign due to a few strategically placed stickers? The dire consequences of such an event have propelled adversarial research into mainstream discourse, prompting AI developers, automakers, and regulatory authorities to treat adversarial robustness as a top priority.

The Promise and Peril of Deep Learning in Self-Driving Systems

Deep learning techniques—particularly convolutional neural networks (CNNs)—underpin nearly every stage of autonomous perception, from identifying vehicles and pedestrians to tracking lane boundaries. Moreover, advanced models such as Transformers and graph-based neural networks are starting to be explored for tasks like scene understanding and motion prediction. These architectures deliver robust performance under typical conditions, adapting to variations in weather, traffic density, and road geometry. But they remain vulnerable to cunning manipulations that exploit the high-dimensional nature of learned representations. Even minor, well-crafted pixel perturbations can dramatically alter a network’s output, effectively revealing “blind spots” that compromise safety.

Beyond theoretical vulnerabilities, real-world experiments illustrate how adversarial attacks traverse the digital-physical boundary with disturbing ease. Researchers have shown that printing out patterns or even projecting light can fool highly accurate classifiers. An attacker can thus create illusions—like turning a yield sign into a stop sign or inserting phantom obstacles—without needing direct access to the vehicle’s internal software. The immediacy of these threats means the automotive industry must adopt a proactive stance, seeking to identify and address weaknesses before large-scale autonomous deployment.

The Specific Focus of This Research Paper

This paper aims to offer a comprehensive inquiry into adversarial vulnerabilities and defense mechanisms specific to deep neural networks powering autonomous vehicles. While the general concept of adversarial attacks has been documented in multiple machine learning fields, the distinctive constraints of self-driving cars—real-time inference, physical tests, sensor fusion, and stringent safety requirements—necessitate a more specialized exploration. We structure our work to:

Clarify the Autonomous Driving Context: We survey the historical and ongoing development of AI-driven self-driving technology, emphasizing how neural networks rose to dominate perception tasks. In doing so, we underline why these tasks are uniquely sensitive to adversarial manipulation: a single misclassification can lead to collisions, property damage, or even fatalities.

Develop a Domain-Specific Taxonomy of Adversarial Attacks: We categorize adversarial attacks not only in terms of their conventional distinctions—white-box vs. black-box, targeted vs. untargeted—but also examine how they manifest in on-road scenarios. This includes digital and physical attacks on camera feeds, as well as emerging threats on LiDAR and radar sensors.

Examine Defense Mechanisms with a Practical Lens: Numerous defenses against adversarial inputs have been proposed, ranging from adversarial training to gradient obfuscation. We assess their viability in autonomous driving by focusing on issues like computational overhead, real-time constraints, integration with sensor fusion, and the capacity to remain effective against adaptive, sophisticated attackers.

Highlight Challenges and Potential Solutions: In bridging the gap between research findings and actual deployment, we tackle practical challenges: how to conduct realistic physical evaluations, the role of hardware-level security, the difficulty of ensuring interpretability in black-box models, and the regulatory frameworks needed to standardize adversarial testing.

Chart a Research Roadmap: Finally, we emphasize open questions that demand further exploration, such as the interplay of multi-modal sensor data, the possibility of life-long or continuous learning defenses, and the urgent need for unified adversarial benchmarks adapted to the autonomous driving domain.

Through this structure, the paper not only synthesizes prior work but also encourages forward-looking strategies that can bolster the robustness of autonomous driving systems against an ever-evolving arsenal of adversarial techniques.

Societal Stakes and Ethical Considerations


One cannot fully contextualize adversarial risks in self-driving cars without acknowledging the broader societal landscape. Road accidents claim over a million lives annually worldwide, a statistic that autonomous driving seeks to reduce drastically. However, adversarial vulnerabilities might undermine the public’s trust in AI-driven transportation if widely publicized attacks lead to safety incidents. Should an attacker, for instance, orchestrate traffic gridlock by causing multiple vehicles to misread signage, the resulting crisis could erode faith in the entire concept of self-driving technology. This raises pivotal questions regarding liability, regulation, and the moral responsibility to ensure that an AI system operating in public spaces is thoroughly secured against malicious interference.

From an ethical standpoint, deploying self-driving vehicles that are insufficiently robust to adversarial threats may be seen as irresponsible, given the potential for catastrophic harm. Governments and regulatory bodies are beginning to recognize these concerns, pressing for more stringent testing procedures and safety validations that incorporate adversarial scenarios. Ultimately, the pursuit of adversarial robustness in autonomous driving is not solely a technical endeavor; it also demands careful attention to policy, transparency, and collaborative governance.

Outline of the Paper

To facilitate a thorough exploration of the topic, the paper proceeds as follows:

Background and Motivation: We trace the development of neural network-based perception in autonomous driving, discussing its transformative impact and inherent vulnerabilities.

Adversarial Attack Taxonomy and Techniques: A detailed analysis of how adversarial attacks are crafted, especially focusing on the interplay between digital and physical manipulations in real-time autonomous scenarios.

Defense Mechanisms: A critical review of the array of defense strategies—from adversarial training and detection-based approaches to robust architecture design and sensor fusion—and how they align with the stringent performance requirements of self-driving systems.

Practical Challenges and Future Directions: We delve into the computational, regulatory, and interdisciplinary hurdles blocking the path to robust deployment. This section also highlights emerging research domains such as multi-sensor attacks, certified robustness for safety-critical systems, and the creation of standardized adversarial benchmarks for autonomous vehicles.

Conclusion: We synthesize the key insights from this extensive discussion, reaffirm the central challenges, and propose a forward-focused perspective on how the field can make tangible progress toward secure autonomous driving.

In sum, this paper asserts that while deep neural networks have ushered in a new era of autonomy on the roads, the specter of adversarial attacks cannot be dismissed or overlooked. As these networks become increasingly integral to real-world transportation, a collective effort—spanning researchers, engineers, automakers, regulators, and society at large—must converge on strategies to ensure safety, reliability, and ethical responsibility in the face of malicious or inadvertent manipulations.

1. Background and Motivation

Understanding adversarial attacks in autonomous driving requires a deep appreciation of how neural networks became the backbone of modern vehicle perception. While the field of autonomous vehicles traces its origins to early experiments in computer vision and rule-based robotics, it was the convergence of large-scale datasets, powerful GPUs, and novel deep learning architectures that truly catapulted AI-driven automation onto public roads. In this section, we delve into the interplay between the promise of these advances and the motivation to address their newly unearthed vulnerabilities.

1.1 Evolution of Neural Network Perception in Autonomous Driving

Early Attempts at Automated Vehicles

Long before deep learning rose to prominence, efforts to automate driving relied on heuristic-based or classical machine learning techniques. Prototypes like the ALVINN (Autonomous Land Vehicle In a Neural Network) project in the late 1980s used shallow neural networks, while others employed handcrafted features for lane detection and object recognition. Despite incremental successes, these systems struggled to generalize across varied conditions—such as nighttime driving, rain, fog, and diverse urban landscapes. The arrival of more advanced machine learning approaches in the early 2000s brought improvements, but it was not until the explosion of deep convolutional neural networks (CNNs) that radical performance jumps became evident.

Emergence of Deep CNNs for Road Scene Understanding

The watershed moment often cited is the success of AlexNet in the 2012 ImageNet competition, where deep CNNs dramatically outperformed previous methods in object recognition tasks. Autonomous driving researchers quickly recognized the potential. Tasks like vehicle detection, pedestrian recognition, and traffic sign classification share similarities with general object recognition, and CNNs could adapt to these domains relatively smoothly.

Subsequent architectures—VGGNet, ResNet, Inception, MobileNet—continued to push the frontier, achieving high accuracy on benchmark datasets relevant to driving, such as KITTI, Cityscapes, and Berkeley DeepDrive. These datasets offered increasingly comprehensive representations of real road scenes, including diverse weather and lighting conditions, multiple object classes, and complex traffic scenarios. CNN-based models not only excelled in classification but also advanced capabilities in object detection (e.g., Faster R-CNN, YOLO, SSD) and semantic segmentation (e.g., FCN, SegNet, UNet), all critical to enabling a vehicle to interpret its surroundings accurately.

Sensor Fusion and Beyond

As the complexity of roads soared, camera-only solutions faced limitations. Developers began integrating LiDAR, radar, and inertial measurement units to provide depth and velocity information. Deep learning extended to multi-modal fusion, where neural networks could merge data from multiple sensors to generate robust environment representations. This multi-sensor synergy aimed to address occlusions or camera failures, effectively delivering redundancy. However, as we will see, it also introduced more layers of complexity and potential attack vectors.

1.2 Why Adversarial Vulnerabilities Demand Urgent Attention

The initial discovery of adversarial examples in image classification (Szegedy et al., 2014) revealed that high-performing DNNs could be systematically deceived by imperceptible noise patterns. Follow-up work illustrated the ease with which attackers could compute perturbations via gradients or optimization solvers. While adversarial examples initially seemed like a niche phenomenon, their implications for life-critical applications swiftly escalated the conversation.

In autonomous driving:

Safety Is Paramount: Minor misclassifications—like misreading a pedestrian as a mailbox—can have catastrophic outcomes.

Physical Accessibility: Street signs, lane markings, and other environmental features are publicly accessible, making them prime targets for adversarial tampering.

Complex Deployment Environments: Self-driving cars handle dynamic, highly variable conditions. A defense effective on curated datasets might fail on real roads, exacerbating vulnerabilities.

Real-Time Constraints: Defensive measures must function under strict latency budgets, as vehicles have limited time to process sensor data and make decisions.

In light of these factors, adversarial attacks pose a uniquely urgent threat to self-driving systems, mandating research that blends sophisticated machine learning with robust engineering principles.

1.3 Perspectives from Industry and Regulatory Bodies

The industrial sector, led by companies like Waymo, Tesla, and GM Cruise, invests heavily in AI-based driving systems. These entities maintain proprietary architectures and data, making it challenging for external researchers to evaluate or disclose vulnerabilities. Nonetheless, high-profile demonstrations of adversarial attacks on prototypes have led many firms to acknowledge the problem. Some collaborate with academic and government institutions to explore solutions, while others create internal red teams dedicated to stress-testing models under adversarial conditions.

Regulatory perspectives are evolving. Government agencies in several countries have begun drafting guidelines to ensure that any future deployment of autonomous vehicles incorporates cybersecurity, including adversarial robustness. Although formal regulations remain in flux, it is increasingly recognized that comprehensive safety tests must move beyond hardware and mechanical reliability to encompass the AI’s resilience to adversarial manipulation. International standards organizations are also exploring protocols for verifying the security of perception modules within advanced driver-assistance systems (ADAS).

1.4 The Unique Challenges of Physical-World Attacks

Unlike purely digital domains, autonomous driving merges software with the physical environment, where conditions are inherently variable. Attackers can exploit transformations like:

Varying Camera Angles: An adversarial pattern on a sign must remain effective across multiple viewing angles, distances, and lens distortions.

Environmental Noise: Weather changes, lighting variations, and partial occlusions can influence the success rate of an adversarial example.

Time and Motion: As the vehicle moves, or as objects move relative to it, the adversarial perturbation must maintain consistent influence on the perception model.

Wear and Tear: Physical modifications to signage (stickers, paint) can degrade over time, altering how they appear to cameras.

Researchers developed robust adversarial patterns using Expectation over Transformation (EoT) to address these variables, systematically training perturbations that account for random shifts, rotations, and brightness changes. Such advanced methods highlight that physical adversarial attacks are not merely hypothetical but indeed feasible with careful optimization.

1.5 Emerging Research Gaps

Despite the surge in adversarial literature, several gaps remain acute in the context of autonomous driving:

Lack of Comprehensive Benchmarks: While digital attacks often rely on well-known datasets, there is a shortage of standard testbeds for real-world adversarial evaluations on self-driving cars.

Under-Explored Sensor Fusion Attacks: Camera-based attacks garner the most attention, yet systematic methods to simultaneously fool LiDAR, radar, or multi-modal pipelines remain less studied.

Real-Time Defense Implementation: Many defenses rely on computationally intensive procedures. Their viability in an online driving environment, where inference must occur in milliseconds, is unclear.

Interpretability and Governance: Explaining adversarial outcomes to regulatory bodies, insurance companies, or the public is a formidable challenge. The black-box nature of DNNs can obscure how an attack succeeded or how a defense neutralized it.

These challenges, and others outlined throughout this paper, reinforce the need for continued work on both fundamental research—developing robust neural architectures—and applied engineering solutions that can be seamlessly integrated into commercial and governmental frameworks.

2. Adversarial Attacks: Taxonomy and Techniques in Autonomous Driving

Adversarial attacks take on various forms, each tailored to exploit specific facets of deep neural networks. While many general strategies—like gradient-based optimization—translate directly from the broader adversarial literature, the autonomous driving environment introduces unique operational constraints and vulnerabilities. This section presents a multifaceted taxonomy of attack types, focusing on how each type can be adapted or optimized to target the perception modules in self-driving vehicles.

2.1 White-Box Attacks in Self-Driving Contexts

White-box attacks presuppose that adversaries have intimate knowledge of the target model, encompassing its architecture, weights, hyperparameters, and potentially its training data. Although this may seem less plausible for proprietary systems, insider threats or reverse-engineering efforts can yield approximate or even direct knowledge of a vehicle’s perception stack.

Projected Gradient Descent (PGD) on Traffic Sign Classifiers: PGD extends the basic idea of single-step gradient attacks (FGSM) into an iterative procedure, adjusting perturbations step by step to remain within a predefined ℓp-norm ball. For example, an adversary who has full access to a traffic sign recognition model can optimize small pixel-level changes in an image of a stop sign until the network reliably classifies it as a speed-limit sign.

Carlini & Wagner (C&W) Attacks on Object Detection: Renowned for their potency, C&W attacks formulate adversarial example generation as a specialized optimization problem. Against detectors like Faster R-CNN or SSD, these attacks can systematically alter bounding box predictions, causing entire objects to vanish from the system’s field of detection or misplacing them. In a self-driving scenario, a skillful attacker might eliminate all bounding boxes corresponding to pedestrians, effectively rendering them invisible to the vehicle.

DeepFool and White-Box Evasion: DeepFool aims to identify the minimal norm perturbation that changes an input’s predicted label. Though initially showcased in image classification tasks, it can be adapted for more complex tasks like instance segmentation or bounding box regression, with the attacker leveraging the known loss gradients to push predictions toward incorrect classes or locations.

Adaptive Attacks against Specific Defenses: Defense strategies, such as gradient obfuscation or detection-based approaches, frequently fail when confronted by an adaptive attacker capable of modeling the defense mechanism itself. In an autonomous driving context, if the defense includes random input transformations, a white-box attacker can replicate those transformations during adversarial example generation, effectively neutralizing the defense.

White-box attacks represent the upper bound of adversarial capability. Evaluating defenses under these conditions ensures that they can withstand the most rigorous forms of adversarial scrutiny, though it may not always mirror real-world attacker constraints.

2.2 Black-Box Attacks in Self-Driving Contexts

Black-box attacks assume minimal knowledge of the model’s internal parameters. Instead, the adversary may rely on queries—observing the model’s outputs given certain inputs—or on surrogate models trained with a similar architecture or data distribution.

Transfer-Based Attacks with Substitute Models: In a self-driving scenario, attackers can train or fine-tune a local model on publicly available datasets, approximating the target vehicle’s perception system. Adversarial examples crafted against this “substitute model” may transfer to the actual system, leveraging the phenomenon of adversarial transferability. While not guaranteed, transferability can be surprisingly effective, particularly when the architectures share design principles (e.g., ResNet-based classifiers).

Query-Based Approaches: If the targeted autonomous vehicle provides even partial output data—like confidence scores or classification labels—attackers can systematically probe the system with incrementally perturbed images. Methods like Zeroth Order Optimization (ZOO) approximate the gradient numerically, iterating until they discover a perturbation that causes misclassification. Though this demands numerous queries, a patient attacker or one with physical proximity can gather data over time.

Decision-Based Attacks: In decision-based attacks, the attacker only has access to the final label (e.g., “stop sign” vs. “yield sign”) or a bounding box classification outcome without probabilities. Methods like the boundary attack start from a large perturbation that already induces a misclassification and iteratively reduce it while remaining within the misclassified zone. Applied to autonomous vehicles, the attacker might physically test small modifications to signage and observe the car’s external behavior—like whether it stops or proceeds—in a covert manner.

Black-box attacks illustrate that robust security cannot hinge on “security through obscurity.” Even if the system’s architecture or parameters remain proprietary, the risk of carefully orchestrated black-box intrusions looms large, especially when the environment (i.e., roads, signs) is openly accessible.

2.3 Targeted vs. Untargeted Attacks

In the realm of autonomous driving, targeted attacks aim to force a very specific misclassification or outcome (e.g., “this sign must be seen as a 45 mph speed limit” rather than “stop”), whereas untargeted attacks only require the outcome to be incorrect in any manner.

Targeted Attacks: Crafting a targeted adversarial example demands more precise optimization. However, the payoff can be substantially higher: misclassifying a stop sign as a speed-limit sign can lead to a direct safety hazard. Attackers might prefer targeted strategies if their goal is to cause a predictable, dangerous behavior—like ignoring a red light or accelerating instead of braking.

Untargeted Attacks: In untargeted scenarios, any misclassification is sufficient to degrade the vehicle’s reliability. The result could be reading a stop sign as a yield sign or perceiving a car as a cyclist. Even though these misclassifications might seem random, they can still create confusion or near-miss incidents. Untargeted attacks are often simpler to generate and can still achieve the adversarial objective of sowing uncertainty in the perception stack.

In practice, the distinction between targeted and untargeted attacks is crucial for evaluating the potential severity and reliability of adversarial threats. Autonomous driving systems need to be robust against both sorts of manipulations, given that each type can yield unsafe outcomes.
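The white-box evaluation that Sections 2.1 and 2.3 describe, as an added example that is not part of the paper: an iterative ℓ∞ PGD loop with its projection step, run against a constructed three-class linear "sign" classifier (hand-set weights, not a trained model) to measure robust accuracy within a perturbation budget ε and to contrast untargeted with targeted objectives. The class names, weights, sample vectors and the budgets 0.1 and 0.4 are all assumptions chosen for illustration.

```python
import math

# Constructed toy classifier: 3 "sign" classes over 2 image features in [0, 1].
# The weights are hand-set for illustration only; this is not a trained model.
CLASSES = ["stop", "yield", "speed_limit"]
W = [[4.0, -2.0],    # stop: high feature 0, low feature 1
     [-2.0, 4.0],    # yield: low feature 0, high feature 1
     [-3.0, -3.0]]   # speed_limit: both features low
B = [-0.5, -0.5, 2.0]


def logits(x):
    return [sum(w * xi for w, xi in zip(W[c], x)) + B[c] for c in range(len(CLASSES))]


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def predict(x):
    z = logits(x)
    return max(range(len(z)), key=lambda c: z[c])


def grad_ce_wrt_input(x, label):
    # Gradient of softmax cross-entropy w.r.t. the input of a linear model: W^T (p - onehot(label))
    p = softmax(logits(x))
    diff = [p[c] - (1.0 if c == label else 0.0) for c in range(len(p))]
    return [sum(diff[c] * W[c][j] for c in range(len(p))) for j in range(len(x))]


def sign(v):
    return 1.0 if v > 0 else -1.0 if v < 0 else 0.0


def project_linf(x, x0, eps, lo=0.0, hi=1.0):
    # The projection step: stay inside the eps-ball around x0 AND inside the valid pixel range.
    return [min(max(xi, x0i - eps, lo), x0i + eps, hi) for xi, x0i in zip(x, x0)]


def pgd(x0, label, eps, alpha, steps, target=None):
    """
    Iterative L-inf PGD. Untargeted (target is None): ascend the loss of the true label.
    Targeted: descend the loss of the target label. Each step moves alpha along the
    sign of the gradient, then projects back onto the budget.
    """
    x = list(x0)
    for _ in range(steps):
        if target is None:
            g = grad_ce_wrt_input(x, label)
            x = [xi + alpha * sign(gi) for xi, gi in zip(x, g)]
        else:
            g = grad_ce_wrt_input(x, target)
            x = [xi - alpha * sign(gi) for xi, gi in zip(x, g)]
        x = project_linf(x, x0, eps)
    return x


def linf_distance(a, b):
    return max(abs(ai - bi) for ai, bi in zip(a, b))


def robust_accuracy(samples, eps, alpha=0.1, steps=10):
    """Fraction of samples still classified correctly after untargeted PGD within eps."""
    correct = 0
    for x0, label in samples:
        x_adv = pgd(x0, label, eps, alpha, steps)
        assert linf_distance(x_adv, x0) <= eps + 1e-9   # the budget must be respected
        correct += predict(x_adv) == label
    return correct / len(samples)


# Constructed evaluation set: (feature vector, true class index)
SAMPLES = [([0.8, 0.2], 0), ([0.2, 0.8], 1), ([0.1, 0.1], 2)]


if __name__ == "__main__":
    for eps in (0.0, 0.1, 0.4):
        print(f"eps={eps}: robust accuracy = {robust_accuracy(SAMPLES, eps):.2f}")
    x0 = SAMPLES[0][0]
    x_un = pgd(x0, 0, eps=0.4, alpha=0.1, steps=10)
    x_tg = pgd(x0, 0, eps=0.4, alpha=0.1, steps=10, target=2)
    print("untargeted ->", CLASSES[predict(x_un)],
          "| targeted(speed_limit) ->", CLASSES[predict(x_tg)])
```

On this toy model the untargeted run within ε = 0.4 flips the stop sample to "yield", while the targeted run toward "speed_limit" stays inside the same budget and fails, which is the asymmetry Section 2.3 describes.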

2.4 Digital vs. Physical Attacks

Digital Attacks

Digital attacks remain entirely within the image (or sensor data) manipulation realm. For instance, an attacker might intercept the car’s camera feed in real-time, applying adversarial perturbations prior to feeding the data to the detection module. While plausible in scenarios where the attacker can compromise the vehicle’s internal network, digital attacks typically require close integration with the car’s computational pipeline, making them more akin to a cybersecurity breach.

Physical Attacks

Physical attacks translate adversarial perturbations into tangible modifications in the environment. This can involve printing stickers, painting partial patterns on signs, or even using projectors to cast illusions onto surfaces. These manipulations must endure environmental variations—lighting, distance, occlusions—while remaining inconspicuous to human observers.

Adversarial Stickers and Patches: Researchers like Eykholt et al. (2018) showed that carefully placed stickers on a stop sign could coax a neural network into seeing it as a different sign entirely. The practicality of such an approach underscores the severity of real-world adversarial threats.

Adversarial Patches on Vehicles: Attackers might place small patches on an autonomous vehicle’s own exterior or on other vehicles in its field of view. These patches can disrupt object detectors like YOLO or SSD, diminishing detection accuracy for the patched object or other scene elements.

Projected Light Attacks: Using lasers or specialized projectors, attackers can overlay patterns or ephemeral illusions on the road or signage. While more technologically advanced, these techniques demonstrate that one need not physically alter signage to mislead a DNN.

Physical attacks are particularly alarming in autonomous driving due to their feasibility and the difficulty of detection. A scenario wherein multiple signs in a city are subtly altered with adversarial patterns could wreak havoc on any self-driving vehicle traversing those roads.

2.5 Multi-Frame and Temporal Attacks

Given that autonomous vehicles process streaming data rather than single static images, an attacker may need to ensure that an adversarial perturbation persists or evolves consistently across multiple frames. Some systems apply temporal smoothing or ensemble strategies, comparing detections frame-to-frame to reduce transient errors.

Consistent Perturbations: An attacker can craft a single perturbation that remains effective for varying angles and times. This is more challenging but yields more reliable misclassification if achieved.

Transient Perturbations: A flashing projected pattern might appear in only a subset of frames, potentially confusing object trackers or leading to abrupt decisions (braking or swerving). While less stable, transient attacks can still cause immediate disruptions if triggered at critical moments.
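The frame-to-frame consistency check mentioned above, as an added example that is not from the paper: a sliding-window majority vote over per-frame class labels that refuses to adopt a new label until it holds a strict majority of recent frames, plus a monitoring signal that flags frames whose raw detection contradicts the temporal consensus. The window size, agreement threshold and the per-frame label sequence are constructed assumptions.

```python
from collections import Counter, deque


def smooth_labels(frame_labels, window=5, min_agree=3):
    """
    Sliding-window majority vote over per-frame class labels.
    A new label is adopted only once it holds at least `min_agree` of the last `window`
    frames; until a first consensus forms the output is None. Requiring min_agree > window/2
    makes the winner unique, so no tie-breaking is needed.
    """
    assert min_agree > window / 2, "require a strict majority"
    history = deque(maxlen=window)
    current = None
    smoothed = []
    for label in frame_labels:
        history.append(label)
        top, count = Counter(history).most_common(1)[0]
        if count >= min_agree:
            current = top
        smoothed.append(current)
    return smoothed


def count_flips(labels):
    """Number of label changes between consecutive non-None entries."""
    seen = [lab for lab in labels if lab is not None]
    return sum(1 for a, b in zip(seen, seen[1:]) if a != b)


def disagreement_frames(raw, smoothed):
    """Frames whose raw detection contradicts the temporal consensus (a monitoring signal)."""
    return [i for i, (r, s) in enumerate(zip(raw, smoothed)) if s is not None and r != s]


# Constructed per-frame classifier output for one sign as the vehicle approaches it:
# a single-frame flip at frame 6 (transient), then a persistent change from frame 12 on.
RAW = ["stop"] * 6 + ["yield"] + ["stop"] * 5 + ["yield"] * 6


if __name__ == "__main__":
    smoothed = smooth_labels(RAW)
    print("raw flips:", count_flips(RAW), "smoothed flips:", count_flips(smoothed))
    print("frames contradicting consensus:", disagreement_frames(RAW, smoothed))
```

The trade-off is latency: a genuine change is accepted only after `min_agree` consistent frames, so the threshold has to fit the vehicle's reaction-time budget.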

2.6 Sensor Fusion Attacks: LiDAR, Radar, and Beyond

While the focus often rests on camera-based adversarial examples, advanced self-driving cars integrate multiple sensors. Attempts to attack sensor fusion modules can be more complex but also more devastating if they cause holistic misrepresentations of the environment.

LiDAR Spoofing: By emitting carefully timed laser pulses, an attacker can introduce erroneous distance measurements. Fake objects (phantoms) or missing objects can drastically alter the car’s path planning.

Radar Interference: Radar systems can be jammed or spoofed, though the required equipment is typically more specialized. Nonetheless, if successful, the vehicle might misunderstand velocity or distance readings of nearby cars.

Cross-Sensor Consistency Attacks: Sophisticated adversaries might attempt to manipulate camera data and LiDAR data in ways that remain mutually consistent, for instance fooling both sensors into perceiving a non-existent obstacle or into failing to detect a real one.

2.7 Real-World Case Studies of Adversarial Exploits

Stop Sign Misclassification

Approach: Physical sticker modifications (white-box or black-box, with EoT-based design).

Result: The sign is consistently mislabeled in test drives, leading the car to pass through intersections dangerously.

Phantom Obstacle via LiDAR

Approach: LiDAR spoofing device that emits laser signals mimicking reflections from a non-existent object.

Result: The AV might slam the brakes or abruptly swerve to avoid a phantom obstacle, increasing collision risks from rear-ending or lane departure.

Lane Marking Alterations

Approach: Painting or placing reflective strips on roads that neural networks interpret as valid lane boundaries.

Result: The vehicle veers into the wrong lane or drifts off-road, with minimal human-visible cues that something is amiss.

These examples illustrate that adversarial attacks can target multiple aspects of an autonomous driving pipeline, each culminating in potentially severe outcomes. As the subsequent sections will demonstrate, defending against these tactics requires a multifaceted strategy that addresses both digital and physical manipulation modes across diverse sensor inputs.

2.8 Summary

The taxonomy of adversarial attacks against deep neural networks in autonomous driving underscores that the problem is far from theoretical. From gradient-based white-box manipulations to stealthy physical modifications tested under various environmental transformations, the threat spectrum is extraordinarily broad. Moreover, the integration of multiple sensors in next-generation vehicles, while beneficial for reliability under normal conditions, opens new avenues for attackers seeking to orchestrate consistent illusions across data modalities. Understanding this array of tactics is a critical step toward formulating comprehensive defenses, which is the focus of the next section.

3. Defense Mechanisms: Strategies and Limitations in Real-Time AV Systems

Designing robust defenses against adversarial inputs in autonomous driving is a balancing act. On one hand, the defense must effectively mitigate or detect adversarial perturbations across a myriad of threat models; on the other hand, it must do so within the stringent real-time and safety constraints of on-road operation. Traditional or generic defenses may offer partial solutions, but the specialized demands of self-driving technologies often require refined or entirely new approaches. This section reviews the most prominent defense strategies—highlighting their theoretical foundations, practical implementations, and known shortcomings, all through the lens of autonomous driving.

3.1 Adversarial Training for Automotive Applications

Fundamentals of Adversarial Training

Adversarial training augments a model’s training set with adversarial examples. By learning to classify or detect objects correctly even when inputs are perturbed, the model internalizes a form of robustness. Goodfellow et al. (2015) pioneered this idea with the Fast Gradient Sign Method (FGSM), while Madry et al. (2018) introduced more intensive Projected Gradient Descent (PGD) adversarial training, shown to produce models resilient against a wide range of ℓp-bounded attacks.

Domain-Specific Considerations

Massive Data Requirements: Autonomous vehicles rely on large-scale datasets like Cityscapes, KITTI, or BDD100K. Generating adversarial variants for each image can be computationally prohibitive, especially for iterative methods like PGD.

Diverse Weather and Lighting: For physical realism, adversarial training must account for transformations in lighting, angle, and partial occlusion, significantly increasing the complexity of the adversarial generation process.

Impact on Clean Accuracy: Models trained heavily on adversarial examples sometimes exhibit reduced performance on clean data. In a driving context, even small drops in accuracy can lead to safety-critical oversights.

Despite these challenges, adversarial training remains one of the most well-researched methods of building robust models. Some automotive AI firms investigate incremental or curriculum-based adversarial training, where the model is gradually introduced to stronger perturbations, balancing computational load with progressive robustness gains.

Real-Time Inference Trade-Offs

The size and depth of robustly trained models can increase inference latency. However, specialized hardware accelerators, such as GPUs or TPUs optimized for deep learning, may partially mitigate this. Additionally, research into lighter CNN backbones (like MobileNet or ShuffleNet) has produced architectures that can be adversarially trained while still supporting real-time or near-real-time inference.

3.2 Input Preprocessing and Transformations

Filtering and Denoising

A conventional approach involves applying transformations to input images to remove or reduce adversarial perturbations:

Gaussian Blurring: Smooths the image, potentially eliminating high-frequency adversarial noise. But over-aggressive blurring sacrifices detail crucial for small object detection.

Median Filtering: Replaces each pixel with the median of its neighborhood. Effective for salt-and-pepper style noise but less so for sophisticated, spatially correlated perturbations.

JPEG or HEIF Compression: Reduces image fidelity in a way that can disrupt adversarial patterns. However, compression can lead to block artifacts that degrade performance on legitimate data.

In an AV pipeline, such operations must be carefully tuned to avoid overshadowing legitimate features like a distant pedestrian or a small traffic sign.

Generative Reconstruction

Autoencoders or generative adversarial networks (GANs) can reconstruct an input image from a learned latent representation. The hope is that adversarial noise, not lying on the manifold of real-world images, will be stripped out. However, if the noise is subtle and the manifold broad, the autoencoder might faithfully reconstruct the perturbation. Generative approaches can also impose computational overhead, which can impede real-time performance.

Randomization

Another angle is to randomize certain aspects of the input—like resizing, padding, or adding noise—so that a single, static adversarial perturbation is less likely to succeed across all possible transformations. Yet advanced adversaries often adapt by modeling or approximating the randomization process, regaining the ability to craft robust examples. For self-driving cars, the capacity for random transformations might be bounded; frequent resizing or cropping might disrupt the geometry needed for accurate depth estimation or bounding box proposals.

3.3 Detection-Based Defenses

Rather than trying to make the core neural network itself robust, detection-based strategies aim to identify adversarial inputs before they enter or while they traverse the perception pipeline.

Feature Squeezing and Consistency Checks: Systems run the input through multiple transformations (e.g., bit-depth reduction, smoothing) and measure discrepancies in the model’s outputs. Large divergences suggest adversarial tampering.

Statistical Anomalies: By monitoring internal activations or output confidence distributions, a detection layer may flag outliers. For instance, if the distribution of softmax probabilities deviates significantly from typical patterns, it might be indicative of an adversarial input.

Ensemble Detectors: Multiple parallel detectors or classifiers can cross-check each other’s predictions. If one classifier’s result diverges significantly from the majority, an alarm is raised. This approach can increase computational load but might offer stronger detection reliability.

In an autonomous driving setting, detection-based methods could interface with fail-safe systems. Upon suspicion, the car might slow down or alert a human supervisor. The downside is the potential for false positives causing undue interventions or a broader inability to handle adaptive attacks designed to evade detection.
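The feature-squeezing consistency check and its coupling to a fail-safe path, as an added example that is not part of the paper: a pure-Python detector runs a classifier on the raw input and on two squeezed copies (bit-depth reduction, median smoothing) and withholds the label when the softmax outputs disagree too much. The two-class classifier, the 8x8 patches and the threshold are constructed stand-ins, not a real perception model.

```python
"""Feature-squeezing consistency check.

Added example (not code from the paper): the classifier is run on the raw input
and on two 'squeezed' copies (bit-depth reduction and median smoothing). A large
L1 gap between the softmax outputs means the squeezers removed something the
classifier depended on, which is the signature of an adversarial perturbation.
"""
import math
from typing import Callable, List, Optional, Sequence, Tuple

Image = List[List[float]]                   # grayscale, pixel values in [0.0, 1.0]
Predictor = Callable[[Image], List[float]]  # returns a softmax vector


def reduce_bit_depth(img: Image, bits: int) -> Image:
    """Quantize every pixel to 2**bits levels; wipes out low-amplitude noise."""
    levels = 2 ** bits - 1
    return [[round(p * levels) / levels for p in row] for row in img]


def median_filter(img: Image, k: int = 2) -> Image:
    """k x k median smoothing (2x2 is the usual feature-squeezing choice). The
    window is clamped at the image border; for an even window size the median
    is the mean of the two middle values."""
    h, w = len(img), len(img[0])
    out: Image = []
    for y in range(h):
        row = []
        for x in range(w):
            win = sorted(img[min(y + dy, h - 1)][min(x + dx, w - 1)]
                         for dy in range(k) for dx in range(k))
            n = len(win)
            row.append(win[n // 2] if n % 2 else (win[n // 2 - 1] + win[n // 2]) / 2)
        out.append(row)
    return out


def l1_distance(p: Sequence[float], q: Sequence[float]) -> float:
    return sum(abs(a - b) for a, b in zip(p, q))


def squeezing_score(img: Image, predict: Predictor) -> float:
    """Largest L1 divergence between the prediction on the raw input and the
    predictions on its squeezed versions (max over squeezers, range 0..2)."""
    base = predict(img)
    squeezed = [reduce_bit_depth(img, 4), median_filter(img, 2)]
    return max(l1_distance(base, predict(s)) for s in squeezed)


def classify_with_fallback(img: Image, predict: Predictor,
                           threshold: float = 1.0) -> Tuple[Optional[int], float]:
    """Return (label, score). The label is None when the score exceeds the
    threshold: that is the signal for the vehicle's fail-safe path (slow down,
    alert a supervisor) instead of acting on a suspect detection."""
    score = squeezing_score(img, predict)
    if score > threshold:
        return None, score
    probs = predict(img)
    return probs.index(max(probs)), score


# --- constructed stand-in classifier and inputs (not a real sign model) --------

def toy_predict(img: Image) -> List[float]:
    """Two-class toy model: class 0 ('stop') responds to overall brightness,
    class 1 ('speed limit') to a high-frequency checkerboard component. The
    second feature is deliberately brittle, the way real DNN features can be."""
    n = len(img) * len(img[0])
    brightness = sum(map(sum, img)) / n
    checker = sum((-1) ** (y + x) * p
                  for y, row in enumerate(img) for x, p in enumerate(row))
    logits = [10.0 * brightness, 10.0 * checker]
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]


def constructed_images() -> Tuple[Image, Image]:
    """A flat 8x8 'clean' patch and a copy carrying a +/-0.03 checkerboard:
    invisible to a person, but enough to flip toy_predict."""
    clean = [[0.8] * 8 for _ in range(8)]
    adv = [[0.8 + 0.03 * (-1) ** (y + x) for x in range(8)] for y in range(8)]
    return clean, adv


if __name__ == "__main__":
    clean, adv = constructed_images()
    for name, img in (("clean", clean), ("perturbed", adv)):
        label, score = classify_with_fallback(img, toy_predict)
        print(f"{name}: label={label} squeezing_score={score:.3f}")
```

The threshold has to be tuned on clean driving data, since a squeezer that also erases a distant pedestrian or a small sign (the concern raised in 3.2) will raise false alarms on legitimate frames.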

3.4 Gradient Obfuscation and Masking

Some defenses try to obscure or degrade the gradient information that attackers exploit. This can include non-differentiable layers, random gradient rotations, or making the model output less stable with respect to minor input changes.

While gradient obfuscation often thwarts naive adversarial generation, extensive research reveals that many such defenses offer only illusory protection. Attackers can adopt gradient-free methods or approximate the gradients with enough queries to circumvent obfuscation. The automotive domain demands that any gradient-masking technique be tested rigorously under adaptive conditions, ensuring that the defense does not merely break the attacker’s code in simplistic scenarios but actually confers robust protection.

3.5 Certified Robustness

Safety-critical contexts sometimes demand formal guarantees rather than empirical defenses. Certified methods aim to prove mathematically that within a certain perturbation bound, the model’s output cannot be altered.

Interval Bound Propagation (IBP): The input perturbation bound is propagated layer by layer as an interval around each neuron’s activation, yielding guaranteed bounds on the final output.

Mixed Integer Linear Programming (MILP): Networks can be encoded as MILP instances, so a solver can search exhaustively for any perturbation within the bound that leads to a misclassification, or prove that none exists.

While theoretically appealing, such methods typically struggle with large, high-resolution models and real-time constraints. They might work on smaller sub-networks, such as specialized sign-classification modules, but scaling them to full detection systems with tens of millions of parameters remains a challenge. Consequently, they remain a niche approach in deployed AV systems, though ongoing research explores approximate or region-based certifications that might prove more feasible.
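An added example, not from the paper, of the IBP certificate just described: interval arithmetic is pushed through a hand-built two-layer ReLU network to decide whether the predicted class can change anywhere in the ℓ∞ ball of radius ε around an input, and bisection then finds the largest radius for which the certificate holds. The weights, the input point and the radii are all constructed for illustration.

```python
"""Interval Bound Propagation (IBP) certificate for a small ReLU network.

Added example (not code from the paper). The input box [x - eps, x + eps] is
pushed through every affine layer with interval arithmetic and through every
ReLU by clipping the bounds. The prediction is certified for the whole
L-infinity ball when the lower bound of each logit margin (predicted class
minus every other class) is strictly positive. The weights below are
hand-picked for illustration, not a trained model.
"""
from typing import List, Tuple

Vector = List[float]
Matrix = List[List[float]]
Layer = Tuple[Matrix, Vector]   # (W, b) computing y = W x + b


def affine_interval(W: Matrix, b: Vector, lo: Vector, hi: Vector) -> Tuple[Vector, Vector]:
    """Exact interval image of an affine map in center/radius form:
    mu = W c + b, r = |W| rad, output interval [mu - r, mu + r]."""
    center = [(l + h) / 2 for l, h in zip(lo, hi)]
    radius = [(h - l) / 2 for l, h in zip(lo, hi)]
    new_lo, new_hi = [], []
    for row, bias in zip(W, b):
        mu = sum(w * c for w, c in zip(row, center)) + bias
        r = sum(abs(w) * rad for w, rad in zip(row, radius))
        new_lo.append(mu - r)
        new_hi.append(mu + r)
    return new_lo, new_hi


def relu_interval(lo: Vector, hi: Vector) -> Tuple[Vector, Vector]:
    """ReLU is monotone, so clipping both ends gives the exact interval."""
    return [max(0.0, l) for l in lo], [max(0.0, h) for h in hi]


def forward(layers: List[Layer], x: Vector) -> Vector:
    """Nominal forward pass (zero-radius interval); ReLU after all but the last layer."""
    lo, hi = list(x), list(x)
    for i, (W, b) in enumerate(layers):
        lo, hi = affine_interval(W, b, lo, hi)
        if i < len(layers) - 1:
            lo, hi = relu_interval(lo, hi)
    return lo


def ibp_certify(layers: List[Layer], x: Vector, eps: float) -> Tuple[int, bool]:
    """Return (predicted class k, certified) for the L-infinity ball of radius eps.

    The last layer is folded into the margin: for each other class j the spec
    (W[k] - W[j]) . h + (b[k] - b[j]) is bounded directly on the last hidden
    interval, which is tighter than bounding the two logits separately."""
    logits = forward(layers, x)
    k = logits.index(max(logits))
    lo = [v - eps for v in x]
    hi = [v + eps for v in x]
    for W, b in layers[:-1]:
        lo, hi = relu_interval(*affine_interval(W, b, lo, hi))
    W_out, b_out = layers[-1]
    for j in range(len(W_out)):
        if j == k:
            continue
        spec_w = [[wk - wj for wk, wj in zip(W_out[k], W_out[j])]]
        spec_b = [b_out[k] - b_out[j]]
        margin_lo, _ = affine_interval(spec_w, spec_b, lo, hi)
        if margin_lo[0] <= 0.0:
            return k, False          # some input in the ball might be read as j
    return k, True


def certified_radius(layers: List[Layer], x: Vector, eps_max: float = 1.0,
                     iters: int = 40) -> float:
    """Largest eps (found by bisection) at which ibp_certify still succeeds."""
    lo, hi = 0.0, eps_max
    for _ in range(iters):
        mid = (lo + hi) / 2
        if ibp_certify(layers, x, mid)[1]:
            lo = mid
        else:
            hi = mid
    return lo


# Constructed 2-input, 3-hidden, 2-output network (class 0 = "stop", 1 = "speed limit").
TOY_NET: List[Layer] = [
    ([[1.0, -1.0], [-1.0, 1.0], [1.0, 1.0]], [0.0, 0.0, -0.5]),
    ([[2.0, -2.0, 1.0], [-2.0, 2.0, 1.0]], [0.0, 0.0]),
]

if __name__ == "__main__":
    x = [0.9, 0.1]                   # constructed feature vector of a stop sign
    for eps in (0.05, 0.5):
        print(f"eps={eps}: (class, certified) = {ibp_certify(TOY_NET, x, eps)}")
    print(f"certified radius ~ {certified_radius(TOY_NET, x):.3f}")
```

Because every layer widens the interval, the same routine on a deep, high-resolution detector returns vacuous bounds unless the network was trained with IBP in the loop, which is the scaling problem the paragraph above describes.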

3.6 Robust Architecture Design and Sensor Fusion

Redundant Architectures

Some designs incorporate multiple parallel networks that process sensor data differently, ensuring that no single adversarial perturbation can fool all sub-networks simultaneously. Though resource-intensive, this approach resonates with the automotive principle of hardware redundancy (e.g., backup braking systems).

Specialized Layers or Activation Functions

Novel activation functions that saturate or clip the gradient might reduce adversarial vulnerability. For example, bounding the activation range of each neuron can limit the effect of small input changes. However, saturating activations risk diminishing the overall representational capacity, potentially hurting performance on legitimate data.

Sensor Fusion Defenses

A powerful defense could emerge from cross-verifying camera data with LiDAR or radar signals. If the camera sees a stop sign at a certain location and distance, LiDAR should detect a corresponding object. Attacks that aim to fool cameras without adjusting LiDAR data (or vice versa) may be exposed by these discrepancies. Nonetheless, sensor fusion must itself be robust. Attackers might coordinate manipulations of both sensors, particularly if they have advanced knowledge of how the fusion algorithm merges data.
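One form of the camera/LiDAR cross-check described above, as an added example that is neither the paper's nor any vendor's code: a camera detection is converted to a bearing and a range with a pinhole model and the sign's known height, and the LiDAR cloud is searched in that window for corroborating returns. The camera intrinsics, sign height, tolerances and point cloud are constructed.

```python
"""Cross-sensor consistency check: does LiDAR corroborate a camera detection?

Added example (not code from the paper). A camera detection of a traffic sign is
turned into a bearing and a range with a pinhole model and the sign's known
physical height; the LiDAR cloud is then searched in that bearing/range window.
A detection with too few supporting returns is flagged, which is the case of a
camera-side manipulation that leaves LiDAR untouched. The intrinsics, sign size,
tolerances and point cloud below are all constructed.
"""
import math
from dataclasses import dataclass
from typing import List, Tuple

Point = Tuple[float, float]   # LiDAR return in the vehicle frame: x forward, y left (m)


@dataclass
class Intrinsics:
    fx: float   # focal length in pixels
    cx: float   # principal point column in pixels


@dataclass
class CameraDetection:
    label: str
    u: float      # bounding-box centre column (pixels)
    h_px: float   # bounding-box height (pixels)


@dataclass
class Verdict:
    bearing_deg: float
    range_m: float
    supporting_points: int
    consistent: bool


def bearing_and_range(det: CameraDetection, intr: Intrinsics,
                      real_height_m: float) -> Tuple[float, float]:
    """Pinhole geometry: bearing from the pixel column (positive = left), range
    from the ratio of the sign's known height to its apparent height."""
    bearing = math.degrees(math.atan((intr.cx - det.u) / intr.fx))
    rng = intr.fx * real_height_m / det.h_px
    return bearing, rng


def lidar_support(points: List[Point], bearing_deg: float, range_m: float,
                  bearing_tol_deg: float, range_tol: float) -> int:
    """Count LiDAR returns inside the angular window and the relative range window."""
    count = 0
    for x, y in points:
        b = math.degrees(math.atan2(y, x))
        r = math.hypot(x, y)
        if abs(b - bearing_deg) <= bearing_tol_deg and abs(r - range_m) <= range_tol * range_m:
            count += 1
    return count


def verify_detection(det: CameraDetection, intr: Intrinsics, points: List[Point],
                     real_height_m: float = 0.75, bearing_tol_deg: float = 2.0,
                     range_tol: float = 0.15, min_points: int = 5) -> Verdict:
    """Flag a camera detection that LiDAR does not back with at least min_points
    returns in the expected window; the caller routes flagged detections to the
    fail-safe path rather than the planner."""
    bearing, rng = bearing_and_range(det, intr, real_height_m)
    n = lidar_support(points, bearing, rng, bearing_tol_deg, range_tol)
    return Verdict(bearing, rng, n, n >= min_points)


# --- constructed scene ----------------------------------------------------------
INTR = Intrinsics(fx=1000.0, cx=640.0)

# Returns from a real sign about 20 m ahead and 10 degrees to the left.
SIGN_RETURNS: List[Point] = [(19.6, 3.4), (19.7, 3.5), (19.8, 3.45), (19.65, 3.55),
                             (19.75, 3.4), (19.7, 3.6), (19.85, 3.5), (19.6, 3.5)]
# Unrelated returns: a vehicle 30 m ahead to the right and some road surface.
CLUTTER: List[Point] = [(29.9, -2.6), (30.0, -2.7), (30.1, -2.55),
                        (8.0, 0.0), (10.0, 0.1), (12.0, -0.1)]
SCENE = SIGN_RETURNS + CLUTTER

# Camera reports a stop sign where the LiDAR cluster is: the pixel values are
# what 20 m at +10 degrees gives for fx=1000, cx=640 and a 0.75 m sign.
REAL_SIGN = CameraDetection("stop", u=640.0 - 1000.0 * math.tan(math.radians(10.0)),
                            h_px=37.5)
# Camera reports a stop sign 15 m away and 25 degrees to the right, where the
# LiDAR has no returns at all.
UNSUPPORTED = CameraDetection("stop", u=640.0 + 1000.0 * math.tan(math.radians(25.0)),
                              h_px=50.0)

if __name__ == "__main__":
    for name, det in (("real sign", REAL_SIGN), ("unsupported", UNSUPPORTED)):
        print(name, verify_detection(det, INTR, SCENE))
```

A miss here is an inconsistency to escalate, not proof of an attack: occlusion, LiDAR range limits and calibration drift produce the same result, so the tolerances belong to the fusion pipeline's own error budget.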

3.7 Practical Considerations in Deployment

Computational Budget: Self-driving platforms already juggle multiple tasks—trajectory planning, localization, and environment modeling. Adding heavy adversarial defenses can compromise real-time operation.

Scalability to High-Resolution Inputs: Many standard adversarial defense benchmarks rely on small datasets like CIFAR-10 or moderate ones like ImageNet. In contrast, automotive cameras capture wide-field, high-resolution images at 30 fps or more, amplifying computational demands.

Fail-Safe Mechanisms: Even the best defenses cannot guarantee 100% protection. Hence, automotive systems may incorporate fallback strategies—such as controlled deceleration or handing control to a human operator—when anomalies are detected.

Adaptive Attack Testing: Effective defenses must be validated against attackers who specifically target known vulnerabilities. Relying solely on standard digital benchmarks might give a misleading sense of security if real-world transformations are not rigorously tested.

3.8 Defense-in-Depth Philosophy

No single defense is likely to suffice against the spectrum of adversarial threats. Instead, a layered or defense-in-depth approach employs multiple strategies, each addressing a different facet of the threat landscape:

Model-Level Robustness: Adversarial training or robust architecture design.

Data Preprocessing: Quick transformations that filter out straightforward perturbations.

Anomaly Detection: Monitoring unusual outputs or inconsistent sensor readings.

Fallback Safety: If suspicion arises, reduce speed or seek human oversight.

Such a holistic approach increases the difficulty for attackers, who must now circumvent multiple protective layers under tight real-time constraints.

3.9 Limitations and Open Questions

While various defense mechanisms show promise, many remain unproven at scale. Key open questions include:

Evaluating Physical vs. Digital Defenses: Methods that excel in digital tests might falter when tested with real, physically placed adversarial patterns.

Joint Attacks on Multi-Sensor Systems: How should defenses adapt if attackers craft illusions for cameras, LiDAR, and radar concurrently?

Standardizing Testing Protocols: The community lacks consensus on best practices for real-world adversarial evaluations in the automotive domain.

Maintaining Explainability: Complex defense pipelines can further obscure model decisions, complicating post-incident analyses or regulatory audits.

These challenges will be explored in greater depth in the following section, which addresses practical considerations for deploying secure perception systems in fully autonomous cars.

4. Practical Challenges and Future Directions in Securing Autonomous Driving

Even as researchers propose innovative ways to defend against adversarial attacks, a set of practical and often interrelated challenges impedes the straightforward implementation of these solutions in real-world autonomous vehicles. This section discusses the most salient obstacles, spanning computational considerations, sensor integration, legal and ethical complexities, and the urgent need for standardized testing frameworks. We conclude by examining how the field might evolve—both technologically and institutionally—to effectively safeguard self-driving systems from adversarial threats.

4.1 Computational Constraints and Real-Time Requirements

High-Dimensional Data Processing

Autonomous vehicles typically capture high-resolution video streams (e.g., 1080p or higher) from multiple cameras at 30 fps or more, alongside parallel LiDAR scans and radar readings. The resulting data volume is enormous, leaving minimal headroom for computationally heavy adversarial training or complex detection pipelines. As the autonomy stack expands to include occupant monitoring, driver-vehicle interaction, and real-time mapping, defenders must craft solutions that remain mindful of tight latency budgets.

Optimizing Resource Allocation

Some companies explore specialized hardware—such as NVIDIA’s Drive platform or Tesla’s FSD chips—designed to accelerate neural network inference. Yet even these devices can become bottlenecks if the system attempts advanced adversarial detection on each frame. A potential compromise is to deploy adaptive defenses that intensify checks only when suspicion arises, thereby reserving computational resources for when they are most needed.

Onboard vs. Cloud Processing

One might imagine offloading adversarial detection to cloud-based servers, but this strategy clashes with real-time constraints and the reliability issues of network connectivity. Moreover, transmitting raw sensor data off-vehicle can exacerbate cybersecurity concerns. As a result, self-driving research trends favor onboard solutions or at least a hybrid architecture that preserves essential detection logic locally while using the cloud for large-scale data storage and occasional model updates.

4.2 Sensor Fusion Complexities

Heterogeneous Data Streams

Camera images, LiDAR point clouds, and radar echoes differ significantly in format, resolution, and update frequency. Fusing them into a cohesive perception pipeline is already a technical challenge. Ensuring that both the fusion and its adversarial defenses operate synchronously adds an extra layer of intricacy.

Attack Surface and Redundancy

Ideally, sensor fusion should offer redundancy: if an attacker compromises camera inputs, LiDAR still ensures a baseline level of awareness. However, sophisticated adversaries might orchestrate illusions across multiple sensors, especially if they can glean insights into how fusion algorithms combine data. This possibility compels future research into “multi-modal adversarial training” or robust sensor fusion designs that can detect cross-sensor inconsistencies.

Calibration Issues

Sensors must be precisely calibrated for accurate fusion (e.g., aligning camera images with LiDAR coordinates). Minor calibration errors, intentional or otherwise, can produce misaligned bounding boxes or object labels, effectively creating vulnerabilities. Regular calibration checks, possibly assisted by advanced machine learning techniques that self-diagnose misalignments, are essential for ongoing resilience against attacks.

4.3 Physical Realism and Testing Protocols

Sim-to-Real Gap

Many adversarial methods are tested in simulation environments (like CARLA or AirSim) or on static images, which only approximate the actual driving experience. The discrepancy between simulation and reality—varied lighting, weather, occlusions, and traffic unpredictability—can render certain lab-tested adversarial attacks less potent or, conversely, more successful in unanticipated ways.

Field Trials with Instrumented Vehicles

One approach to bridging the sim-to-real gap is to conduct controlled on-road experiments where an instrumented vehicle encounters adversarially modified signage or projected illusions under different environmental conditions. However, such trials involve significant expense, logistical complexity, and inherent risk. This is especially challenging when evaluating the potential for multi-sensor or sequential attacks requiring repeated passes to gather performance data.

Standardization Gaps

Unlike established crash tests or emission standards, there is no universal benchmark or procedure to certify how robust a self-driving system is to adversarial threats. Efforts to standardize evaluation methods could involve:

Curated sets of physical adversarial scenarios.

Metrics that quantify robust detection accuracy, bounding box overlap, or classification reliability under transformation.

Transparent reporting requirements for automotive manufacturers to disclose how their models perform against a predefined threat suite.

4.4 The Evolving Threat Landscape

Adaptive Attacks

Defense proposals often focus on known attacks—FGSM, PGD, C&W, and so forth. Yet adversaries evolve: they adopt gradient-free methods, exploit overlooked vulnerabilities, or craft more advanced illusions that remain potent under wide-ranging transformations. Any robust security strategy must embed a continual testing methodology that includes unknown or adaptive attack strategies.

Insider Threats and Supply Chain Risks

Autonomous vehicles rely on complex hardware and software supply chains, potentially including third-party suppliers for LiDAR components, sensor firmware, or neural network models. Insiders with privileged knowledge could embed backdoors or design weaknesses that facilitate adversarial exploitation. Supply chain security and thorough vetting of component integrity are thus integral to safeguarding the entire AV system.

Spatio-Temporal Attacks

Attackers might exploit not only the spatial domain but also the temporal one. By introducing ephemeral but well-timed perturbations, they can cause abrupt but severe misclassifications—e.g., generating a phantom pedestrian just as the vehicle changes lanes. The interplay between spatial and temporal aspects remains an under-researched area, demanding new defense paradigms that incorporate time-series consistency checks.

4.5 Interdisciplinary and Regulatory Dimensions

Liability and Legal Frameworks

If an adversarial attack causes an accident, who is held responsible—the manufacturer, the software developer, the owner of the vehicle, or the attacker (if identified)? Legal systems worldwide are only beginning to grapple with these dilemmas. As more advanced prototypes begin operating in public spaces, the impetus to define clear liability guidelines intensifies. Robust adversarial defenses may become a legal necessity, akin to seat belts or airbags in traditional vehicles.

Explainability and Transparency

Regulators and the general public may demand explanations for how a vehicle’s AI made a given decision, especially following an incident. Yet most adversarial defenses add complexity to the system, potentially obscuring the chain of causation. Balancing the intricacies of advanced machine learning with transparent, user-friendly explanations remains a formidable hurdle—one that overlaps with the rising field of eXplainable AI (XAI).

Public Perception and Trust

Adversarial attacks, if sensationalized, could erode public trust in self-driving technology. Even a minor incident framed as a “hack” can garner outsized media coverage. Therefore, it is incumbent upon researchers, automakers, and policymakers to educate stakeholders about both the existence of adversarial threats and the measures being taken to mitigate them.

4.6 Future Research Directions

Real-Time Certified Robustness: Ongoing work in approximate or region-based certification for large networks suggests a possible avenue for guaranteeing consistent behavior in limited perturbation ranges. Adapting these methods to object detection or multi-sensor systems remains a significant but rewarding challenge.

Continual and Lifelong Learning: Self-driving cars accumulate massive data as they operate. Online or continual learning frameworks could integrate new data—including adversarial or near-miss examples—into an evolving model. The risk is “catastrophic forgetting” of previously learned tasks, underscoring the need for advanced training algorithms.

Secure Federated Learning: As multiple vehicles gather data, federated learning can train global models without centralizing all raw data. Incorporating adversarial robustness into federated frameworks requires strategies to detect or mitigate malicious clients and ensure that an adversarially corrupted dataset does not degrade the entire model.

Cross-Sensor Verification: The academic community must explore holistic defenses that unify camera, LiDAR, radar, GPS, and even vehicle-to-infrastructure signals, verifying consistency across sensors. The challenge is designing robust sensor fusion algorithms that spot incongruities while preserving real-time efficiency.

Standardized Evaluation and Shared Benchmarks: Collaborative industry-academic initiatives could lead to open-source platforms replicating realistic adversarial scenarios, from city centers with congested traffic to rural highways with sparse signage. Standard metrics for measuring robust performance would accelerate progress and foster better comparability of defenses.

4.7 The Broader Vision: Safe and Trusted Autonomy

Ultimately, the adversarial challenge in autonomous driving is symptomatic of a larger theme: advanced AI systems, while powerful, exhibit unexpected brittleness under deceptive inputs. Addressing this brittleness will demand a concerted, multi-disciplinary effort—bringing together machine learning researchers, automotive engineers, cybersecurity experts, policy-makers, and ethicists. Successfully navigating this landscape will help ensure that self-driving vehicles achieve their promise of reducing accidents and reshaping mobility, rather than succumbing to exploitable weaknesses that could cause public harm and erode societal trust.

5. Conclusion

The rapid ascent of deep learning has indisputably revolutionized autonomous driving, creating vehicles capable of parsing complex road scenes in real time and making split-second decisions that rival or exceed human capabilities in specific, well-defined scenarios. Yet, the looming menace of adversarial attacks presents a sober reminder that these high-performing neural networks remain vulnerable to cunning manipulations. This paper offered an extensive inquiry into how adversarial threats manifest in the context of self-driving cars, how they can be categorized, and what strategies exist to mitigate them.

By examining the interplay between digital and physical attacks—from projected illusions to carefully crafted stickers on road signs—we illuminated how real-world conditions can be exploited by adversarial actors. Moreover, we surveyed an array of defense mechanisms, each promising partial relief yet carrying inherent trade-offs in complexity, computational demands, and coverage against emerging threats. The discussion underscored the necessity of a defense-in-depth approach, wherein multiple layers of protection—robust training, preprocessing, detection, sensor fusion, and fallback measures—work synergistically to hamper an attacker’s efforts.

Despite ongoing progress, significant hurdles stand in the way of foolproof adversarial resilience. The real-time constraints of on-road perception, the scaling challenges posed by vast amounts of data, and the ever-adapting arsenal of potential attackers create a perpetually shifting target for defenders. Equally critical are the broader socio-political dimensions: liability laws, public trust, regulatory standards, and ethical considerations converge to dictate how robust an autonomous vehicle must be before it can operate without human oversight on public roads.

5.1 Key Insights

High Dimensionality = High Vulnerability: Deep neural networks, prized for their ability to disentangle high-dimensional inputs, are ironically susceptible to adversarial perturbations because of that very complexity. Autonomous driving, which demands nuanced scene understanding, can thus be more exposed to adversarial subterfuge.

Physical Attacks Amplify Real-World Stakes: The line between cyberspace and physical space blurs when a printed pattern or a subtle bit of paint on a stop sign can trigger an erroneous classification. These low-cost, high-impact manipulations demonstrate that security considerations must extend beyond software updates into real-world infrastructure.

Defense Strategies Are Multifaceted: No single approach—be it adversarial training or detection-based screening—can unilaterally solve the adversarial problem. A layered, context-aware defense system that aligns with the stringent performance needs of driving is the most pragmatic path.

Standardization and Collaboration Are Crucial: Without unified benchmarks and transparent testing methods, it is challenging to gauge which defenses truly hold up under realistic conditions. Cooperative efforts between academia, industry, and government could accelerate the adoption of robust solutions.

Ongoing Research Directions: Certified defenses, sensor fusion verification, multi-modal adversarial training, and specialized hardware designs represent promising avenues. Likewise, the exploration of continuous learning, secure federated training, and advanced simulation platforms could collectively steer the industry closer to unassailable AV systems.

5.2 Looking Ahead

In the near term, we can anticipate that adversarial robustness will feature prominently in both research and development roadmaps for autonomous driving. As more vehicles become semi- or fully autonomous, stakeholders—from automakers to regulators—will face heightened expectations to prove that these systems can withstand malicious interference. New forms of dynamic adversarial testing might be integrated into standard safety procedures, mirroring the established practice of crash testing and mechanical reliability audits.

Longer term, the line between robust machine learning and broader systems engineering will continue to blur. A truly resilient self-driving platform will likely require advanced hardware-software co-design, sensor-level cryptographic protection, active environmental scanning for tampered signage, and synergy with regulatory frameworks that specify minimum robust performance benchmarks. The best strategies may not even reside purely in the realm of AI defenses but in orchestrated collaborations between city planners, infrastructure maintainers, and vehicle manufacturers (for instance, using “smart roads” that can detect tampering or confirm signage authenticity).

Despite the daunting complexity of these tasks, the ultimate reward is formidable: a secure and trustworthy autonomous driving ecosystem that dramatically reduces collisions, congestion, and environmental harm, while preserving the public’s confidence in AI-driven transport. The pressing nature of adversarial risks should thus be viewed not solely as a threat but also as a catalyst for innovation, compelling engineers and researchers to refine deep learning architectures, pioneer new interpretability methods, and design safer vehicular platforms. By embracing this challenge, the community stands poised to deliver on the transformative promise of autonomous vehicles—ensuring that they remain safe, reliable, and beneficial for society at large.

Acknowledgments

I would like to reiterate my sincere thanks to my research mentor, Dr. Emily Townsend, whose insight and expertise were instrumental throughout this project. Her commitment to rigorous methodology and her passion for advancing the field of autonomous driving security consistently guided the research toward meaningful and impactful conclusions.

References

Abbasi, M., & Gagné, C. (2017). Robustness to Adversarial Examples through an Ensemble of Specialists. arXiv preprint arXiv:1702.06856.

Adadi, A., & Berrada, M. (2018). Peeking Inside the Black-Box: A Survey on Explainable Artificial Intelligence (XAI). IEEE Access, 6, 52138–52160.

Athalye, A., Engstrom, L., Ilyas, A., & Kwok, K. (2018). Synthesizing Robust Adversarial Examples. In Proceedings of the 35th International Conference on Machine Learning (pp. 284–293).

Bagdasaryan, E., Veit, A., Hua, Y., Estrin, D., & Shmatikov, V. (2020). How To Backdoor Federated Learning. In Proceedings of the 23rd International Conference on Artificial Intelligence and Statistics (pp. 2938–2948).

Brendel, W., Rauber, J., & Bethge, M. (2018). Decision-Based Adversarial Attacks: Reliable Attacks Against Black-Box Machine Learning Models. In International Conference on Learning Representations.

Brown, T., Mané, D., Roy, A., Abadi, M., & Gilmer, J. (2017). Adversarial Patch. arXiv preprint arXiv:1712.09665.

Brown, T., et al. (2019). Toward Physical Adversarial Attacks on Vehicle Sensor Systems. arXiv preprint arXiv:1902.01155.

Caltagirone, L., Bellone, M., Svensson, L., & Wahde, M. (2017). LIDAR-Camera Fusion for Road Detection Using Fully Convolutional Neural Networks. Robotics and Autonomous Systems, 85, 1–8.

Cao, X., Zhou, H., Wei, T., & Chen, Y. (2019). Adversarial Sensor Attack on LiDAR-Based Perception in Autonomous Driving. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (pp. 2267–2281).

Carlini, N., & Wagner, D. (2017). Towards Evaluating the Robustness of Neural Networks. In 2017 IEEE Symposium on Security and Privacy (pp. 39–57).

Carlini, N., & Wagner, D. (2018). Audio Adversarial Examples: Targeted Attacks on Speech-to-Text. In 2018 IEEE Security and Privacy Workshops (pp. 1–7).

Carlini, N., Athalye, A., Papernot, N., Brendel, W., Rauber, J., Tsipras, D., … & Kurakin, A. (2019). On Evaluating Adversarial Robustness. arXiv preprint arXiv:1902.06705.

Chen, T., Lu, J., Feng, J., & Zhou, B. (2017). Radar + Vision: A Systematic Review of Sensor Fusion Techniques for Object Detection and Segmentation in Autonomous Vehicles. IEEE Intelligent Transportation Systems Magazine, 11(2), 24–36.

Cordts, M., Omran, M., Ramos, S., Rehfeld, T., Enzweiler, M., Benenson, R., … & Schiele, B. (2016). The Cityscapes Dataset for Semantic Urban Scene Understanding. In 2016 IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 3213–3223).

Dean, J., Corrado, G., Monga, R., Chen, K., Devin, M., Mao, M., … & Ng, A. Y. (2012). Large Scale Distributed Deep Networks. In Proceedings of the 25th International Conference on Neural Information Processing Systems (pp. 1223–1231).

Dhillon, G. S., Azizzadenesheli, K., Lipton, Z. C., Bernstein, J., Kossaifi, J., Khanna, A., & Anandkumar, A. (2018). Stochastic Activation Pruning for Robust Adversarial Defense. In International Conference on Learning Representations.

Dickmanns, E. D. (2007). Dynamic Vision for Perception and Control of Motion. London, UK: Springer.

Doshi-Velez, F., & Kim, B. (2017). Towards A Rigorous Science of Interpretable Machine Learning. arXiv preprint arXiv:1702.08608.

Dosovitskiy, A., Ros, G., Codevilla, F., Lopez, A., & Koltun, V. (2017). CARLA: An Open Urban Driving Simulator. In Proceedings of the 1st Annual Conference on Robot Learning (pp. 1–16).

Du, X., Tu, H., Lin, Y., Yue, X., & Zhu, Y. (2020). Fooling Lane Detection in Autonomous Driving with Crafted Perturbations. arXiv preprint arXiv:2003.06701.

Dziugaite, G. K., Ghahramani, Z., & Roy, D. M. (2016). A Study of the Effect of JPG Compression on Adversarial Images. arXiv preprint arXiv:1608.00853.

Eykholt, K., Evtimov, I., Fernandez, E., Li, B., Rahmati, A., Xiao, C., … & Song, D. (2018). Robust Physical-World Attacks on Deep Learning Visual Classification. In 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 1625–1634).

Favarò, F. M., Eurich, S. O., & Nader, N. (2018). Autonomous Vehicles’ Safety and Security: A Technological Exploration of Cyber Risk. Transportation Research Part C: Emerging Technologies, 103, 362–380.

Finlayson, S. G., Bowers, J. D., Ito, J., Zittrain, J. L., & Beam, A. L. (2019). Adversarial Attacks on Medical Machine Learning. Science, 363(6433), 1287–1289.

Geiger, A., Lenz, P., & Urtasun, R. (2012). Are We Ready for Autonomous Driving? The KITTI Vision Benchmark Suite. In 2012 IEEE Conference on Computer Vision and Pattern Recognition (pp. 3354–3361).

Goodfellow, I. J., Shlens, J., & Szegedy, C. (2015). Explaining and Harnessing Adversarial Examples. In International Conference on Learning Representations.

Gowal, S., Dvijotham, K., Stanforth, R., Mann, T., Kohli, P., & Bunel, R. (2018). On the Effectiveness of Interval Bound Propagation for Training Verifiably Robust Models. arXiv preprint arXiv:1810.12715.

Guo, C., Rana, M., Cisse, M., & van der Maaten, L. (2018). Countering Adversarial Images Using Input Transformations. In International Conference on Learning Representations.

He, K., Zhang, X., Ren, S., & Sun, J. (2016). Deep Residual Learning for Image Recognition. In 2016 IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 770–778).

Howard, A. G., Zhu, M., Chen, B., Kalenichenko, D., Wang, W., Weyand, T., … & Adam, H. (2017). MobileNets: Efficient Convolutional Neural Networks for Mobile Vision Applications. arXiv preprint arXiv:1704.04861.

Huval, B., Wang, T., Tandon, S., Kiske, J., Song, X., Pazhayampallil, J., … & Ng, A. Y. (2015). An Empirical Evaluation of Deep Learning on Highway Driving. arXiv preprint arXiv:1504.01716.

Ilyas, A., Engstrom, L., & Madry, A. (2018). Black-box Adversarial Attacks with Limited Queries and Information. In Proceedings of the 35th International Conference on Machine Learning (pp. 2137–2146).

Koh, P. W., & Liang, P. (2017). Understanding Black-box Predictions via Influence Functions. In Proceedings of the 34th International Conference on Machine Learning (pp. 1885–1894).

Kritayakirana, K., & Gerdes, J. C. (2012). Autonomous Vehicle Control at the Limits of Handling. International Journal of Vehicle Autonomous Systems, 10(4), 271–296.

Kurakin, A., Goodfellow, I., & Bengio, S. (2017). Adversarial Examples in the Physical World. In Artificial Intelligence Safety and Security (pp. 99–112).

Levinson, J., Askeland, J., Becker, J., Dolson, J., Held, D., Kammel, S., … & Thrun, S. (2011). Towards Fully Autonomous Driving: Systems and Algorithms. In 2011 IEEE Intelligent Vehicles Symposium (pp. 163–168).

Li, B., & He, D. (2019). pgdART: Progressive Generative Distillation for Adversarial Robustness Transfer. arXiv preprint arXiv:1906.01486.

Lefèvre, S., Vasquez, D., & Laugier, C. (2014). A Survey on Motion Prediction and Risk Assessment for Intelligent Vehicles. ROBOMECH Journal, 1(1), 1–14.

Litman, T. (2020). Autonomous Vehicle Implementation Predictions: Implications for Transport Planning. Victoria Transport Policy Institute, 28, 1–25.

Liu, Y., Chen, X., Liu, C., & Song, D. (2017). Delving into Transferable Adversarial Examples and Black-box Attacks. In International Conference on Learning Representations.

Long, J., Shelhamer, E., & Darrell, T. (2015). Fully Convolutional Networks for Semantic Segmentation. In 2015 IEEE Conference on Computer Vision and Pattern Recognition (pp. 3431–3440).

Lu, C., Varshney, P. K., Reibman, A. R., & Cramer, R. S. (2020). Physical Adversarial Attacks on Surveillance Systems. IEEE Access, 8, 74144–74152.

Madry, A., Makelov, A., Schmidt, L., Tsipras, D., & Vladu, A. (2018). Towards Deep Learning Models Resistant to Adversarial Attacks. In International Conference on Learning Representations.

Marchant, G. E., & Lindor, R. A. (2012). The Coming Collision between Autonomous Vehicles and the Liability System. Santa Clara Law Review, 52, 1321.

Meng, D., & Chen, H. (2017). MagNet: A Two-Pronged Defense against Adversarial Examples. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 135–147).

Moosavi-Dezfooli, S. M., Fawzi, A., & Frossard, P. (2016). DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks. In 2016 IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 2574–2582).

Nguyen, A., Yosinski, J., Clune, J., Fuchs, T., & Lipson, H. (2020). Machine Creativity: The Evolutionary Approach to AI-Generated Art. In 2020 Artificial Life Conference (pp. 365–372).

Papernot, N., McDaniel, P., & Goodfellow, I. (2016). Transferability in Machine Learning: from Phenomena to Black-box Attacks using Adversarial Samples. arXiv preprint arXiv:1605.07277.

Petit, J., & Shladover, S. E. (2015). Potential Cyberattacks on Automated Vehicles. IEEE Transactions on Intelligent Transportation Systems, 16(2), 546–556.

Rawat, D., Shetty, N. R., & Muttukrishnan, R. (2019). Towards Secure V2X Communication in 5G Autonomous Vehicles. ICT Express, 5(2), 73–78.

Ren, S., He, K., Girshick, R., & Sun, J. (2015). Faster R-CNN: Towards Real-time Object Detection with Region Proposal Networks. In Advances in Neural Information Processing Systems (pp. 91–99).

Schwarting, W., Alonso-Mora, J., & Rus, D. (2018). Planning and Decision-Making for Autonomous Vehicles. Annual Review of Control, Robotics, and Autonomous Systems, 1, 187–210.

Sermanet, P., & LeCun, Y. (2011). Traffic Sign Recognition with Multi-Scale Convolutional Networks. In 2011 International Joint Conference on Neural Networks (pp. 2809–2813).

Sitawarin, C., Bhagoji, A. N., Mosenia, A., Chiang, M., & Mittal, P. (2018). DARTS: Deceiving Autonomous Cars with Toxic Signs. arXiv preprint arXiv:1802.06430.

Strauss, T., Hanselmann, M., Junginger, A., & Ulmer, H. (2017). Ensemble Methods as a Defense to Adversarial Perturbations Against Deep Neural Networks. arXiv preprint arXiv:1709.03423.

Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., & Fergus, R. (2014). Intriguing Properties of Neural Networks. In International Conference on Learning Representations.

Tramèr, F., Kurakin, A., Papernot, N., Boneh, D., & McDaniel, P. (2018). Ensemble Adversarial Training: Attacks and Defenses. In International Conference on Learning Representations.

Tsipras, D., Santurkar, S., Engstrom, L., Turner, A., & Madry, A. (2019). Robustness May Be at Odds with Accuracy. In International Conference on Learning Representations.

Tu, Y., Fan, Y., Lu, Z., Li, Q., Xia, S. T., & Wu, Y. (2021). Multi-Sensor Adversarial Attacks and Defenses in Autonomous Driving: A Survey. arXiv preprint arXiv:2108.12356.

Vaswani, A., Shazeer, N., Parmar, N., Uszkoreit, J., Jones, L., Gomez, A. N., … & Polosukhin, I. (2017). Attention Is All You Need. In Advances in Neural Information Processing Systems (pp. 5998–6008).

Xiao, C., Zhu, J. Y., Li, B., He, W., Liu, M., & Song, D. (2020). Spatially Transformed Adversarial Examples. In International Conference on Learning Representations.

Xie, C., Wu, Y., van der Maaten, L., Yuille, A. L., & He, K. (2019). Feature Denoising for Improving Adversarial Robustness. In 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 501–509).

Xu, W., Evans, D., & Qi, Y. (2018). Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks. In Network and Distributed System Security Symposium (pp. 1–15).

Yu, F., Xian, W., Chen, Y., & Madhavan, V. (2020). BDD100K: A Diverse Driving Dataset for Heterogeneous Multitask Learning. In 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 2633–2642).

Zajac, Z., Liu, Y., Li, C., & Jha, S. (2021). Adversarial Temporal Behavior in Autonomous Driving Systems. In Proceedings of the IEEE/CVF International Conference on Computer Vision Workshops (pp. 45–54).

Zantedeschi, V., Nicolae, M. I., & Rawat, A. (2017). Efficient Defenses against Adversarial Attacks. In Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security (pp. 39–49).

Zhang, J., Jiao, J., Liu, X., Wang, H., Zhang, Y., & Liu, L. (2019). Towards Safe and Efficient Autonomous Driving: The Emergence of Deep Learning and Reinforcement Learning. Proceedings of the IEEE, 108(12), 1824–1848.

Zhou, H., Lu, Y., Jiang, Y., Chen, T., & Yang, M. (2021). A Survey of Autonomous Driving Security. ACM Computing Surveys, 54(4), 1–37.

Discover more from National High School Journal of Contemporary Scholarship